WindowSecurity.com - Monthly Newsletter - August 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

At the end of last month, Microsoft publicly released Windows 10. This latest release of the Microsoft client operating system brings with it many new features and functionality to improve the end user computing experience across a variety of form factors. One of the most notable features Windows 10 includes is a change in the Start screen. While the Windows 8 Start screen consumed the entire desktop window, Windows 10 now combines the old-style Windows 7 Start menu with the modern Windows 8 Start screen. Ostensibly these changes were made to appease the masses who couldn’t figure out how to use the Windows key to get back to the desktop. Personal opinion aside, Microsoft clearly received enough push back from users that they had to implement these changes. I had no problem with the Windows 8 Start screen, but I like the new Windows 10 version as well.

In addition to a plethora of new enhancements to the look and feel, Windows 10 also brings with it significant changes that impact security. We’ll take a look at a few important ones in this month’s newsletter.

--Rich

New and Enhanced Security Features in Windows 10

In addition to the myriad changes Microsoft made to the aesthetics in Windows 10, they also made a substantial effort to improve the security of the new platform. Microsoft has made great strides since the 2002 Trustworthy Computing Initiative was launched, and with each new operating system release they continue to get better. Windows 10 continues that tradition with the addition or enhancement of some key security technologies designed to improve identity protection for users of the Windows 10 client operating system.

Windows Hello – Microsoft is continuing its assault on the venerable password, and with the introduction of Windows Hello in Windows 10, they are focusing their efforts on making strong, biometric-based authentication easier to use and ultimately easier to adopt. Windows Hello supports advanced biometric identification using fingerprints, facial recognition, and even iris scanning (assuming the underlying hardware supports it). The aim here is to reduce the barrier to adoption for strong authentication by making it simpler to use than standard passwords.

Microsoft Passport – Formerly named “Next Generation User Credentials” in preview releases of Windows 10, the Microsoft Passport feature, along with a new security feature called “Virtual Secure Mode”, is designed to mitigate common credential theft techniques such as “pass-the-hash” by enabling multifactor authentication. Unlike traditional multifactor authentication solutions, this does not require an external service or device. Essentially the Windows client device itself becomes one of the factors by provisioning an asymmetric key pair whose private key is stored in the local Trusted Platform Module (TPM). Passport can take advantage of PKI for enterprise deployment as well.

Azure Active Directory Integration – Users can now log on to their Windows 10 devices using Azure Active Directory accounts. No longer is a Microsoft account required. With Azure AD accounts, users gain access to features typically only available to Microsoft accounts, including Store access, synchronization of settings and desktop layout, and more.

Per-App VPN – Windows 8 first introduced the concept of application-triggered VPN connections. However, the major drawback was that once the VPN was established, all applications had access to the corporate network over the VPN. Windows 10 now includes support for per-application VPN. Using an MDM solution, corporate administrators can configure individual applications with VPN access. When the application is launched, the VPN is established and only that application can access the VPN. Other applications running at the same time will not have corporate network access.

Edge Browser – With Windows 10, Microsoft has introduced a new web browser called “Edge”. This is arguably one of the biggest areas of security improvement on the client operating system, as the web browser is a favorite target of attackers due to its ubiquitous use and often poor security posture. The new Edge browser no longer supports risky features such as toolbars, ActiveX, and VBScript. This alone will reduce the number of successful attacks against the browser. Edge also includes some under-the-covers security features such as MemGC (Memory Garbage Collector) and Control Flow Guard. The former hardens the browser against attacks that rely on memory corruption, while the latter makes it harder to turn a vulnerability in an application into a compromise of that application.

Windows 10 also includes features introduced in Windows 8, including Trusted Boot and Measured Boot to protect the system startup process from compromise. Windows Defender and SmartScreen continue to provide essential protection from malware, and disk encryption is much more widely supported (including support for hardware-encrypted disk drives) and enabled by default for most installations.

There’s a ton of great security features in Windows 10, without a doubt. If you haven’t started planning your Windows 10 migration, get started soon!

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!



3. Microsoft Security Bulletins for August 2015

For the month of August Microsoft released 14 security bulletins. 4 are rated critical and 11 important. Affected software includes Microsoft Office, Internet Explorer, Lync, Silverlight, the .NET Framework, System Center Operations Manager (SCOM), the new Edge browser in Windows 10, and all supported versions of Microsoft Windows. Pay close attention this month to MS15-081, which addresses a critical vulnerability in Microsoft Office, specifically allowing remote code execution when a user opens a Word document. MS15-085 is an important update addressing a vulnerability in the Windows Mount Manager that could allow privilege escalation. The Mount Manager is used whenever removable media (e.g. USB flash drive) is inserted into a machine. When this happens, it is possible to run code on a target machine containing this unpatched vulnerability.

Note: Just as this newsletter was being completed, Microsoft released a critical, out-of-band security update (MS15-093) for all supported versions of Internet Explorer. Typically when this occurs, Microsoft is aware of exploit code being actively used in the wild. Customers are urged to apply this update immediately.

For more information about August’s security bulletins click here.

4. Microsoft Security Advisories for August 2015

For the month of August, Microsoft did not release any new security advisories. However, they did update security advisory 2755801 which addresses vulnerabilities in Adobe Flash Player in Internet Explorer.


5. Security Articles of Interest

  1. Privileged identity and access management has long been a difficult problem to solve for many organizations. Microsoft is investing heavily in Azure Active Directory, and has included new features and functionality to address this particular pain point. Using Azure AD, security administrators can better manage privileged access and even configure “just-in-time administration” by granting on-demand, limited time administration privileges.
    http://blogs.microsoft.com/cybertrust/2015/07/23/cloud-security-controls-series-azure-ad-privileged-identity-management/

  2. An often overlooked aspect of pre-production environments is security. It is not uncommon for the focus to be entirely on functionality and availability, with security being an afterthought. This does not change in the cloud, and in fact, you could argue that it becomes much more important when using public facing infrastructure. With Azure, pre-production deployments use something called “deployment slots” that allow for side-by-side deployment of production and pre-production releases. Here’s some guidance on ensuring those pre-production deployments are still secure.
    http://azure.microsoft.com/blog/2015/08/03/securing-your-pre-production-environment-in-the-cloud/

  3. Just after Windows 10 was released last month, the Internets were abuzz with what some online pundits considered a “huge security risk”. Namely, many of the uninformed saw that Microsoft’s new Wi-Fi Sense in Windows 10 allowed the sharing of wireless connection credentials with those in your contact list. However, during the hysteria that ensued, many forgot to actually investigate this feature and, as it turns out, the user must manually and proactively enable the feature on a per-network basis.
    http://www.zdnet.com/article/no-windows-10s-wi-fi-sense-feature-is-not-a-security-risk/

  4. Just a quick heads up for anyone who has deployed the update for Microsoft security bulletin MS14-025, which addressed a security vulnerability in Active Directory Group Policy Preferences that could allow privilege escalation. Just applying the update is not enough. You must make additional changes to Active Directory as outlined in the following security advisory.
    https://support.microsoft.com/en-us/kb/2962486

  5. Microsoft has updated their Message Analyzer to release 1.3.1. The latest release includes new features and functionality that will make analyzing data from various inputs much easier. The new version also includes an auto update mechanism so now you won’t have to be notified out of band that an update is available!
    http://blogs.technet.com/b/messageanalyzer/archive/2015/08/05/message-analyzer-1-3-1-update-released.aspx

  6. Microsoft recently announced their U.S. TechNet On Tour event schedule for the Fall of 2015. At an event in a city near you, you can learn about some interesting and compelling new technologies directly from Microsoft experts. This time around Microsoft will be demonstrating the use of Azure for cloud-based disaster recovery scenarios. Azure Backup is a thing of beauty, and using Azure as your disaster recovery site has tremendous benefits. Be sure to check it out!
    https://yungchou.wordpress.com/2015/08/07/announcing-u-s-technet-on-tour-events-for-fall-2015/

  7. Capturing network traces is often essential to perform in-depth troubleshooting. Having the tools installed and configured to do this is often difficult, and sometimes impossible. Performing network captures remotely is possible, however, using native Microsoft utilities. Read this post to learn how to use native Windows tools to capture network traces remotely.
    http://blogs.technet.com/b/askpfeplat/archive/2015/08/10/leveraging-windows-native-functionality-to-capture-network-traces-remotely.aspx

  8. In the past I’ve written about the Microsoft Enhanced Mitigation Experience Toolkit (EMET). This tool is invaluable for ensuring the best possible security posture for Windows clients and servers. EMET is a really deep and complex tool though, so the folks at Microsoft recently released a Test Lab Guide (TLG) for demonstrating how to use EMET 5.2.
    http://blogs.technet.com/b/tlgs/archive/2015/08/11/tlg-for-the-enhanced-mitigation-experience-toolkit-emet-5-2-is-now-available.aspx

  9. Lost in the onslaught of new features that came out with Windows 10 is an interesting new security feature included in SMB 3.1.1 that is designed to prevent man-in-the-middle attacks. SMB 3.1.1 in Windows 10 now includes pre-authentication integrity, allowing the client and server to mutually trust the established SMB session.
    http://blogs.msdn.com/b/openspecification/archive/2015/08/11/smb-3-1-1-pre-authentication-integrity-in-windows-10.aspx

  10. Personally, I’m a big fan of Lenovo laptops. I’ve been using them for many years now and they are great. However, they really make it hard to like them considering some of the boneheaded security gaffes they’ve made recently! A while back it was determined that Lenovo was disabling Windows Update on their machines to “reduce support calls”. Serious fail. Now comes word that Lenovo was using the BIOS to persist their software on a machine even if the disk was wiped and reloaded. This is a standard procedure for me, and I was certainly surprised to hear this. Thankfully I have a ThinkPad, which was not one of the affected platforms. However, if you are running a Lenovo Yoga 3, Flex 2, Pro 15 or V3000 notebook, or the H, C, or Horizon desktop machines, you might want to take a close look at your machine.
    http://www.v3.co.uk/v3-uk/news/2422015/lenovo-caught-installing-bloatware-again-with-windows-bios-backdoor
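To make the SMB 3.1.1 pre-authentication integrity item (number 9 above) concrete, here is an added example written for this newsletter, not code from the newsletter itself or from Microsoft. It models the mechanism in a deliberately simplified form: both peers fold every negotiation message they saw into a running SHA-512 hash (the algorithm SMB 3.1.1 uses for this purpose), and the resulting value is bound into the proof they exchange when the session is set up. The message byte strings, the `AES-128-GCM`/`AES-128-CCM` context text, the fixed session key and the HMAC-based proof are all constructed stand-ins for the real binary SMB2 structures and key derivation; the point they illustrate is that a device in the path that rewrites the negotiation (here, stripping the stronger cipher from the client's offer) leaves the two peers with different hashes, so the session fails verification instead of silently running with the downgraded settings.

```python
import hashlib
import hmac


def preauth_hash(messages):
    """Running pre-authentication integrity hash over a list of messages.

    Models SMB 3.1.1 behaviour: H_0 is 64 zero bytes and
    H_n = SHA-512(H_{n-1} || message_n). Both peers compute this over the
    negotiation messages exactly as they saw them on the wire.
    """
    h = bytes(64)
    for m in messages:
        h = hashlib.sha512(h + m).digest()
    return h


def session_proof(session_key, preauth_value):
    """Bind the negotiation transcript into the session.

    Simplified stand-in for SMB's key derivation: an HMAC over the pre-auth
    hash keyed with the shared session key. Peers with different transcripts
    produce different proofs and cannot verify each other.
    """
    return hmac.new(session_key, preauth_value, hashlib.sha256).digest()


def run_handshake(rewrite_request=None):
    """Simulate a client/server negotiation, optionally with an in-path rewrite
    of the client's request. Returns what each side ended up believing."""
    # Constructed text placeholders for SMB2 NEGOTIATE messages (not real packets).
    client_req = b"SMB2_NEGOTIATE dialects=0x0311,0x0302 ciphers=AES-128-GCM,AES-128-CCM"

    # The server only ever sees what arrived, which may have been modified en route.
    server_saw_req = rewrite_request(client_req) if rewrite_request else client_req

    # Server selects the strongest cipher present in the request it received.
    cipher = b"AES-128-GCM" if b"AES-128-GCM" in server_saw_req else b"AES-128-CCM"
    server_resp = b"SMB2_NEGOTIATE dialect=0x0311 cipher=" + cipher

    # Constructed: in the model both sides already share this key via authentication.
    session_key = b"constructed-shared-session-key"

    # Each peer hashes the transcript from its own point of view.
    client_hash = preauth_hash([client_req, server_resp])
    server_hash = preauth_hash([server_saw_req, server_resp])

    client_proof = session_proof(session_key, client_hash)
    server_proof = session_proof(session_key, server_hash)

    return {
        "cipher": cipher.decode(),
        "hashes_match": hmac.compare_digest(client_hash, server_hash),
        "session_verified": hmac.compare_digest(client_proof, server_proof),
    }


def strip_gcm(request):
    """Constructed in-path modification: remove the stronger cipher from the offer."""
    return request.replace(b"AES-128-GCM,", b"")


if __name__ == "__main__":
    print("untouched negotiation:", run_handshake())
    print("rewritten negotiation:", run_handshake(rewrite_request=strip_gcm))
```

Run as a script, the untouched negotiation ends with `AES-128-GCM` and `session_verified` true, while the rewritten one ends with the server having chosen `AES-128-CCM` but `session_verified` false, because the client hashed the offer it actually sent. That detection, rather than the choice of cipher, is what the pre-authentication integrity feature adds over earlier SMB 3 dialects.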


6. WindowSecurity.com Articles of Interest

  1. Netwrix Auditor for Active Directory Voted WindowSecurity.com Readers’ Choice Award Winner – Group Policy Management
  2. Active Directory in the Cloud – Part 2
  3. RSOP vs. GPMC vs. Secpol Comparison for GPO Reporting [Video]
  4. Microsoft Ignites a New Focus on Security – Part 1
  5. Product Review – Lepide Auditor Suite

7. Windows Security Tip of the Month

Windows 10 includes a great many features targeted squarely at consumers. However, Windows 10 is also a compelling platform for many large organizations. In the enterprise, Windows 10 devices will most often be joined to the corporate domain and managed using Active Directory Group Policy. To facilitate the management of Windows 10 clients using currently deployed Active Directory environments, Microsoft has made available Active Directory Group Policy Templates for managing new features in Windows 10. You can download these Windows 10 AD GPO templates here.