WindowSecurity.com - Monthly Newsletter - August 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

User identification and authentication is one of the most fundamental elements in information security. Once a user is authenticated, they are subsequently authorized to access data and information. If an attacker can assume the identity of a valid, authorized user, they can wreak all sorts of havoc and, making matters worse, do so almost undetected.

Static passwords have traditionally been the accepted way of identifying users. If you know the password, you are the user. If an attacker obtains the password, they are that user! Sadly, obtaining passwords is often trivial, especially when users choose weak passwords or administrators store or transmit them (or representations of them) insecurely.

Microsoft, in its continuing effort to move away from reliance on passwords, has introduced Windows Hello and Microsoft Passport. Read on for more details on these two compelling technologies.

--Rich


Windows Hello and Microsoft Passport

With the release of Windows 10, Microsoft introduced Windows Hello and Microsoft Passport, two new technologies designed to work together to mitigate the challenges associated with traditional password-based authentication, while at the same time making strong authentication more convenient for the user.

Passwords have been around since the dawn of (computer) time. They have been the most common way of performing user authentication. Once the user is identified, the password is supplied and verified against some form of identity provider (local database, Active Directory, cloud ID provider, etc.). If successful, the user is granted some level of access associated with their identity.

The challenge here is that just knowing the password is all that is commonly required to assume an identity. Attackers know this, and they invest a great deal of effort obtaining them in a variety of ways. Traditional passwords must be stored in some fashion, so they attack those repositories. In addition, capturing credentials is increasingly effective. After all, the attacker doesn’t necessarily have to know the password. If they can obtain a token, which is a representation of the password, they can gain authorized access to their target system.

The traditional approach to improving password security has been making them longer, more complex, and short-lived. Unfortunately, while improving security somewhat, it has the negative side effect of making them more difficult to use. Users have trouble remembering them and resort to methods such as writing them down on a sticky note placed next to their keyboard and reusing them across multiple systems, all of which ultimately reduce security.

Windows Hello provides reliable, integrated biometric authentication in the form of fingerprints, iris scans, or facial recognition. A Personal Identification Number (PIN) is also supported for devices that do not have hardware-based biometric support. Windows Hello is effectively a combination of an individual user and a specific device. This “Hello” doesn’t roam between devices, is not shared with an external system, and can’t easily be extracted from the device. Each Hello is unique for each user and on each device.

Microsoft Passport replaces traditional passwords with strong, two-factor authentication. It verifies the user’s credentials and creates device-specific credentials using biometric data or a PIN. Windows Hello does not authenticate the user. Rather, it is used to unlock the Passport credentials which are used for authentication.

Passport is functionally similar to smart cards in that authentication is performed using advanced cryptography, not just by comparing a string of characters (commonly the salted hash of the user’s plaintext password). The user’s key material is secured inside tamper-resistant hardware. Passport does not require additional infrastructure that smart cards require and does not rely on Public Key Infrastructure (PKI).
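To make the contrast concrete, here is an added example (not code from Microsoft or from this newsletter) that models the two verification styles side by side: a password-style provider that compares a stored salted hash against whatever the client presents, and a key-style provider in the spirit of Passport that stores only a public key and checks a signature over a fresh nonce. The toy hash scheme and the Ed25519 key pair are assumptions for illustration; the real Windows credential formats are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Password model (constructed toy scheme, not the Windows NT hash): salt plus salted hash.
type PasswordRecord struct{ Salt, Hash []byte }

// SaltedHash derives the credential the provider stores and the client presents.
func SaltedHash(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// EnrollPassword creates the stored record for a new password.
func EnrollPassword(password string) PasswordRecord {
	salt := make([]byte, 16)
	rand.Read(salt)
	return PasswordRecord{Salt: salt, Hash: SaltedHash(salt, password)}
}

// VerifyPasswordToken: the hash is a static, reusable token; a captured copy replays forever.
func VerifyPasswordToken(rec PasswordRecord, presented []byte) bool {
	return subtle.ConstantTimeCompare(rec.Hash, presented) == 1
}

// Key model: the provider keeps only the public key; the private key stays on the device (TPM).
type KeyRecord struct{ Pub ed25519.PublicKey }

// EnrollKey: private half goes to the device, public half into the server-side record.
func EnrollKey() (ed25519.PrivateKey, KeyRecord) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, KeyRecord{Pub: pub}
}

// NewChallenge issues a fresh random nonce for a single logon attempt.
func NewChallenge() []byte {
	n := make([]byte, 32)
	rand.Read(n)
	return n
}

// SignChallenge (device side): the Hello-unlocked private key signs the server nonce.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// VerifySignedChallenge (server side): a signature for one nonce fails against the next.
func VerifySignedChallenge(rec KeyRecord, nonce, sig []byte) bool {
	return ed25519.Verify(rec.Pub, nonce, sig)
}
```

In the password model the stored record itself is the secret, so a breach of the repository or a captured hash is enough to log on; in the key model the server-side record is public and a captured signature is useless once the nonce changes.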

Passport for Work is a new feature supported in Windows Server 2016 that allows for the integration of Passport credentials with Active Directory. It does not, however, require any schema changes, nor does it require any changes to forest or domain functional levels. It only requires that one domain controller be running Windows Server 2016. Windows 10 Professional and Enterprise SKUs include an enhanced version of Passport that allows for centralized management of Passport settings for PIN strength and biometric use via Group Policy Objects (GPOs).

The powerful combination of Windows Hello and Microsoft Passport can greatly improve an organization's security posture and dramatically reduce its exposure to pass-the-hash and other forms of credential theft. It eliminates reusable passwords for logon and works in a distributed, non-centralized model to eliminate the risk of widespread compromise often associated with centralized identity providers like the Active Directory database. Security administrators today should take a serious look at implementing these technologies as soon as possible.


2. Implementing DirectAccess with Windows Server 2016

DirectAccess is a remote access technology included in Windows Server 2016. It provides seamless and transparent, always-on remote network connectivity for managed Windows devices. DirectAccess is built on commonly deployed Windows platform technologies and is designed to streamline and simplify the remote access experience for end users. In addition, DirectAccess connections are bidirectional, allowing administrators to more effectively manage and secure their field-based assets.

Implementing DirectAccess with Windows Server 2016 provides a high-level overview of how DirectAccess works. The vision and evolution of DirectAccess are outlined and business cases and market drivers are explained. It also provides detailed, prescriptive guidance to plan, design, implement and support a secure remote access solution using DirectAccess in Windows Server 2016.

Implementing DirectAccess with Windows Server 2016 is available for pre-order on Amazon.com now. Order your copy today!



3. Microsoft Security Bulletins for August 2016

For the month of August, Microsoft released 9 security bulletins. Five are rated critical and four important. Affected software includes Internet Explorer and Edge, Office, Lync, Skype for Business, ActiveSync, and all supported versions of Windows client and server operating systems. MS16-099 should be deployed immediately, as this vulnerability allows remote code execution on the victim machine if the victim opens a malicious Office document. MS16-100 is an update that addresses a serious vulnerability in the Secure Boot feature of Windows. This could allow an attacker to bypass this essential protection mechanism and inject malicious code early in the system startup process.

For more information about August’s security bulletins click here.


4. Microsoft Security Advisories for August 2016

This month Microsoft released security advisory 3179528, which is an update for the Windows kernel mode blacklist.



5. Security Articles of Interest

  1. The Microsoft Azure Security Center is now generally available to all customers of Microsoft’s popular public cloud platform. I’ve written about Azure Security Center here at WindowSecurity.com in the past, and anyone using Azure today should take advantage of this unique and compelling security offering.
    https://azure.microsoft.com/en-us/blog/azure-security-center-now-generally-available-proven-to-improve-security/

  2. With the recent release of Azure Security Center, Microsoft published this video overview and demonstration with Azure Security Center program manager Sarah Fender. Definitely worth a look!
    https://www.youtube.com/watch?v=v_ft9b4fo7U

  3. Security incident response is critical to containing and mitigating security breaches. How it is handled in the cloud differs somewhat from traditional on-premises methods. Microsoft has published a white paper that examines how Microsoft investigates, manages, and responds to security incidents within the Azure public cloud platform.
    https://gallery.technet.microsoft.com/Azure-Security-Response-in-dd18c678

  4. In its ongoing effort to make the Azure public cloud the most secure, trusted public cloud offering on the market, Microsoft has added support for digital certificates for device-level authentication in its Azure Internet of Things (IoT) hub platform. This has tremendous implications for security, especially in healthcare and other similar verticals. Implementing this feature has earned Microsoft ISO 27017:2015 cloud security certification.
    http://www.theregister.co.uk/2016/08/04/microsoft_throws_pki_iso_certs_to_harden_azure_cloud/

  5. Malware authors, in their incessant quest to get unsuspecting users to run their malicious code, are now using Object Linking and Embedding (OLE) to deliver their infected payloads. Administrators are well advised to ensure that users are running as non-privileged (non-administrative) users. In addition, having a solid email security solution in place, with an effective edge security gateway performing malware scanning, is essential.
    https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/

  6. In an effort to combat the password fatigue that comes from having to remember a multitude of individual passwords for numerous systems and applications, many Windows users are taking advantage of a variety of password management solutions. One popular offering is LastPass, which is a cloud-based service. Recently several security flaws were discovered in LastPass that allowed unauthorized users to fully and remotely compromise user accounts.
    http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/

    https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

  7. The Web Proxy Auto Discovery (WPAD) protocol and its associated Proxy Auto Configuration (PAC) files have been with us for quite some time. When proxy servers were commonplace in the enterprise, these mechanisms allowed administrators to control the use of web proxies effectively and in a scalable way. However, a recently discovered attack demonstrates that it is possible to use WPAD and PAC files to leak information about the HTTPS sites a user is visiting. Details here.
    http://news.softpedia.com/news/attack-with-wpad-protocol-and-pac-files-can-leak-https-traffic-506692.shtml

    https://threatpost.com/wpad-flaws-leak-https-urls/119582/

  8. Microsoft is continually raising the bar for security in Windows. Recently they mandated new hardware changes for PCs by making Trusted Platform Module (TPM) 2.0 a requirement on all Windows 10 smartphones, PCs, and tablets. The TPM also makes the use of Microsoft Passport and Windows Hello much more effective.
    http://www.computerworld.com/article/3101427/security/microsoft-mandates-windows-10-hardware-change-for-pc-security.html

  9. The Security Compliance Manager (SCM) v4.0 is now available for download. This is a free tool from Microsoft that allows administrators to quickly configure and manage computers using Active Directory Group Policy and Microsoft System Center Configuration Manager. This new release includes support for Windows 10 and Windows Server 2016.
    https://blogs.technet.microsoft.com/secguide/2016/07/28/security-compliance-manager-4-0-now-available-for-download/

  10. Not surprisingly, malware authors are increasingly making use of SSL and TLS to hide their malicious code and evade detection while in transport. No doubt they have been aided by the increasing popularity of Let’s Encrypt, an effort to make the deployment of SSL and TLS more widespread. If you are not terminating SSL and TLS on your edge security gateways, you are likely missing a good deal of malicious traffic.
    http://www.zdnet.com/article/malware-disguised-by-ssl-traffic-spikes-over-the-last-year/


6. WindowSecurity.com Articles of Interest

  1. How SIEM Software Can Enforce an Information Security Policy

  2. Dell Active Administrator Voted WindowSecurity.com Readers’ Choice Award Winner – Group Policy Management

  3. Application Security Redux: It’s All about the Apps (Part 7)

  4. Azure Security Infrastructure

  5. Security Visibility in the Cloud

7. Windows Security Tip of the Month

The combination of Windows Hello and Microsoft Passport will be a powerful deterrent to many highly effective and increasingly common credential theft attacks. If you are a developer, take the time to learn and understand these new authentication technologies and begin integrating them soon. Not only will it greatly improve security for all, it will, at the same time, make strong authentication much easier for the user. It’s not often that security administrators can get a win-win like this! For more information about integrating and implementing Microsoft Passport and Windows Hello, click here.