WindowSecurity.com - Monthly Newsletter - December 2013

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Editor's Corner

A fundamental tenet of network and systems security is attack surface reduction. As security administrators, we’ve been taught (or learned the hard way!) that if a service or feature isn’t being used, it is best to disable or remove it. The idea behind this principle is that you can’t attack something that doesn’t exist. A simple example would be disabling the Print Spooler service on a database server. You’re never going to print from, or connect a network printer to, a server running SQL Server, so you disable the service to prevent potential vulnerabilities in it from being exploited. Of course, there are myriad services that can be disabled to reduce the attack surface of a particular host, and for Windows servers the tool of choice for this exercise is the Security Configuration Wizard (SCW). The SCW is included with the Windows Server operating system and should be leveraged by every administrator to ensure the lowest possible attack surface for their Windows servers. The optimum attack surface reduction method is to deploy Windows Server using the core configuration option. In this month’s newsletter I’ll explore this important deployment configuration in more detail.

--Rich

Improve the Security of your Windows Infrastructure with Server Core

Windows Server Core is a Graphical User Interface (GUI)-less, command-line only version of Windows Server. Originally appearing in Windows Server 2008, this installation option provides the least possible attack surface by eliminating the GUI completely. With the removal of the GUI, common attack vectors like the Windows Explorer shell and Internet Explorer, which account for a significant portion of vulnerabilities, are eliminated entirely. The core configuration option for Windows Server 2008 and 2008 R2 had a few challenges, however. First, there were only a few supported workloads on Windows Server 2008 core: Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), DHCP, DNS, file and print services, Hyper-V, streaming media services, and IIS. Second, the core configuration option was permanent. That is, once you installed Windows Server 2008/R2 using the core configuration, the only way to get the GUI back, if it was needed, was to wipe the server and reload the operating system with the full installation of Windows Server.

The core configuration option in Windows Server 2012/R2 is greatly improved, making it a viable alternative for mainstream deployment. Beginning with Windows Server 2012, the GUI can be installed and/or removed just like any other feature of the operating system. That means that if you install Windows Server 2012/R2 using the core configuration and later require the GUI, it can be installed without having to reinstall the operating system. Also, there are more supported workloads on Windows Server 2012/R2 server core. In addition to the roles supported by Windows Server 2008/R2 core, Windows Server 2012/R2 core also supports Background Intelligent Transfer Service (BITS) server, BranchCache, iSCSI, load balancing, Multi-Path I/O (MPIO), qWave, telnet server, and Unix Migration services. Supported features also include Windows Server Update Services (WSUS), Active Directory Rights Management Services (AD RMS), and Routing and Remote Access (RRAS), which includes DirectAccess, client-based remote access VPN, and site-to-site VPN. Making Windows Server 2012/R2 server core even more accommodating is the inclusion of support for the Microsoft .NET Framework 3.5 and 4.5. Failover clustering and even BitLocker are also supported on Windows Server 2012/R2 core.

The core installation option is now the default and recommended installation mode for Windows Server 2012 and later. Because of the flexibility of being able to remove the GUI at any point in time, my personal preference and recommendation to others is to install Windows Server with the full GUI and then remove the GUI prior to placing the server into production. This allows the greatest flexibility and ease of deployment, using familiar GUI tools to configure the server. Once the server is configured and ready for service, removing the GUI can be accomplished by executing a simple PowerShell command:

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra

Another compelling feature of Windows Server 2012/R2 core is the Minimal Server Interface option. You won’t see this option available when you first install Windows, but you can enable or disable it once Windows has been installed. Minimal server interface is essentially the core configuration with a few of the GUI features included to increase the number of supported workloads running on server core. With the minimal server interface configured, you still don’t have the full GUI (explorer shell, Internet Explorer, etc.) but you do have access to most local GUI management tools and the MMC. If you have the full GUI installed and wish to transition to the minimal server interface instead of core, you can do this by executing the following PowerShell command:

Uninstall-WindowsFeature Server-Gui-Shell

When making changes to the installation configuration, either adding or removing the GUI, or enabling or disabling the minimal server interface, a restart will be required.
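The GUI removal steps above, as an added PowerShell example that is not from the newsletter: it reports which of the two GUI features are currently installed, removes only what is needed to reach the requested level (full core or Minimal Server Interface), and surfaces the restart requirement. The -Target and -Restart parameter names are this example's own choices; it assumes Windows Server 2012/R2 and an elevated session.

```powershell
# Added example: move a Windows Server 2012/R2 host from the full GUI to the
# Minimal Server Interface or to Server Core, checking the current state first.
param(
    [ValidateSet('Core', 'MinShell')]
    [string]$Target = 'Core',   # hypothetical parameter name chosen for this example
    [switch]$Restart            # pass -Restart to reboot automatically when done
)

Import-Module ServerManager

# The GUI layer on 2012/R2 is made of two features:
#   Server-Gui-Mgmt-Infra - Minimal Server Interface (MMC and most local GUI tools)
#   Server-Gui-Shell      - full shell (Explorer, Internet Explorer); depends on Mgmt-Infra
$features = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell
$shell = $features | Where-Object { $_.Name -eq 'Server-Gui-Shell' }
$infra = $features | Where-Object { $_.Name -eq 'Server-Gui-Mgmt-Infra' }

$current = if ($shell.Installed) { 'FullGui' }
           elseif ($infra.Installed) { 'MinShell' }
           else { 'Core' }
Write-Host "Current installation level: $current"

# Decide which single feature to remove; removing Mgmt-Infra also removes the
# shell because the shell depends on it.
$toRemove = switch ($Target) {
    'MinShell' { if ($shell.Installed) { 'Server-Gui-Shell' } }
    'Core'     { if ($infra.Installed) { 'Server-Gui-Mgmt-Infra' } }
}

if (-not $toRemove) {
    Write-Host "Already at or below '$Target'; nothing to remove."
    return
}

Write-Host "Removing $toRemove to reach '$Target' (a restart will be required)..."
$result = Uninstall-WindowsFeature -Name $toRemove -Restart:$Restart
Write-Host ("Success: {0}  RestartNeeded: {1}" -f $result.Success, $result.RestartNeeded)
```

Run with -Target MinShell to keep the local management tools, or with -Target Core to remove the GUI layer entirely; without -Restart the script reports RestartNeeded so the reboot can be scheduled.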

If you’re deploying common workloads like AD DS, AD CS, file and print services, IIS, Hyper-V, and DirectAccess or VPN (remote access or site-to-site), using the core configuration is the way to go. It will provide you with the lowest possible attack surface and the highest availability due to the reduced servicing (patching and updating) requirements of server core. And if you’re not comfortable administering a Windows Server 2012/R2 system running in core configuration, you can always install the Windows Remote Server Administration Tools (RSAT) and manage your systems remotely.

Windows Server 2012 Security from End to Edge and Beyond

If you're planning to deploy Windows Server 2012 now or in the future, be sure to order your copy of Windows Server 2012 Security from End to Edge and Beyond today. Written by veteran security authors Tom Shinder, Deb Shinder, and Yuri Diogenes, this book provides detailed, prescriptive guidance on how to architect, design, plan, and deploy Windows Server 2012 in a secure manner. This book covers all aspects of Windows Server 2012 security, including Active Directory and Certificate Services, Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS), patch management, Hyper-V, remote access, and application, network, and cloud security.

This book is an essential reference for IT professionals and security administrators everywhere, so order now. You'll be glad you did!

Microsoft Security Bulletins for December 2013

For the month of December, Microsoft has released 11 security bulletins, 5 of which are rated as critical. Affected software includes all supported Microsoft client and server operating systems, all supported versions of Microsoft Office, SharePoint Server 2007 and 2013, Exchange Server 2010 and 2013, Lync 2010 and 2013, ASP.NET, and Visual Studio Team Foundation Server. This month’s security update cycle addresses four zero-day vulnerabilities which are currently being exploited in the wild (MS13-096, MS13-098, MS13-104, and MS13-106). MS13-098 also includes new functionality and changes in Windows Authenticode signature verification, which is detailed in Microsoft Security Advisory 2915720. For more information about December’s security bulletins, click here.

Security Articles of Interest

  1. With more revelations of government surveillance of private communications, Microsoft recently announced that they will increase their efforts to encrypt global communication links. Personally speaking, I find it difficult to understand how these links were not encrypted in the first place. Perhaps it is because for so many years I worked for a major U.S.-based financial services institution and our policy was to encrypt all links, even point-to-point links! We took nothing for granted. If there’s a silver lining in all of this spying finally coming to light, it’s that encrypting more communications is a good thing, because it not only protects us from the prying eyes of governments, but from cyber criminals as well.
    http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx

  2. On a loosely related note, this is an interesting article about a recent discovery of Internet traffic being hijacked and rerouted through foreign countries, presumably for the purpose of spying. The attacks leverage a weakness in the design of the Border Gateway Protocol (BGP) and appear to be targeted with intent. Experts believe that this might be occurring much more frequently than we know. The moral of the story here? Enable end-to-end encryption wherever possible. You never know where your Internet communication might be going!
    http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/
  3. If you know me at all, you know that I’m no fan of Java. A recent AV-Test.org study found that Java, together with Adobe Reader and Flash, was responsible for two-thirds of all vulnerabilities on Windows systems exploited by malware. Want to improve the security posture of your organization dramatically? Drastically reduce, or ideally eliminate completely, Java and Adobe Reader/Flash.
    http://www.av-test.org/en/news/news-single-view/artikel//adobe-java-make-windows-insecure/
  4. VMware recently announced security advisory VMSA-2013-0014 to address a security vulnerability in their VMware Workstation, Fusion, ESXi, and ESX virtualization solutions. The vulnerability allows privilege escalation in the guest (not guest to host) and affects Windows 2000 Server, Windows XP, and Windows Server 2003 running on these platforms.
    http://www.vmware.com/security/advisories/VMSA-2013-0014.htm
  5. Microsoft’s Digital Crimes Unit (DCU) recently announced that it has been successful in disrupting the ZeroAccess botnet. This botnet focused on hijacking users’ search results and directing them to potentially dangerous web sites that would install malicious software to steal personal information or participate in click fraud. More details here:
    http://blogs.technet.com/b/security/archive/2013/12/05/microsoft-severs-botnet-hijacking-search-results-and-exploiting-search-engines.aspx
  6. Have you changed your password for Facebook, Yahoo, Twitter, or Google lately? Might be a good time to do it! Security researchers recently discovered an online database loaded with stolen account information for these services. The database also included credentials for email and FTP accounts, along with RDP and SSH login information.
    http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html
  7. As we’re winding up the year, many security pundits are making their predictions for 2014. The Microsoft Trustworthy Computing team chimes in with their top cyber threat predictions for the new year here:
    http://blogs.technet.com/b/security/archive/2013/12/12/security-professionals-top-threat-predictions-for-2014.aspx

WindowSecurity.com Articles of Interest

  1. Cisco ASA 5500-X Series voted WindowSecurity.com Readers’ Choice Award Winner – VPN Solution
  2. The Evolution of Microsoft’s Rights Management Services – Part 1
  3. The Hardening of the Core – Security Information and Event Management – Part 1
  4. Pass-the-Hash: Protect Your Windows Computers – Part 2
  5. Use Windows Command Line Tools and PowerShell Cmdlets to Manage Security in Windows Server 2012 – Part 3

Windows Security Tip of the Month

Finishing out our theme of attack surface reduction in this month’s newsletter, my security tip of the month is a little-known utility from Microsoft called, intuitively enough, the Attack Surface Analyzer. The Microsoft Attack Surface Analyzer is a tool that Microsoft uses internally to verify and catalog changes in system state, runtime parameters, and securable objects in the Windows operating system when a new application is installed and configured. This tool is invaluable for understanding how an application installation can impact the attack surface of a system before it is deployed. The tool is first run on a clean system to provide a baseline for further analysis. After the application is installed, it is run once again to produce a detailed comparison in the form of an attack surface report. This tool is highly recommended for security administrators who want to fully understand the impact that installing an application has on the overall attack surface of a given system. You can download the Microsoft Attack Surface Analyzer here.
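The baseline-then-compare workflow described above, as an added PowerShell example that is not the Attack Surface Analyzer and not from the newsletter: it snapshots services, listening TCP ports and enabled scheduled tasks before an install (-Mode Baseline), then reports what the install added or changed (-Mode Compare). The parameter names, the snapshot path and the three categories it tracks are this example's own choices; it assumes Windows Server 2012/R2 or later, where Get-NetTCPConnection and Get-ScheduledTask exist.

```powershell
# Added example: a lightweight attack surface baseline and diff (not the
# Microsoft Attack Surface Analyzer, which covers far more object types).
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Baseline',                              # hypothetical parameter name
    [string]$SnapshotPath = "$env:ProgramData\asr-baseline.xml"  # constructed path
)

function Get-SurfaceSnapshot {
    # Services with state and start mode: a new auto-start service is new attack surface
    $services = Get-WmiObject Win32_Service |
        ForEach-Object { "SVC|{0}|{1}|{2}" -f $_.Name, $_.State, $_.StartMode }
    # Listening TCP endpoints: what is reachable from the network
    $ports = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { "TCP|{0}:{1}|PID={2}" -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess }
    # Enabled scheduled tasks: persistence and periodic code execution
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Disabled' } |
        ForEach-Object { "TASK|{0}{1}" -f $_.TaskPath, $_.TaskName }
    @($services) + @($ports) + @($tasks) | Sort-Object -Unique
}

$snapshot = Get-SurfaceSnapshot

if ($Mode -eq 'Baseline') {
    $snapshot | Export-Clixml -Path $SnapshotPath
    Write-Host ("Baseline of {0} items written to {1}" -f $snapshot.Count, $SnapshotPath)
    return
}

$baseline = Import-Clixml -Path $SnapshotPath
# SideIndicator '=>' means present only after the install, '<=' only before it
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $snapshot
if (-not $diff) { Write-Host "No attack surface changes since baseline."; return }

Write-Host "Attack surface changes since baseline:"
$diff | ForEach-Object {
    $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Host ("  {0} {1}" -f $tag, $_.InputObject)
}
```

Run it once on the clean system, install the application, then run it again with -Mode Compare; every ADDED service, port or task is something to justify before the server goes into production.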