WindowSecurity.com - Monthly Newsletter - February 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

As a matter of practice, when I purchase a new PC, laptop, or Windows tablet, prior to use I always perform a wipe and reload of the operating system using installation media obtained directly from Microsoft. I’ve done this for quite some time now simply because I despise all of the annoying applications and software that come preinstalled on new systems. Often referred to as “bloatware”, all of this additional unwanted software consumes valuable system resources (CPU, memory, disk space) and tends to make things more cluttered than I prefer. Over the last several months there has been a spate of incidents in which computer original equipment manufacturers (OEMs) have been loading software that introduces serious security risks. So, not only does wiping and reloading give me a tidy installation, it also improves my security posture. It’s definitely a habit that others should consider adopting.

--Rich

Preinstalled Software on New PCs

Preinstalling software on a new PC has long been standard practice for computer manufacturers (OEMs). Often the software they preload is essential, such as antivirus software, or helpful, such as trial versions of productivity suites like Microsoft Office. More commonly they include software that isn’t altogether required, such as Java, Acrobat Reader, various system utilities, or a variety of games. Not only does this preinstalled software clutter up the system and consume valuable resources, it also increases the attack surface of the device because the software itself often poses an inherent security risk (Java, Adobe Reader, Flash, etc.). Adding third-party web browsers is increasingly popular as well. The problem is that all of this software requires ongoing maintenance and increases the overall attack surface of the system.

To make matters worse, there have been a number of disturbing reports recently in which computer manufacturers have been caught installing software on their devices that essentially spied on their users. They accomplished this by implementing software that effectively performed a man-in-the-middle (MitM) attack on the user’s own web traffic. The software was installed on new Lenovo PCs under the guise of providing better search results, but really it was used to serve up additional advertising.

In some cases, software installed on the system contains critical software vulnerabilities or is implemented using poor security practices. It was recently identified that a file-sharing application installed on Lenovo computers included a hardcoded password. Critically, the password they chose to hardcode into their software was “12345678”, one of the top 3 most common (and worst) passwords of all time.

Another shocking case was brought to light a while back when Samsung computers were found to be disabling Windows Update proactively! A “software update” application preinstalled on these computers was found to be silently turning off system updates without the knowledge of the user. According to the OEM, they were disabling Windows Update because device drivers were being installed that were causing some instability and generating support calls. That’s understandable, but disabling Windows Update wholesale and placing millions of users at serious risk is not the right answer!

As you can see, there is a great propensity for computer manufacturers to seriously compromise the security, privacy, and integrity of your PC with preinstalled software. Take my advice: always perform a wipe and reload of the operating system and install from media obtained directly from Microsoft. Remember, installing from the OEM’s media might just put all of that unwanted software back, which would of course defeat the entire purpose of wiping and reloading!


WindowsNetworking.com kicks off a new series of expert interviews.

Join us on WindowsNetworking.com as we kick off our new series of expert interviews with IT insiders and tech gurus conducted by MVP Mitch Tulloch.

Our first interview series is with Johan Arwidmark, Microsoft MVP Cloud and Data Center Management, and Mikael Nyström, Microsoft MVP Cloud and Data Center Management. They will be discussing:

  • Which updates were made to MDT 2013 to support Windows 10 deployment?
  • What changes will you need to make to your deployment infrastructure as new versions of Windows 10 are released by Microsoft?
  • What customizations are possible in Windows 10?
  • And much more!

Sign up to the WindowsNetworking.com Real Time Article Update Newsletter to be instantly informed once the first part of the interview is published on Thursday, February 25th.


2. Richard M. Hicks Consulting

Looking for assistance with the design, implementation, or support of a Microsoft DirectAccess remote access solution? Need help migrating from Microsoft Forefront Threat Management Gateway (TMG) 2010? Interested in guidance for integrating on-premises networks with Microsoft Azure or Amazon Web Services? I can help!

I am a Microsoft Certified Solutions Associate (MCSA) with nearly 20 years’ experience working with Microsoft network security platforms. I’ve deployed DirectAccess and VPN solutions for some of the largest organizations in the world. I’ve also helped organizations large and small implement hybrid cloud network solutions, migrate from Forefront TMG to other security platforms, and perform other security related services.

For more information about consulting services, click here.



3. Microsoft Security Bulletins for February 2016

For the month of February Microsoft released 13 security bulletins, 6 of which are rated critical and 7 important. Affected software includes all supported versions of Windows, Internet Explorer, Edge, Microsoft Office, the .NET Framework, and Adobe Flash Player. Administrators are advised, as always, to get the IE and Edge browser cumulative updates installed as soon as possible. The vulnerabilities in Office, a ubiquitous application suite, would rank as a close second in my book.

For more information about February’s security bulletins click here.


4. Microsoft Security Advisories for February 2016

For the month of February, Microsoft released security advisory 3137909, which addresses vulnerabilities in ASP.NET templates that could allow tampering. In addition, Microsoft updated security advisory 2871997, which addresses an update to improve credential protection and management in Windows operating systems.


5. Security Articles of Interest

  1. As mentioned previously, it was recently identified that Lenovo computers were being shipped with file-sharing software that included a default, hard-coded password. As it turns out, and making matters much worse, the password is 12345678, which is one of the most common (and worst!) passwords of all time. Take my advice, always wipe and reload when you get a new PC or laptop!
    http://www.zdnet.com/article/lenovo-used-third-worst-password-in-file-sharing-backdoor-flaw/
  2. In a very sad display of poor journalism, a so-called “writer” at Forbes has penned an article that purports that Windows 10 is pervasively “spying” on its users. If you have even the most basic understanding of networking, you’ll understand that his “test”, which consisted of blocking all traffic from the Windows 10 machine to the Internet and observing its behavior, was completely irrelevant and really proved nothing. Fortunately, veteran IT technology writer Ed Bott set the record straight here.
    http://www.zdnet.com/article/when-it-comes-to-windows-10-privacy-dont-trust-amateur-analysts/
  3. In an effort to improve privacy for Skype users, Microsoft announced recently that it would begin hiding the IP address of Skype connections by default. The update is included with the latest update for Skype on Windows, Windows Phone, and Android. The update is forthcoming for iOS.
    http://blogs.skype.com/2016/01/21/to-our-gamers-ip-will-now-be-hidden-by-default-in-latest-update/
  4. In a very interesting article published recently by veteran security analyst Chris Sanders, the role of curiosity in security investigations is considered. Curiosity itself is explained, and its effect and usefulness in forensic analysis is examined. This really is a thought-provoking piece and definitely worth the read.
    http://chrissanders.org/2016/01/curiosity-in-security-investigations/
  5. Windows credentials (usernames and passwords) have long been the bane of security administrators. Usernames themselves often divulge important information, and passwords must be sufficiently long and complex to prevent guessing, yet remain simple enough to remember. To address these challenges, Microsoft has included two important new technologies in the latest version of the Windows desktop client operating system – Windows Hello and Windows Passport. More details here:
    https://msdn.microsoft.com/en-us/library/windows/apps/xaml/mt608493.aspx
  6. Moving to the cloud invariably presents challenges with meeting security and compliance mandates. Often to meet these requirements, many of the tasks must be handled by the cloud provider, while at the same time some of them must also be handled by the organization. Microsoft recently released a whitepaper designed to address some of the compliance requirements included in ISO 27001 that are unique to migrating applications or services to the Azure public cloud.
    https://azure.microsoft.com/en-us/blog/13-effective-security-controls-for-iso-27001-compliance/
  7. In his continuing series on developing an enterprise IPv6 security strategy, veteran IPv6 security expert Enno Rey highlights required and necessary controls at the host-based level. IPv6 is coming, so now is the time to start planning for it!
    https://www.insinuator.net/2016/02/developing-an-enterprise-ipv6-security-strategy-part-6-controls-on-the-host-level/
  8. While not exactly a new revelation, it is a valuable reminder that many of today’s common security vulnerabilities and risks can be completely mitigated by removing administrative rights from end users. Details here:
    http://www.zdnet.com/article/most-windows-flaws-mitigated-by-removing-admin-rights-says-report/
  9. When considering a migration to Windows 10, security is often top of mind for many organizations. Windows 10 includes many new and compelling security features designed to improve the security posture of the platform greatly. In this latest article from Microsoft, they address the specific requirements for protecting governments from modern security threats using Windows 10.
    http://enterprise.microsoft.com/en-us/industries/government/protecting-governments-from-modern-security-threats/


6. WindowSecurity.com Articles of Interest

  1. Video: Finding Active Directory Users that have Never Logged On
  2. Authenex Powerful Authentication Server - Voted WindowSecurity.com Readers' Choice Award Winner - Authentication / Smart Cards
  3. IoT: The Threats Keep on Coming (Part 2)
  4. Impact of Technology on Wireless Security
  5. IoT: The Threats Keep on Coming (Part 3)

7. Windows Security Tip of the Month

With computer manufacturers increasingly preinstalling software that often introduces serious and critical security vulnerabilities and risks, performing a wipe and reload of any new PC or laptop is essential. Not only does it yield a cleaner installation without all of the added bloatware, you can rest assured that no additional third-party software shipped by the OEM is spying on you or otherwise placing your security or privacy at risk.

Wiping the system can be accomplished in several different ways. The simplest is to delete the existing partitions and reformat. The process involves booting from the Windows installation media and pressing Shift+F10 when you reach the first prompt. This launches a command shell where you can use Diskpart to remove the partitions. Don’t forget to convert the disk to the GUID Partition Table (GPT) to ensure that features like UEFI and Secure Boot continue to work in the future!

Another option is to use disk wiping software. While Diskpart works quickly and effectively, it does not securely erase the drive. When wiping and reloading a new PC, perhaps a secure wipe isn’t really necessary. But, if you are really paranoid, securely erasing is the way to go. There are a number of third-party tools that can perform this task, both free and commercial. One of the best free tools is Darik’s Boot and Nuke (DBAN). Commercial tools can be found using your favorite search engine.

Finally, to reinstall Windows you will of course need the installation media. I recommend getting it directly from Microsoft. Using the media provided with a new PC may risk putting the very software you’re trying to avoid back on the computer. If you have a Microsoft Volume Licensing agreement or an MSDN account, you can download the software through those channels. If you are a consumer, you can download the consumer editions of Windows here. Be advised that it might be necessary to first run through the out-of-box experience (OOBE) on your new PC and associate it with your Microsoft account prior to wiping it in order for the licensing information to be stored with your Microsoft account.
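The Diskpart step of the procedure above, written out as an added example (this is not from the newsletter): a batch snippet for the Shift+F10 shell that writes a Diskpart script to the WinPE RAM drive (X:) and runs it to remove every partition on the target disk and convert it to GPT. The disk number 0 is an assumption; confirm it interactively with `list disk` first, because `clean` destroys all data on whichever disk is selected.

```bat
@echo off
rem Added example, not part of the original article.
rem ASSUMPTION: the drive to wipe is disk 0. Run "diskpart" then "list disk"
rem beforehand and check the size column; "clean" removes every partition and
rem all data on the selected disk, and a mis-selected USB key or second drive
rem would be wiped instead.
(
  echo select disk 0
  echo clean
  echo convert gpt
  echo list disk
  echo exit
) > X:\wipe-gpt.txt

rem Run the script non-interactively; the final "list disk" shows an asterisk
rem in the Gpt column for the converted disk.
diskpart /s X:\wipe-gpt.txt
```

After the script finishes, close the shell and continue Setup, choosing the unallocated space on the disk; Setup creates the EFI, MSR, and Windows partitions itself when booted in UEFI mode.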