WindowSecurity.com - Monthly Newsletter - January 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Happy New Year! The WindowSecurity.com monthly newsletter kicks off 2015 in a similar fashion as 2014, with a discussion of the end of support for another popular Microsoft operating system – Windows Server 2003. Much like Windows XP last year, there’s a lot of discussion about the support deadline and migration options. There seems to be less doom-and-gloom regarding the security impact of running Windows Server 2003 past the end-of-support date, perhaps because it is not used primarily by consumers for Internet activities. Regardless, this is a significant event and organizations still supporting Windows Server 2003 in production environments will need to plan accordingly.

--Rich

Windows Server 2003 Migration

July 14, 2015. That’s the day that Microsoft will formally end support for the venerable Windows Server 2003 operating system. Like Windows XP, Windows Server 2003 has been widely deployed and is still in use today in datacenters around the world. As with XP, Microsoft will no longer produce security updates for Windows Server 2003 past July of this year, so organizations should plan to migrate workloads off of 2003 before that date.

There is a plethora of information and support for migrating from Windows Server 2003. Of course all of the hardware and virtualization vendors are marketing heavily in this space too. Not surprisingly, cloud service providers are using this as an opportunity to attract new customers. For many organizations, this might just be the time to consider a move to the cloud!

With the maturity of public cloud offerings like Microsoft Azure, organizations moving workloads from Windows Server 2003 would do well to consider hosting those workloads in Azure. Azure’s infrastructure-as-a-service (IaaS) solution is stable and robust, offering unparalleled flexibility and agility. Microsoft continues to pile up important security certifications and accreditations, so you can have peace of mind in knowing that your data and applications are well taken care of. Honestly, in spite of the fact that security concerns are one of the main barriers to entry for many organizations, Microsoft Azure provides considerably more protection than most organizations have the ability to provide for themselves.

Connecting to the public cloud has never been easier. Current Internet connections are fast and cheap, allowing for excellent connectivity using tired and true technologies such as site-to-site IPsec VPN. For large enterprises with more demanding networking requirements, it is now possible to peer directly with Azure datacenters by connecting your current MPLS network WAN via dedicated exchange providers facilities.

2. Bulletproof SSL and TLS

With recent revelations of wide spread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!

Image

Click here to order your copy today!


3. Microsoft Security Bulletins for January 2015

For the month of January Microsoft released 8 security bulletins; 1 critical and 7 important. Updates for this month address vulnerabilities in all supported versions of Windows. The one critical update this month, MS15-002, addresses a vulnerability in the Windows Telnet Service, which is not widely deployed. The impact of this vulnerability should be minimal. For more information about January’s security bulletins click here.

4. Microsoft Security Advisories for January 2015

Microsoft released one security advisory for the month of January 2015. Security advisory 2755801 addresses an update for vulnerabilities in Adobe Flash Player in Internet Explorer.


5. Security Articles of Interest

  1. As I stated in previously in this newsletter, Microsoft Azure continues to compile an impressive list of security certifications and accreditations. Recently Microsoft announced that Azure Government is the first commercial infrastructure cloud platform to meet Criminal Justice Information Services (CJIS) requirements for federal, state, and local governments.
    http://azure.microsoft.com/blog/2014/12/18/microsoft-azure-government-meets-criminal-justice-information-services-cjis-requirements/
    http://azure.microsoft.com/blog/2015/01/13/microsoft-azure-reaches-new-industry-leading-cloud-compliance-milestones/

  2. In the continuing saga where Microsoft is resisting attempts by the U.S. government to force it to disclose information stored on a datacenter that is not in the U.S., 10 major groups representing 28 leading technology and media companies filed “friend of the court” briefs siding with Microsoft in this case. This case is compelling and worth following, as the decisions reached here will have far reaching effects.
    http://blogs.microsoft.com/blog/2014/12/15/business-media-civil-society-speak-key-privacy-case/

  3. Google has stated that it plans to begin marking HTTP pages as insecure in their Chrome web browser. Personally, I think this is a bad idea. I believe that this will flood users with errors about pages being secure that they have been visiting without issue for years, ultimately resulting in them ignoring valid security warnings. In addition, there are plenty of web sites where security isn’t required or necessary.
    http://www.zdnet.com/article/google-mark-http-pages-as-insecure/

  4. Microsoft not only continues to make great strides with the security of their platforms, applications, and services, but also for making the ecosystem more secure by supporting global initiatives to develop cybersecurity strategies and risk management frameworks.
    http://blogs.microsoft.com/cybertrust/2014/12/19/nis-platform/

  5. Are you using an outdated web browser? If so, now is the time to update! Using data from the latest Microsoft Security Intelligence Report (SIR), the data shows that users are significantly better protected and less likely to encounter malicious software if they are using Internet Explorer 11.
    http://blogs.technet.com/b/mmpc/archive/2014/12/18/make-your-browsing-14x-safer-for-the-holidays.aspx

  6. In a somewhat surprising turn of events, Microsoft announced recently that it will discontinue the security bulletin Advance Notification Service (ANS). Citing an evolution in the way that users consume this information as the reason behind discontinuing the notification, many believe that recent update challenges may be the real motivating factor.
    http://blogs.technet.com/b/msrc/archive/2015/01/08/evolving-advance-notification-service-ans-in-2015.aspx

  7. Recently security researchers at Google announced a security vulnerability in Windows 8.1. Normally this isn’t a problem, but Google, in sticking to their 90 release policy, announced the vulnerability before Microsoft had released an update for it. Ostensibly Google released the vulnerability in order to “force” vendors to publish updates more quickly, but Microsoft had an update ready to release on their well-known update Tuesday schedule. In my opinion, Google was being extremely irresponsible and releasing the vulnerability prior to Microsoft releasing the patch solved nothing, and needlessly put customers at risk.
    https://code.google.com/p/google-security-research/issues/detail?id=118

  8. Microsoft responds publicly to Google’s release of a security vulnerability in Windows 8.x prior to Microsoft releasing the update.
    http://threatpost.com/microsoft-censures-google-for-publishing-windows-vulnerability/110347

  9. IPv6 is coming, and security administrators are advised to get up to speed on this critical protocol. IPv6 uses extension headers, and these can be leveraged by attackers to evade in place intrusion detection and prevention systems.
    http://www.insinuator.net/2015/01/how-to-configure-snort-to-stop-ipv6-evasion-attacks/

  10. Conduct a security investigation like a Chef? Not entirely, but analysts can learn a few things from the culinary arts. I’m sure you’ll enjoy this unique perspective on security investigations.
    http://chrissanders.org/2015/01/investigating-like-a-chef/

  11. To address the security concerns for public utilities and energy companies and to help them implement risk management strategies and security best practices, the United States Department of Energy recently released their Energy Sector Cybersecurity Framework Implementation Guidance.
    http://www.federaltimes.com/story/government/cybersecurity/2015/01/09/energy-cybersecurity-framework/21500813/


6. WindowSecurity.com Articles of Interest

  1. Configuring, Verifying, and Removing Active Directory Delegations – Part 1
  2. ManageEngine ADAudit Plus – Voted WindowSecurity.com Reader’s Choice Award Winner – Network Auditing Solution
  3. Windows 10 Privacy and Security Features at a Glance – Part 2
  4. Patch or Not? Weighing the Risks of Immediate Updating

7. Windows Security Tip of the Month

Support for Windows Server 2003 ends on July 14, 2015. Don’t be left out in the cold. Start planning your migration today! Microsoft has a number of resources and tools to make this task easier. For example, the Windows Server 2003 Migration Planning Assistant can help organizations discover, assess, target, and migrate from Windows Server 2003 in an efficient manner. For more information about the migration planning assistant and to get started planning your migration today, click here.