Monthly Newsletter - July 2013

Welcome to the newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to

Windows 8 Security Features

As the new editor of the Monthly Newsletter, I wanted to introduce myself and share with you a little about my background. My name is Richard Hicks, and I am a Microsoft Most Valuable Professional (MVP) in the Forefront Security discipline. I have been in the IT field for nearly 20 years, having served as an information security engineer for a Fortune 100 financial services institution and most recently as a pre-sales technical support engineer for a Microsoft OEM partner working with edge security and remote access solutions such as Forefront Threat Management Gateway (TMG), Forefront Unified Access Gateway (UAG), and DirectAccess. After many years of writing articles for, I’m excited to now be involved with and I’m looking forward to sharing with you interesting and relevant news and information about Microsoft Windows security on a monthly basis.

With each release of the Windows desktop and server operating systems, Microsoft continues to make great strides by improving existing security features and adding new ones as well. One of the main focuses for security in Windows 8 is malware resistance. Here are some of the security features included or enhanced in Windows 8:

Internet Explorer 10 – Arguably the most common attack vector on client systems is the web browser. With Internet Explorer 7, Microsoft introduced “Protected Mode”, which prevented an attacker from installing software or altering system settings in the event they were successful in executing their exploit code. Protected Mode essentially limits the access that the web browser has to perform functions such as writing to the My Documents folder. Enhanced Protected Mode further restricts the capabilities of the web browser by preventing malicious software from accessing locations that contain personal information. Windows 8 includes two flavors of Internet Explorer 10 (IE10) – a Modern UI version and a traditional desktop version. The Modern UI version of IE10 always runs in Enhanced Protected Mode and does not support the use of browser plug-ins, an increasingly common attack vector. For the desktop version, Enhanced Protected Mode must be enabled in the advanced settings of Internet Explorer. In addition, IE10 includes additional safeguards that prevent “use-after-free” vulnerabilities, which account for the majority of vulnerabilities reported for IE over the last few years.

Windows Defender – Windows Defender was an anti-spyware utility first introduced as an add-on for Windows XP, and later included with Windows Vista. Anti-malware protection was provided by Security Essentials, another optional component. In Windows 8, Windows Defender combines the previous anti-spyware feature with Security Essentials anti-malware functionality, providing a comprehensive, OS-integrated solution to prevent the download of viruses as well as malicious or potentially unwanted software.

SmartScreen – The SmartScreen filter, first introduced with Internet Explorer 8, is a security feature designed to detect and prevent the downloading of malicious software. SmartScreen works by comparing the requested download URL against a reputation database and blocking downloads from known malicious sites. With Internet Explorer 9, protection from malicious downloads was further enhanced by extending SmartScreen to provide application reputation, warning the user if they are downloading software that does not have a reputation for being safe. In Windows 8, SmartScreen protection is now part of the core operating system and extends these important security features to files being downloaded with third-party web browsers such as Firefox, Chrome, Opera, etc.

Enhancements to ASLR – Address Space Layout Randomization (ASLR) was first introduced in Windows Vista. ASLR randomizes the location of code and data in memory, preventing attacks that rely on the predictable location of code and data in memory. Windows 8 extends ASLR to protect more parts of Windows and includes increased randomization that prevents known attacks that circumvent existing ASLR implementations.

Windows kernel and heap – Many of the protections that worked only for user-mode applications have now been applied to the Windows kernel. The Windows kernel has now been updated to prevent user-mode processes from allocating the low 64K of process memory, preventing many known kernel-mode vulnerabilities from being exploited. Also, additional integrity checks for the kernel pool memory allocator now mitigate most kernel pool corruption attacks. The Windows heap has undergone significant changes and now includes new integrity checks, randomization, and guard pages that prevent heap overrun exploits.

Additional Security Features – Windows 8 includes additional features that make it increasingly difficult for an attacker to execute malicious code. Windows 8 Secured Boot now ensures that antimalware software starts before all other third-party components, which provides additional protection from malicious software loading device drivers during system startup. For systems that include Unified Extensible Firmware Interface (UEFI), Windows 8 can leverage a process called Measured Boot, where a log of all boot components that started before the antimalware software is provided to the antimalware software for later evaluation. Measured Boot requires that a Trusted Platform Module (TPM) 1.2 be installed on the system. In addition, BitLocker Drive Encryption, which is now available with the Professional edition of Windows 8, provides essential protection for disk drives and prevents offline attacks in the event a mobile computer or portable storage device is lost or stolen.

Windows 8.1, which will be available as a free update to all Windows 8 users later this year, includes additional security features and enhancements. Stay tuned for next month’s monthly newsletter as I’ll outline new security features included in this forthcoming release.


Windows Server 2012 Security from End to Edge and Beyond

If you're planning to deploy Windows Server 2012 now or in the future, be sure to order your copy of Windows Server 2012 Security from End to Edge and Beyond today. Written by veteran security authors Tom Shinder, Deb Shinder, and Yuri Diogenes, this book provides detailed, prescriptive guidance on how to architect, design, plan, and deploy Windows Server 2012 in a secure manner. This book covers all aspects of Windows Server 2012 security, including Active Directory and Certificate Services, Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS), patch management, Hyper-V, remote access, and application, network, and cloud security.

This book is an essential reference for IT professionals and security administrators everywhere, so order now. You'll be glad you did!


Click here to order your copy today!

Microsoft Security Bulletins for July 2013

For the month of July, Microsoft has released 7 security bulletins, 6 of which are rated as critical. Affected software includes Silverlight and .NET Framework, Windows Kernel-mode drivers, GDI+, Internet Explorer, DirectShow, Windows Media, and Windows Defender. For more information about July's security bulletins click here.

Articles of Interest

  1. It's been said that if you can own the e-mail, you can own the person. I think truer words have never been spoken. Once an attacker has access to your e-mail account, they can use it to reset passwords for various other services, such as banking and social media accounts, with relative ease. I advise everyone I know to use a very strong password for their e-mail accounts, and to make sure it is absolutely unique and not used for any other service. In addition, pay careful attention to those password reset questions. Often they require trivial knowledge about you, and frequently that information can be gleaned from publicly available social media content. My suggestion is to use nonsensical answers to these questions to make it more difficult for an attacker to leverage this vector to compromise your accounts.

  2. Microsoft recently released a whitepaper about securing Active Directory. This is quite possibly the single most important asset in your organization from a security perspective, and often one of the most overlooked. This whitepaper describes in detail how to identify vulnerabilities, reduce the attack surface, monitor for indicators of compromise, and how to develop a long-term security plan for your Active Directory.

  3. One of my personal pet peeves is the overuse of the term "Advanced Persistent Threat", or APT. This term has been overhyped by security solution vendors in an effort to promote their products, but often it masks the real source of the attack. In fact, many threats are not that advanced and are most commonly opportunistic. That's not to say that APTs aren't real, however. Many attacks are indeed targeted, often by very determined adversaries. Microsoft recently released a video series in which they provide background information about targeted attacks. In addition, the video series includes techniques for mitigating "pass-the-hash" attacks, and highlights the anatomy of a cyber-attack. The importance of securing Active Directory is also covered.

  4. Last month Microsoft released the latest version of the Enhanced Mitigation Experience Toolkit (EMET). EMET 4.0 is an important tool that can be leveraged to provide protection for applications using the latest Windows security technologies. EMET 4.0 helps protect against Man-in-the-Middle attacks by leveraging Public Key Infrastructure (PKI) and hardens applications against Return-Oriented Programming (ROP) attacks. It has also been updated to work with Windows 8 and Internet Explorer 10.

  5. In late June 2013, Microsoft launched a security bounty program. In an effort to persuade hackers and security researchers to work more closely with them rather than publicly disclose vulnerabilities directly, Microsoft will begin paying for certain types of vulnerabilities and exploitation techniques. Not only will Microsoft pay for unique exploitation techniques for circumventing security protections in Windows 8.1 Preview, they will pay additional money if the author includes defensive techniques for their exploit.

  6. The consumerization of IT is one of the most disruptive technologies to come along in quite some time. The Bring Your Own Device (BYOD) movement, where end users access corporate resources with consumer devices, presents a significant challenge for security administrators charged with protecting their corporate assets, while at the same time ensuring productivity for mobile users. Microsoft released the results of its recent Trust in Computing survey, which shows that BYOD is gaining acceptance at an astonishing rate. If you're not preparing for the security challenges presented by BYOD, it's definitely time to get started.

  7. Recently security researchers discovered more than 300,000 servers that were at serious risk of compromise due to flaws in popular out-of-band management protocols such as Intelligent Platform Management Interface (IPMI) and Baseboard Management Controllers (BMC). In my experience, these interfaces are often overlooked and typically poorly (if at all) managed and maintained. Since these management interfaces essentially provide physical access to a system, companies would be well advised to review their use.

Articles of Interest

  1. Video: Windows Server 2008 R2 Dcpromo "Local Administrator Password" error message
  2. Security Awareness Training: Your First Line of Defense (Part 3)
  3. Product Review – Netwrix Auditor
  4. The Journey to ISO 27001 (Part 1)
  5. Securing Windows Service Accounts (Part 2)

Windows Security Tip of the Month

If you're sitting at the console of a server (or logged in remotely using RDP), it's pretty easy to find out who is logged on to the server by using the NET SESSION command. However, determining who is logged on to a server when you are remote is a different story. The Windows OS doesn't natively include any tools to accomplish this task, but one tool that I use for this is PsLoggedOn from Sysinternals. With PsLoggedOn, you can quickly and easily determine who is logged on to a system remotely. PsLoggedOn can be downloaded here.
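For administrators who want the same information from a script, the following PowerShell function is an added example (not from the newsletter or from Sysinternals) that approximates PsLoggedOn's two checks: it enumerates the SID-named profile keys under HKEY_USERS on the remote host and reads the share sessions that NET SESSION shows locally. It assumes administrative rights on the target, the Remote Registry service running, and WMI/DCOM reachable; the server names are constructed placeholders.

```powershell
# Added example: approximate PsLoggedOn from PowerShell against a remote host.
function Get-RemoteLogonInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    # 1. Interactive logons: each loaded user profile appears as a SID-named
    #    subkey under HKEY_USERS, which is what PsLoggedOn enumerates.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($name in $hive.GetSubKeyNames()) {
            # Keep only domain/local account SIDs; skip service SIDs and *_Classes keys
            if ($name -notmatch '^S-1-5-21-\d+' -or $name -like '*_Classes') { continue }
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($name)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved SID)'   # deleted account or untrusted domain
            }
            [pscustomobject]@{
                ComputerName = $ComputerName; Type = 'Interactive'
                Account = $account; Client = $null
            }
        }
    } finally {
        $hive.Close()
    }

    # 2. Logons via resource shares: the same data NET SESSION shows locally,
    #    read remotely through the Win32_ServerSession WMI class.
    Get-WmiObject -Class Win32_ServerSession -ComputerName $ComputerName |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $ComputerName; Type = 'Share'
                Account = $_.UserName; Client = $_.ComputerName
            }
        }
}

# Usage: audit several servers in one pass (server names are placeholders)
'SERVER01', 'SERVER02' |
    ForEach-Object { Get-RemoteLogonInfo -ComputerName $_ } |
    Format-Table ComputerName, Type, Account, Client -AutoSize
```

Both queries are logged on the target as remote registry and WMI access, so a host that is not expected to be audited this way should show neither in its security log.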