WindowSecurity.com - Monthly Newsletter - July 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


Editor's Corner

I recently returned from Washington D.C. where I attended the annual Microsoft Worldwide Partner Conference. This conference is held each year to share sales and marketing strategy with Microsoft’s vast partner ecosystem to ensure alignment with their stated corporate goals and objectives for their next fiscal year, which not coincidentally starts on July 1st. During the keynote address, various Microsoft luminaries lay out the focus for the next year with regard to sales. The mantra driven home clearly was “Cloud-First, Mobile-First”. As Microsoft transforms from a software company to a devices and services company, the promotion of services like Office 365 and Microsoft Azure was front and center. Microsoft’s go-to-market strategy last year focused on four main pillars – cloud, mobile, social, and big data. This year Microsoft announced they’d be adding a fifth pillar – security. I was pleasantly surprised to hear this, but it makes perfect sense. There’s an important element of trust required to convince customers to move their services and data to the Microsoft cloud, and this change in strategy reflects the seriousness with which they need to address these concerns. Of course security isn’t something new to Microsoft. They’ve made tremendous strides with regard to security across their product lines over the last ten years. However, security in the cloud is a different story. Arguably the infrastructure and services hosted in the Microsoft public cloud are infinitely more secure than most small and mid-sized businesses, and perhaps even many large enterprises. After all, the resources Microsoft assigns to implementing and maintaining security for their solution far exceed all but the largest enterprises. That doesn’t mean we should simply take their word for it though. For this we’ll need to rely on certifications and attestation from important third parties who have audited the Microsoft public cloud. When you review the programs for which Azure has met compliance, perhaps you’ll be more inclined to consider using Microsoft public cloud services in the future.

--Rich

Microsoft Azure Security and Compliance

Microsoft Azure boasts a very secure hosted public cloud solution that organizations of all sizes can put their faith in. Azure features modern security practices coupled with extensive experience operating some of the largest and busiest properties on the Internet. Designed and managed using the mature Security Development Lifecycle (SDL) and leveraging the expertise and global threat landscape insight from the Microsoft Digital Crimes Unit (DCU), the Microsoft Cybercrime Center, and the Microsoft Malware Protection Center (MMPC), Microsoft can maintain the highest levels of assurance and protection for its customers. Additional security controls in place include around-the-clock physical security monitoring, centralized monitoring, logging, alerting, and event correlation, automated patching of Azure infrastructure systems (hosts), virus and malicious software protection, intrusion detection and Distributed Denial of Service (DDoS) mitigation, network isolation and encrypted communication, optional private network connections with ExpressRoute, and strong data encryption using AES 256. Microsoft also regularly conducts proactive penetration testing to ensure that in-place security controls and practices are performing as they were intended.

To demonstrate the security of the Azure public cloud solution, and to help customers address their own audit and compliance requirements for infrastructure and services hosted in Azure, Microsoft has completed several important certifications and accreditations, such as the ISO/IEC 27001:2005 audit and certification and SOC 1 and SOC 2 SSAE 16/ISAE 3402 attestations. In addition, Microsoft Azure has been audited against the Cloud Security Alliance Cloud Controls Matrix, has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), and is compliant under the Payment Card Industry (PCI) Data Security Standard (DSS) Level 1. For customers using Azure to conform to certain HIPAA and HITECH provisions, a HIPAA Business Associate Agreement (BAA) is available. Azure complies with requirements for the Family Educational Rights and Privacy Act (FERPA), and has also been awarded the G-Cloud Impact Level 2 Accreditation in the United Kingdom.

For more information regarding compliance in Azure, download the Security, Privacy, and Compliance in Microsoft Azure whitepaper here.

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, until now there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.



Microsoft Security Bulletins for June 2014

For the month of July, Microsoft released 6 security bulletins addressing 29 vulnerabilities. 2 bulletins are rated as critical, 3 are rated as important, and 1 is rated as moderate. Affected software includes all supported versions of Windows and Internet Explorer. For more information about July’s security bulletins click here. Microsoft also released three security advisories, including security advisory 2871997, which changes the default behavior of Restricted Admin mode in Windows 8.1 and Windows Server 2012 R2 in an effort to defend against credential theft. Security advisory 2960358, which is an update for disabling RC4 in .NET TLS, has been updated, along with security advisory 2755801, which is an update for vulnerabilities in Adobe Flash Player in Internet Explorer. In addition, shortly after the Tuesday update cycle Microsoft released security advisory 2982792, which addresses improperly issued digital certificates that could allow spoofing. Also, be advised that there have been reports that one of this month’s updates may be causing crashes on certain Dell computers that have Dell Data Protection-Encryption and CMGShield installed.


Security Articles of Interest

  1. Last month Microsoft announced a private preview of a new security and threat information exchange platform designed for security professionals. Called “Interflow”, this platform provides an automated, machine-readable feed of threat and security information that can be shared in near real-time. Built using open specifications, it enables Interflow to integrate with existing analytical tools in use today in many organizations. More information about Interflow can be found here:
    http://www.microsoft.com/interflow/
    http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx
    http://technet.microsoft.com/en-us/security/dn726547
  2. In their continuing efforts to protect the Windows ecosystem and customers from malicious software, the Microsoft Digital Crimes Unit (DCU) recently announced that it was successful in disrupting the Jenxcus and Bladabindi malware families. These malware families install backdoor Trojans that allow attackers to steal sensitive information and provide complete remote control of the infected system.
    http://blogs.technet.com/b/mmpc/archive/2014/06/30/microsoft-digital-crimes-unit-disrupts-jenxcus-and-bladabindi-malware-families.aspx

  3. Code changes recently introduced to Internet Explorer aim to improve the security of the popular web browser and make it much more difficult for attackers to launch attacks against IE that result in the execution of arbitrary code. The new code is designed to minimize the damage caused when “use-after-free” vulnerabilities are exploited. Attacks of this type have recently been used to target Internet Explorer versions 9, 10, and 11.
    http://arstechnica.com/security/2014/06/ie-users-get-new-protection-against-potent-form-of-malware-attack/

  4. In the wake of the NSA spying revelations, Microsoft continues to make efforts to improve the encryption used in its cloud service offerings like Outlook.com, Office 365, and Microsoft Azure. Outlook.com now features TLS encryption for both inbound and outbound mail. In addition, OneDrive now includes support for Perfect Forward Secrecy (PFS). That is definitely welcome news!
    http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/07/01/advancing-our-encryption-and-transparency-efforts.aspx

  5. Microsoft recently updated their whitepaper that outlines mitigation strategies for Pass-the-Hash and other types of credential theft. The paper encourages IT professionals to take the stance that they’ve already been breached, which is great advice. Credential theft is particularly insidious, as an attacker can masquerade as a legitimate user, making detection difficult or even impossible. In addition to the strategies and controls detailed in this updated whitepaper, organizations would be wise to consider strong authentication (certificates, smart cards, or one-time passwords) solutions, especially for remote access connectivity.
    http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx

  6. Following on my suggestion about implementing strong authentication solutions, Microsoft recently updated their whitepaper entitled “Understanding and Evaluating Virtual Smart Cards”. Virtual smart cards can be a cost-effective way to implement strong authentication in your organization. Remote access solutions such as DirectAccess also provide support for virtual smart cards. When properly implemented, they can dramatically improve your company’s overall security posture.
    http://www.microsoft.com/en-us/download/details.aspx?id=29076

  7. Speaking of virtual smart cards, last month I shared a link on how to configure TPM protected certificates using a Microsoft Certificate Authority (CA). This month Microsoft published part 2 of this article which pertains specifically to using virtual smart cards. Details here:
    http://blogs.technet.com/b/pki/archive/2014/07/15/setting-up-tpm-protected-certificates-using-a-microsoft-certificate-authority-part-2-virtual-smart-cards.aspx

  8. Security firm Aorato, specialists in Microsoft Active Directory security, recently discovered a vulnerability in Active Directory that may allow an attacker to change a victim’s password without being logged. The issue is linked to the use of NTLM. However, it appears that this “new” vulnerability is not in fact new, but something that has been known for quite some time and is in fact just a limitation of the Kerberos network authentication service. Microsoft provides details on how to manage this limitation here.
    http://www.aorato.com/blog/active-directory-vulnerability-disclosure-weak-encryption-enables-attacker-change-victims-password-without-logged/
    http://www.cso.com.au/article/550132/why_microsoft_active_directory_design_flaw_isn_t_serious/

  9. As I mentioned in the opening of this month’s newsletter, Microsoft is increasing the focus and importance of security in the FY2015 go-to-market strategy. It is vitally important that Microsoft address the concerns expressed by many organizations about the security of their public cloud offerings. Recent revelations of wholesale spying by the U.S. federal government certainly aren’t helping here. Let’s hope Microsoft continues to be successful in their efforts to improve security and privacy for their solutions.
    http://www.channelbuzz.ca/2014/07/microsoft-readies-security-go-market-10149/

  10. With the explosion of mobile devices and the ubiquity of wireless Internet access, the need to use a kiosk computer such as those located in hotel business centers has been greatly diminished, in my opinion. They are, however, still around and although those of us who are security minded would probably never consider using them, some travelers must still use them because they are still around! Recently the U.S. Secret Service advised the hospitality industry to pay close attention to these systems, warning them that they may be compromised. These types of systems are easy targets for attackers. If, for some reason, you are forced to use one of these systems I would discourage you from accessing any potentially sensitive information such as your banking or e-mail accounts. If you need to access these types of services, and you don’t have a trusted mobile device of your own to use, consider using Windows-to-Go or a Linux Live CD.
    http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/

  11. Microsoft recently ended support for Windows XP in April of this year. Next up is Windows Server 2003! Extended support for Windows Server 2003 ends on July 14, 2015. Time to start planning your migration now, if you haven’t already started.
    http://blogs.technet.com/b/in_the_cloud/archive/2014/07/15/countdown-to-end-of-support-for-windows-server-2003-take-your-datacenter-by-storm.aspx


WindowSecurity.com Articles of Interest

  1. Managing AppLocker in Windows Server 2012 and Windows 8.x – Part 1
  2. Termination of Windows XP Support – How Does This Affect Your Security?
  3. Kaspersky Security for Mail Server voted WindowSecurity.com Reader’s Choice Award Winner – Email Anti Virus
  4. Managing AppLocker in Windows Server 2012 and Windows 8.x – Part 2
  5. Advanced Persistent Threat Perception and Reaction – Part 1
  6. Managing AppLocker in Windows Server 2012 and Windows 8.x – Part 3

Windows Security Tip of the Month

An essential component of an effective security program is a well-defined penetration testing process. Penetration testing should be conducted on a regular and ongoing basis. This requirement does not change when an organization moves infrastructure and applications to the public cloud. However, special considerations must be made in these cases, as the cloud hosting provider is likely implementing security controls that can negatively affect the outcome of these tests. Microsoft Azure permits customers to perform penetration testing against infrastructure and services hosted on their platform, but they do require advance notice. More information about penetration testing for Azure hosted services and a link to the Penetration Testing Approval Form can be found here.