WindowSecurity.com - Monthly Newsletter - July 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

In mid-July, Microsoft made a formal announcement about the release date of the forthcoming Windows Server 2016 operating system. Microsoft has stated they will be releasing the new operating system during the Microsoft Ignite conference the week of September 26, 2016. Many of the new capabilities are designed with the cloud in mind, and in fact many of them certainly originated in Azure. And while much of the new stuff is designed for scalability and deployment flexibility, there are some important new security features as well.
 
--Rich
 

Windows Server 2016

Windows Server 2016 includes many new features that are sure to streamline private cloud deployments, as Microsoft has made heavy investments in virtualization in this release. The most prominent of those is the new Nano Server deployment option, which is a radically refactored installation that dramatically reduces the footprint of the server. From a security perspective this is an excellent idea, as the attack surface is reduced significantly in this configuration. However, Nano Server supports only a limited number of workloads and is primarily designed to serve as a virtualization host or web server.

There are, however, a number of very important security features being introduced in Windows Server 2016. Here are some of the major ones.

Just Enough Administration (JEA) – JEA enables delegated administration for PowerShell. It extends and enhances the security of Desired State Configuration (DSC).

Shielded Virtual Machines – Windows Server 2016 also introduces Shielded Virtual Machines, which I wrote about extensively in last month’s WindowSecurity.com monthly newsletter.

Windows Defender – Microsoft’s integrated antimalware solution, available in their client operating systems for many years, is now included in the server operating system.

Microsoft Passport for Work – Windows Server 2016 includes support for centralized management and control of user device registration using on-premises Active Directory only. The organization must have at least one domain controller running Windows Server 2016 to enable this configuration. An Active Directory Federation Server (AD FS) running Windows Server 2016 is required for certificate-based Passport for Work deployments.

Certificate Services – Microsoft Active Directory Certificate Services (AD CS) provides better support for Trusted Platform Module (TPM) key attestation. It is now possible to use Smart Card KSP for key attestation, and NDES enrollment is now supported for devices that are not joined to the domain.

Federation Services – Microsoft Active Directory Federation Services (AD FS) now includes support for authenticating users stored in a Lightweight Directory Access Protocol (LDAP) directory.

Web Application Proxy (WAP) – WAP features enhanced publishing and preauthentication for more applications and has a better user experience. Exchange ActiveSync is now a supported workload, and wildcard domains can be used to simplify SharePoint publishing.
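To make the JEA item above concrete, here is an added example (not from the newsletter or from Microsoft) that builds a minimal JEA endpoint in PowerShell: a role capability exposing only a couple of service cmdlets, and a session configuration that runs as a transient virtual account with transcription. The module name JeaDnsOps, the group CONTOSO\DnsOperators and the folder C:\JEATranscripts are assumed placeholders.

```powershell
# Added example: minimal JEA endpoint for a "DNS operator" role.
# Assumptions (placeholders): module name JeaDnsOps, group CONTOSO\DnsOperators
# and transcript folder C:\JEATranscripts are invented for this illustration.

# Role capability files must live under <module>\RoleCapabilities in a module
# on $env:PSModulePath, so create a small module shell to hold one.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDnsOps'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaDnsOps.psd1')

# 1. Role capability: an allow-list of what the delegated user may run.
#    Restart-Service is constrained so -Name can only be 'DNS'; every other
#    cmdlet, function and external program stays invisible in the session.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )

# 2. Session configuration: restricted (NoLanguage) endpoint, run as a
#    virtual account so no standing admin credential is exposed, with
#    over-the-shoulder transcripts for audit.
$transcripts = 'C:\JEATranscripts'
New-Item -Path $transcripts -ItemType Directory -Force | Out-Null
$psscPath = Join-Path $env:TEMP 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

# Validate the file before registering, then expose it as endpoint 'DnsOps'.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Invalid session configuration file: $psscPath"
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $psscPath -Force | Out-Null

# A member of DnsOperators then connects with
#   Enter-PSSession -ComputerName <server> -ConfigurationName DnsOps
# and Get-Command inside that session lists only the allow-listed commands.
```

Anything the operator does in the endpoint is recorded under the transcript folder, which is the audit trail to review when delegated rights are granted this way.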

2. Implementing DirectAccess with Windows Server 2016

DirectAccess is a remote access technology included in Windows Server 2016. It provides seamless, transparent, always-on remote network connectivity for managed Windows devices. DirectAccess is built on commonly deployed Windows platform technologies and is designed to streamline and simplify the remote access experience for end users. In addition, DirectAccess connections are bidirectional, allowing administrators to more effectively manage and secure their field-based assets.

Implementing DirectAccess with Windows Server 2016 provides a high-level overview of how DirectAccess works. The vision and evolution of DirectAccess are outlined and business cases and market drivers are explained. It also provides detailed, prescriptive guidance to plan, design, implement and support a secure remote access solution using DirectAccess in Windows Server 2016.

Implementing DirectAccess with Windows Server 2016 is available for pre-order on Amazon.com now. Order your copy today!



3. Microsoft Security Bulletins for July 2016

For the month of July Microsoft released 11 security bulletins, 6 critical and 5 important. Affected software includes the Internet Explorer and Edge browsers, Microsoft Office, Office Services, and Office Web Apps, the .NET Framework, and all supported versions of the Windows server and desktop operating systems. The most important updates this month are the browser and Office updates, as they address vulnerabilities that allow remote code execution.

For more information about July’s security bulletins click here.

4. Microsoft Security Advisories for July 2016

Microsoft did not update or release any new security advisories for the month of July.


5. Security Articles of Interest

  1. Many common security threats can be effectively mitigated with the use of DNS-based security controls. As malware often uses DNS to locate command and control (C&C) servers, monitoring and controlling DNS requests is crucial to detecting and preventing these attacks. To protect resources hosted in the cloud, Microsoft has published essential guidance and best practices for addressing this unique challenge.
    https://azure.microsoft.com/en-us/blog/dns-security-appliances-in-azure/

  2. Microsoft continues to collect certifications and accreditations for its public cloud offering, Azure. They recently announced that Azure Government, a dedicated cloud offering designed for the U.S. public sector, now includes DoD Impact Level 4 Provisional Authorization, ITAR readiness, and FedRAMP High certification.
    https://azure.microsoft.com/en-us/blog/azure-government-cloud-expands-coverage-with-dod-impact-level-4-provisional-authorization-itar-readiness-and-fedramp-high/

  3. Microsoft announced recently the Azure Information Protection service, which builds on the Azure Rights Management (Azure RMS) and their recent acquisition of Secure Islands. This new approach for protecting employee identity builds upon their existing on-premises solutions. Azure Information Protection allows for the classification, labeling, and protection of data when it is created or modified, provides persistent protection for data in transit, enables safe and secure sharing with customers and partners, and offers simple controls to assist users with making the right decision with regard to information protection.
    https://blogs.technet.microsoft.com/enterprisemobility/2016/06/22/announcing-azure-information-protection/

  4. It’s always troubling when security vulnerabilities are discovered in the very products and solutions that are used to secure our systems and networks. That was the case recently, when it was revealed that popular security products from Symantec and Norton contained some critical security vulnerabilities. More details here.
    https://www.us-cert.gov/ncas/alerts/TA16-187A

  5. Last month Microsoft released security update MS16-072 (KB3163622), which was a security update for Active Directory group policy. Organizations that applied this update quickly discovered that it broke the application of GPOs in a number of different circumstances. As it turns out, Microsoft fundamentally changed the way GPOs were being read, and many administrators using security filtering for their GPOs quickly realized that they were no longer being applied. You can read about all of the details and how to resolve these issues here.
    https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

  6. Microsoft recently announced the ability to export Azure audit logs to storage accounts and event hubs. In addition, they’ve made some important and useful changes to the user interface that Azure administrators are sure to find helpful.
    https://azure.microsoft.com/en-us/blog/azure-audit-logs-ux-refresh/

  7. Azure Security Center is a compelling new offering from Microsoft that is extremely valuable for managing the security of resources hosted in Azure. There’s tons of documentation for Azure Security Center, but Microsoft recently published this helpful FAQ-based post to answer many of the common questions regarding the configuration and use of Azure Security Center.
    https://blogs.technet.microsoft.com/yuridiogenes/2016/07/15/azure-security-center-from-planning-to-operations-in-10-steps/

  8. In the ongoing battle between Microsoft and the U.S. Federal government over the government’s requested access to customer data hosted outside of the U.S., Microsoft recently won a crucial appeal, allowing them not to disclose the information originally requested. This case has important consequences for U.S. based organizations. The implications will be far reaching, no doubt. This case is likely not over, but Microsoft and privacy advocates everywhere can definitely consider this a victory.
    http://www.zdnet.com/article/microsoft-wins-appeal-over-warrant-for-overseas-emails/


6. WindowSecurity.com Articles of Interest

  1. The Return of Macro Attacks

  2. Trend Micro InterScan Messaging Security Suite voted WindowSecurity.com Readers’ Choice Award Winner – Email Antivirus

  3. Application Security Redux: It’s All About the Apps (Part 5)

  4. Application Security Redux: It’s All About the Apps (Part 6)

  5. Security Challenges Presented by Microservices

7. Windows Security Tip of the Month

With the general availability of Windows Server 2016 fast approaching (September 2016!) now is the time to begin preparing for this new operating system release. There are TONS of great new features in the new OS, and of course lots of security enhancements as well. You can get started with the new operating system today by downloading and installing Windows Server 2016 Technical Preview 5, which is the last technical preview planned before Release-to-Manufacturing (RTM) code will be available. You can download Windows Server 2016 Technical Preview 5 here.