WindowSecurity.com - Monthly Newsletter - June 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


Editor's Corner

Digital certificates have been around for quite some time now, dating back to the X.509 standard originally published in 1988. Although this technology is quite mature, it is, surprisingly, not as widely deployed as you might think. Certificates can be leveraged to provide strong authentication and, when deployed correctly, can dramatically improve your organization’s security posture. Certificates provide a high level of assurance and can be used to improve the security of your remote access solution, to control access to sensitive data, and to provide secure network communication with IPsec. Installing and configuring a Certificate Authority (CA) is fairly straightforward. In fact, in Windows Server 2012 R2, it can be accomplished with two lines of PowerShell code. However, implementing a Public Key Infrastructure (PKI) for a production environment is not so simple. Careful consideration must be made and diligent planning performed to ensure the highest level of security and the greatest flexibility of your deployment. Too often, PKI planners fail to consider deployment scenarios or uses cases which may require a redesign of the entire PKI infrastructure at a later date. Before starting your PKI project, I’d suggest reading Brian Komar’s excellent reference on Windows PKI. It is written for Windows Server 2008 so it is a bit dated, but much of it still applies today. Hopefully the title will be updated soon, as it is a valuable resource!

--Rich

Public Key Infrastructure (PKI)

If your organization has not implemented a Public Key Infrastructure (PKI), now is the time to start planning for one. Few technologies today have the potential to improve security in your company as much as PKI does. Digital certificates can be issued to provide strong authentication for users accessing the corporate network remotely, which is one of the most important use cases for deploying certificates. Certificate-based authentication for VPN and DirectAccess can provide the highest level of assurance and can be used to ensure integrity and confidentiality for remote users. Preparing a Certificate Authority (CA) in Windows Server 2012 R2 is as easy as executing a few lines of PowerShell code. For example, the following command installs the Active Directory Certificate Cervices (AD CS) role:

Install-WindowsFeature AD-Certificate -IncludeManagementTools

The following command configures the certificate server as an Enterprise CA using the RSA cryptographic key storage provider with a 2048 bit key, using the SHA256 hash algorithm and a validity period of 5 years for the corp.example.com domain.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -CACommonName "ROOT-CA" -CADistinguishedNameSuffix "DC=corp,DC=example,DC=com"

That’s it! You’ve now got a working PKI. But hold on…not so fast! Unfortunately, it’s not always this simple. Although this will get you a PKI up and running quickly, it is far from an ideal implementation. Having a single, online enterprise root CA might be acceptable for a small test lab, but it is not the recommended configuration for a production environment. If this CA is compromised at all, it will have to be removed and rebuilt, resulting in a great deal of pain. To address this concern, it is recommended to first install a standalone root CA that will be used for the sole purpose of issuing a signing certificate to a subordinate Enterprise CA. Once the subordinate Enterprise CA is online, the standalone root CA can be taken offline for the highest level of security. If a subordinate CA is compromised, the offline root can be brought back online to revoke the signing certificate of the subordinate CA without requiring a complete rebuild of the entire PKI. In some cases it might be necessary to have multiple levels of CAs to facilitate separation of administrative roles or to implement different certificate issuance policies per CA. In this scenario, a root CA will be deployed which will be offline, while intermediate CAs will be used for separate policy requirements. CAs below those will then be used to issue certificates to users and endpoints.

Planning and implementing a PKI is not a trivial task. With careful planning and consideration, it can be go a long way to securing access to sensitive corporate resources. Without question, the improvement in security will far outweigh the effort. Start doing your research now, and get that PKI up and running soon. You’ll have the peace of mind that your remote users are indeed who they say they are, and you can further leverage your PKI for things like IPsec, Smart Card logon, internal web services, Encrypting File System (EFS), and much more. Good luck!

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, until now there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.

Image

Click here to order your copy today!


Microsoft Security Bulletins for June 2014

For the month of June, Microsoft released 7 security bulletins addressing 66 vulnerabilities, a record 59 of which are included in MS14-035 for Internet Explorer. 2 bulletins are rated as critical and 5 are rated as important. Affected software includes Internet Explorer, the Microsoft Graphics Component, Microsoft Word, Microsoft Core XML services, Lync Server, TCP, and the Remote Desktop protocol. For more information about June’s security bulletins click here. Microsoft also updated Security Advisory 2755801 for an update to address vulnerabilities in Adobe Flash Player in Internet Explorer. In addition, shortly after the update Tuesday release, Microsoft announced Security Advisory 2974294 which addresses a vulnerability in the Microsoft Malware Protection Engine that could allow a denial of service.


Security Articles of Interest

  1. Score another win for the good guys! Once again, Microsoft, working with the FBI have been successful in taking down the developer of the insidious Blackshades malware. Blackshades is a widely distributed remote access trojan (RAT) that allowed cybercriminals to steal passwords and other sensitive information from infected computers. The software would also steal personal data like documents and photos, recording all keystrokes, activating webcams, holding computers for ransom (a la cyrptolocker) and even be used for distributed denial of service (DDoS) attacks.
    http://www.fbi.gov/news/stories/2014/may/international-blackshades-malware-takedown/international-blackshades-malware-takedown

  2. And yet another win for the good guys! This time Microsoft assists the FBI in taking down and cleaning up the Zeus botnet.
    http://blogs.technet.com/b/microsoft_blog/archive/2014/06/02/microsoft-helps-fbi-in-gameover-zeus-botnet-cleanup.aspx

  3. Here’s an ironic twist for you. Attackers recently hijacked servers used to protect against DDoS attacks and used them to conduct a massive DDoS attack!
    http://www.scmagazine.com/hijacked-anti-ddos-servers-used-to-carry-out-massive-ddos-attack/article/346619/
  4. SNMP is a common attack vector for network devices, and it is often overlooked by security administrators. Of course in many small and medium-sized businesses which have no dedicated security personnel, security concerns with SNMP will often go unnoticed completely. SNMP lacks any real security, relying instead on the obscurity of the community string to prevent unwanted access. Unfortunately, some networking equipment vendors enable SNMP by default and also use default, well known community strings like “public” or “private”, making it trivial to exploit any vulnerabilities. Recently a number of security devices were discovered to be vulnerability and provide unauthorized access to critical information.
    http://www.scmagazine.com/critical-info-on-modems-load-balancer-exposed-via-snmp-community-string/article/347393/

  5. Microsoft recently announced that it successfully challenged a National Security Letter (NSL) from the FBI. The NSL requested information about one of Microsoft’s enterprise customers and included a gag order, preventing Microsoft from notifying the customer in question. Microsoft objected and ultimately won.
    http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/05/22/new-success-in-protecting-customer-rights-unsealed-today.aspx

  6. Still running Windows XP? Shame on you! Ok, there may be some corner cases where there’s a legitimate reason for continuing to run Windows XP (e.g. embedded industrial equipment). However, with Windows XP now out of support, it is no longer receiving security updates. Interestingly enough, someone cleverly discovered that certain versions of XP were indeed still receiving updates! Namely the Windows Embedded POSReady 2009 version which is supported until April 9, 2019. It turns out that a simple registry hack can make Windows Update think you’re running this supported version of XP and it will provide you with updates. Microsoft cautions that these updates are not designed for commercial and consumer versions of Windows XP and may result functionality issues. Obviously if you’re running XP there are many compelling reasons to upgrade. However, if you’re stuck for some reason, perhaps this is a way to limp along a little more securely.
    http://www.zdnet.com/registry-hack-enables-continued-updates-for-windows-xp-7000029851/

  7. I’m a huge proponent of IPv6. Since being exposed to it with DirectAccess in Windows Server 2008 R2 many years ago, I’ve come to understand the importance of implementing this protocol as soon as possible. As with any protocol, there are potential vulnerabilities that need to be considered and addressed, and IPv6 is one of them. IPv6 uses something called “extension headers” and, as it turns out, a clever attacker can use them in an effort to evade IPv6 security devices.
    http://www.insinuator.net/2014/05/a-novel-way-of-abusing-ipv6-extension-headers-to-evade-ipv6-security-devices

  8. In a stunning and rather bizarre turn of events, the authors of the popular open source disk encryption software TrueCrypt abruptly and without much explanation announced that TrueCrypt is not secure and may contain unfixed security issues. The authors have terminated development of TrueCrypt and have suggested migrating to Microsoft BitLocker. Many, including myself, assumed that the web site had been hacked and it was just a joke. However, that does not appear to be the case. There’s been much speculation on the Internet about the reason for this sudden action, but to date there’s been no definitive information regarding the product.
    http://truecrypt.sourceforge.net/

  9. There’s nothing more unsettling than finding out a commercial product used by your organization contains an undocumented backdoor. In this case, it is particularly troubling because the software is a call monitoring product from NICE Systems. The NICE product is a voice recording solution used by public safety and customer service organizations. The backdoor could give attackers unprecedented access to extremely sensitive information and could be used to spy on companies that have deployed the software.
    http://krebsonsecurity.com/2014/05/backdoor-in-call-monitoring-surveillance-gear/

  10. Who exploits vulnerabilities? Microsoft looks at data from the latest Security Intelligence Report (SIR) Volume 16 to answer that question.
    http://blogs.technet.com/b/security/archive/2014/06/12/who-exploits-vulnerabilities-the-path-from-disclosure-to-mass-market-exploitation.aspx

  11. Well played, malware authors! Recent attacks were discovered using malware that leveraged a security feature in Windows, Software Restriction Polices, to prevent anti-malware software from being installed.
    http://blog.trendmicro.com/trendlabs-security-intelligence/windows-security-feature-abused-blocks-security-software/

  12. For the highest level of protection for digital certificates installed on workstations, laptops, or tablets, a Trusted Platform Module (TPM) should be used. The TPM provides much better protection for the certificate and it’s private key, include non-exportability, anti-hammering, and key isolation. This article provides details for using a TPM to protect certificates issued by Microsoft Certificate Authority (CA).
    http://blogs.technet.com/b/pki/archive/2014/06/05/setting-up-tpm-protected-certificates-using-a-microsoft-certificate-authority-part-1-microsoft-platform-crypto-provider.aspx


WindowSecurity.com Articles of Interest

  1. Security Your Lync Server – Part 2
  2. Video: Auditing vs Advanced Auditing Configurations - Part 2
  3. GFI Endpoint Security – Voted WindowSecurity.com Readers’ Choice Award Winner for Endpoint Security
  4. Securing Your Lync Server - Part 3
  5. Improving Security Through Least Privilege Practices

Windows Security Tip of the Month

In this month’s newsletter we’ve discussed the security benefits that come from deploying a Public Key Infrastructure (PKI). A PKI can become a target for determined attackers, and it should be designed using stringent security best practices. Since deploying a PKI properly and securely is a non-trivial task, Microsoft recently published new guidance for securing your Windows-based PKI. The document provides recommendations for common attack vectors, planning the use of cryptographic algorithms and certificate usage, designing your PKI physical security, implementing technical controls to secure PKI, protecting PKI artifacts and assets, strategies for monitoring your PKI for malicious activity, and guidance for recovering from a PKI compromise. If you’re planning to deploy a PKI (and you should be!) this document will serve as an essential reference and critical planning guide and will ensure the best possible deployment experience from both a performance and security perspective. You can download Securing Public Key Infrastructure (PKI) here.