WindowSecurity.com - Monthly Newsletter - June 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Virtualization has been around for many years, and without question it is a mature and commonly deployed technology by organizations of all sizes. Unfortunately, security has always lagged behind on the popular hypervisor platforms. Not surprising really, as virtualization was largely the domain of the enterprise initially, where the virtualization host servers were commonly deployed safely and securely in heavily guarded and monitored data centers.

The cloud is now changing the way we think about virtualization security. With the public cloud in particular, the customer doesn’t trust the fabric administrator. So how is it possible to protect virtually deployed assets when we don’t own the virtual infrastructure? Microsoft has a solution. They’ve introduced Shielded Virtual Machines, a new feature in Windows Server 2016 Hyper-V, to effectively mitigate these security challenges.
 
--Rich

Hyper-V Shielded Virtual Machines

Shielded Virtual Machines (VMs) is a compelling new feature in Windows Server 2016 Hyper-V. It is designed to provide essential protection for VMs running on a Hyper-V host server from malicious administrators and host-based malware attacks in both public and private clouds. And while security challenges aren’t unique to Hyper-V, the solution to mitigate these challenges is.

 Shielded VMs address a critical challenge with virtualization, namely the fabric administrator having full unrestricted access to all virtual resources. While this might be acceptable in a private cloud environment where the administrators are trusted, it is most certainly not in a public cloud. A fabric administrator could easily access VMs and steal data, or potentially copy entire virtual disks to external storage for offline access. If an organization is hosting any sensitive data in a shared virtual environment, for example virtualized domain controllers, SQL or SharePoint servers, or other workloads that access or store sensitive information, all of these are exposed to the administrator that created and manages the infrastructure.

Shielded VMs are part of a new guarded fabric that creates a strong isolation boundary between the virtual host and its guest VMs. Even a full administrator on the host itself cannot access any resources for deployed shielded VMs. This includes accessing the console and even the virtual hard disk itself.

Shielded VMs leverage virtual Trusted Platform Modules (TPM) to encrypt not only the virtual hard disk, but to provide important key protection and attestation to the new Host Guardian Service. This service verifies the health of the VM before allowing it to start.

Shielded VMs are supported only on Windows Server 2016 Hyper-V, and only for Generation 2 VMs (for which only Windows 8.x, Windows 10, Windows Server 2012 and 2012 R2, and Windows Server 2016 are supported). VMs that are deployed natively as shielded VMs are the most secure, but Microsoft does allow for “grandfathering” (converting) of standard VMs to shielded VMs (assuming they meet all of the requirements for shielded VM support, of course).

This technology will be crucial for hosting providers with infrastructure running Microsoft Hyper-V. Enterprises deploying private clouds would also do well to deployed shielded VMs, as it can provide important protection that greatly improves security and compliance for hosted workloads.


2. Richard M. Hicks Consulting

Looking for assistance with the design, implementation, or support of a Microsoft DirectAccess remote access solution? Need help migrating from Microsoft Forefront Threat Management Gateway (TMG) 2010? Interested in guidance for integrating on-premises networks with Microsoft Azure or Amazon Web Services? I can help!

I am a Microsoft Certified Solutions Associate (MCSA) with nearly 20 years’ experience working with Microsoft network security platforms. I’ve deployed DirectAccess and VPN solutions for some of the largest organizations in the world. I’ve also helped organizations large and small implement hybrid cloud network solutions, migrate from Forefront TMG to other security platforms, and perform other security related services.

For more information about consulting services, click here.

Image


3. Microsoft Security Bulletins for June 2016

For the month of June Microsoft released 17 security bulletins, 6 critical and 11 important. Affected software includes Internet Explore and Edge web browsers, JScript and VBScript, Microsoft Office, Windows DNS, Active Directory Group Policy, Exchange Server, Windows PDF, Windows Search, and Adobe Flash Player. The most critical update this month is MS16-071 , which addresses a vulnerability in the Windows DNS server service. This is a critical update that, if exploited successfully, can provide an attacker remote code execution (RCE). Making matters worse, a common practice is to install the DNS service on Active Directory domain controllers, so getting this update applied immediately is recommended.

For more information about June’s security bulletins click here

4. Microsoft Security Advisories for June 2016

Microsoft did not update or release any new security advisories for the month of June.


5. Security Articles of Interest

  1. This month, Verizon released their annual Data Breach Investigations Report (DBIR). This report includes information and data that will be invaluable to security administrators everywhere. The DBIR can be downloaded (registration optional) here.
    https://www.us-cert.gov/ncas/alerts/TA16-144A

  2. The Microsoft Office platform is highly extensible and with the use of Visual Basic for Applications (VBA), there’s almost no limit to what a talented and creative developer can accomplish. Unfortunately, this capability is commonly exploited by attackers. Here is a demonstration of the use of VBA and malicious macros to download and install ransomware.
    https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a-sneaky-new-trick/
  3. As noted in the previous link, Office applications and specifically the macros they might contain are a popular attack vector for cybercriminals. Microsoft is fully aware of this, and has introduced new features in Office 2016 that can block macros and help prevent malware infection.
    https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
  4. Browser takeover by malicious web sites can be terribly frustrating. Microsoft has made great strides to ensure that the web browsing experience remains under the full control of the user in the latest versions of Windows and the Edge browser. Here’s an update on the progress they’ve made and some updates recently introduced.
    https://blogs.technet.microsoft.com/mmpc/2016/03/23/keeping-browsing-experience-update/
  5. DNS can be a tremendously valuable tool when it comes to performing incident response and conducting forensic investigations. There’s often a wealth of data there that can shed valuable light on what a particular user or host was doing at any given point in time. A new feature in Windows Server 2016 allows administrators to enable important DNS analytic data logging. In addition, this feature has also been backported to Windows Server 2012 R2.
    https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/
  6. Managing and monitoring privileged access in the enterprise is essential. Even if your administrators are trusted, the potential always exists for account compromise. It’s an excellent idea to limit the use of privileged access to reduce exposure to these types of attacks. This post from Microsoft outlines a phased approach to systematically securing privileged access.
    https://blogs.technet.microsoft.com/windowsserver/2016/05/26/securing-privileged-access-preventing-and-detecting-attacks/
  7. I’ve written frequently in this newsletter about the bane of preinstalled software on new PCs and laptops. Not only are they an annoying nuisance, they often include critical security vulnerabilities. Here’s yet another of example of the current state of security for preinstalled software on new machines.
    http://www.zdnet.com/article/hp-dell-acer-asus-bloatware-security-flaws-vulnerabilities/
  8. TeamViewer is a popular remote administration tool used by organizations large and small. While flexible and convenient, it presents a rich target for attackers. Recently there have been reports of many compromised TeamViewer accounts, leading some to suggest that perhaps TeamViewer itself had been the victim of a data breach. That appears not to be the case. Rather, the culprit here seems to be account reuse. The sheer volume of credentials available from other data breaches is allowing attackers to use those same usernames and passwords on other systems. Clearly they are having success with that approach on systems with TeamViewer installed.
    http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
  9. A recent study found that millions of devices have many ports open unnecessarily. That doesn’t surprise me at all, as I personally find that many administrators are unfamiliar with basic network auditing tools like Nmap. In addition, there’s an alarming lack of management of the host-based firewall installed on Windows client and server operating systems. In fact, it is alarming how often I see the Windows firewall proactively disabled!
    http://www.scmagazine.com/report-finds-millions-of-firewall-ports-left-open-unnecessarily/article/502298/ 
  10. Microsoft recently released Advanced Security Management for Office 365. This new features introduces enhanced security and protection mechanisms such as anomaly detection and behavioral analytics.
    http://www.eweek.com/security/microsoft-enables-threat-detection-in-office-365.html


6. WindowSecurity.com Articles of Interest

  1. Application Security Redux: It’s All About the Apps (Part 3)

  2. Symantec Endpoint Protection Voted WindowSecurity.com Reader’s Choice Award Winner – Endpoint Security

  3. Top 10 Ways to Reduce the Risk of Data Leakage

  4. Application Security Redux: It’s All About the Apps (Part 4)

  5. Introduction to Microsoft Azure Security Center

7. Windows Security Tip of the Month

Shielded VMs, a new security feature for the Hyper-V hypervisor in Windows Server 2016, is sure to be an essential component for public cloud hosting providers and large enterprises hosting VMs in Hyper-V. This powerful technology has the potential to significantly reduce the attack surface for virtual workloads, while at the same time providing much higher levels of assurance and compliance. You can learn more about Hyper-V Shielded VMs in Windows Server 2016 here