WindowSecurity.com - Monthly Newsletter - March 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

I’ve written here more than once about the importance of SSL and TLS to the security ecosystem. This critically important security technology is widely used, yet sadly, poorly understood. Critically, it is often misconfigured and frequently not maintained. This month another serious vulnerability affecting SSL got me thinking once again about this important topic, so I thought perhaps it was a good time to remind everyone again about the perils of neglecting the security configuration of web sites and services relying on SSL and TLS for protection.

--Rich

SSL and TLS Security

SSL and TLS are arguably the most important security and protection technology on the Internet. It is used by web sites to provide privacy, enabling modern electronic commerce. It is used by many organizations to secure communication between endpoints, a common example being client-based and clientless VPN. In addition, important infrastructure services such as mail and many file transfer mechanism leverage SSL and TLS for protection. There’s no question that SSL and TLS security configuration is important, and keeping it updated is vital to everyone’s personal and commercial security.

Just a few weeks ago another serious vulnerability in SSL was discovered. Dubbed DROWN (Decrypting RSA with Obsolete and Weakened Encryption), this attack is particularly insidious because it can allow an attacker to break an otherwise securely configured server. This means that just a single misconfigured server or service running in your organization can put the secure communication of many other properly configured systems at risk.

DROWN is essentially a padding oracle attack leveraged against SSL v2. SSL v2 is a ridiculously out-of-date protocol, dating back to the mid-1990’s. It was formally deprecated in 2011 and is not used at all by any modern operating system. SSL v2 should be disabled on any system using SSL and TLS. If SS v2 is disabled everywhere in your organization, you have nothing to worry about.

However, if there are any services that still have SSL v2 enabled, not only can an attacker gain access to encrypted data for those connections, they can also use that information to successfully attack any other server using the same private key, even those running only secure protocols like TLS. Reusing certificates across multiple servers and services is sometimes unavoidable, but many organizations are using wildcard or multi-SAN certificates. While these certificate are convenient and cost effective, they don’t offer the best security because the same private key is used across many services. Here, the DROWN attack exposes the downside to using these types of certificates.

To prevent the DROWN attack, all that is required is to disable SSL v2. Unfortunately, SSL and TLS security configuration is often overlooked by administrators. Typically, servers, services, or security devices that rely on SSL and TLS will ship in a reasonably secure configuration, but as time marches on and new vulnerabilities are discovered, without additional maintenance these systems can be critically vulnerable to attack. This is a particular challenge with preconfigured security devices. Firewalls, routers, application delivery controllers and load balancers, and most important SSL VPNs, often rely on SSL and TLS but without additional configuration can expose private information due to less than optimal or improper configuration.

For some security administrators, the discovery of the DROWN attack poses no risk at all. If you have been managing your SSL and TLS enabled servers and services, SSL v2 would have been disabled ages ago, so there’s no real exposure. But if you’re running older Windows servers (for example IIS or Forefront TMG) in their default configuration and are supporting web, mail, file transfer services, or VPN (specifically the SSTP protocol), you may be at risk. If you are relying on a proprietary security appliance for SSL VPN or have an application delivery controller managing traffic for web sites and services using SSL and TLS, I would urge you to look at the configuration of those devices closely.

For more information about how to identify and re-mediate configuration issues with SSL and TLS, be sure to scroll to the end of the newsletter and read the Windows Security Tip of the Month.

2. Richard M. Hicks Consulting

Looking for assistance with the design, implementation, or support of a Microsoft DirectAccess remote access solution? Need help migrating from Microsoft Forefront Threat Management Gateway (TMG) 2010? Interested in guidance for integrating on-premises networks with Microsoft Azure or Amazon Web Services? I can help!

I am a Microsoft Certified Solutions Associate (MCSA) with nearly 20 years’ experience working with Microsoft network security platforms. I’ve deployed DirectAccess and VPN solutions for some of the largest organizations in the world. I’ve also helped organizations large and small implement hybrid cloud network solutions, migrate from Forefront TMG to other security platforms, and perform other security related services.

For more information about consulting services, click here.

Image


3. Microsoft Security Bulletins for March 2016

For the month of March Microsoft released 14 security bulletins, 6 of which are rated critical and 8 important. Affected software includes Internet Explore and Edge browsers, Microsoft Office, .NET Framework, and all supported versions of Windows. As always, the cumulative updates for Microsoft web browsers (IE and Edge) should be applied quickly as they represent a common and popular attack vector for attackers. Also, pay close attention to MS16-029 which addresses critical vulnerabilities in Microsoft Word. Word documents are commonly used to deliver exploits via file sharing and email attachments.

For more information about March’s security bulletins click here.

4. Microsoft Security Advisories for March 2016

Microsoft released no new security advisories or updates for existing ones this month.


5. Security Articles of Interest

  1. At the beginning of March, security researches disclosed a serious vulnerability in SSL v2. When successful, the DROWN attack allows the attacker to gain access to encrypted communication. Crucially, otherwise secure servers and services may be vulnerable if they share a private key with a vulnerable system. More details about the DROWN SSLv2 attack can be found here.
    https://drownattack.com/

  2. Using an SSL VPN for secure remote access in your organization? Chances are good that it isn’t secure! Recent research indicates that up to 90% of SSL VPNs are insecure. To be fair, and as one of my Twitter followers thoughtfully pointed out, it really means that most “misconfigured” SSL VPNs are insecure. As the DROWN attack illustrates, many security administrators neglect the security configuration of their SSL and TLS-based services. SSL VPN is no exception. Don’t forget to evaluate your SSL VPNs security posture and remediate any security risks today!
    http://www.theregister.co.uk/2016/02/26/ssl_vpns_survey/

  3. Bret Arsenault, Microsoft’s Chief Information Security Officer (CISO), recently provided a progress report for enterprise security. In the report, Bret provides valuable insight as to how Microsoft is assisting customers with protecting their digital assets. He outlines the availability of new security platforms for cloud and on-premises workloads, and details new Azure features like Customer Lockbox for SharePoint Online and OneDrive for Business as well as Azure Security Center and more.
    https://blogs.microsoft.com/blog/2016/02/25/enterprise-security-for-our-mobile-first-cloud-first-world-2/

  4. Microsoft recently announced a number of important new partner solutions to be integrated with Azure Security Center. Among them are Checkpoint, Cisco, and Fortinet for Next Generation Firewalls, and Imperva SecureSphere and Incapsula Web Application Firewalls (WAF). More importantly, Microsoft is extending the provisioning of WAFs to Classic virtual machines! A number of additional features including advanced threat detection and prevention, SSH brute force attack detection, and much more are now available.
    https://azure.microsoft.com/en-us/blog/azure-security-center-adds-new-partners-detections-and-more/

  5. In an effort to provide more robust threat protection for enterprise customers, Microsoft announced recently a new service called Advanced Threat Protection. Aimed at large enterprise customers, it is designed to provide enhanced protection and detection of more sophisticated attacks. It leverages behavioral sensors included in Windows, cloud-based security analytics, and threat intelligence from Microsoft’s security graph.
    https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/

  6. It’s often been said that the only way to truly protect a system is not to put it on a network. That might not entirely be true! Researchers recently hacked a computer that was not connected to a network at all, proving the so-called “air-gapped” approach to security is still potentially not perfect.
    http://www.csmonitor.com/Technology/2016/0216/How-researchers-hacked-a-computer-that-wasn-t-connected-to-the-Internet

  7. Are you using Azure Active Directory? Here’s a new security service from Microsoft you may be interested in. Azure AD Identity Protection is designed to provide a holistic view of risk events and potential vulnerabilities in your organization. Azure AD Identity Protection can identify potentially leaked credentials, anomalous sign in events (for example signing in from the U.S. and then from a foreign country just minutes later), sign-ins from IP addresses that are known to be malicious, and much more.
    https://azure.microsoft.com/en-us/documentation/articles/active-directory-identityprotection/

  8. In yet another of a long list of important security certifications and accreditations for Microsoft’s Azure public cloud offering, Microsoft announced they are the first global cloud service provider to receive the Cloud Security Mark (Gold) accreditation from the Japan Information Security Audit Association (JASA).
    https://azure.microsoft.com/en-us/blog/microsoft-first-global-csp-to-receive-the-cloud-security-mark-gold-accreditation/

  9. Verizon has released their first-ever data breach digest that includes important security case studies. This valuable report is essential reading for anyone involved in information security. There are valuable lessons to be learned from other organizations who have suffered a data breach. In addition, there are some entertaining stories included in this report too. Definitely worth the read!
    http://www.csoonline.com/article/3039555/investigations-forensics/verizon-releases-first-ever-data-breach-digest-with-security-case-studies.html

  10. Microsoft will be hosting their first Virtual Security Summit on March 29 from 9:00AM to 12:00PM PDT. This event will help security administrators understand more about modern attacks and evolving attacks and the tools they can use to protect their data and infrastructure. Register now!
    http://enterprise.microsoft.com/en-us/event/virtual-security-summit/


6. WindowSecurity.com Articles of Interest

  1. Spear Phishing of Whaling Scams Continue to Lure Organizations
  2. IoT: The Threats Keep on Coming – Part 4
  3. Acunetix Web Vulnerability Scanner Voted WindowSecurity.com Reader’s Choice Award Winner – Web Application Security
  4. The Risk of Running Obsolete Software – Part 1
  5. Focal Points for Managing Access to your AWS Management Console

7. Windows Security Tip of the Month

SSL and TLS security configuration is an often overlooked area in my experience. Many security administrators lack the fundamental knowledge and understanding of the protocol to properly assess and manage SSL and TLS security. To address this challenge, noted SSL and TLS security expert Ivan Ristic’s book Bulletproof SSL and TLS is essential reading. In addition to this book, an essential tool for evaluating and assessing the security posture of any SSL or TLS-based web site or service is the Qualys SSL Labs server test site. Using this web site allows the administrator to gain essential understanding of their current security posture, identification of current vulnerabilities, and helpful guidance for remediating any findings.