Monthly Newsletter - November 2015

Welcome to the newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to

1. Editor's Corner

Windows 10 includes many important features designed to improve security. Credential theft is one area that Microsoft focused their energy on in the latest release, making a concerted effort to mitigate and thwart common attacks such as Pass-the-Hash (PtH). PtH has been a highly effective way for attackers to gain a foothold within an organization and later pivot to other systems using credentials stolen from a compromised machine. To address this concern, Microsoft introduced a powerful new feature called Credential Guard (sometimes referred to as Virtual Secure Mode, or VSM). Credential Guard has the ability to dramatically reduce the effectiveness of many credential theft attacks on the Windows client operating system. It’s not trivial to implement, however. It is also not available on all desktop operating system SKUs. In this month’s newsletter we’ll take a closer look at the advantages and disadvantages of Windows 10 Credential Guard.


Windows 10 Credential Guard

Credential Guard (formerly Virtual Secure Mode, or VSM) is a new security feature in Windows 10 that is designed to mitigate increasingly popular (and highly effective!) credential theft attacks. Credential theft can occur when an attacker gains administrative access on a system and dumps the password hashes from running processes or the local SAM account database. If a privileged domain user (e.g. a domain administrator) has ever logged on locally to the system, an attacker can obtain those password hashes and use them to authenticate to another host on the network. Even if privileged user password hashes are not available, an attacker can take the hashes of non-privileged accounts and use those to authenticate to other systems on the network to perform additional reconnaissance or perhaps execute an exploit against that system.

The real challenge with credential theft attacks is that they are prohibitively difficult to defend against. After all, the system is already fully compromised and with full administrator rights on the device, the attacker can do anything they want. Credential Guard aims to eliminate this attack vector by isolating critical system processes such as the Local Security Authority (LSA) from the operating system completely. It is accomplished, cleverly I might add, by using Hyper-V on the client operating system. Essentially, Credential Guard places some critical system processes in a separate, hardware-isolated virtual machine running in Hyper-V. As such, even a fully compromised system would be immune to credential theft attacks with Credential Guard enabled.

To support Credential Guard, the system must support UEFI and Secure Boot must be enabled. Also, the client machine must have a Trusted Platform Module (TPM) v1.2 or later. Credential Guard is available only on Windows 10 Enterprise and Education SKUs, and requires the installation of Hyper-V on the desktop operating system. Also, it is important to know that Credential Guard does not protect local credentials, only domain credentials.
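The requirements listed above can be checked from the client itself. The following readiness and verification script is an added example, not code from the newsletter or from Microsoft; it assumes an elevated PowerShell session on Windows 10, reads the documented Win32_DeviceGuard and Win32_Tpm WMI classes, and the edition codes, feature name and registry value it uses are taken from Microsoft's product-type and Credential Guard documentation as I understand them (the function name is my own).

```powershell
# Added example: report whether a Windows 10 client meets the Credential Guard
# prerequisites and whether the LSA isolation is actually running.
# Run elevated. Property codes follow the Win32_DeviceGuard documentation.
function Test-CredentialGuardReadiness {
    $result = [ordered]@{}

    # 1. Edition: Enterprise (4, 27 = N) and Education (121, 122 = N) only
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.Edition      = $os.Caption
    $result.SkuSupported = $os.OperatingSystemSKU -in 4, 27, 121, 122

    # 2. UEFI firmware with Secure Boot enabled (cmdlet throws on legacy BIOS)
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # 3. TPM present; SpecVersion reads like "1.2, 2, 3" or "2.0, 0, 1.16"
    $tpm = Get-CimInstance -Namespace root\cimv2\security\microsofttpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]$tpm
    $result.TpmSpec    = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $result.TpmOk      = $tpm -and ([version]$result.TpmSpec -ge [version]'1.2')

    # 4. Hyper-V hypervisor optional feature installed on the desktop OS
    $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor `
                                     -ErrorAction SilentlyContinue
    $result.HypervisorFeature = ($hv.State -eq 'Enabled')

    # 5. Configured state: LsaCfgFlags 0 = off, 1 = on with UEFI lock, 2 = on without lock
    $lsa = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $result.LsaCfgFlags = if ($lsa) { $lsa.LsaCfgFlags } else { 0 }

    # 6. What the platform reports about virtualization-based security.
    #    AvailableSecurityProperties: 1 = hypervisor, 2 = Secure Boot, 3 = DMA protection.
    #    SecurityServicesRunning contains 1 when Credential Guard (LSA isolation) is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $result.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'not enabled' } 1 { 'enabled, not running' } 2 { 'enabled and running' } }
    $result.PlatformProperties     = ($dg.AvailableSecurityProperties -join ',')
    $result.CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]$result
}

Test-CredentialGuardReadiness | Format-List
```

A machine that reports SkuSupported, SecureBoot, TpmOk and HypervisorFeature as True but CredentialGuardRunning as False is a candidate for enabling the feature; remember that even a True result protects only domain credentials, not local accounts.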

See the Security Articles of Interest later in this newsletter for a reference to enabling Credential Guard in Windows 10.


2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have quickly become essential tools to provide the highest level of security and protection for network communication. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!


3. Microsoft Security Bulletins for November 2015

For the month of November Microsoft released 12 security bulletins. 4 are rated critical and 8 important. Affected software includes Internet Explorer and Microsoft Edge, Microsoft Office, Office Services, Office Web Apps, Lync, Skype for Business, the .NET Framework, and all supported versions of Windows. The most crucial updates would appear to be the cumulative updates for Internet Explorer and Edge.

For more information about November’s security bulletins click here.

4. Microsoft Security Advisories for November 2015

For the month of November, Microsoft released security advisory 3108638 for an update to Hyper-V to address a CPU weakness. It is designed to protect against a potential Denial-of-Service (DoS) attack against systems with a specific CPU chipset. And it wouldn’t be another month without a vulnerability in Adobe’s Flash Player, so advisory 2755801 has been updated accordingly.

5. Security Articles of Interest

  1. Credential Guard, an important new security feature in Windows 10 Enterprise and Education, is designed to mitigate risks associated with credential theft attacks. For details on how to enable and configure Credential Guard in Windows 10, you’ll find a step-by-step guide here.
  2. The Center for Internet Security (CIS) recently updated their Critical Security Controls document. Version 6 of the Controls for Effective Cyber Defense provides detailed guidance for implementing security controls in the most effective manner. You can download this important documentation here.
  3. In an attempt to deliver on the mantra “encrypt all the things”, the “Let’s Encrypt” project, which provides free SSL certificates to everyone, recently cleared a major hurdle. The open source project announced that its certificates are now trusted by all major browsers. Of course using a free SSL certificate does nothing for assurance, but I’ll concede that using a free certificate might be sufficient in some use cases. I’d still suggest proceeding with caution though. You get what you pay for, after all!
  4. Cloud computing. Perhaps you’ve heard of it? Apparently it’s a thing. Seriously though, today’s cloud computing offerings are incredibly compelling, both from a technology and cost savings perspective. Organizations not moving services and infrastructure to the cloud will be unable to compete in the marketplace. Most cloud adoption to this point has been from the private sector, but increasingly, public sector entities are considering migration to cloud services and infrastructure. Microsoft recently released a whitepaper that outlines in detail a framework for innovation, security, and resilience aimed at public sector organizations. Definitely recommended reading for those in the public sector considering cloud-based solutions today.
  5. In the latest installment of their “Cloud Security Controls” series, Microsoft tackles the often difficult and challenging task of managing “Shadow IT”. If you’re not familiar with this term, Shadow IT describes a scenario in which a business unit engages with an outside organization to provide services instead of leveraging their own existing internal IT organization. A classic example is the head of a business unit signing up for a cloud-based service directly when central IT disapproves. It can be tremendously difficult for IT organizations to manage these scenarios, and it is essential that they do, because often these rogue services and applications have private, sensitive data and information stored on them.
  6. Every Microsoft operating system, and nearly every application, includes support for telemetry. This telemetry information, communicated to Microsoft securely and anonymously, helps Microsoft understand operating system and application usage, feature usage, and most importantly, allows them to proactively identify when there is an issue that needs to be addressed. However, many people believe that this is a security risk, and perhaps in some corner cases it might be. Telemetry can be tailored to your specific needs, and you do have the ability to opt in or out of most of it. Details here.
  7. Security is often cited as a primary concern for organizations migrating applications, services, and infrastructure to the cloud. Microsoft, with their Azure public cloud offering, has an incredible amount of security certifications and attestations that far surpass the needs and requirements for most companies. Recently Microsoft updated their list of security attestations for Azure. You can find them here.
  8. The Microsoft Azure Active Directory (AD) Application Proxy service allows administrators to publish on-premises web applications using the Azure cloud service, without requiring any additional on-premises hardware. However, one nagging challenge that Azure AD Application Proxy faced was its inability to automatically redirect users from HTTP to HTTPS. Thankfully, this essential feature was recently added and is now enabled by default for all Azure AD Application Proxy users. Enjoy!

6. Articles of Interest

  1. Clarity on Windows 10 Data Collection
  2. Acunetix Web Vulnerability Scanner - Voted Readers' Choice Award Winner - Security Scanners
  3. Microsoft Ignites a New Focus on Security – Part 6
  4. Product Review: Specops Password Policy
  5. Video: Random Passwords for New Users
  6. Microsoft Ignites a New Focus on Security – Part 7

7. Windows Security Tip of the Month

On November 12, Microsoft released their first major update to Windows 10. The “November Update”, referred to as build 1511, includes a number of important changes targeted at driving enterprise adoption of Windows 10. Along with the usual bug fixes and feature enhancements the update includes, Microsoft also announced important new supporting services. Windows Update for Business now provides IT organizations with the ability to update Windows 10 clients on their own terms. Windows Update for Business also provides the ability to create deployment groups, allowing for the phased deployment of updates across the organization. Microsoft also announced the Windows Store for Business, which provides IT organizations with a flexible mechanism for managing and distributing applications, both Windows Store apps and line-of-business apps. For more information about the Windows 10 November update, Windows Update for Business, and Windows Store for Business, click here.