WindowSecurity.com - Monthly Newsletter - October 2013

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Editor's Corner

No one disputes the fact that Microsoft has made incredible strides in security over the last decade. The Microsoft Security Development Lifecycle, born out of the Trustworthy Computing Initiative, is a model that many organizations would do well to implement to provide the highest level of security for their products. In the last few years, however, Microsoft has been moving away from many of their security solutions. For example, the Forefront line of security products has been deprecated, with Forefront Endpoint Protection moving into the System Center systems management suite, the formal retirement of the venerable Forefront Threat Management Gateway (TMG) 2010 edge security solution, and Forefront Unified Access Gateway (UAG) 2010 on life support and without a clear future (and relying on TMG doesn't help!). Indeed, Forefront Identity Manager (FIM) 2010 R2 appears to be the only Forefront product that is thriving, and even then I expect it will be rebranded in the future to lose the Forefront name.

That's not to say that Microsoft is giving up on security. Quite the contrary. In fact, the official posture of Microsoft is that their solutions are more secure than ever and don't require separate products to protect them. I suspect there's some truth in that statement, but I firmly believe that the decision to move away from point security solutions is a strategic one. Competing in the security space does not advance their primary objective, which is to win the cloud. With an emphasis on all things cloud-related at Microsoft, and a corresponding de-emphasis of on-premises solutions (or at least on-premises solutions that don't serve the goal of enabling cloud adoption), Microsoft is better served by exiting those markets. Sadly, it leaves many organizations out in the cold, as they've come to rely heavily on the deep integration Microsoft security solutions have with Microsoft technologies. There are worthy alternatives, but in many cases there are key features and/or functionality that can't be, or haven't yet been, provided by third parties.

--Rich

Desktop Antivirus

Desktop antivirus has been around for many years. I think we can all agree that operating a computer without desktop antivirus installed would be foolish. Desktop antivirus tends to be a punching bag for many in the security industry, with more than a few industry experts lamenting signature-based virus and malicious software detection as being antiquated and of little use. Often these same experts are marketing folks working for a security vendor selling the latest, state-of-the-art security product. I'll agree that traditional desktop antivirus is a bit dated. However, it serves its purpose well. In an overall protection scheme, desktop antivirus is considered compulsory, but it should be considered your last line of defense in terms of protection. Any organization that is serious about providing protection for corporate assets would not rely on desktop antivirus alone as their only line of defense. In fact, the best place to detect and prevent viruses and malicious software is at the network edge, where it attempts to enter your network. Many secure web gateways and next generation firewalls include virus and malicious software scanning, and there are dedicated solutions available as well. Ideally you'll want to use separate antivirus vendors on the desktop and at the network edge to improve the chances of identifying and blocking malicious software.

Back to the desktop for a moment. In the early days of the Windows desktop operating system, Microsoft left the task of providing antivirus protection to third parties. This required users to proactively install and maintain a desktop antivirus solution for themselves. Many OEMs included evaluation versions of popular desktop antivirus solutions, but again it required the end users to ultimately renew the subscription to continue receiving protection. Unfortunately the rate at which users did this was low, resulting in millions of PCs being left without any protection at all. In an effort to improve this situation, Microsoft released the Microsoft Security Essentials free desktop antivirus solution and later included this technology with Windows Vista as a part of Windows Defender, and this has continued with Windows 8 and 8.1. Along with improvements in the operating system, the inclusion of antivirus with the base operating system has helped to drive the number of compromises down significantly.

Microsoft has been bashed recently for low scores in some independent testing, prompting them to remind everyone that Security Essentials provides "baseline" security and that customers should probably install a third-party solution with more advanced features. I'm not certain I agree with that, however. It stands to reason that Security Essentials provides baseline security protection, but at the desktop, that's all that should be required. And of course there are third parties with more advanced features. Microsoft Security Essentials, much like ntbackup and the native disk defragmenter, does provide a basic set of features, and third parties produce much more robust solutions. Typically the detection functionality is similar; the real difference comes in managing these solutions at enterprise scale. At the end of the day, I think Microsoft Security Essentials works well enough, and I use it as my only desktop antivirus for all of my personal machines. There are most certainly more advanced solutions, but Microsoft Security Essentials effectively performs the task it was designed to.

For more details on how Microsoft Security Essentials performs in independent testing, see the "Articles of Interest" section later in this newsletter.

Windows Server 2012 Security from End to Edge and Beyond

If you're planning to deploy Windows Server 2012 now or in the future, be sure to order your copy of Windows Server 2012 Security from End to Edge and Beyond today. Written by veteran security authors Tom Shinder, Deb Shinder, and Yuri Diogenes, this book provides detailed, prescriptive guidance on how to architect, design, plan, and deploy Windows Server 2012 in a secure manner. This book covers all aspects of Windows Server 2012 security, including Active Directory and Certificate Services, Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS), patch management, Hyper-V, remote access, and application, network, and cloud security.

This book is an essential reference for IT professionals and security administrators everywhere, so order now. You'll be glad you did!


Click here to order your copy today!

Microsoft Security Bulletins for October 2013

For the month of October, Microsoft has released 8 security bulletins, 4 of which are rated as critical. Affected software includes all supported Microsoft client and server operating systems, as well as Microsoft Office, SharePoint Server, and Silverlight. For more information about October's security bulletins click here.

Security Articles of Interest

  1. As I mentioned earlier, Microsoft has been taking some heat for its free desktop antivirus software, Microsoft Security Essentials, receiving low scores in some independent testing recently. In a recent interview, Holly Stewart, Senior Program Manager of the Microsoft Malware Protection Center (MMPC) was quoted as saying that Security Essentials is essentially a baseline protection mechanism and that more advanced, third-party solutions should be leveraged to provide the highest levels of protection for the Windows desktop.
    http://www.pcpro.co.uk/news/security/384394/microsoft-security-essentials-is-designed-to-be-bottom-of-the-antivirus-rankings
  2. After Holly Stewart made public statements to the fact that Microsoft Security Essentials was a baseline technology, many interpreted this statement to mean that Microsoft wasn't fully committed to providing essential protection with its solution. To set the record straight, Microsoft reiterated its commitment to protecting the desktop from viruses and malicious software here:
    http://blogs.technet.com/b/mmpc/archive/2013/10/09/our-commitment-to-microsoft-antimalware.aspx
  3. With all of the noise recently about Microsoft Security Essentials performing poorly in some independent tests, I decided to check one of the more trusted independent antivirus testing labs, Virus Bulletin, to see how Microsoft performed in their VB100 testing. The results were positive, showing that average scores over the last four rounds of testing for Microsoft have them in the upper right quadrant of the group, with high scores for both proactive and reactive detection. Full results are available only by subscription, but here's a link to the high-level results:
    http://www.virusbtn.com/vb100/latest_comparative/
  4. Windows Azure, Microsoft's cloud platform, is an impressive solution. With Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) offerings, there's something for everyone there. Cloud solutions can be compelling from both a cost and an operational efficiency perspective, but one of the major hurdles to cloud adoption continues to be security. Windows Azure is already one of the most accredited public cloud services available today, currently supporting ISO 27001, SSAE 16/ISAE 3402, HIPAA BAA, and European Union Model Clauses. Recently Microsoft announced that Windows Azure was granted FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO), becoming the first and currently only public cloud platform to receive JAB P-ATO. FedRAMP JAB P-ATO will streamline the process of onboarding Windows Azure services for government organizations.
    http://blogs.technet.com/b/microsoft_blog/archive/2013/09/30/windows-azure-cloud-services-achieve-critical-federal-security-milestone.aspx
  5. Not to be outdone by the recent Windows Azure security announcements, the Windows Phone team announced that the Windows Phone 8 has received all nine FIPS 140-2 validation certificates. With this, government customers in the U.S. and Canada can begin testing and validating the Windows Phone 8 and hopefully deploying Windows phones to their employees soon.
    http://blogs.msdn.com/b/joelcitizen/archive/2013/09/17/windows-phone-8-gets-all-nine-fips-140-2-validation-certificates.aspx
  6. This month, Microsoft "Patch Tuesday" turns ten years old! It seems like just yesterday that we had to install security updates in an ad-hoc, purely reactive manner. Today, the regular and consistent cadence of monthly security updates ensures that Microsoft products are as secure as they can be. In my opinion, this regular release cycle should be adopted by more vendors than just Microsoft. I can think of a number of solutions that could benefit from this!
    http://threatpost.com/take-time-to-reflect-as-microsoft-patch-tuesday-turns-10/102488
  7. Can our systems be more secure if we patched less? Absolutely not. Consistent and diligent patch management is a cornerstone of providing a secure and reliable computing environment. However, the point of this article is that we should be aware of vulnerabilities, not just security updates. Mitigating risks and preventing exploits is the key to improving security. By focusing on the types of attacks that are common, and implementing changes to prevent those attacks, we can more effectively protect our valuable corporate assets.
    http://www.darkreading.com/vulnerability/securing-more-vulnerabilities-by-patchin/240162177

WindowSecurity.com Articles of Interest

  1. Video: Change Management for Active Directory – Part 2
  2. Complacency: The 8th Deadly Sin of IT – Part 3
  3. Change Management for Active Directory
  4. Use Windows Command Line Tools and PowerShell to Manage Security in Windows Server 2012 – Part 1
  5. Panda Cloud Office Protection Voted WindowSecurity.com Readers' Choice Award Winner - Firewall

Windows Security Tip of the Month

The last link in the Articles of Interest section above really made me think about how some organizations approach security. Often a firewall is erected and a patch management solution is put in place and the company is considered "secure". Unfortunately, it isn't that easy. Yes, a strong edge security solution and an effective patch management infrastructure are essential, but protecting our systems takes much more than that. For companies serious about reducing their exposure to threats and vulnerabilities and making a significant improvement in their overall security posture, getting back to basics is often required. A good way to do that is to consider what changes could be made in our environment that would have the highest impact for reducing risk. The SANS Twenty Critical Security Controls for Effective Cyber Defense is an excellent reference which, when implemented, can provide demonstrable reduction in risk. Have a look at the most recent 20 Critical Security Controls list here.