WindowSecurity.com - Monthly Newsletter - September 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


Editor's Corner

I love the Windows phone. As an unabashed Microsoft cheerleader, I’m proud to say that I’ve never owned an iPhone, although I’ve had more than a few Blackberries and even a Palm Treo once (showing my advanced age there, huh?). I will tell you that I almost left the platform a few years ago. After owning a number of Windows Mobile devices, I was fed up with the lack of features and applications available. At the time, I was seriously considering moving to Android. However, right about that time a number of my close contacts inside Microsoft shared privately that there was a new Windows Phone OS coming that would change things dramatically. I held off on my decision, and after seeing the new Windows Phone 7 platform I decided to stick. I’m glad I did! Even though I didn’t have the best handset, I really liked Windows Phone 7 (here in the U.S., handsets are closely tied to the carriers, and I really liked my carrier though my choice of Windows phones was severely limited). Yes, the application availability was still very limited, but I loved the look and feel. With the introduction of Windows Phone 8, and the availability of one of the best Windows Phones on the market, the Lumia Icon, I’m happier than ever. Sure, the application selection still lags other platforms, but it hasn’t been a significant hindrance to me yet. But what about security? Is the Windows Phone 8 platform secure? Can it be securely managed? Is it a good candidate to replace the venerable Blackberry in the enterprise? We’ll explore those questions in this month’s newsletter.

--Rich

Windows Phone 8.1 Security

When Windows Phone 7 was first introduced, it was purely a consumer device with very few real enterprise-grade features. Since that time, Microsoft has made great strides to make the Windows Phone platform the mobile platform of choice for enterprises. In fact, with the upcoming release of Windows Phone 8.1, Microsoft is introducing a ton of new features that will greatly improve security and management for enterprises. Chief among these are secure MDM enrollment, security policy management, encryption of data and applications on removable storage media, assigned access to lock down the phone and restrict access to specific applications and services, and support for S/MIME. In addition, improvements to secure networking include support for enterprise Wi-Fi connectivity with EAP-TLS and EAP-TTLS, support for secure VPN protocols like IKEv2, IPsec, and SSL VPN, and auto-triggered VPN connections. Windows Phone 8.1 also provides support for essential mobile device security features like remote business data removal. And to address identity concerns, the new platform includes support for virtual smart cards.

The security of any mobile device depends greatly on the security of the hardware itself. Windows Phone devices include Unified Extensible Firmware Interface (UEFI) firmware to ensure the integrity of, and provide essential protection for, the boot process, and a Trusted Platform Module (TPM) to provide tamper resistance and protection for cryptographic keys and hashes. Malware resistance is greatly improved by leveraging these technologies to secure the boot process, reducing the likelihood of a rootkit or other malware being installed during operating system startup.

Application security and integrity is another key element in providing a secure mobile device experience, and the Windows Phone 8.1 platform excels here. Windows Phone apps are downloaded from the Windows Phone store, where all published apps are carefully screened and scanned for viruses and malicious software. Apps running on the phone are sandboxed and isolated from each other and the operating system. Windows Phone 8.1 also includes features like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate common attack techniques.

To address data leakage concerns, Windows Phone 8.1 supports encryption of internal storage as well as external storage devices. It also includes native support for Information Rights Management (IRM) using Windows Rights Management Services (RMS).

Mobile device management includes the controlled provisioning, ongoing management, and deprovisioning of devices. To support these initiatives, Windows Phone 8.1 includes support for remote wipe, remote device retirement, remote lock, remote password (PIN) reset, and remote ring. Assigned Access enables administrators to provision Windows Phone 8.1 devices in a locked-down mode where only a specific set of applications or services is accessible to the user. A common use case here would be kiosk-like functionality for retail workers. Windows Phone 8.1 can be managed natively using System Center Configuration Manager (SCCM), Windows Intune, or a variety of third-party mobile device management platforms.

Windows Phone 8.1 is loaded with enterprise-grade features that effectively address the security and management issues faced by many organizations today. You’d be foolish not to give it serious consideration for your mobile device requirements. Not only will you be getting one of the most secure and manageable platforms available today, your users will also benefit from a seamless experience using Windows across all of their platforms – PC, tablet, and smartphone.

For more information about Windows Phone 8.1 security, click here.

 

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an essential skill for network engineers and systems administrators who want to be successful. While there are some excellent IPv6 references available today, there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides the detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.


Click here to order your copy today!


Microsoft Security Bulletins for September 2014

For the month of September, Microsoft released four security bulletins to address forty-two individual CVEs. One is rated critical and three are rated important. Affected software includes Windows, Internet Explorer, Lync, and .NET Framework. For more information about September’s security bulletins click here. Microsoft also revised three security advisories. The first is security advisory 2871997, which provides an update to improve credential protection and management. This update now includes support for Windows 7 and 2008 R2. Security advisory 2905274, which includes an update to address an insecure ASP.NET site configuration issue, is now available via Windows Update, and security advisory 2755801, an update for vulnerabilities in Adobe Flash Player in Internet Explorer, was also updated.

 


Security Articles of Interest

  1. Recently the Microsoft Rights Management team announced major updates to their offering, including improved Office file support and service improvements. Efforts were made to improve the way you share RMS-protected documents and make them work on more devices. Also added were email notifications, support for Mac OS X, and integration of Azure RMS with on-premises services. Check out the details here. Look for more updates to come soon!

  2. Stanford University just held their inaugural Congressional Cybersecurity Boot Camp, which brought together two dozen U.S. congressional staffers along with academic and industry security experts to discuss ways to better protect government, public, and industry from threats. One of the topics of discussion was a publication by the council on critical controls for effective cyber defense, which establishes a prioritized list of controls, similar in some ways to the SANS Top 20 critical controls. More details here.

  3. Availability is a critical, and often overlooked, component of security. Having a good disaster recovery plan in place is essential for this. The cloud lends itself quite well in this respect, and Microsoft even provides cloud-based disaster recovery services with Azure Site Recovery. Of course, when you start shipping services and data to the public cloud, there are security and privacy concerns. For details on how Microsoft keeps your data safe when using Azure Site Recovery, click here.

  4. Recent data shows that industry vulnerability disclosures are trending up. Microsoft has released data detailing vulnerability severity trends, vulnerability complexity trends, as well as operating system, browser, and application vulnerabilities. More details here.

  5. Microsoft announces the Microsoft BitLocker Administration and Monitoring (MBAM) compliance data cleanup tool version 2.5. This is a command-line tool that enables you to delete machine records from the compliance status database of MBAM. More details here.

  6. Firmware on USB devices may pose a potential threat for home and enterprise users alike. Security researchers have demonstrated that it is possible for malware to overwrite firmware on USB drives, making possible attacks such as a USB drive masquerading as a keyboard and issuing keystrokes to download malicious software to the infected host. A few other insidious attacks are also possible. These attacks have not yet been seen in the wild, so there’s no need to throw all of your USB drives out just yet. Microsoft provides guidance for both consumers and enterprises in this blog post from the MMPC.

  7. Brad Anderson describes how Microsoft is taking the offensive against malware, providing details about how Microsoft protects devices and users, and how System Center Endpoint Protection (SCEP) integrates with System Center Configuration Manager (SCCM).

  8. In the last few newsletters I’ve shared with you stories about Microsoft battling the U.S. government’s request for data that resides in a foreign data center. This has serious implications for cloud providers doing business outside of the U.S. Although Microsoft lost their appeal in this case, they have refused to hand over the data and have now been found in contempt. I think this speaks volumes about Microsoft and the seriousness with which they take providing security and privacy for their customers’ data. More details here.

  9. The SHA-1 hashing algorithm, although widely in use today, has been demonstrated to be weak and is in the process of being phased out in favor of SHA-256. Microsoft has previously stated that it won’t accept SHA-1 certificates after 2016, so organizations have some time to migrate. However, Google recently made some policy changes that will penalize sites that use SHA-1 before that time. If you haven’t begun planning your migration to SHA-256 certificates, now is the time to start! Find out more here.

  10. A recent trend has arisen where malware authors are bundling bitcoin miners into the installers of popular games. When the game is installed, the bitcoin miner silently runs in the background, consuming system resources and generating cash for the authors. More details here.

WindowSecurity.com Articles of Interest

  1. Planning considerations for BYOD and Consumerization of IT – Part 2
  2. Video: Microsoft Baseline Security Analyzer 2.3 – A Detailed Look
  3. Planning Considerations for BYOD and Consumerization of IT – Part 3
  4. Microsoft Windows Server Update Services (WSUS) voted WindowSecurity.com Readers’ Choice Award Winner – Patch Management

Windows Security Tip of the Month

As I stated previously, the latest release of the Windows Phone platform, Windows Phone 8.1, includes many new features and functionality to improve security and manageability. Windows Phone 8.1 can, naturally, be managed using Microsoft System Center Configuration Manager (SCCM) and Microsoft’s cloud-based systems management tool, Windows Intune. Although third-party management platforms are also supported, I expect that the best experience will be found using the Microsoft offerings. If you’re interested in learning more about Windows Phone 8.1 device enrollment, configuration policies, assigned access, storage management, certificate and Wi-Fi management, VPN configuration, email account and message management, application management, and device lifecycle management, download the Windows Phone 8.1 Mobile Device Management Overview guide here.