Forefront TMG 2010 has been Discontinued !!!

It has finally been announced: Microsoft has decided to discontinue some of its very popular products, among them Forefront Threat Management Gateway 2010, together with the others listed below:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

It should also be mentioned that among all of these, Forefront Protection 2010 for Exchange Server (FPE) will live on, but it will be bound to Office 365 and renamed Exchange Online Protection.

I still remember the rumor about a year ago about this decision, but it was not confirmed then. Now that it is confirmed, there are still questions left on why Microsoft has made this strategic decision, especially the decision to discontinue TMG, which is a very popular product. It is currently used by a lot of companies as gateway software for many different purposes. It was the successor of the popular Microsoft ISA Server 2006, and now the whole line has been discontinued with no further development.


How to Patch the Internet Explorer 9 Security Vulnerability…

After the big security issue in Java 6, a few days ago we heard of a very serious security vulnerability discovered in Windows Internet Explorer 9 and below. This vulnerability allows an attacker to execute code remotely on a victim's machine. It becomes possible when the user clicks on a link and is redirected to a website containing malicious code that exploits the vulnerability on the user's machine.

Here is a link that will give you more information about the nature of the vulnerability: CVE-2012-4969

Microsoft reacted to this pretty critical issue; even though not super fast, it took them only a couple of days (if I am not mistaken) to release a patch for it. It deserves a mention that some hours after the discovery of the issue, they introduced a workaround for the problem that could keep the machine safe, but it was not the best solution anyway, and I don't think any organization went through the hassle of implementing it on a big number of machines.

Anyway, Microsoft came up with the patch today, and here is the link for you to get more information about it:

Microsoft Security Bulletin MS12-063

It will be automatically downloaded to your machines if you have enabled automatic update in Windows but if not, you can go directly to this link and download it:

Cumulative Security Update for Internet Explorer

Of course this was the link to the patch for the Windows 7 32-bit version, but if you are using another version of Windows, you can go to the first link and get the right version of the update.

Please leave me a comment in case you have any more questions or concerns.

Cheers,

Esmaeil

Centralized Security in Windows Server 2012

Trying to control file security on enterprise servers is like herding extremely fertile cats; without clamping down on breeding, they’re soon too numerous to control. Microsoft (NSDQ:MSFT) addresses this problem with Dynamic Access Control, a feature in the forthcoming Windows Server 8 that introduces centralized, domain-level security for file and folder access that layers atop any existing file system permissions.

According to Microsoft, upwards of 80 percent of corporate data is found on company servers, often with little or no content documentation, custody auditing or departmental ownership metadata.

Delivered via a new version of Active Directory, Dynamic Access Control works by layering Kerberos security and an enhanced file-level auditing and authentication system that can automatically tag sensitive data based on content and creator.

Dynamic Access Control introduces claims into the Windows Server security lexicon, a concept long present in the broader realm of federated Internet security, which in Microsoft parlance refers to object assertions issued by Active Directory.

Active Directory 8 defines claims for files, folders and shares, all of which can be sent and applied to other Windows Server 8 servers across an organization along with file property definitions and access policies.

The four-pillar Dynamic Access Control system begins with identification of high-impact data through manual, automatic or application-based tagging. For instance, administrators might choose to tag all Excel documents as sensitive, and search Word documents for certain words such as "confidential" for additional tagging.

Central access policies are created based on these file tags using a new expression-based tool in Active Directory Administrative Center that sets up access conditions on user and device claims and file tags, and handles access-denied remediation.

By applying centralized policies automatically (or manually), access to such files can be restricted by multiple criteria, including user, device and department.

Part three of DAC is auditing, for which Microsoft provides centralized policies applicable across multiple servers using the same expression-based tool and claim support, plus a staging area that permits policy-change simulations.

The final pillar of Windows Server 8's access security platform is data protection, which automatically applies Microsoft's RMS security model to Office documents with near-real-time protection immediately after documents are tagged, and is extensible to non-Office documents.
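As an added example (not part of the original article), the first three pillars expressed with the ActiveDirectory module cmdlets that shipped in Windows Server 2012, the released name of "Windows Server 8". The claim ID "ad://ext/Department", the "Finance" tag value and the share path D:\Shares\Finance are constructed assumptions; the script assumes a domain with the Windows Server 2012 schema and a domain admin session.

```powershell
Import-Module ActiveDirectory

# Pillar 1 (identification): a claim sourced from the AD "department" attribute
# for both users and their computers, and a matching resource property that
# file tags can carry. The claim ID is set explicitly (assumption) so the rule
# below can reference it; AD generates one when -ID is omitted.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -AppliesToClasses @("user", "computer")
New-ADResourceProperty -DisplayName "Department" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" `
    -SuggestedValues @(New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
        "Finance", "Finance", "Finance department"))
Add-ADResourcePropertyListMember "Global Resource Property List" -Members "Department"

# Pillar 2 (central access policy): an expression-based rule. The resource
# condition selects files tagged Department=Finance; the conditional ACE (XA)
# grants read/execute (0x1200a9) to Authenticated Users only when the user's
# Department claim equals the file's Department tag. Owner, Administrators and
# SYSTEM keep full access (FA). Resource property IDs carry the "_MS" suffix.
$current = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
           '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'

# Pillar 3 (auditing / staging): a proposed ACL is evaluated but not enforced.
# Whenever it would have granted different access than the current ACL, the
# file server logs an audit event, so this stricter rule (user AND device
# must belong to the department) can be simulated before it goes live.
$proposed = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
            '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) && ' +
            '(@DEVICE.ad://ext/Department == @RESOURCE.Department_MS)))'

New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $current -ProposedAcl $proposed
New-ADCentralAccessPolicy -Name "Finance Documents Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Documents Policy" `
    -Members "Finance Documents Rule"

# Deployment: the policy reaches file servers through Group Policy (Computer
# Configuration > Policies > Windows Settings > Security Settings > File System
# > Central Access Policy). On the file server, refresh the property
# definitions and pin the policy to the share root; it then layers on top of
# whatever NTFS permissions the folder already has.
Update-FsrmClassificationPropertyDefinition
Set-Acl -Path 'D:\Shares\Finance' -CentralAccessPolicy 'Finance Documents Policy'
```

Files under the share only become subject to the rule once they carry the Department tag, whether set by hand, by a classification rule, or by an application.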

Windows 8 Security Mechanisms

We live in a world of information where all our data is maintained in a digital format.

What would be your reaction if you found out that an unknown person has accessed your profile information? How would you react if you found out that your credit card details and passwords stored in your computer have been compromised?

Microsoft has ensured that it leaves no stone unturned to ensure that its new billion-dollar venture is equipped with adequate levels of protection.

Viruses, worms and Trojans that corrupted previous versions of Windows will not be able to tamper with the Windows 8 operating system easily. Windows president Steven Sinofsky has described some security features of Windows 8 at the recent Microsoft Build conference, and how they are derived from their predecessor, Windows 7.

In this article, we present an overview of the new security features of Windows 8.

Security Features of Windows 8

  • Address space layout randomization (ASLR)

It involves randomly arranging the base addresses of the executable, libraries, heap and stack in a process's address space. The user's code and data locations on the hard drive are shuffled randomly to avoid revealing addresses to hackers. This feature existed in Windows 7 but has been enhanced in Windows 8.

  • Heap Randomization (HR)

Attackers can corrupt programs or cause abnormal execution by overwriting data pointers located in the heap. Randomization attempts to prevent this by adding guard pages in between so that data pointers are not altered.

  • Kernel mode security:

Kernel mode processes run in a special section of memory reserved for them. Microsoft has tweaked user mode processes in Windows 8 so that they cannot access the kernel address space, which means the lower 64k of process memory is not accessible by user processes.

  • UEFI Secure Boot:

Drivers and applications that start along with the operating system are assigned keys by Microsoft that are verified by the operating system at startup. If a driver or application does not possess the proper key, it is not allowed to start with the operating system processes. This ensures that malware does not interfere with antivirus programs.

  • Windows Defender:

Windows Defender has been enhanced to identify all types of malware, virus and worm signatures from the Microsoft Malware Protection Center. Previously, its database stored only spyware and adware signatures.
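As an added example (not part of the original article), a read-only script that checks three of the mechanisms above on the machine it runs on: heap randomization, UEFI Secure Boot and the Windows Defender service. It assumes Windows 8 or later and an elevated PowerShell prompt (Confirm-SecureBootUEFI needs it).

```powershell
# Heap randomization: the process heap base is chosen randomly per process,
# so the same small allocation made here and in a freshly started child
# process should land at different addresses.
function Test-HeapRandomization {
    $here  = [Runtime.InteropServices.Marshal]::AllocHGlobal(16).ToInt64()
    $child = & powershell.exe -NoProfile -NonInteractive -Command `
        '[Runtime.InteropServices.Marshal]::AllocHGlobal(16).ToInt64()'
    $there = [int64]($child | Select-Object -Last 1)
    [pscustomobject]@{
        Check      = 'Heap randomization'
        ThisProc   = '0x{0:X}' -f $here
        ChildProc  = '0x{0:X}' -f $there
        Randomized = ($here -ne $there)
    }
}

# UEFI Secure Boot: $true when the firmware enforces signature checks on the
# boot chain. The cmdlet throws on legacy BIOS systems, so that is reported
# rather than treated as a script failure.
function Test-SecureBoot {
    try   { $on = Confirm-SecureBootUEFI; $note = '' }
    catch { $on = $false; $note = "unavailable: $($_.Exception.Message)" }
    [pscustomobject]@{ Check = 'UEFI Secure Boot'; Enabled = $on; Note = $note }
}

# Windows Defender: the enlarged signature set only matters if the antimalware
# service (WinDefend) is actually running, e.g. not replaced by another product.
function Test-Defender {
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'Windows Defender service'
        Running = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

@(Test-HeapRandomization, Test-SecureBoot, Test-Defender) | Format-List
```

Image bases of system DLLs are randomized once per boot and shared by all processes, so a per-process comparison like the heap one above would not show ASLR for them; compare across reboots instead.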

Microsoft continues its support for third-party antivirus and antimalware vendors while revamping Windows Defender with the help of its security development team.

Microsoft follows a security development lifecycle to ensure it does not encounter problems like those that Windows XP users experienced in the past. Microsoft has also identified the main cause of inadequate malware protection on 75% of computers.

According to Microsoft, users fail to renew their trial version after expiry, and most of them do not update their security components regularly. Stay tuned for more security-related news from Microsoft.

Manage the Network Security from the Cloud using Windows Intune

While everything is moving to the cloud, you may wonder whether it is possible to manage the computers in your network from the cloud. The answer is yes: using Microsoft Windows Intune, you can protect your PCs from network threats and malware, manage security policies and firewalls, easily deploy the latest Microsoft security updates and help safeguard data with BitLocker and BitLocker To Go in Windows 7 Enterprise.

Microsoft believes Windows Intune, its web-based PC management service, is well suited for companies and businesses with around 500 PCs. Intune bypasses (but respects) Active Directory (AD) and Group Policy (GP), offering instead a much simpler set of management capabilities that should be welcome to overtaxed IT departments in mid-sized businesses.

Intune strikes a nice balance. It consists of a Silverlight-based web console that looks and feels a lot like Microsoft's on-premises consoles, plus a set of client agents. From the web console, you can view details about the connected computers (alert status, update status and malware protection status); view, manage and configure how updates are applied to your managed computers; view the anti-malware status of managed computers; view alerts; survey the software and software versions installed across your managed computers; optionally manage volume licenses to ensure that the software in your environment is correctly licensed; create and manage (non-GP) policies; view and create reports; and perform other administrative tasks.

Managed clients can include PCs running Windows XP SP2+, Vista or 7, and they require a software agent to be installed. For environments using GP, Microsoft provides instructions for properly configuring the client (to avoid policy conflicts) and rolling out the agent. Smaller outfits can deploy the client manually.

Windows Intune also does not support mobile devices like smartphones and tablets; it supports only Windows PCs. But Main says Microsoft plans to extend support to mobile devices in future versions.

Microsoft also plans to integrate Windows Intune with Office 365 so that IT pros can use Intune to deploy Office in the cloud. But right now, that integration is not in place for Windows Intune 2.0.

What are Honeypots ?!!

Today I would like to talk to you all about honeypots. The purpose of this article is to provide a detailed analysis of what honeypots are, some of their characteristics, the different types of honeypots, their pros and cons, the actual mechanics of how honeypots work, and who uses them; also how they can help prevent attacks, and of course their value as a technology, from common users up to corporations.

The word "honeypot" originated from an espionage technique used during the Cold War, with its origins in sexual entrapment. The term "honeypot" described the use of a female agent to sexually entrap a male official of the other side for the purpose of gaining information: for example, his handing over top-secret, for-his-eyes-only material, not knowing her true intention as a spy to pass on our troop movements by land, air and sea, supply lines, and future plans for the invasion or evacuation of troops; not knowing the agent's true intention, like in the movie Hostel. So now to the computer meaning of honeypot. A honeypot is a decoy resource that pretends to be a real target, setting up a trap in the expectation of being attacked or compromised. Its main goals are to distract an attacker and to gain information about the attacker, his methods of attack and his tools. Put simply, a honeypot attracts attacks because it acts as a weakened system and as an entrance to the attacker's target; it is like the fire leading a moth to the flame.

I feel honeypots are an effective countermeasure in preventing unauthorized use of critical information systems on the network. Here are the basic characteristics of honeypots: one, they are highly flexible systems; two, they are able to detect attackers' movements and behaviors; and three, they capture the latest online vulnerabilities spreading to networks, for the administration team to analyze and fix for a stronger network. Where are honeypots being used, and by whom? Honeypots are being used at government buildings, big businesses, other non-profit organizations, and schools like here at ECU. As will be explained, governments, big businesses and other non-profit organizations use honeypot technology for production purposes, as support against attacks attempting to invade secure systems and bring them down: instead, the attacker attacks the decoy honeypot, which thereby serves its purpose. Schools, on the other hand, use honeypot technology for research purposes, to teach future security majors the weaknesses exposed by the different attacks collected by the honeypots, and as a way of developing new defensive tools to add to the network.
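As an added example (not part of the original essay), a minimal low-interaction decoy of the kind described above: it listens on a port no real service uses, records who connects and what they send first, and never answers, so its only output is information about whoever probes it. Assumptions: TCP port 2222 is unused on the host and C:\honeypot\connections.log is writable.

```powershell
$Port    = 2222                              # constructed: any unused port works
$LogPath = 'C:\honeypot\connections.log'     # constructed sample path
New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

# One JSON line per hit (time, source, port, first bytes) so the log can be
# fed to a SIEM or analyzed later by the administration team.
function Write-HoneypotEvent([string]$Remote, [string]$Data) {
    $evt = [pscustomobject]@{
        time   = (Get-Date).ToString('o')
        remote = $Remote
        port   = $Port
        data   = $Data
    }
    Add-Content -Path $LogPath -Value ($evt | ConvertTo-Json -Compress)
}

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
$listener.Start()
Write-Host "Decoy listening on TCP/$Port, logging to $LogPath (Ctrl+C to stop)"
try {
    while ($true) {
        # Poll instead of blocking in Accept so Ctrl+C is honored promptly.
        if (-not $listener.Pending()) { Start-Sleep -Milliseconds 200; continue }
        $client = $listener.AcceptTcpClient()
        $remote = $client.Client.RemoteEndPoint.ToString()
        $stream = $client.GetStream()
        $stream.ReadTimeout = 3000            # a silent port scan sends nothing
        $buf  = New-Object byte[] 1024
        $read = 0
        try { $read = $stream.Read($buf, 0, $buf.Length) } catch { }
        # Keep only printable ASCII so a hostile payload cannot corrupt the log.
        $text = [System.Text.Encoding]::ASCII.GetString($buf, 0, $read) -replace '[^\x20-\x7e]', '.'
        Write-HoneypotEvent -Remote $remote -Data $text
        $client.Close()                       # no banner, no service, no reply
    }
} finally {
    $listener.Stop()
}
```

Because nothing legitimate should ever connect to the decoy port, every line in the log is worth investigating; correlate the source addresses with firewall and server logs from the same time window.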


A Step by Step Guide on How to Set Up Teredo Tunneling…

What is Teredo? A Microsoft-supported tunnel that is established directly from your client machine. Teredo was meant to be used only by applications that specifically request it. For this reason, a host that has Teredo enabled would only ever use Teredo to connect to IPv6-only machines; if IPv4 is an option, it will always prefer that. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista/7 (enabled by default in the latter two, though not enabled for "general application use" by default), and we can expect it to be used to get to IPv6-only content, as tunnel brokers, on the outside, may seem like more work to set up. And indeed, with the release of an IPv6-capable uTorrent and HE's provisioning of Teredo relay servers, Teredo traffic has spiked sharply.

Setting up Teredo

And here's the step by step guide on how to set up Teredo. Again, keep in mind that IPv4 will always be preferred: go6.net will show you an IPv4 address if all you have is Teredo.

Windows XP SP2

  • Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment some by either sticking a host onto the Internet directly, without a home router in between. If you have an additional public IP address, you could also set up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that will get around the issue, have been less than successful. While Teredo claimed I was behind “cone” NAT, I still had no connectivity.
  • Add the IPv6 protocol to your interface. Control Panel | Network Connections -> Right-Click "Properties" on your LAN or WiFi connection, "Install…", "Protocol", "Add…", choose "Microsoft TCP/IP version 6", hit "OK" until you're out again.
  • Open a command line ("cmd" from Start | Run) and run "ipconfig /all". You should now see a "link local" IPv6 address, which looks something like "fe80::214:85ff:fe2f:8f06%4". This won't be useful for connecting to anything "out there", but it'll let you know IPv6 is up and running.
  • Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server.
  • If you are on a Windows domain – as opposed to a home workgroup – Teredo will disable even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”
  • The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT and thus Teredo won’t work here is “Error : client behind symmetric NAT”
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it's working. Or you could "ping ipv6.google.com" from the command line, which should show you an IPv6 address, and succeed.
  • A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.
  • Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
  • Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.

Windows Vista

  • IPv6 and Teredo both are enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Arakin: In order to avoid IPv6 connectivity issues caused by default Teredo tunnels, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request its use, and that does not include any browsers.
  • Thus, we need to hoodwink Vista. If the criterion is "has only link-local or Teredo addresses", why, then we need to supply another address. Luckily, IPv6 maps the entire IPv4 address space, so we can use that. In reality, it doesn't matter which address we configure, since it won't ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your "Teredo Tunneling Pseudo-Interface" using "route print" and looking at the "Interface List" at the top of its output. In my case, it is "14". Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it's working. Or you could "ping ipv6.google.com" from the command line, which should show you an IPv6 address, and succeed.
  • Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 – added Windows 7 and Troubleshooting sections]

Windows 7 [this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 – replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

  • IPv6 and Teredo both are enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses.
  • Thus, we need to hoodwink Win7. As with Vista, we will provide a 6to4 address. Luckily, IPv6 maps the entire IPv4 address space, so we can use that. In reality, it doesn't matter which address we configure, since it won't ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • In order for Win7 to resolve names to IPv6 addresses, we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your "Teredo Tunneling Pseudo-Interface" using "route print" and looking at the "Interface List" at the top of its output. In my case, it is "14". Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. Try to ping ipv6.google.com or connect to http://ipv6.google.com/.
  • Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
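The Vista/Win7 procedure above, scripted as an added example (not part of the original guide) using the same netsh commands the steps list. It assumes an elevated PowerShell prompt, that the LAN interface is named "Local Area Connection" (check "netsh interface ipv6 show interfaces"), and it uses the guide's sample 192.168.1.2 / 2002:c0a8:102:: address; the 6to4 conversion function is general and works for any IPv4 address.

```powershell
$ifName = 'Local Area Connection'   # assumption: change to your interface name

# The "converted IPv4 address" the guide refers to: 2002:WWXX:YYZZ:: where
# WWXXYYZZ is the IPv4 address in hex, e.g. 192.168.1.2 -> 2002:c0a8:102::
# (leading zeros in a group are dropped, as IPv6 notation allows).
function ConvertTo-SixToFourPrefix([string]$IPv4) {
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    $groups = @(('{0:x2}{1:x2}' -f $b[0], $b[1]), ('{0:x2}{1:x2}' -f $b[2], $b[3])) |
        ForEach-Object { $g = $_.TrimStart('0'); if ($g) { $g } else { '0' } }
    "2002:$($groups[0]):$($groups[1])::"
}

# Step 1: static 6to4-style address with no gateway. Its only job is to make
# the resolver see something other than link-local/Teredo addresses, so that
# names start resolving to IPv6 addresses.
$prefix = ConvertTo-SixToFourPrefix '192.168.1.2'    # constructed sample, as in the guide
netsh interface ipv6 add address "$ifName" "$prefix/48"

# Step 2: point Teredo at a server. A domain-joined machine must use the
# enterpriseclient type, otherwise Teredo disables itself.
$domainJoined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
if ($domainJoined) { netsh interface ipv6 set teredo enterpriseclient teredo.ipv6.microsoft.com }
else               { netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com }

# Step 3: stop early if Teredo reports the NAT type it cannot work behind
# (the "client behind symmetric NAT" message from the XP section).
$state = netsh interface ipv6 show teredo | Out-String
if ($state -match 'symmetric NAT') { throw "Teredo cannot be used here:`n$state" }

# Step 4: find the index of the Teredo pseudo-interface (the guide's "14") and
# force all IPv6 traffic through it.
$line = netsh interface ipv6 show interfaces |
    Where-Object { $_ -match 'Teredo Tunneling Pseudo-Interface' } | Select-Object -First 1
if (-not $line -or $line -notmatch '^\s*(\d+)') { throw 'No Teredo interface found' }
$idx = $Matches[1]
netsh interface ipv6 add route ::/0 "interface=$idx"

# Step 5: renegotiate the tunnel and test against an IPv6-only host.
netsh interface ipv6 renew
ping -6 -n 2 ipv6.google.com
```

Remember that even after this, IPv4 is still preferred for any name that also has an A record; only IPv6-only destinations will go through the tunnel.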


A Complete Guide on Active Directory Certificate Services in Windows Server 2008 R2

Windows Server 2008 R2 includes a built-in Certificate Authority (CA) technology that is known as Active Directory Certificate Services (AD CS). The first iteration of AD CS emerged with Windows Server 2008, though previous versions of the technology were simply known as Certificate Services. AD CS can be used to create certificates and subsequently manage them; it is responsible for ensuring their validity. AD CS is often used in Windows Server 2008 R2 if there is no particular need to have a third-party verify an organization’s certificates. It is common practice to set up a standalone CA for network encryption that requires certificates only for internal parties. Third-party certificate authorities such as VeriSign are also extensively used but require an investment in individual certificates.
Note

Although the term Active Directory has been incorporated into the name of the Windows Certificate Services function, it should be understood that AD CS does not necessarily require integration with an existing Active Directory Domain Services (AD DS) forest environment. Although this is commonly the case, it is important to understand that AD CS is independent of AD DS forest design.

Windows Server 2008 R2 introduced a few additions to AD CS features, including the following:

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service: This is the most significant improvement, essentially allowing certificates to be enrolled directly over HTTP, enabling non-domain or Internet-connected clients to connect and request certificates from a CA server.

Improved support for high-volume CAs used for NAP: AD CS in Windows Server 2008 R2 improves the database performance when high-volume scenarios such as NAP are utilized.

Support for cross-forest certificate enrollment: AD CS in Windows Server 2008 R2 allows for CA consolidation across multiple forests.


System Center Endpoint Protection 2012

Hi all and happy late new year…

Today I want to introduce new software by Microsoft called System Center Endpoint Protection 2012, which is going to be released soon. This is really good software that helps you centralize endpoint security in your environment. It will be used in conjunction with System Center Configuration Manager to bring a lot of exciting new security features. As far as the information about the product says, endpoint clients will be distributed to the client machines, through which those machines can be connected to, and therefore managed by, the central management console installed on a server.

One of the interesting features is that if there are already antivirus applications installed on the client computers, the endpoint client will automatically remove all that third-party antivirus or anti-spyware software and install itself instead. SCEP 2012 will also provide support for non-Microsoft clients. All in all, SCEP 2012 will allow you to combine the two concepts of security management and client management. Usually one of them is missing in almost all the solutions we see in the market, and Microsoft believes that with SCEP 2012 it can bring both security and client management into the same window for admins.

There has not been much information about it yet, but there is a great interview video you can watch here which is all about SCEP 2012.

You can also download the Release Candidate from this link.

Best Wishes

Identity Theft and its Huge Cost

Identity theft is a big threat for everyone in the cyber world, and each stolen identity is worth almost $5,000 to a criminal, which is a pretty big number. But the question is how people are taking care of their identity.

As far as my memory helps me, when it comes to security, people only think of installing antivirus software on their machines to protect them against any possible threats on the internet, and they are fully unaware of the fact that there are tens of different ways that could put their identity at risk. The infographic below by ZoneAlarm shows different identity theft techniques, the valuable outcome for the thieves and of course the steps that need to be taken to hopefully get your ID back: