A Complete Guide on Active Directory Certificate Services in Windows Server 2008 R2

Windows Server 2008 R2 includes a built-in Certificate Authority (CA) technology known as Active Directory Certificate Services (AD CS). The first iteration under that name emerged with Windows Server 2008; previous versions of the technology were simply known as Certificate Services. AD CS is used to issue certificates and subsequently manage them, and it is responsible for vouching for their validity (publishing revocation information, for example). AD CS is often used in Windows Server 2008 R2 when there is no particular need for a third party to verify an organization’s certificates: it is common practice to set up an internal CA for network encryption that only internal parties need to trust. Keep in mind that such a CA is only as good as the trust stores that contain its root: an enterprise CA publishes its root to AD DS so that domain members trust it automatically, whereas a standalone CA’s root has to be distributed (for instance through Group Policy) before clients will accept the certificates it issues. Third-party certificate authorities such as VeriSign are also extensively used, but each certificate has to be bought from them.

Although the term Active Directory has been incorporated into the name of the Windows Certificate Services role, AD CS does not necessarily require integration with an existing Active Directory Domain Services (AD DS) forest. Although that is commonly the case, it is important to understand that AD CS can be designed independently of the AD DS forest: a standalone CA runs without domain membership, while an enterprise CA must be a domain member and uses AD DS for certificate templates, enrollment and publishing.
Windows Server 2008 R2 introduced a few additions to AD CS features, including the following:

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service— This is the most significant improvement: certificates can be requested and enrolled over HTTPS (both services require TLS), so non-domain-joined or Internet-connected clients can obtain certificates from a CA server without needing DCOM/RPC access to it.

Improved support for high-volume CAs used for NAP— AD CS in Windows Server 2008 R2 improves the database performance when high-volume scenarios such as NAP are utilized.

Support for cross-forest certificate enrollment— AD CS in Windows Server 2008 R2 allows for CA consolidation across multiple forests.
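Validity, in the sense used above, means that a relying party can build a chain from the issued certificate to a trusted root and confirm that nothing in that chain has been revoked. The script below is an added example, not code from the original article, that performs exactly that check with the .NET X509Chain class available on Windows Server 2008 R2 (PowerShell 2.0). The certificate path and the root thumbprint are hypothetical placeholders.

```powershell
# Added example, not code from the original article: check that a certificate issued
# by an internal AD CS CA chains to a trusted root and has not been revoked, using
# the .NET X509Chain class shipped with Windows Server 2008 R2 / PowerShell 2.0.
# The file path and root thumbprint below are hypothetical placeholders.

function Test-InternalCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        # Thumbprint of the root you expect the chain to end at; chaining to some
        # other trusted root (a public CA, say) is then reported as a failure.
        [string]$ExpectedRootThumbprint
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Revocation is checked online for every certificate in the chain, using the
    # CRL/OCSP locations the CA stamped into the certificate, and an unreachable CRL
    # counts as a failure (NoFlag) instead of being silently ignored.
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $ok = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    if ($ok -and $ExpectedRootThumbprint) {
        # The last element of a built chain is the root the machine trusted.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
            $ok = $false
            $problems += 'UnexpectedRoot'
        }
    }

    New-Object PSObject -Property @{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotAfter  = $cert.NotAfter
        Valid     = $ok
        Problems  = ($problems -join ', ')   # e.g. Revoked, RevocationStatusUnknown, UntrustedRoot
        ChainPath = (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
    }
}

# Usage (placeholder values): run on a machine that trusts the internal root, with
# network access to the CRL distribution point listed in the certificate.
Test-InternalCertificate -Path 'C:\certs\web01.contoso.local.cer' `
    -ExpectedRootThumbprint '0000000000000000000000000000000000000000' | Format-List
```

Two details matter here. Build() succeeds for any chain ending at a root in the machine's trust store, so pinning the expected root thumbprint is what distinguishes "issued by our CA" from "issued by somebody the machine happens to trust". And RevocationMode must be Online with the default verification flags, otherwise a CRL that cannot be fetched is ignored and a revoked certificate still passes.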


System Center Endpoint Protection 2012

Hi all and happy late new year…

Today I want to introduce new software from Microsoft called System Center Endpoint Protection 2012, which is due to be released soon. It is genuinely good software that helps you centralize endpoint security in your environment. It is used in conjunction with System Center Configuration Manager and brings a number of new security features. According to the information released about the product, an endpoint client is distributed to each client computer; through that agent the clients connect to, and are managed by, the central management console installed on a server.

One of the interesting features is that if anti-virus applications are already installed on the client computers, the endpoint client will automatically remove those third-party anti-virus or anti-spyware products and install itself instead. SCEP 2012 will also provide support for non-Microsoft clients. All in all, SCEP 2012 lets you combine the two concepts of security management and client management. Usually one of the two is missing from almost every solution on the market, and Microsoft believes that with SCEP 2012 it can bring both security and client management into the same window for admins.

There is not much information about it yet, but there is a great interview video you can watch here which is all about SCEP 2012.

You can also download the Release Candidate from this link.

Best Wishes

Identity Theft and its Huge Cost

Identity theft is a big threat to everyone in the cyber world, and each stolen identity is worth almost $5,000 to a criminal, which is a pretty big number. But the question is: how well are people taking care of their identity?

As far as I can remember, when it comes to security, people only think of installing anti-virus on their machines to protect them against any possible threat on the Internet, and they are fully unaware that there are tens of different ways their identity could be put at risk. The infographic below by ZoneAlarm shows the different identity theft techniques, what they are worth to the thieves, and of course the steps that need to be taken to hopefully get your identity back:

Windows 8 Picture Password

One of the new features of Windows 8 is the ability to create a picture password, which is quite interesting in its kind. We have never seen such functionality in an operating system before, and Microsoft seems very keen on improving consumer security with new features like this in its new operating system, which is coming to the market soon.

Picture password lets you use a picture instead of text to log in, but how? It’s pretty easy: you choose a picture from your computer for your user account, then specify which parts of the picture you want to tap, and how many times, before Windows will let you log in.

So every time you want to log in, you will see that picture, asking you to tap it, say, three times; you are let in provided you have tapped the right places. Of course a gesture is not restricted to simply placing your finger on the screen: each one can also be a shape, such as a line or a circle, drawn on the screen.

This is a great improvement in Windows and I quite loved the idea. It makes it considerably more difficult for malicious users to break in by cracking the password. How hard this type of password is to guess depends largely on the number of taps, the gestures you have drawn and some other factors. Note that the picture password sits on top of the account’s text password, which still has to be set and remains usable, so that password needs to stay strong too; and because the gestures are entered on the screen, they can be shoulder-surfed in a way a typed password cannot.

Here is a great link through which you can get more information about this new feature.

How people look at your profile page?!!

I don’t want to say much, as the picture I have posted below speaks for itself: this is how people look at your Facebook profile page. The information is based on a study conducted by eyetrackshop.com, and it pretty much shows how much attention people pay to your personal information, whether you want them to or not.

If you want to see the results of the study for the profile pages of other social networking websites, you can go to this link.


Let’s assume the worst !!!

I was reading an interview with Andy Dancer, the CTO for EMEA at Trend Micro, and I really liked the point he made, so I thought, why not share it with you…

What he was talking about is that the old approach of treating the perimeter network as the security frontier doesn’t work any more; we need to think about securing every host rather than looking at security for the enterprise as a whole. Nowadays staff tend to use their own devices everywhere, including at work, which is one easy way of letting intruders in. Hackers no longer have to come through the firewall when they have such easy ways of getting onto the network. One thing Dancer suggested was encryption on every possible device, whether a PC, a server, a tablet or a smartphone. Encryption plays a very important role in making sure the data stays secure once the device is detached from the network. Microsoft BitLocker could be a really good choice, since it encrypts the whole volume and so protects the data at rest, when the device is off the network or powered off.

Let’s just assume the worst by asking ourselves: what if this smartphone were compromised? What risks would the whole enterprise be exposed to? How serious would it be? What kind of data does it store, and if that data were revealed, would the company suffer losses, and if so, to what extent?
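Answering "what would be readable if this device walked out the door" starts with knowing which volumes are actually protected. The script below is an added example, not from the interview or the original post, that inventories BitLocker through the WMI provider BitLocker ships with on Windows 7 and Windows Server 2008 R2. It must run elevated; the computer names are hypothetical.

```powershell
# Added example (not from the interview or the original post): report BitLocker
# protection per volume via the Win32_EncryptableVolume WMI class, so the
# "assume this device is lost" question has a concrete answer. Run elevated.
# Computer names are hypothetical placeholders.

function Get-BitLockerReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $volumes = Get-WmiObject -ComputerName $computer `
            -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
            -Class Win32_EncryptableVolume

        foreach ($vol in $volumes) {
            # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
            # A volume can be 100% encrypted yet still "unprotected" (protectors
            # suspended, as after some firmware updates), which is why ProtectionStatus,
            # not the encryption percentage, is the figure that matters for a lost device.
            $prot = switch ($vol.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }

            # GetConversionStatus returns its out-parameters as properties:
            # ConversionStatus 0 FullyDecrypted, 1 FullyEncrypted, 2 EncryptionInProgress,
            # 3 DecryptionInProgress, 4 EncryptionPaused, 5 DecryptionPaused.
            $conv = $vol.GetConversionStatus()

            New-Object PSObject -Property @{
                Computer          = $computer
                Drive             = $vol.DriveLetter
                Protection        = $prot
                EncryptionPercent = $conv.EncryptionPercentage
                ConversionStatus  = $conv.ConversionStatus
            }
        }
    }
}

# Usage: list every volume that whoever picks up the device could simply read.
Get-BitLockerReport -ComputerName 'laptop-01', 'laptop-02' |
    Where-Object { $_.Protection -ne 'On' } |
    Format-Table Computer, Drive, Protection, EncryptionPercent, ConversionStatus -AutoSize
```

The same class is what manage-bde -status queries under the hood; using it directly lets the check be run across many machines from one console and fed into whatever inventory you already keep.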

Never think of patches as the only way to secure an end device. Patches for Microsoft platforms and software are released on the second Tuesday of each month, but they need to be tested before they are applied to the server, and that naturally takes time; does that mean we have to leave the host exposed in the meantime? Host-based IPS systems are the suggested solution for this kind of risk; at least you can make sure that many of these attacks are mitigated. I already have another article on my blog about mitigating 0-day exploits using the Microsoft Enhanced Mitigation Experience Toolkit (EMET), and it can be accessed from here.



5nine Anti-Virus and Virtual Firewall for Hyper-V

When it comes to cloud security, as I have mentioned many times before in my blog posts and presentations, it is not only the physical servers that need protecting against outside attacks; attacks from the inside have also become very serious. With all those layers of security such as firewalls and IDS/IPS systems protecting the environment from outside attacks, attackers now think about attacking from the inside, needing only the minimum access to some resource inside the cloud infrastructure.

That minimum access is most of the time access to a virtual machine, where the attacker can settle in and try to escalate his or her privileges. To secure the access between virtual machines, and to stop attackers reaching resources inside one VM from another VM, we need a firewall that controls the flow of traffic between the VMs. Before introducing a product for that, it should be mentioned that there are already two ways to limit this kind of attack. First, the hypervisor in Microsoft Hyper-V mediates all access between VMs, with a number of filters built into it, so many attacks are prevented there. Second, Hyper-V supports VLANs on its virtual switches, and it is up to the designer to decide how to use VLANs and virtual switches to filter the traffic between different VMs. Bear in mind that VLAN tagging separates traffic at the switch; it does nothing against a guest that breaks out of the hypervisor itself.
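As an added example of the VLAN and virtual-switch approach just described (this is not 5nine's code nor the original post's), the script below pins each VM to its own access VLAN and turns on the switch-port guards that stop a compromised guest from impersonating its neighbours. It assumes the Hyper-V PowerShell module that ships with Windows Server 2012 or later; on Windows Server 2008 R2 the same settings are made in Hyper-V Manager or through the WMI provider. VM names and VLAN IDs are hypothetical.

```powershell
# Added example, not 5nine's or the original post's code. Assumes the Hyper-V
# PowerShell module (Windows Server 2012 or later). VM names and VLAN IDs are
# hypothetical placeholders.

function Get-VMIsolationReport {
    # One row per virtual NIC: which VLAN (if any) it sits on and whether the
    # switch-level guards that stop a compromised guest spoofing others are on.
    foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
        $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
        New-Object PSObject -Property @{
            VMName      = $nic.VMName
            Switch      = $nic.SwitchName
            VlanMode    = $vlan.OperationMode        # Untagged / Access / Trunk / Private ...
            VlanId      = $vlan.AccessVlanId
            MacSpoofing = $nic.MacAddressSpoofing    # should be Off
            DhcpGuard   = $nic.DhcpGuard             # should be On
            RouterGuard = $nic.RouterGuard           # should be On
        }
    }
}

function Set-VMTenantIsolation {
    param(
        [Parameter(Mandatory=$true)][string]$VMName,
        [Parameter(Mandatory=$true)][int]$VlanId
    )
    # Pin the guest's NICs to a single access VLAN and enable the guards. A guest
    # that is then compromised can only reach its own VLAN, cannot change its MAC
    # address to hijack another VM's traffic, cannot answer DHCP for its neighbours
    # and cannot advertise itself as their router.
    Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId $VlanId
    Set-VMNetworkAdapter -VMName $VMName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On
}

# Usage (hypothetical VM names): give each tenant its own VLAN, then list any NIC
# that is still untagged or still allowed to spoof MAC addresses.
Set-VMTenantIsolation -VMName 'tenantA-web01' -VlanId 110
Set-VMTenantIsolation -VMName 'tenantB-web01' -VlanId 120
Get-VMIsolationReport |
    Where-Object { $_.VlanMode -eq 'Untagged' -or $_.MacSpoofing -eq 'On' } |
    Format-Table VMName, Switch, VlanMode, VlanId, MacSpoofing, DhcpGuard, RouterGuard -AutoSize
```

Run the report before and after the change: a NIC reported as Untagged shares the switch's native segment with every other untagged NIC, which is exactly the lateral path the post is worried about. VLANs only separate layer-2 traffic; anything that must pass between VLANs still needs a firewall in the path, which is where the product described next comes in.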

But the one this article is about is 5nine Security Manager, an anti-virus and virtual firewall that helps protect us against this kind of attack. It provides a number of features:

  • Controls network traffic – Using simple PowerShell APIs/scripts or the management application, we can control the flow of traffic between the VMs and between the VMs and the external network.
  • Security Heartbeat Service – A service that checks whether the rules are being enforced and, if it detects that a VM may have been compromised, stops that VM.
  • Anti-virus and anti-malware protection – Scanning is managed so as to avoid degrading the performance of the VMs.
  • Bandwidth throttling – It also includes a VM bandwidth shaper.
  • Stateful packet inspection.
  • Deployment options – 5nine Virtual Firewall can be deployed with Microsoft System Center Virtual Machine Manager onto the physical host before any VMs are placed on it.
  • Compliance audits – It lets the admin monitor and audit the network traffic flowing between the VMs at any time.

In this post I have tried to give an overview of this really good product, and soon I will try to take a deeper dive into it.

For the time being, here is the website to have a close look at.


Techinsights 2011 SEA – Hey you… Stay away from my network…

Hi everyone,

This is right after my second session on the second day of Techinsights 2011 South East Asia, here in Kuala Lumpur, Malaysia. The title of the session was Hey You… Stay away from my network…

I uploaded the slides for you to download:


Techinsights 2011 SEA – Security from the Ground up to the Cloud

Hello folks,

A few hours ago I finished my presentation at Techinsights 2011 South East Asia, and here are the slides for you. I hope you will enjoy them.

Social Engineering by Fake and Deceiving Support Calls

We have talked a lot about technical matters and how to protect our environment from a technical point of view; however, we still need to pay more attention to the social engineering techniques intruders use to get into our computers and networks, because honestly there is no patch for human stupidity.

It may be hard to believe, but many attackers call people at home or on their mobile phones, introduce themselves as technical staff from Microsoft or some other well-known corporation, and ask whether the person needs support with any issues. You would not believe how excited people get (especially non-technical people, who are always looking for support) when someone calls out of the blue offering to help them, and I get frustrated when I see how easily they are deceived into giving away personal information such as their computer’s username and password or their credit card details. Some even click a link and download software onto their computers so that the person on the phone can “support” them.

Microsoft’s Trustworthy Computing team conducted a survey of 7,000 people and found that more than 1,000 of them had received such calls; nearly 22 percent of those (234 people) were deceived, and 184 of them lost money, an average of around $875 per victim.

It is always easy to deceive people, much easier than hacking into a computer system that is kept up to date by the automatic update services running on it. I believe there needs to be more consistent training provided through different types of media, because not everyone reads security websites to learn about such threats. After all, keeping people’s confidential information secure on the net is the main purpose of the professionals and authorities in charge of security, and to do so, education is the most fundamental step.

That said, here are some very quick tips to keep you safe from such fake calls:

  • If you receive such a call claiming to be from a well-known company, ask for the caller’s name and say you will call back. Ask for the company’s switchboard number, or better, look it up yourself, and call that rather than the caller’s direct line. (Don’t be embarrassed; you just want to make sure they are who they say they are.)
  • Remember that Microsoft does not make unsolicited calls offering on-the-phone support. I’m not sure about other companies, but as far as I can remember I have never seen any company offer such a service by cold-calling people.
  • Never give the caller your name, the username and password of your computer or of any website you are a member of, your credit card details or any other confidential information.
  • Ask the caller upfront whether you will have to pay for this service, and try to work out why they have called you.
  • Do not visit any link or website the caller gives you, and do not install anything at their request, even if the site appears to be a well-known, trusted one.
Finally, even if you feel you would never be deceived by these fake callers, at least help raise awareness of such threats by telling your friends and family about them.