Ultimate Guide to Security on Windows Server 2012 R2

2

I am so proud and excited to announce that I am finally finished with my first book and it is released to public. This book is on the topic of security on Windows Server 2012 R2 and after a year of working on it, I finally decided to not release it through Microsoft global marketplace (which is only private to training centers worldwide) and instead self publish it and make it available to everyone globally.

Learn how to secure the new Microsoft Windows Server 2012 R2 through this completely practical book which includes many step-by-step guides, exercises, and lab scenarios. This book will:

  • Provide beginner to advanced level content on the topic of security
  • Include many step-by-step hands-on labs and exercises
  • Include guides on how to configure commonly-used security services such as Network Access Protection, Network Policy Services, Dynamic Access Control, and many more.
  • Include also contents on how to configure security for Hyper-V
  • Fit also the need of those managing Windows Server 2008 (R2) environments

This book is a must-read for those who are tired of searching for good contents and would like to read something which is so right to the point. You can have more information about this book from www.windowsserversecurity.com and even have a glance inside the book contents.

Looking forward to your feedback about the book.

Cheers,

Esmaeil

Forefront TMG 2010 has been Discontinued !!!

Finally it was announced and Microsoft has decided to discontinue some of its very popular products such as Forefront Threat Management Gateway 2010 together with some others listed below:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

It also should be mentioned that among all of these, Forefront Protection 2010 for Exchange Server (FPE) will still be there but will be bound to Office365 and will be called Exchange Online Protection.

I still remember the rumor about a year ago about this decision but it was not confirmed then. Now that is is confirmed, there are still questions left on why Microsoft has made this strategic decision especially the decision to discontinue TMG which is a very popular product. It is now being used by a lot of companies as a gateway software for so many different purposes. It was the successor of popular Microsoft ISA Server 2006 and now all have been discontinued to be any further developed.

Continue reading

Social Engineering by Fake and Deceiving Support Calls

We have had a lot of talk about technical things and how to protect our environment from a technical point of view, however we still need to pay more attention to social engineering techniques that intruders use to penetrate into your computers and networks because honestly there is no patch for human’s stupidity.

It might be unbelievable but there are so many hackers who call people at home or on their cell phones and ask the person if they’d need support for any issues and they introduce themselves as technical staff calling from Microsoft or any other pretty well-known corporation. You may not believe how excited people (Especially those non-technical ones always looking for support) get to receive help from somebody calling them up from heaven and wanting to help them and I get frustrated when I see how easily people are deceived and will give away their personal information such as their computer’s username and passwords or credit card information or etc. Some even very easily click on a link to download a software on their computers to receive support from the person behind the phone.

Trustworthy Computing Team at Microsoft has conducted a survey of 7000 people and realized that more than 1000 of them had received such phone calls and nearly 22 percent of them (234 people) were deceived and 184 of them even lost money. (Something around 800 USD all of them in total)

It is always really easy to deceive people and much easier than hacking into a computer system which can be pretty up-to-date with all these automatic update services running on machines. I believe there needs to be more seemless training provided to people through different types of media because not all the people read security websites to get to know about such threats. After all, to keep people’s confidential information secure on the net is the main purpose of the professionals and authorities in charge of security and in order to do so, learning is the most fundamental thing to be done.

Above said, I have some very quick tips that I want to share with you people to keep you away from such fake calls:

  • In case of such calls claiming to be from a well-known company, ask for the person’s name and phone number on the other end of the call and ask him/her if you can call him/her back. Ask him to give you the company’s phone number so that you will call the company not his direct phone… (Do not be ashamed, you just want to make sure he is the right guy)
  • Remember Microsoft will never have such support services calling you without your request for any given on-the-phone services… I’m not sure about any other companies but well as far as I can remember I have never seen any company giving such services by cold calling people.
  • Never give the guy on the other end your name, username and password of your computer or any website you are a member of, your credit card information and other confidential information.
  • Ask the person upfront if you will have to pay for this service and try to realize why that person has called you.
  • Do not click on any link on any website that the caller gives you even if it seems to be a pretty well-known trusted website.
At the end, if you feel like you will never be deceived by these fake callers, at least try to increase the awareness about such threats by letting your friends and family members know about them.
Cheers

General Rules of Security

Today in this post I want to talk a little bit about some general rules when it comes to network security. There are so many different running services in every network and securing every each and one of them is such a big pain in the neck but following some general efficient rules and applying them in every portion of your design can assure some really good, if not ultimate, level of security in your network.

Rule #1:

Begin your security from the weakest part. This is very important to know that your network is only as secure as the weakest portion of it. If you have the greatest firewalls and VPN servers placed at the edge of your network but the client infected by a malware, can easily connect to the network, then your network could be at risk. So start small. Start from the clients first and then go bigger.

Rule #2:

Known vulnerabilities are the first to be patched. There are hundreds of security vulnerabilities published everyday on different security websites by security researchers. If you as the security engineer want to check every single one of them and patch the network, it could be a big waste of time, so try to concentrate on the known vulnerabilities and patch the system against the threats threatening those weaknesses.

Rule #3:

A false sense of security is always worse than a true sense of insecurity. I have seen tens of engineers in this field who are always so confident about their infrastructure and they believe their network is fully secure against any attack while they have absolutely done nothing to keep it secure. You know they just keep convincing themselves and the others about the security of their systems and network… But that’s only keeping a blind eye to the reality. The reality is that if someone at least knows that they have an insecure network and environment or at least they know which part is more vulnerable to attacks, then in case of an attack they will know which part they are hit at and taking action is always more easily done.

Rule #4:

Keep the security design as simple as you can. The more complex your systems, the less secure it is. I have seen a great number of really complicated systems that even the system designer was not able to understand some parts of it and in such network do you think security can be totally accomplished? Don’t you think there will be always some ways hackers will be able to find a way into that very complicated system even without anyone realizing.

Rule #5:

The more secure the system, the less usable it is for the user somehow, so know the limits. What is the main objective of a service? To serve users right? Right… So, it first of all needs to be usable and usability must never be sacrificed by security. Remember security and usability are always inversely proportional.

I hope they were some good and useful tips for you. I thought they could help you have a better understanding on what a pretty good and secure design is and how you can accomplish that…

Cheers

Security Dependencies

To me, systems security is not all about the configuration but it is mostly about design. Staying away from attacks and keeping the environment safe pretty much depends on how the security engineer designs a system. There are a lot of things that play very important roles in bringing security to systems. One of the most important things that should be paid a great amount of attention to is security dependencies.

A security dependency occurs when the security of a system is dependent on the security of another system. This is the case in almost all networks with all these unified systems deployed in each of them. Take Active Directory for instance. In an AD environment there are so many different services which get authenticated and authorized with the Domain Controller. What does it mean? This simply means that the security of all those systems running those services are dependent on the security of the Domain Controller. Once the DC is hacked, the whole network with all those services which are dependent on the DC will be in danger.

This way of thinking will give the security designer a very good view on their design. They pretty much know what they need to begin their design with. They know exactly what kind of data must be stored on each server and how this data is going to be used by the other servers. This way of clarifying things will give the designer a better view on how to relate services and servers.

We generally have two types of dependencies:

Acceptable dependency: In this type of dependency, a less sensitive service or server is dependent on a more sensitive server or service. For example the security of a client PC is dependent on the security of a DC in an AD network.

Unacceptable dependency: In this type of dependency, a more sensitive service or server is dependent on a less sensitive server or service. As a simple example, you can take a DC running Windows Server 2008 R2 in a part of a network being protected by another server running Windows Server 2003 running Routing and Remote Access Service with a basic firewall. This is where we should think again about our design:

Should we run the AD database on a Windows Server 2008 R2 server and protect it from the outside attacks using a Windows Server 2003 or the other way around???!!!

Or maybe we should go a head with a totally different design by adding another Windows Server 2008 R2 to the network.

Thinking about virtualization technologies we get to the same point. The point here is that all the virtual machines (VMs) are dependent on the security of the Hypervisor. With a basic configuration of Hyper-V the whole virtualized environment could be exposed to attacks and once the host is hacked, the other VMs will be at risk but yet again there are ways to make some changes in this kind of dependency and mitigate the attacks. In this post I have explained one of those ways.

All in all, security dependency always exists in our network and systems but what really matters is the level of this dependency and seeing exactly what is dependent on what? In those situations that we have to make a choice, it’s very important to analyze different choices that we have and then choose the one which makes the less sensitive server dependent on the more sensitive one if there is no way to eliminate the whole dependency.

Cheers

Necessary Services on a Domain Controller

Domain controllers are those very important servers in every network. Active Directory service is installed on a domain controller and there is very important data about objects and resources stored in every domain controller. In order to secure a domain controller or generally every other computer, we need to reduce the attack surface by reducing the number of applications and services running on top of that server or computer.

Windows Server 2008 R2 is actually an OS with a lot of different services that can be running on top of it but the question is that how many and which of them need to be running or stopped?

I tried to come up with this table below to specify the state of different services in every domain controller:


Service

State

Alerter Disabled
Application Layer Gateway Service Manual
Application Management Disabled
ASP.NET State Services Disabled
Automatic Updates Automatic
Background Intelligent Transfer Service Manual
Certificate Services Disabled
MS Software Shadow Copy Provider Manual
Client Service for NetWare Disabled
ClipBook Disabled
Cluster Service Disabled
COM+ Event System Manual
COM+ System Application Disabled
Computer Browser Automatic
Cryptographic Services Automatic
DHCP Client Automatic
DHCP Server Disabled, unless acting as a DHCP server
Distributed File System Automatic
Distributed Link Tracking Client Disabled
Distributed Transaction Coordinator Disabled
DNS Client Automatic
DNS Server Automatic
Error Reporting Service Disabled
Event Log Automatic
Fax Service Disabled
File Replication Service Automatic
File Server for Macintosh Disabled
FTP Publishing Service Disabled
Help and Support Disabled
HTTP SSL Disabled
Human Interface Device Access Disabled
IAS Jet Database Access Disabled
IIS Admin Service Disabled
IMAPI CD-Burning COM Service Disabled
Indexing Service Disabled
Internet Authentication Service Disabled
Windows Firewall/Internet Connection Sharing (ICS) Disabled
Intersite Messaging Automatic, if using SMTP for intersite replication
IP Version 6 Helper Service Disabled
IPSec Policy Agent (IPSec Service) Automatic
Kerberos Key Distribution Center Automatic
License Logging Service Disabled
Logical Disk Manager Manual
Logical Disk Manager Administrative Ser-vice Manual
Message Queuing Disabled
Message Queuing Down Level Clients Disabled
Message Queuing Triggers Disabled
Messenger Disabled, unless using a UPS
Microsoft POP3 Service Disabled
MSSQL$UDDI Disabled
MSSQLServerADHelper Disabled
.NET Framework Support Service Disabled
Net Logon Automatic
NetMeeting Remote Desktop Sharing Disabled
Network Connections Manual
Network DDE Disabled
Network DDE DSDM Disabled
Network Location Awareness (NLA) Manual
Network News Transfer Protocol (NNTP) Disabled
NTLM Security Support Provider Automatic
Performance Logs and Alerts Manual
Plug and Play Automatic
Portable Media Serial Number Disabled
Print Server for Macintosh Disabled
Print Spooler Disabled
Protected Storage Automatic
QoS RSVP Not Applicable
Remote Access Auto Connection Manager Disabled
Remote Access Connection Manager Disabled
Remote Administration Service Manual
Remote Desktop Help Session Manager Disabled
Remote Installation Disabled
Remote Procedure Call (RPC) Automatic
Remote Procedure Call (RPC) Locator Disabled
Remote Registry Automatic
Remote Server Manager Disabled
Remote Server Monitor Disabled
Remote Storage Notification Disabled
Remote Storage Server Disabled
Removable Storage Disable
Resultant Set of Policy Provider Automatic
Routing and Remote Access Disabled
SAP Disabled
Secondary Logon/RunAs Service Disabled
Security Accounts Manager Automatic
Server Automatic
Shell Hardware Detection Disabled
Simple Mail Transfer Protocol (SMTP) Automatic, if using SMTP for replication
Simple TCP/IP Services Disabled
Single Instance Storage Groveler Disabled
Smart Card Automatic, if using smart cards
SNMP Service Disabled unless required in your network
SNMP Trap Service Disabled
Special Administration Console Helper Disabled
SQLAgent$* (*UDDI or WebDB) Disabled
System Event Notification Automatic
Task Scheduler Manual
TCP/IP Net BIOS Helper Service Automatic
TCP/IP Print Server Disabled
Telephony Disabled
Telnet Disabled
Terminal Services Automatic
Terminal Services Licensing Disabled
Terminal Services Session Directory Disabled
Themes Disabled
Trivial FTP Daemon Disabled
Uninterruptible Power Supply Automatic, if using a UPS; otherwise, Disabled
Upload Manager Disabled
Virtual Disk Service Disabled
Volume Shadow Copy Manual
WebClient Disabled
Web Element Manager Disabled
Windows Audio Disabled
Windows Image Acquisition (WIA) Disabled
Windows Installer Manual
Windows Internet Name Service (WINS) Disabled, unless the domain controllers is hosting a WINS server
Windows Management Instrumentation Automatic
Windows Management Instrumentation Driver Extensions Manual
Windows Media Services Disabled
Windows System Resource Manager Disabled
Windows Time Automatic
WinHTTP Web Proxy Auto-Discovery Service Disabled
Wireless Configuration Disabled
WMI Performance Adapter Manual
Workstation Automatic
World Wide Web Publishing Service Disabled

 Of course, it still depends on your services that need to be necessarily running on your domain controller and if for instance you want to configure your DC as a DHCP server, then you will have to change the “DHCP Server” service state to Automatic.

You want to learn more specifically about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

I hope you enjoyed it

Cheers

Microsoft Attack Surface Analyzer

I’m back with a great tool released by Microsoft which is still in the beta version. It is called Attack surface analyzer. This tool is used when you want to know to what extent your system is exposed to attacks after installing so many software and applications on it.

In order to make use of this tool, you need to scan the system using it once when the system is clean and before the installation of any software or application and get a baseline scan report. The sec

ond time you run a scan is when you have installed applications and softwares on your system and you want to know how much exposure to attacks they have given to your system after their installation. After the second scan is run, it will give you a report of the security vulnerabilities found on your system.

You can download the tool from here.

I hope you can use it for good.

Cheers

Social Engineering, Still a Big Threat…

If you are working as a security engineer or analyst in a large enterprise, you probably have to constantly deal with a large number of different attacks always threatening the network. One of those types of attacks is social engineering which has gotten a new shape these days due to the complexity of relationships and with the vast growth of social networking websites such as Facebook.

Social engineering, in its easiest definition, refers to the act of talking people into doing something without them even knowing that it harms the company or themselves even. It’s usually planned and done by hackers in order to find a way inside the big organizations’ networks at the early stages of hacking. Even right now penetration tests performed by security engineers check the social vulnerability of the employees working in that organization.

With this rapid increase in this type of attacks which is really difficult to handle by the security people, as I mentioned above we can see new types of social engineering attacks taking place. Hackers reach employees through social networking websites to achieve what they cannot achieve using the old methods of cracking. This is pretty much the easiest way an attacker can penetrate into the network. For instance Phishing attacks by using social networking websites which could be called a kind of social engineering technique has jumped significantly from 8.3% in January 2010 to 84.5% in December which pretty much shows its popularity among internet criminals.

But seriously what could be done to stop these attacks from happening?

This really depends on the level of awareness against these types of attacks among the employees. Before I go any further into this discussion, let me ask a question…

Which one would you prefer? Buying the latest and the most expensive Firewall appliances for your network or having regular seminars among the employees?

I am sure more than half would go for firewalls. No one would ever think that security starts from that very employee working inside the organization or company. Even a janitor can reveal so much information about a network. You might think it’s silly but it’s true. Have you ever asked yourself this question that who is the person knowing exactly who is on shift at work or who is the one that knows exactly the person always checking the server room or what time do employees leave their rooms for a break or … ? Yes, that’s the janitor who sees and knows all these… How easy do you think it is to get all this information from a janitor? 1 minute? 2 minutes? 15 minutes? or maybe 1 hour when you treat him for a coffee…

Again I say that might seem funny but these are the real world threats even nowadays… Nowadays that devices are that strong and sometimes unbreakable, hackers would think of human mistakes and vulnerabilities. Yes that’s true… Here is a link to a roundtable video with two guests from Microsoft talking about social engineering threats.

Trust me guys… Hacking and penetration is as simple as this… Go and think of the culture you need to create among the people in your company and try to create an awareness about any possible attacks…

Good luck

Step-By-Step Guide on Configuring Applocker in the Domain…

As a systems admin, you might have probably wanted to deny your users to use a particular software application. This is pretty common since using some applications in some network environments is illegal.

In order to block an application, we can make user of a great feature called AppLocker available in Windows 7 and Windows Server 2008 R2. Here is a step by step guide on how to configure AppLocker in the domain or on computers in a special OU or site.

Let’s assume in this exercise you want to block the Chess game on all the computers in your domain.

First of all, on your DC you need to go to Administrative Tools and open up Group Policy Management console and then right click on the Default Domain Policy and click Edit to open Group Policy Management Editor.

Then here, under Computer Configuration go to Windows Settings -> Security Settings -> Application Control Policies -> AppLocker

Before anything right-click on AppLocker and click on Properties and then under Executable Rules, click on Configured and choose Enforce rules:

And then as shown in the below photo right click on Executable Rules and choose Create New Rule:

Once you click on Create New Rule, this window will open up and you just need to click on Next:

On the next Window, you will need to select which users or groups this rule applies to and whether you want the rule to allow users or deny them to use that application. Once Configured, click Next:

On the next window choose File Hash and then click Next:

On the next windows click on Browse Files and choose the program file and then click Next:

Give the new rule a name and then click Create:

Now the new rule must have been added under Executable Rules as shown below:

Now if anyone in the domain tries to open Chess from their computer, they will receive this message, meaning that Chess game has been blocked by a policy:

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Good luck for the weekend

Cheers

Increase the performance and stay secure…

There are so many types of files on a computer or server and the anti-virus software is responsible for scanning all of them to find out possible malicious pieces of codes attached to any of them. That could seriously impact the performance of the system as you can see many people avoid installing anti-virus softwares only because of this reason.

For instance, I myself used to have so much trouble with Norton 2004 when I installed it on my machine in the past. But What can be done?

There are so many files in the Windows OS that do not need to be scanned really as they are either locked and impossible to be scanned or always clean and never infected and trying to scan them all would be just the waste of time and effort and would greatly reduce the performance of the system. So how about excluding them all from the scanning tasks of our anti-virus?

That seems like a good solution for improving the performance of the operating system when there is an anti-virus software on your machine which has a terrible effect on the operating speed of your machine. But the question is which files need to be excluded?

Here is a list of types of files that need to be excluded for scanning in Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, Windows Vista, or Windows 7. There is something very important about this exclusion as you can also read on the page whose link I gave you; that excluding these file types should only be temporary to see if the problem with your computer being slow is the anti-virus and if that’s the case, you can contact the producer of your anti-virus company to ask for possible solutions.

Thanks for reading…