A General Lack of Focus…..

For anyone that has been on this particular blog in the last, well, really long time – I’ve not been too active with it.  And, that generally could be taken as a gross understatement by even the least observant among us.


However, I suspect that I won’t be posting to this blog for much longer, because it, too, will likely be lost when the rest of my MVP benefits are revoked.


Yes, all – it is true.  I am losing my MVP status.  It pains me to have to announce that I will probably not be able to attend Summit, and will only be able to carry on the face-to-face conversations that I’ve had with many folks over the years via e-mail.


And, make no mistake about it – it sucks to lose MVP status.  I have valued it and have carried it with a great deal of pride.


But, it is time to move on.


The reason for this happening?  Much like Alun Jones, Philip Renouf, and many other incredibly bright and talented people, I accepted a position with Microsoft.  I start July 11 as a Consultant in the MidAmerica Region of Microsoft Consulting Services.  I get to stay in Omaha (bonus for the wife and kids) but will likely travel a bit.


As to the MVP – it’s VERY bittersweet.  But, all in all – it’s a fair trade.


And, to that – I owe MANY of you a very BIG thank you.  I’ve learned from many of you – possibly through your trials that we worked through in lists, Web based forums, news groups, voice and face to face.


Thank you.  I’ll not be a stranger – just a new e-mail alias!


Rick


 

Securing Windows Server 2003

For those of you who have not yet met Mike Danseglio, you’re not quite prepared for the surprise, as well as the pleasure of getting to know him.  Mike, for me at least, ended up being nothing like I pictured him.  I’ll not describe him, as the event has merit for each individual.  Suffice it to say Mike is a technologist with an interesting flair.  Not quite as ‘scholarly’ as Jesper Johansson, but not as flamboyant as Steve Riley.  However, he does rate the comparison to the two latter – he’s really that good with this stuff.


So, why the introduction and diatribe on Mike?  Well, his book just recently hit the shelves – just in time for that holiday gift giving for the Security geek that you know and love (even if that Geek is you!).


The book is published by O’Reilly and is edited by Robbie Allen (Active Directory, Active Directory Cookbook, fellow MVP – just to name a couple).  Appears that Robbie is managing a series of books for O’Reilly – but that’s my take, not to be confused with the truth.


Securing Windows Server 2003 (which I had the honor and pleasure of tech editing) is a concise and fairly complete treatment of what is available in the Server platform to secure the server as well as communications to and from it – plus, it extends out to client and peer system security as well.  Mike’s treatment of the subject is very readable – at least as readable as technical material goes.  But, make no mistake – just because it’s readable, it shouldn’t be passed over as being marginal.  This is really good, accurate information on how to secure your server and to mitigate those day-to-day issues that we face as security professionals.


The Table of Contents reads as such:


1.  Introduction to Windows Server 2003 Security


2.  Basics of Computer Security


3.  Physical Security


4.  File System Security


5.  Group Policy and Security Templates


6.  Running Secure Code


7.  Authentication


8.  IP Security


9.  Certificates and Public Key Infrastructure


10. Smart Card Technology


11. DHCP and DNS Security


12. Internet Information Services Security


13. Active Directory Security (written by Derek Melber)


14. Remote Access Security


15. Auditing and Ongoing Security


Appendix: Sending Secure Email


 

Google Desktop Engine is a Threat to VPNs

Reading the article in Network World this week, (11/22/2004, Google search cache spawns SSL fears) a reaffirmation of the obvious was once again proven true – for most people (including developers, Companies, end users, Infrastructure techs, etc.) security is ABSOLUTELY the last thing that is ever considered.

The article contends – and correctly so, that the Google Desktop Engine caches content to the local system – even that stuff that you’re trying to protect on your Corporate network that you’ve set the VPN up to protect.  Typically, when a user logs off, the data is gone as well.  Yes – there is some data that is cached via various browsers, etc. but this is typically mitigated by most VPN clients and tools that are distributed by the knowledgeable InfoSec group or Network Security group that will clean the cache of any elements that were stored there while on the VPN.  Sadly, Google is using a proprietary cache mechanism that is currently not controlled or controllable by these methods.

It’s also stated that most people using the engine would not be very happy if the cache was purged anyway.  Simply put, the security of the Corporate network comes second to the user of the engine who would have to rebuild the cache each time they left the VPN – taking some amount of time.  Knowing most users, any inconvenience is too much.

However, Google is “Thinking” about implementing hooks to allow the engine to be purged.  The scenario above, of purging the cache, is only fantasy today.  Google would need to enable this possibility.  I’m glad to hear that Google is “Thinking” about it…..

Some might wonder, OK – so what’s the big deal?  Well, let’s just say that you used a friend’s PC at their home to log into the office to check your e-mail, OK some documents, whatever.  Your e-mail contains an urgent message that requires your approval on a document that consummates a deal that has been in the works for some time – the acquisition of a company that will allow your company to heavily leverage a new segment of business.  But, the only way that it can succeed is if the acquisition remains confidential until the public announcement, which is not for some three weeks once the deal is final.  No problem – you’re on the VPN.  The e-mail stream is encrypted in the VPN tunnel, and the attached document is protected.  You open the attachment, read over the document, send your approval and ensure that the document is gone – erasing any possibility of the disclosure before the appropriate time.

Little do you know that you’ve unknowingly compromised this very confidential secret.

Your friend has installed the Google Desktop and it has cached and indexed your acquisition document.  Your ‘friend’ finds it later that night and makes a public disclosure that ends up killing the deal.  You lose your job, your company goes under, and a virus takes over your town and raises the dead….(ooops…sorry – that’s Resident Evil…..)

I’ll bet that Google had no intent of harm in respect to their engine.  However, I’ll also bet that, if they even built a threat model detailing the vulnerabilities, side effects, and the problems that needed to be addressed with the Desktop Engine, it never took into account the ‘VPN Problem’.  It never really addressed the ‘Corporate Desktop’ issues.  More likely, the threat model assessed the threat to their product – not the security of their customers’ data.

Developers are vital in the Security battle.  There is no greater example than Microsoft itself.  Network Engineers, InfoSec personnel, etc. can put policy, standards, models, procedures, etc. all in place – and be completely circumvented by a poorly written application that has not taken any precaution, any effort in implementing even the simplest of practices for securing an application.  No checks for proper data behavior, input validation, url strings, buffer overflow, stack checking, etc, etc, etc.  Sadly, most attack vectors that we watch are going to catch the compromise of a badly written app.

The other question – that I’ll leave for thought on another day is this:

What should Corporate America be doing to protect themselves from the software like the Google Desktop installed on their users’ desktops or laptops?  Granted, we can have policy and measures for the Corporate asset, but it’s a bit harder (read: Impossible) to control a non-Corporate asset.  Know that NAP (Microsoft’s Network Access Protection) and NAC (Cisco’s Network Access Control) are some couple of years off – the dreaded “Longhorn Timeframe”.

What is the Corporate environment to do with the daily new and interesting threats?  I’ll talk about my thoughts in the next couple of days.

-rtk

 

New and Interesting from Microsoft today…..

Troubleshooting Group Policy in Microsoft® Windows® Server

This white paper helps you troubleshoot the most common problems affecting the deployment of Group Policy in a Windows Server 2003 or Windows Server 2000 environment.

ASP to ASP.NET Migration Assistant Documentation

The ASP to ASP.NET Migration Assistant is designed to help you convert ASP pages and applications to ASP.NET. It does not make the conversion process completely automatic, but it will speed up your project by automating some of the steps required for migration. The EXE available for download on this page contains the online help for the ASP to ASP.NET Migration Assistant to help you understand the error messages you encounter when going through the conversion process.

PHP to ASP.NET Migration Assistant Documentation

The PHP to ASP.NET Migration Assistant is designed to help you convert PHP pages and applications to ASP.NET. It does not make the conversion process completely automatic, but it will speed up your project by automating some of the steps required for migration. The EXE available for download on this page contains the online help for the PHP to ASP.NET Migration Assistant to help you understand the error messages you encounter when going through the conversion process.

Windows XP SP2

If you’re living under a rock – first, you’re not reading this, and second – you have no clue as to what Windows XP SP2 is.  Let me just say, plainly and simply – SP2 is to Windows Security what gasoline is to a car.  It’s vital, necessary, and you’re not getting very far without it.

Some folks are a bit perturbed that this type of enhancement (yes – this is a BIG enhancement involving BIG chunks of code….) is not finding its way to Windows 2000 Professional.  Likely, it won’t.  Reason being is pretty simple.  One, as just mentioned – it’s a big change.  Right, right – service packs are not supposed to be BIG changes in functionality.  Well, guess what.  Microsoft changed its mind.  Service packs ARE a big change with crap loads of feature and enhancement.  And, because everyone and their little dog has been beating Microsoft up about its apparent (and quite accurate) lack of emphasis on security – you get a couple of really BIG service packs that are going to focus directly on security as the core feature.  (Right – I said Service PackSSS – you’ve heard rumored this SP1 for Windows Server 2003?  Yeah – that would be it….)

So, why no update for Windows 2000, as I understand it?  Well, IBM – when a program, OS, whatever, reached a stage in its life when the next version was out and it was just time to maintain the old until everyone moved by choice or by enticement (yeah – the old one no longer had support…), they would call the software “Functionally Stable”.  This simply means that it works, we provide bug fixes, but there isn’t much new that’s going to happen with it because it works as intended, Thank you very much.

If I was anyone on Windows 2000 Pro or server, figure out what it’s going to take to get to XP and Server 2003.  If you have security issues on 2000, who are you going to blame?  Writing has been on the wall for some time now.  I’m tired of the complaining about security.  Microsoft has made a big step.  It’s your turn now.

What are you waiting for?

 

I’m Back!!!

Okay – I’ve been – MIA from this Blog (but not missing in any way from the Security and Directory Services scene) but I have some new tools that should make it easier for me to do what I need to do to get more timely information up to the blog.

For those of you that have been patient (I can’t imagine that there are many) thanks.  For those of you that check now and then – look for more consistent updates to the posts here.

BTW – we’re in the new house and things are great (yeah, we’ve been here since February 2004)

-rtk

Dwelling Pronto – My Absence Explained

Many of you that know me know that I am very active in circles where my expertise is strong.  Over the past 6 months, I’ve spread a little further into the Security realm, and this has been an eye opening move.  However, it’s also a good growth step.


But – this has nothing to do with any of this.  My wife and I have purchased a new house and we are busily trying to get our current one on the market by the end of October.  I live in Nebraska, and once Football season starts and the snow flies, the house market begins to slow.  Football season has started, so all I’m waiting for is the snow to assure that houses will go unsold until the Nebraska tundra turns green again.


So, if this space is sparse (I’m still trying to figure out the theme and direction…. this blogging is nowhere near as easy as I thought it was going to be.  It requires CREATIVE thought.  ;o), you know what I’m doing.  Also, once we get into the new house – Mid-January to Early February, I’ll post some pictures.


Rick Kingslan
Microsoft MVP – Active Directory


 


 

Coming to a Theater Near you! Linux vs. Windows – Part 10,000,562

Like a bad horror flick sequel, the argument keeps getting dredged up, propped into position, and sent out on its merry way to cause senseless death and destruction.  The initial arguments of ‘My OS is better than your OS’ were bad – now they’re just getting ludicrous.  And, much like the junk that Hollywood churns out to continue movie franchises that never should have made it past the first movie, the battle just moves to more unbelievable territory.


The Linux Camp will have you believe that Linux, by default, by design, by golly, is more secure.  It’s not subject to worms, virus attack, Act of God, or bad hair days.  If you mess it up – it’s your fault.  Now, that’s a way to win friends and influence people.  But, we’re going to get to that – it’s an endemic problem.


Similarly, the Windows Camp would have you believe that Windows is now ‘Secure by Default’, is a strong contender in the secure OS arena, and is just the victim of bad publicity by folks that just don’t like the idea that a publicly held company wants to protect its intellectual property to make money.  I really hate it when capitalism and the American Way creates a roadblock to progress.


Two articles, point and counter-point, (I wonder if these folks will get sued by 60 Minutes?  I mean, why not?  I’m sure that 60 Minutes is just as litigious as the rest of America, and it just seems chic these days to sue a computer company or computer people in general.) present good arguments either way.


One proposes that Microsoft’s Windows is a festering pool of code, waiting to be infected by worms, virus, demons, and should be spewing pea soup anytime soon.  The other defends the Windows OS by proposing that Windows is not the only OS that has issues with exploits and exposures – in fact, Linux has 3 to 5 times the number of vulnerabilities as Windows.  In both articles, the browser seems to come under direct fire, and rightly so.  IE (Internet Exploder) in this corner, Mozilla (Bugzilla) in this corner.  Freddy vs. Jason…..


All in all, the articles present compelling evidence that, regardless of which OS you choose, it’s probably a good idea to be security aware.  Wow – like this is some kind of earth-shaking revelation.  Anyone who has spent more than 3 days supporting an OS in a business setting is aware of this.  It’s like watching that horror flick and really being surprised that the villain has to be killed 5 different times at the end of the film just so the one lone heroine can walk proudly (though drenched head to foot in water, mud, blood, etc) out of the house at dawn.  Yawn.


The mantra that Microsoft put out as the initial rally cry, even in advance of the now famous Bill Gates memo on the ‘Trusted Computing Initiative’, is ‘Get Secure, Stay Secure’.  I’ve been critical of this particular stance in light of the fact that illegal software cannot be patched in the primary methods that Microsoft proposes to make the task easier, but the stance of getting and staying secure is a correct one.  The challenge is how do you get all of those 600 million copies of Windows secure?  And, to that same point, how does one keep those uncounted numbers of Linux secure?  Again, putting on the OS agnostic hat, an insecure system is an attack platform just waiting for the launch orders to be given.


Should all computers have a smart card reader (non-removable – unless however, you don’t mind destroying the system) attached – and the OSs made aware of the requirement and refuse to work if a valid smart card is not available?  Think about it – if a smart card is REQUIRED to operate the PC, then we can start treating this like a Driver’s Exam.  Show us that you can Safely and Securely operate your PC, and that you know HOW to update the system – then a smart card will be issued to you.  If you go out of security compliance, or you operate your PC in a manner which harms others – Zap!  Certificate revoked, thanks for playing.


Yes, I know – literally impossible to implement.  Plus, the technical challenges are far from trivial, or even manageable.  It’s also impossible to enforce.  If I can’t get Porn Mongers out of my Library, how the heck am I ever going to convince anyone that ‘Certified Computer Operator’ is a good idea?


So, barring this – let’s just blame the OS.  Clearly the OS must be the problem.  Obviously, the code is faulty (and, yes – in some cases it is – I’ve said this before, Get over it.  People write code.  People err.  Any questions?)  I’d suggest a different tack.  Stop blaming the OSs and start attacking the real problem.  Educate People.  Last I checked, someone still had to set up and operate the computer.  Or, did I really miss something, and the machines have taken over and I just haven’t been put into my little pod in the ‘energy collection tower’?


I guess if that happens, the fight over the OS is going to end.  It’s about time.


Rick Kingslan
Microsoft MVP – Active Directory


 


 

The Issue of Illegal Software and Patching

In Omaha, NE (the quaint city in the middle of nowhere that I make my home), we have really only two claims to fame.  We’ve got a really cool Air Force Base just south of the city, Offutt Air Force Base which is the home of STRATCOM.  You might remember it – Offutt AFB is where President Bush went on 9/11/2001 to determine what the threat was and to confer over super secure, super secret communications equipment with his advisers, while sitting in the security of a bunker complex that would awe the general public beyond belief.


But, to many football (and non-football) fans Nebraska’s real claim to fame is what is in a city just 45 minutes South West of Omaha – Lincoln, NE – Home of the University Of Nebraska at Lincoln, or just NU.  Yeah, The Huskers, The Big Red.  And, folks in Nebraska take the Big Red very seriously.  In some cases, it’s taken to an unhealthy obsession, but that’s just my opinion.  For goodness sakes – it’s just a game played by a bunch of young 18 – 25 year old guys.


I do know one other thing – when you get a collection of 18 – 25 year old students together, away from home for the first time, lots of things are going to happen.  One of those things will be something that seems so innocent, so trivial – they are going to find and steal software.  IRC, alt.warez newsgroups, their buddy, mail order from Hong Kong – doesn’t matter.  Students typically don’t have a lot of cash, and sometimes, once you’re out from under the watchful eyes of Mom and Dad – morals slip.  Yes, I know that this is a shock to many of you (OK, unless you watched ‘Animal House’ - trust me – it’s closer to the truth than you really want to know…..)


Many of the copies of Windows 2000, Windows XP, Windows Server 2003 that are in the dorms and off-campus apartments of the typical college student are not ‘legally obtained or rightfully owned’ copies.  This may come as a huge surprise, but students steal.  And, they also share the wealth.  But, this is not unique to Lincoln, NE.  This is rampant across the country, and I dare say, is even more prevalent outside the United States.


I traveled to Japan on business a couple years ago and was able to make it to the Akihabara district of Tokyo.  This area of the city is known as an electronic mecca where shops the size of a WalMart down to those the size of a closet co-exist.  We’re talking blocks and blocks of nothing but shops catering to the electronic and computing nerd and consumer.  And, you can buy ANYTHING on any given day if you know who to ask.  Illegal software is just a nudge, nudge, wink, wink away.  And cheap, too.  $15 to $30 US is what I found typical for a copy of Windows 2000 Pro.  Windows 2000 Server, $50 US.  Granted – no warranty, no support, no return – all sales final, blah, blah.


By now, you’re wondering what the heck is he getting at?  Is there a point to all of this?  Yes.  There is.  We know and are all very aware that Microsoft has been beating the drum for patching our systems: ‘Get Secure, Stay Secure’.  But, honestly – this only works if everyone does it, too.  I can train a monkey to go to Windows Update and to get the latest and greatest updates, and security fixes.  It’s not hard – my 70 Year old Mom can handle this one (no comparison between you and the monkey here, Mom – honestly!).


But, are you aware that the illegal software from Windows XP and onward cannot go to Windows Update?  Microsoft does ‘blacklist’ the illegal keys, and will not service a system that has not been properly activated via WPA (Windows Product Activation).  Most illegal software has been circumvented in some manner that is not going to allow it to be properly activated – and those who steal it aren’t interested in doing so anyway.  Therein lies the crux – if you’re blacklisted, no updates.  If you don’t activate, no updates.  How many of these illegal systems are attached to the Internet, would you suppose?  How many are attached to networks with fully compliant and legal netizens?  How many are on your local cable segment with a clear shot at you once they are infected with Nachi, MSBlaster, or worse?


The counter-argument to this is – Microsoft has every right to protect their intellectual property and not allowing the software to be updated is one way to force users into compliance.  In my opinion, I fully support the right to protect the property, but the whole argument doesn’t hold water.  If the illegal software is infected AND does damage to other systems, then who really gets hurt?  The thief, or the law abiding citizen?


I said in one post, arguing this point, that I’m not willing to be the innocent bystander who gets hit in the forehead by a bullet in the war on piracy.


Anything that is going to apply a Security Patch must be allowed on all systems – legal or not.  Make no mistake – I’m not advocating making it easy on thieves.  I think they should be caught and prosecuted fully.  And, that they should not be gaining any added function and feature through service pack or other enhancement.  However, it’s been a stated policy that there will be no added feature or function to Service Packs, but we’ll see if that trend truly continues.


Microsoft, you lose nothing by allowing hot-fixes and security patches to be applied to illegal systems.  You gain EVERYTHING in the public eye BY allowing patching of ALL systems.  If the interest is to continue to look like the newer, kinder Microsoft is truly accurate, then this is a big step in the right direction.  Your number one priority in the Security game must be to secure the current products.  Your second, but a very parallel, goal must be to “Cause no harm”.  Until you have all systems patched, you will cause harm by inaction.  Can you really afford that?


Do the right thing – allow the patching of all systems, regardless of legal status.  Protect your customers from those who steal from you.  We’re just the innocent by-standers.


Rick Kingslan
Microsoft MVP – Active Directory


 


 

Partner Event Sees New Directions in Security initiative

Microsoft CEO Steve Ballmer addressed the Worldwide Partner meeting in New Orleans, indicating that the next front for the security initiative is on the desktop – providing more tools and….. oh, yeah – that patch management thing again – in trying to stem the tide of difficulties that the Company has faced.


During his keynote, he asked how many people had deployed SUS (Software Update Services) internally, and to customers?  Getting the response, he indicated that this was the point he had been making to his internal people – that it wasn’t getting done.  But, there was one more question to quantify what he thought he already knew:


“How many people really KNOW what Software Update Services 1.0 is?  OK, that’s kind of what I was afraid of….”


These are the PARTNERS, folks.  These are the people that train, consult, develop – if they don’t know what it is, how does anyone in Redmond truly expect that the average small to medium business (not to mention Mom and Pop shops) is going to? 


I know from personal experience that SUS is a good tool.  It’s not great – but I’m anxiously awaiting SUS 2.0 – due maybe Q1 2004.  But, it’s a lot better than a team of techs going from machine to machine with a floppy, CD, USB storage device, what have you.


In my most humble opinion, the response in New Orleans indicates one good reason why security is a problem on Windows systems:  The tools that are available are not being leveraged.  Point the blame where you will, but the bottom line is Microsoft cannot patch your machine for you.  That’s your job.  If you think that Windows or Microsoft products in general are the only ones with problems, I suggest you take a look at a more impartial outlet – say, SANS?  They published the Top 20 Vulnerabilities, 10 going to Windows / Microsoft, the other 20 going to *NIX.  Oh, and just for fun – trot over to Red Hat and see how many security bulletins are posted for their Linux 9.0 – 53.  Yes, that is a Fifty, with a Three added on.  I’m not bashing Red Hat or Linux in general – I’m simply trying to bring things into perspective.  I admit that Windows has problems – but the work continues to correct the issues – political, technical, monocultural.


Operating systems, regardless of who puts it out, are vulnerable to flaw.  That’s it – simple, concise.  The good thing is that there are smart people out there (and whether it’s for personal gain or not – I don’t really care) who report these flaws.  Some are reported to the vendor (Microsoft, Red Hat, etc), and then findings divulged with the vendor and credit given, while others are posted directly to the public forum.  Obviously, some get their tail feathers ruffled by the latter.  If the outcome is a patch to fix the hole, it’s a ‘good thing(TM)’.


Humans write code, humans make errors, code has errors.  Remember the movie “Westworld” (OK, not Oscar material – whatever) “Where nothing can possibly go worng”  That’s your software development cycle in action – and after the product has shipped. 


Rick Kingslan
Microsoft MVP – Active Directory