Using Built-in Functions to Achieve Single Sign-on in Windows

Password resets are more or less the bane of the help desk agent’s existence. Carrying that through logically, they also represent a significant expense for the organization: the lost productivity of the employees plus the time and effort of the help desk agent to get the issue resolved. So, many organizations seek single sign-on (SSO) solutions to minimize the number of usernames and passwords that users have to keep track of and hopefully reduce the number of help desk calls.

This article that I wrote for the Midmarket Security Strategies and Tactics site at TechTarget examines a couple of ways to achieve SSO using protocols and technologies already built into Windows. On the network server side, you can use Kerberos to achieve SSO, while users can make use of the Credential Manager feature in Windows XP and Windows Vista (and Windows 7) to store passwords and create their own SSO. Read How to use Kerberos and Credential Manager for Windows single sign-on to learn more.

Follow me on Twitter

Take a Virtual Tour of Windows 7

Windows 7 marches on and is projected to be on retail shelves this October. Microsoft is providing free upgrades from Windows Vista to Windows 7 for consumers and businesses who purchase computer systems right now (albeit with some limitations). Microsoft has put together some animated video presentations to illustrate some of the new features and functions of Windows 7. You can view the Windows 7 videos on the Tour Windows 7 site.

Microsoft Windows RMS enables granular access control over sensitive data

This article that I wrote for the Midmarket Security Strategies and Tactics site at TechTarget focuses on the file access control possibilities of Windows Rights Management Services. Traditional NTFS file and folder permissions are effective for preventing unauthorized users from accessing data, but provide no control over what authorized users can do with the data once they access it. With Windows Server 2003 and Windows Server 2008 you can enable Windows Rights Management Services (RMS) and exercise control after files have been accessed and downloaded, and even revoke access if necessary. You can learn more about Windows RMS and how you can use it to control and protect your data by reading Microsoft Windows RMS Enables Granular Access Control Over Sensitive Data.

Understand the Basics of Microsoft BitLocker Encryption

I recently wrote an article for TechTarget’s SearchMidmarketSecurity site. The new Midmarket Security Strategies and Tactics site focuses on practical knowledge and advice for SMB organizations. The article covers the basics of BitLocker: the scope of what it can protect and how it works. It also explains how BitLocker works with TPM (Trusted Platform Module) chips to provide even better protection of data and how to work with BitLocker keys to ensure that you don’t lock yourself out of your own data. Check out the article here: Understand the Basics of Microsoft BitLocker Encryption.

Is Windows 7 a Grand Slam Hit?

Recent surveys suggest that businesses are ready to embrace and deploy Windows 7 en masse as soon as Redmond makes it available. Traditionally, businesses are slow to adopt new operating systems. It’s like waiting for the second model year of a new automobile make. You want some other sucker to take care of the extended Beta testing affectionately known as the initial release.

That philosophy has led many organizations to hang on to Windows XP and forego Windows Vista entirely. Some organizations simply waited for Windows Vista Service Pack 1 (SP1), but by that time Vista had gotten a lot of negative press and developed somewhat of a bad reputation. One can debate whether the press was factual or whether the reputation was deserved, but the bottom line is that many enterprises simply decided that Windows XP was comfortable and that Windows Vista wasn’t worth the risk.

Windows 7, on the other hand, has been getting rave reviews since the Beta version became available. Computer experts from all fields, all the way down to consumers, love the new operating system. Features such as DirectAccess and BranchCache also provide solid business justifications for upgrading and have the potential to change the way enterprises work with their growing remote sites and roaming work force.

Microsoft Assists Unemployed with Free Computer Training

Do you live in Washington state? Are you one of the millions of Americans currently unemployed and desperately seeking a new career? Finding a new career is never easy, but given the state of the economy and the fact that it seems like for every new job opening there are three new layoffs, it is even more important to have skills that employers need and to set yourself apart from the crowd.

Microsoft feels your pain and they want to do their part to help out. Microsoft announced that they will be giving away 30,000 vouchers over the next 90 days to unemployed individuals in Washington to help them learn new skills. The vouchers will entitle people to receive free training in computer skills and even to take Microsoft certification exams for free or at a discount. The training classes may be taken online or in person.

This is just the beginning of the program which Microsoft announced earlier this year at the National Governors Conference. The plan is to continue the program and expand it to other states. So, if you don’t live in Washington just keep an eye out for the program to come to your neighborhood (a.k.a. state).

Explore Windows 7 BranchCache

Many organizations have branch and remote offices. They might be across town, across the country, or around the world. A common problem facing organizations like this is having all of the various sites share information and work with data. Each site can’t maintain its own files, spreadsheets, databases or other data; that would be too cumbersome to correlate and make it hard to ensure that everyone is on the same page. The solution for that is to house the data in a centralized data repository at the headquarters location or a common data center.

That solution comes with its own issues though. Opening and working with large files over a remote network connection can be painfully slow. One or two users accessing data over the network from the central repository can also tie up a significant chunk of bandwidth, making the network slow and unresponsive for others as well.

Windows 7 has a solution to help remote and branch offices work with data more efficiently while reducing the impact on network bandwidth: BranchCache. Essentially, BranchCache acts as a proxy, storing (or ‘caching’) data that is accessed so that subsequent requests for the same data can be served up locally rather than being sent across the network each time. I am not really doing the feature justice though. If you really want to learn about BranchCache and understand how it can help your organization or your customers, check out the Windows 7 Feature Walkthrough for a short video overview of BranchCache.

Application Compatibility Toolkit for Windows 7

Windows 7 will be here before you know it. So far, Windows 7 is getting much attention and rave reviews in its Beta version. The improvements from Windows Vista to Windows 7 are exciting and the new features like DirectAccess and JumpLists have many enterprises and users chomping at the bit.

Well, you don’t need to sit by idly waiting. In fact, I recommend that you don’t. Even if the operating system were available tomorrow, there is a lot of planning and preparation that has to be done before you can just deploy it on your network. Some of the features require Windows Server 2008, so if you are still using Windows Server 2003 you should start to look at migrating to Windows Server 2008 so you are ready to capitalize on the new Windows 7 features.

Another thing that you can do to prepare is to validate that the applications your business relies on will work in Windows 7. Microsoft has released ACT (Application Compatibility Toolkit) 5.5, which you can use to begin verifying your applications for Windows 7. Conducting this exercise now will give you months to work with vendors to update any applications that have issues, or to find other workarounds or replacement applications that will work with Windows 7. Check out this interview between Stephen Rose and Jeremy Chapman to learn more about the updates and changes in the Application Compatibility Toolkit.

Help Microsoft Help You With Windows 7

Are you an IT Pro? Have you installed the Beta of Windows 7 and started to work with it and understand it so you can be prepared to support it in your organization or with your customers? If so, Microsoft is looking for your feedback. Click on the link below to go to the survey and provide your input to Microsoft regarding your Windows 7 experience and the kinds of support and resources they should create to help you do your job and to help you help your customers adopt and implement Windows 7. Act fast: the survey closes today at 12:00 pm Pacific (you have less than 2 hours)!

Why Didn’t You Exploit IE?

At the CanSecWest Security Conference in Vancouver this week, Charlie Miller made headlines by exploiting a Safari vulnerability on a fully patched Mac OS X system with a fully patched Safari web browser in mere seconds to claim the Pwn2Own prize. Ryan Naraine interviewed Charlie Miller for a ZDNet article and asked him why he exploited Safari rather than Internet Explorer or Firefox. His answer?

“It’s really simple. Safari on the Mac is easier to exploit. The things that Windows does to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have.”

This is a commentary on Windows more than Internet Explorer. As Miller pointed out, “it’s more about the operating system than the program”. This is a testament to the security controls in place in Windows Vista and Windows 7. The combination of least privilege access enforced by UAC with DEP (data execution prevention), ASLR (address space layout randomization), and Protected Mode IE provides additional layers of protection that make it harder to exploit vulnerable software. It was ASLR in particular that Miller pointed out as the hoop that complicates exploits on Windows.

Miller even goes on to suggest that Firefox, and particularly Google’s Chrome browser, might be even harder to exploit than Internet Explorer, but that is primarily due to the hoops an attacker would have to jump through to exploit a vulnerability on Windows. Seems like fairly high praise for Microsoft’s efforts to build a more secure operating system, especially coming from the guy who just blew a fully patched Mac OS X with a fully patched Safari web browser out of the water in under a minute.
