Thursday, August 30, 2007

Industry Insiders from Microsoft

Recently I was asked whether I wanted to join the Microsoft Industry Insiders community. Here is the security article I wrote.

There are some very interesting articles there; check them out and feel free to comment.

Wednesday, April 04, 2007

User Account Protection.. Introduction

User Account Control (aka UAP/LUA): how does it work?

Two years ago I was taking part in an annual geekfest referred to as Microsoft IT Forum, which was hosted in Barcelona.
As Vista's proposed features were being demoed, a shocked gasp resounded through the auditorium. Yes, Flip 3D was here (hey, I did say it was a geekfest!).

I thought it was interesting that there was an hour-long seminar on how to run all your enterprise users as non-admins (standard users, to borrow Vista parlance) on Windows XP without breaking all the apps.

Shortly afterwards, a seminar was presented showing how Vista accomplishes the same thing automatically.

Love it or hate it, User Account Control is the offspring of the Limited User Account/User Account Protection concept.

We have all seen this coming, and much like the days when we all knew we should wear seatbelts, now that it is being enforced some are naturally finding it a little inconvenient at first.

In the next few articles I will explore a little about UAC and how it works.

  • What is token filtering and how does it work?
  • How is Vista similar to a military operating system?
  • What does this mean for you?
  • Why you shouldn't disable UAC or enable the built-in Admin account (it's disabled by default, as you probably noticed!)

...are just some of the topics I will be covering.

One last thing... if there were a crime of mobile phone abuse, Steve Lamb would be guilty of the repeated merciless remote wipes of his device at the TechEd roadshow. Well done for getting through the demo in a professional manner despite the PA conspiring against you!

Thursday, February 15, 2007

Is your laptop worth 1 million pounds?

Is your laptop worth £1 million?

Laptops are getting a lot cheaper to buy. Of course, if you buy a nice Sony Vaio you could pay up to £2,000. At the other end of the scale I have seen budget laptops from £299.00.

Portable computer security has long been a major concern to security solution advisors such as myself. The hardware is normally the cheapest thing to replace.

Many people back up the personal data on their portable computers, but not everyone does.

The loss of business-critical data could be disastrous without adequate backups. Perhaps more of an issue would be the value of your customer relationships, their contact details and their credit details in the hands of your direct competitors.

People involved with risk know how to calculate the predicted annual loss from certain unforeseen events. This is normally done by calculating the likelihood of an event occurring (Annual Rate of Occurrence, ARO) and then multiplying this by the Single Loss Event (SLE) dollar amount.

Once this has been calculated, you can establish how much money you can afford to spend to prevent these events from occurring.

To take this a step further, once controls are in place their effectiveness can be measured and the Return on Investment calculated.
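The three steps above (ARO times SLE, then deciding what a control is worth, then measuring its return) as a worked PowerShell example. This is an added illustration, not code from the original post; every figure in it is constructed, and the return-on-investment formula (saving minus control cost, divided by control cost) is the usual way of expressing the post's "Return on Investment" step.

```powershell
# Added example, not from the original post. All figures are constructed for illustration.

function Get-AnnualLossExpectancy {
    param(
        [Parameter(Mandatory)][double]$SingleLossExpectancy,   # SLE: cost of one occurrence
        [Parameter(Mandatory)][double]$AnnualRateOfOccurrence  # ARO: expected occurrences per year
    )
    # ALE = SLE x ARO, exactly the calculation the post describes
    return $SingleLossExpectancy * $AnnualRateOfOccurrence
}

function Get-ControlReturn {
    param(
        [Parameter(Mandatory)][double]$AleBefore,
        [Parameter(Mandatory)][double]$AleAfter,
        [Parameter(Mandatory)][double]$AnnualControlCost
    )
    $saving = $AleBefore - $AleAfter           # risk reduction the control buys, per year
    $net    = $saving - $AnnualControlCost     # what is left after paying for the control
    $rosi   = if ($AnnualControlCost -gt 0) { $net / $AnnualControlCost } else { $null }
    [pscustomobject]@{
        AnnualSaving       = $saving
        NetAnnualBenefit   = $net
        ReturnOnInvestment = $rosi             # greater than 0 means the control pays for itself
        WorthBuying        = ($net -gt 0)
    }
}

# Constructed scenario: a fleet of 200 laptops; historically one is lost or stolen every
# six months (ARO 2). The SLE is the hardware plus the cost of exposing the data on it
# (customer notification, lost business, and the kind of regulatory penalty the post discusses).
$sleHardware = 1500
$sleData     = 50000
$aleBefore   = Get-AnnualLossExpectancy -SingleLossExpectancy ($sleHardware + $sleData) -AnnualRateOfOccurrence 2

# Candidate control: full-disk encryption on every laptop. Thefts still happen (same ARO),
# but an encrypted disk removes most of the data-exposure part of the SLE.
$sleDataResidual = 2000
$aleAfter = Get-AnnualLossExpectancy -SingleLossExpectancy ($sleHardware + $sleDataResidual) -AnnualRateOfOccurrence 2

# With these numbers: ALE falls from 103,000 to 7,000 a year, so a control costing 12,000 a year
# saves 96,000, nets 84,000 and returns 7x its cost.
Get-ControlReturn -AleBefore $aleBefore -AleAfter $aleAfter -AnnualControlCost 12000
```

The interesting part of the model is that the control here does not change the ARO at all; laptops still go missing. It attacks the SLE instead, which is where the post's point about the "hidden" cost of data, rather than hardware, shows up in the arithmetic.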

One of the key costs that risk analysts consider is the cost of financial sanctions or penalties.
Nationwide Anglia discovered this the hard way this week after being fined a record 1 million pounds. A member of Nationwide Anglia staff had a laptop stolen, but didn't report it promptly.
After the fact was discovered, the FSA found NA to be negligent in disclosing exactly what the value of the data on this computer was.

Most interesting of all, Nationwide Anglia was criticised for not having a clear and understandable policy for the protection of critical, highly confidential data.

In summary, the value of a clear, understandable and enforceable security policy cannot be overemphasised.
Data is our most valuable resource, and we should protect our customers from potential harm by placing appropriate controls on their information.
When considering the cost of security and technology, we must remember the 'hidden' costs. £1,000,000 seems a lot for a single laptop, but this just goes to show how seriously the FSA and other regulatory bodies take negligence when it comes to the protection of customers' data.

Back to Vista tomorrow!

Tuesday, February 13, 2007

Windows Vista - Security Virtualisation

If you read through previous posts of mine, you will know that I recommend running as a local user in XP and only using administrative credentials to install programs.
Usually this works quite well until a legacy application tries to write data to a file or registry location that a normal user has no access to (such as high-res mode on Microsoft Flight Simulator 2000).

Vista, with its 'run everything with least privilege' approach, gets around this by 'virtualisation' of the file system and the registry.

How does this work in practice?

When Vista detects a write to a restricted area, it redirects it to a per-user virtual location. Program file information typically gets written to %LocalAppData%\VirtualStore. Subsequent read requests for the same location will also be redirected there, so the application sees its own private copy rather than the protected original.
You can browse to where these virtualised writes have taken place, say in the Program Files directory, and a 'Compatibility Files' button will be present on the new 'Command bar'.
A similar redirection takes place when writes to restricted areas of the registry take place, storing data that traditionally would end up in HKLM\Software in places such as HKLM\Software\Classes\VirtualStore.
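An added example, not code from the original post: a PowerShell script that lists what has been redirected into the current user's VirtualStore, so an administrator can see which legacy applications are still trying to write to protected locations (each entry is an application that would have failed, or needed admin rights, under the XP approach). It assumes that the folder tree under %LocalAppData%\VirtualStore mirrors the protected path a write was redirected from, and that the per-user registry side of the redirect lives under HKCU:\Software\Classes\VirtualStore with a MACHINE\SOFTWARE subtree mirroring HKLM\SOFTWARE.

```powershell
# Added example, not from the original post. Run as the user whose VirtualStore you want to inspect.

function Get-VirtualStoreFiles {
    # Files redirected from protected folders (Program Files, Windows) into the per-user store.
    param([string]$Root = (Join-Path $env:LOCALAPPDATA 'VirtualStore'))
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed layout: VirtualStore\Program Files\App\x.ini mirrors C:\Program Files\App\x.ini
            $relative = $_.FullName.Substring($Root.Length).TrimStart('\')
            [pscustomobject]@{
                VirtualPath   = $_.FullName
                ProtectedPath = Join-Path $env:SystemDrive $relative   # where the app thought it wrote
                LastWrite     = $_.LastWriteTime
                SizeBytes     = $_.Length
            }
        }
}

function Get-VirtualStoreRegistryKeys {
    # Registry keys redirected from HKLM into the per-user VirtualStore hive.
    param([string]$Key = 'HKCU:\Software\Classes\VirtualStore')   # assumed per-user location
    if (-not (Test-Path -LiteralPath $Key)) { return @() }
    Get-ChildItem -LiteralPath $Key -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed layout: ...\VirtualStore\MACHINE\SOFTWARE\Vendor mirrors HKLM\SOFTWARE\Vendor
            $relative = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\', ''
            [pscustomobject]@{
                VirtualKey = $_.Name
                RealKey    = $relative -replace '^MACHINE\\', 'HKEY_LOCAL_MACHINE\'
                ValueCount = $_.ValueCount
            }
        }
}

# Most recently redirected files first: these are the applications still writing to protected paths.
Get-VirtualStoreFiles | Sort-Object LastWrite -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Redirected registry keys that actually hold values (empty parent keys are just path scaffolding).
Get-VirtualStoreRegistryKeys | Where-Object { $_.ValueCount -gt 0 } | Format-Table -AutoSize
```

Two things worth knowing when reading the output. Virtualisation only applies to legacy (non-Vista-aware) 32-bit applications running as a standard user, so a program marked with a Vista manifest that writes to Program Files will simply fail rather than appear here. And because the store is per user, two people sharing a machine can end up with different copies of the same "shared" configuration file, which is the usual explanation for an application that behaves differently depending on who is logged on.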

Whatever your opinion of Microsoft, you can't deny the efforts being made in the least privilege space to increase security.


Monday, February 12, 2007

Internet Explorer 7+

Ok, you have installed Vista, we know how it fires up and you have logged on. Chances are that after you have played around with the AERO interface (Authentic, Energetic, Reflective and Open... who thought that one up??), you will be heading over to check out IE7.

Now if you have been using IE7 for XP, you may be thinking that this is identical; well, you'd be kinda right. It is very similar, but it has some important differences. Vista's version of IE7 is correctly named IE7+ and operates in a 'least privilege' mode known as Protected Mode. Protected Mode is designed to make it much harder for malicious software to install via the browser.
Internet Explorer runs in the context of a very restricted user and can only write information to certain file areas (such as the Temporary Internet Files location).
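Protected Mode is configured per security zone, and a support or security team will usually want to confirm it has not been switched off for the zones that receive untrusted content. The script below is an added example, not code from the original post; it reads the current user's per-zone setting under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, where the DWORD named 2500 records the Protected Mode state (0 = enabled, 3 = disabled). The zone numbering (1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites) and that value name are what the example assumes for IE7's zone settings.

```powershell
# Added example, not from the original post. Reports Protected Mode per IE security zone.

function Get-IEProtectedModeStatus {
    param(
        # Assumed location of the per-user zone settings
        [string]$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    $zoneNames = @{
        '1' = 'Local intranet'
        '2' = 'Trusted sites'
        '3' = 'Internet'
        '4' = 'Restricted sites'
    }
    foreach ($zone in '1', '2', '3', '4') {
        $path  = Join-Path $ZonesKey $zone
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # Assumed value name: 2500 holds the Protected Mode action (0 enabled, 3 disabled)
            $value = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'2500'
        }
        $state = if ($null -eq $value)  { 'Not set (zone default)' }
                 elseif ($value -eq 0)  { 'Enabled' }
                 elseif ($value -eq 3)  { 'Disabled' }
                 else                   { "Unknown ($value)" }
        [pscustomobject]@{
            Zone          = $zone
            Name          = $zoneNames[$zone]
            ProtectedMode = $state
        }
    }
}

# Full picture for the current user
Get-IEProtectedModeStatus | Format-Table -AutoSize

# The zones that take untrusted content are 3 (Internet) and 4 (Restricted sites); anything other
# than 'Enabled' there undoes the browser-install protection the post describes and is worth chasing.
Get-IEProtectedModeStatus |
    Where-Object { ('3', '4') -contains $_.Zone -and $_.ProtectedMode -ne 'Enabled' }
```

Note that this reads the user's own preference, which is what the Internet Options dialog writes. A domain policy can override it from the equivalent key under HKLM\Software\Policies, so on a managed machine check both before concluding that a user has turned Protected Mode off.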

If you're like me and rather miss the menu bars, worry not: ALT will become your helpful companion. Pressing ALT brings the old-fashioned menus scurrying back. I find this most helpful in IE and Explorer.

AutoComplete has been designed to be much more customisable. If you are confident that your PC is secure, you can configure AutoComplete to remember all your usernames and passwords on a per-site basis.
In addition to this, AutoComplete can also remember form information and web addresses (to customise, go to Tools > Internet Options > Content).

If, like me, you are interested in how Windows stores these credentials: they are stored in the registry, encrypted with 3DES (512-bit key), and can only be 'got at' via DPAPI (the Data Protection API), which appears to be a much better interface from a security perspective than Windows XP's 'Protected Storage' (PStore).
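To see what "can only be got at by the DPAPI" means in practice, here is an added PowerShell example (not code from the original post, and not how IE itself calls the API) that protects and unprotects a secret through the same DPAPI interface, using the .NET ProtectedData wrapper. It assumes the System.Security assembly is available, as it is on Windows PowerShell. The point it demonstrates is that the key never appears in the application's hands: the blob is tied to the logged-on user's credentials, and an optional application-supplied entropy value has to be presented again to decrypt.

```powershell
# Added example, not from the original post. Demonstrates DPAPI user-scoped protection.
Add-Type -AssemblyName System.Security

# CurrentUser scope: the blob can only be unprotected by this Windows account (on this machine,
# or wherever its roaming profile and master keys follow it). LocalMachine scope would let any
# account on the box decrypt it, which is not what a credential store wants.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Plaintext,
        [byte[]]$Entropy   # optional extra secret mixed in by the application; needed again to decrypt
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $scope)
    return [Convert]::ToBase64String($blob)   # what an application would persist, e.g. in the registry
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [byte[]]$Entropy
    )
    $blob  = [Convert]::FromBase64String($Base64Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $scope)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed demo values
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')
$blob    = Protect-Secret -Plaintext 'correct horse battery staple' -Entropy $entropy
"Stored blob: $blob"

# Same user, same entropy: the plaintext comes back.
"Recovered:   $(Unprotect-Secret -Base64Blob $blob -Entropy $entropy)"

# Wrong entropy (or the same blob opened under a different Windows account) is refused outright.
try {
    Unprotect-Secret -Base64Blob $blob -Entropy ([System.Text.Encoding]::UTF8.GetBytes('wrong'))
} catch {
    "Decryption refused: $($_.Exception.Message)"
}
```

The caveat a practitioner should keep in mind is the flip side of that design: anything running as the same user in the same session can call Unprotect just as this script does. DPAPI defends a saved password against other accounts on the machine and against someone who copies the registry hive off a stolen disk; it does not defend it against malware already running as you, which is why the post's advice to only save passwords "if you feel comfortable your PC is secure" is the right framing.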

One final tip: have a go at using F11 to switch to full screen. Moving the mouse to the top of the screen gets your menus back, and F11 again reverts. I don't normally like ALT-Enter style full screens, but I am starting to really like this feature.

Monday, February 05, 2007

Hello Vista

Right... it's here at last. Better late than never, and for some of us who have been using various betas for a while, some of the excitement may have waned slightly.
But that aside, Vista, and for that matter the rest of the motley EVO crew (Exchange, Vista, Office), is here now.

As I have been a busy bee with CISSP, I am a bit slow off the mark here, but in order to make up lost time, the blog will now continue in earnest.

WHAT YOU NEED TO KNOW ABOUT VISTA...in bite size security flavoured nuggets!

Hit the power button, sit back and... WHAT?? No NTLDR, no BOOT.INI? Isn't this just XP 'repackaged', according to Steve Golds?

Nope, this is not NT6, this is Longhorn. New ball game.

When you boot:
  • The BIOS heads for the MBR on the disk defined as the boot disk.
  • Control transfers to the MBR (Master Boot Record).
  • Bootmgr.exe is now called.
  • This reads information from the Boot Configuration Data store (similar to, but more sophisticated than, Boot.ini).
  • If Vista is cold booting, it loads Winload.exe.
  • If Vista is resuming, it loads Winresume.exe.
  • If you multiboot with an earlier OS, it loads the legacy NTLDR file.

NTOSKRNL.exe and HAL.dll (Hardware Abstraction Layer) are still there, which will be followed by the starting of the session manager SMSS.exe, Windows startup WININIT.exe and the Local Security Authority LSASS.exe.

So, some new faces and some old. One thing is for sure... this is going to be a totally different animal.


Tuesday, January 02, 2007

ISA 2006 screenshots.

Anyone who has studied for Microsoft's exams knows the value of having a 'lab' to practise on. With Microsoft's Virtual Server/PC or VMware's ESX/GSX you don't even have to have physically separate boxes, provided you have a server with plenty of RAM and processor speed.
However, with the release of Vista, Office 2007, Exchange 2007 and ISA 2006, purchasing all these products just to get familiar with them would be prohibitively expensive. You can of course use evaluation copies, but it is a pain to keep reinstalling them.

This is where the Microsoft Action Pack Subscription (MAPS) is so valuable. For a fixed fee (£230 in the UK), you get a year's worth of software for testing and studying purposes.

There are a few conditions, so check out the Microsoft web site or Daniel Petri's excellent synopsis: http://www.petri.co.il/ms_action_pack_subscription.htm

I have just installed ISA 2006, upgrading the ISA 2004 that is my DMZ firewall. For those of you unfamiliar with the product, ISA (Internet Security & Acceleration Server) is Microsoft's application firewall and caching/proxy server.

One of the functions of ISA is to proxy internal traffic out to the Internet, but to also securely publish internal services. I use ISA to publish my Exchange 2003 server.

I haven't managed to play too much with ISA 2006, but there are a few immediate differences from 2004. There is now no firewall share for distributing the Firewall Client application, and the SMTP Message Screener is no more, so you will need to uninstall these and set the Background Intelligent Transfer Service to start automatically before you upgrade.

The other very noticeable difference is when you log on to OWA with ISA 2006 publishing... the OWA screen is no more!

There are many other improvements that I haven't had a chance to explore, such as multiple certificate support for web site publishing and better Denial of Service protection.

Will blog more when I have had a chance to play... it's going to be a busy year!
