Trustworthy Computing | February 2015
Microsoft Security Newsletter

Note: We are resending this month's newsletter with two corrections. First, "Simplify Secure Infrastructure Management with System Center" was authored by Microsoft MVP Jayson Ferron and was intended to be the "Microsoft MVP Spotlight." Second, Frank Simorjay's Security Tip of the Month, "Protect Your Highly Sensitive Information," was omitted and has now been included in this corrected edition.

Welcome to February 2015's Security Newsletter!

This month, we are focusing on security management. While it is, of course, crucial to put measures into place that protect your organization's information, it is equally important to ensure that those measures remain effective as your business evolves. This requires constant monitoring of your systems, services, and user base. It also requires that you continue to implement new procedures and practices, such as multi-factor authentication, as new risks or business needs emerge.
In this month’s newsletter, we offer tips to help you simplify the process of managing a secure infrastructure using Microsoft System Center and Microsoft Intune, and resources to help you better protect data using multi-factor authentication.
Best regards,
Tim Rains, Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Want to share this newsletter with a friend or colleague? Click here for the online edition and subscription options. Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
Top Stories

KRBTGT Account Password Reset Scripts Now Available for Customers
Although pass-the-hash credential theft and reuse attacks aren't new, more recently security researchers have been focusing on attack methods for Kerberos authentication. One way to help mitigate the risk is to periodically reset the krbtgt account password. Get a script and guidance to help you perform the reset in a way that reduces the likelihood of authentication errors caused by delayed distribution of the new krbtgt account keys in your environment.
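A read-only check that goes with the guidance above, written as an added example (it is not the Microsoft reset script the story refers to): it reports how old the krbtgt password is and whether every writable domain controller has already replicated the most recent change, which is the precondition for doing a reset without the delayed-key authentication errors the story mentions. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the krbtgt object; the 180-day threshold is an assumed value.

```powershell
# Added example: audit krbtgt password age and replication convergence.
# Requires the ActiveDirectory module (RSAT) and read access to CN=krbtgt.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordStatus {
    param(
        [int]$MaxAgeDays = 180   # assumed threshold; align it with your own rotation policy
    )

    # Query each writable DC directly instead of letting the cmdlet pick one, so a DC
    # that has not yet received the new keys shows up with an older PasswordLastSet.
    # RODCs are skipped because they hold their own krbtgt_<id> accounts.
    $writableDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $perDc = foreach ($dc in $writableDcs) {
        $acct = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{
            DomainController = $dc.HostName
            PasswordLastSet  = $acct.PasswordLastSet
            AgeDays          = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
        }
    }

    $newest  = ($perDc.PasswordLastSet | Measure-Object -Maximum).Maximum
    $lagging = @($perDc | Where-Object { $_.PasswordLastSet -lt $newest })

    [pscustomobject]@{
        NewestPasswordLastSet = $newest
        AgeDays               = [int]((Get-Date) - $newest).TotalDays
        OlderThanPolicy       = (((Get-Date) - $newest).TotalDays -gt $MaxAgeDays)
        ReplicationConverged  = ($lagging.Count -eq 0)
        LaggingControllers    = $lagging.DomainController
        PerController         = $perDc
    }
}

$status = Get-KrbtgtPasswordStatus
$status | Format-List NewestPasswordLastSet, AgeDays, OlderThanPolicy, ReplicationConverged, LaggingControllers

if (-not $status.ReplicationConverged) {
    # The reset guidance warns about exactly this state: a second reset before the
    # first key has reached every DC is what produces the authentication errors.
    Write-Warning "The latest krbtgt key has not replicated to every DC yet; do not reset again until it has."
}
```

Run it before a planned reset and again afterwards: `ReplicationConverged` flipping back to `$true` on every writable DC is the signal that the new keys have been distributed and the environment is safe to touch again.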
Putting Information Sharing into Context Download a new white paper that explores the various types and methods of information exchanges and discusses how to better harness the practice for risk reduction to help move policy and strategy debates forward and support better defense of cyber assets and infrastructure.
New Version of BinScope Binary Analyzer

Created more than a decade ago as part of Update Tuesday to broadly communicate, in advance, about the security updates being released for Microsoft products and services each month, Microsoft's Advance Notification Service (ANS) is changing in 2015. Find out why ANS information will now be provided directly to Premier customers and current organizations involved in Microsoft security programs, rather than being made broadly available through a blog post and web page, and how you can receive security bulletin information tailored only to those applications running in your environment.
Security Guidance

Security Tip of the Month: Protect Your Highly Sensitive Information
By Frank Simorjay, CISSP, ISSA Distinguished Fellow, and Microsoft Senior Content Developer

Data comes in all shapes and sizes. When protecting your data, it is important to understand that classifying it can be one of your organization's most complex and important issues to address. Classifying data requires that you balance security efforts with cost: your company's most sensitive data needs to be quantifiable before you invest in securing it. In other words, you should know where it is and what it is. Additionally, your sensitive data's value should be measurable, and a cost should be associated with it. It's fair to say that if your organization deals with data that, if lost, could result in loss of life, damage to the national infrastructure, and possibly fines by regulators, then that data can be classified as highly sensitive or high value. In addition, many organizations have data such as encryption keys, factory automation pre-patented IP, and corporate trade secrets that, if lost, damaged, or destroyed, would put the organization's survival in jeopardy; these are also high value assets.

In contrast to security assessments for protecting low value information assets, protecting High Value Assets (HVAs) requires a different mindset for building security safeguards. For starters, a risk management framework (PDF) and guidelines such as those described in the Microsoft Security Risk Management Guide can be used to evaluate the overall risks of protecting high value assets.

It's important to illustrate that the cost of protecting data grows considerably as its sensitivity increases. For instance, if protecting a single record costs $145 (a figure based on the cost of recovering data after a breach), protecting HVAs can cost upwards of 10 times that amount.
An organization that is considering HVA protection should also carefully consider the following:
Protection of HVAs
Several considerations must be addressed in protecting HVAs, including facility security, network infrastructure security, incident management, and operational safeguards.
Security measures needed to protect HVA require a unique operational effort. In looking at operational safeguards we see that you cannot do too much when it comes to securing HVAs. Consider the following:
• Operations staff should be specially trained to understand the value and risks associated with HVAs. In most IT organizations, there's an operations team for identity management, one for line-of-business applications, one for Active Directory management, and so on. You should also have a team dedicated to understanding the special permissions and privileges required for protecting HVAs. Each employee with access to an HVA solution should be vetted and trained so that they have the special skill set required to provide the high level of security that HVAs demand.
• Role-based access control (RBAC) is used to ensure that only personnel with a Need to Know (read access) or a Need to Modify (write access) have access to HVA data. A solid role-based access control model is essential for managing the protection methods.
• The custodian of an HVA should be a person or organization that can ensure the HVA's integrity. The process of determining accessibility and identifying custodians produces a collection of protection profiles that establish the WHO, WHAT, WHERE, WHEN, and WHY: specifically, WHO has access, WHAT is being protected, WHERE it will reside, WHEN it was used, and WHY it is being protected. Technologies such as Just Enough Admin (JEA) and Just in Time administration (JIT) provide assurance that administrative rights are granted only to the right person, for the right resources, in the right environment, and only when needed. Used together, JIT and JEA can ensure, for instance, that all administrative rights are revoked daily and that requests for rights are granted to the right person, at the right level, at the right time, with auditing and logging.
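To make the RBAC and JEA points above concrete, here is an added example (not code from the article or from Microsoft) that builds a JEA endpoint for an HVA operations role: the operator connects to a constrained remoting endpoint that exposes only the cmdlets the role needs, commands run under a temporary virtual account rather than a standing administrator credential, and every session is transcribed for the WHO/WHAT/WHEN audit record. It assumes Windows PowerShell 5.0 (where JEA ships) and local administrator rights; the module name `HvaJea`, the role name `HvaOperator`, the group `CONTOSO\HvaOperators`, the service `W3SVC` and the transcript path are placeholders. Time-limited (JIT) group membership is not shown.

```powershell
# Added example: a JEA endpoint implementing "need to know" (read) plus one scoped
# "need to modify" action for an HVA operator role. Windows PowerShell 5.0, run as admin.

# 1. A role capability file must live under <module>\RoleCapabilities in a module folder.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HvaJea'   # placeholder module
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $moduleRoot 'HvaJea.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HvaJea.psd1') -RootModule 'HvaJea.psm1'

# 2. Role capability: read-only cmdlets, plus Restart-Service restricted to a single service name.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'HvaOperator.psrc') `
    -VisibleCmdlets 'Get-Service', 'Get-EventLog',
                    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'W3SVC' } }

# 3. Session configuration: maps an AD group to the role, runs as a virtual account
#    (no reusable admin credential on the box), and writes a transcript of every session.
$pssc = Join-Path $env:TEMP 'HvaOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HvaOperators' = @{ RoleCapabilities = 'HvaOperator' } }   # placeholder group

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}

# 4. Register the endpoint. Operators then connect with:
#    Enter-PSSession -ComputerName <hva-host> -ConfigurationName HvaOperator
#    Inside that session Get-Command lists only the cmdlets above; anything else is refused.
Register-PSSessionConfiguration -Name 'HvaOperator' -Path $pssc -Force | Out-Null
```

The `ValidateSet` on `Restart-Service` is the detail worth copying: the operator can restart the one service the role owns, but the same cmdlet cannot be turned against any other service, and the transcript directory gives the custodian the log the article asks for.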
The security model for protecting HVAs should be aligned to protect against modern, sophisticated attacks that target administrators, for example by using the "kill chain" principle to defend against specialized, targeted attacks. The model is designed to stop malicious intrusion by obstructing an attacker at several points along the path to HVAs. Each zone in a kill chain is designed to detect, deter, and slow attackers and prevent them from realigning their attack vector from different zones in the chain. With detection, audit, and control mechanisms in place in each zone, a kill chain becomes more effective at stopping advanced persistent threats and attacks that traditional security measures may not be as effective against. This approach is an effective way to help prevent attacks on HVAs, and is described in the white paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains". In the figure, the request for an HVA is shown to be initiated in the organization and passed to the HVA asset zones. Effective HVA solutions minimize access points, transport mechanisms (both physical and virtual), and other connection methods to reduce the number of ways that HVA assets can be accessed.

The kill chain concept provides a series of controls that detect and hamper an attacker at several points along the path to HVAs. Organizations that are concerned about protecting HVAs need to perform a risk/benefit analysis before implementing an HVA solution, as it could turn out that the cost to secure the HVAs is more than the value of the information itself.
Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
Explore the authentication mechanisms available in Active Directory Federation Services (ADFS) and see how you could use ADFS to enable multi-factor authentication based on a user's group membership. Not familiar with ADFS? See the Active Directory Federation Services Overview for more information.

Manage Risk with Conditional Access Control
Access control in ADFS is implemented with issuance authorization claim rules that issue permit or deny claims, which determine whether a user or a group of users will be allowed to access ADFS-secured resources. Learn how to enforce conditional access control based on user identity or group membership, network location, device (whether it is workplace joined), and the authentication state (whether multi-factor authentication was performed).
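The two items above describe the same mechanism from two sides: additional-authentication rules that trigger MFA, and issuance authorization rules that permit or deny. The following added example (not taken from the linked walkthroughs) applies both to a single relying party trust on an AD FS 2012 R2 server: members of a sensitive-application group must complete MFA, and any logon from outside the corporate network that did not complete MFA is denied. The relying party name `Contoso HR Portal` and the group SID are placeholders; the claim type URIs are the standard AD FS ones.

```powershell
# Added example: group-based MFA plus network-location conditional access on one relying party.
# Run on an AD FS 2012 R2 server as an AD FS administrator.
Import-Module ADFS

$rpName   = 'Contoso HR Portal'                                  # placeholder relying party trust
$groupSid = 'S-1-5-21-000000000-000000000-000000000-1234'        # placeholder: SID of the sensitive-app group

# Additional authentication rule: members of the group must satisfy multi-factor authentication.
# (Double-quoted here-string so $groupSid expands; the trailing "$" before the quote stays literal.)
$mfaRule = @"
@RuleName = "Require MFA for sensitive-app users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Issuance authorization rules: deny extranet logons that did not use MFA, permit everything else.
# A deny claim wins regardless of rule order, so listing the permit rule last is only for readability.
$authzRules = @'
@RuleName = "Deny extranet access without MFA"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
                Value == "http://schemas.microsoft.com/claims/multipleauthn"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AdditionalAuthenticationRules $mfaRule `
    -IssuanceAuthorizationRules $authzRules

# Confirm what is now in force for the trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

Note the evaluation order that makes this work: the additional authentication rules run first and may force MFA, and only then are the issuance authorization rules evaluated, so the `authenticationmethod` claim the deny rule looks for already exists for users who completed MFA. To add a device condition as in the conditional access item, extend the deny rule with a `NOT EXISTS` test on the `http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser` claim.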
Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications Intune integrates multi-factor authentication to allow you to better secure your corporate resources by requiring additional verification from users beyond their usernames and passwords. Explore the on-premises infrastructure requirements and learn how to enable ADFS multi-factor authentication during the enrollment of Windows 8.1 and Windows Phone 8.1 devices.
Two-Factor Authentication and Office 365 Two-factor authentication is an optional feature available with Office 365 Dedicated plans and ITAR-support plans. Explore the two-factor authentication methods that can be used with Office 365 services and quickly access implementation guidance, requirements, and limitations for each method.
Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications Explore key deployment considerations when configuring a Lync Server 2013 environment to support two-factor authentication then find guidance on configuring and using two-factor authentication with Lync.
Community Update

Microsoft MVP Spotlight: Simplify Secure Infrastructure Management with System Center
By Jayson Ferron, Microsoft MVP, CEH, CISSP, CRISC, CVEi, MCITP, MCSE, MCT, and NSA-IAM

IT security is one of the most difficult challenges that every organization must deal with. Although security is much broader than this, you can make the goal of maintaining a secure, well-managed infrastructure easier to achieve by standardizing, and therefore simplifying, your systems. Knowing what programs are installed and configured and how your systems are built helps you get to that goal.
In this article I will focus on the 20,000-foot view of how you can accomplish this task by using the Microsoft System Center suite of tools. I will not go into step-by-step details, but will focus more on the tools you can use to assist you in meeting the goals of building standard images to reduce the risks that can occur when manually building and deploying systems. I have included in this article links and more information on the tools I will discuss.
As an IT administrator and security professional, there are many questions about security that I ask about, but for this article I will focus on the following:
• What systems are you using?
• Do you have policies and procedures that you follow?
• How do you verify and confirm that policies are being followed?
• What tools do you use to support the automation of your processes?
• How do you test configurations?
• And my favorite, what services are running on what computers?

The reason I ask these questions is to understand how well documented a company's IT structure is. Often, when I ask questions like, "How are your servers and desktops configured?" or "Do you have a document that shows what ports, services, and processes are running on your servers or workstations?" the answer I get 90% of the time is, "No."
This becomes the major focus of IT security and I’ll explain it this way. If you cannot tell me what is running in your environment, then how do you know if I added a new application to your network? If you do not know what services, applications, or ports are in use, how do you know what has been changed? This lack of knowledge can allow a hacker to add applications and remote access tools, and gain access to your company data.
Create a baseline
A baseline is a state of being that gives you a known configuration to test against. Most organizations have a collection of software and settings that should be present on all computers. This article shows you techniques that allow you to easily create, deploy, and maintain a standardized configuration. This could include operating system patches, applications, security policy settings, antivirus software, and more. If you build an image for a workstation or server, this becomes your baseline(s), or master image(s). You then have a starting point for all future workstations or servers; as you add more software you can create additional baselines.
By creating a baseline, or master image, you can create multiple new servers or workstations that match all existing documented build guides. This allows you to easily add and have the same configurations on systems of the same type. This will assist you in documenting, testing, and patch management, and also during audits to verify that configurations are being built to specifications. We are going to use the System Center suite to accomplish this.
What's included with System Center
Let's start by reviewing the System Center suite of products and the primary functionality of each product.
System Center Configuration Manager: Configuration Manager lets you perform tasks such as the following:
• Deploy operating systems, software applications, and software updates
• Track and remediate computers for compliance settings
• Track hardware and software inventory
• Remotely administer computers

System Center Orchestrator: Orchestrator is a workflow management solution for the data center. Orchestrator lets you automate the creation, monitoring, and deployment of resources in your environment.
System Center Virtual Machine Manager: Virtual Machine Manager (VMM) is a management solution for the virtualized data center that lets you configure and manage your virtualization host, networking, and storage resources in order to create and deploy virtual machines and services to private clouds that you have created.
System Center App Controller: App Controller provides a common self-service experience that can help you easily configure, deploy, and manage virtual machines and services across private and public clouds.
System Center Operations Manager: Operations Manager provides infrastructure monitoring that is flexible and cost-effective, helps ensure the predictable performance and availability of vital applications, and offers comprehensive monitoring for your data center and cloud, both private and public.
System Center Endpoint Protection (included with Configuration Manager): Includes an operations, configuration, data-protection, service, and virtual machine manager, as well as advanced endpoint protection. It provides a single, integrated platform for managing policies, endpoints, software deployment, data-loss prevention, and Internet security.
System Center Service Manager: Service Manager provides an integrated platform for automating and adapting your organization's IT service management best practices, such as those found in Microsoft Operations Framework (MOF) and Information Technology Infrastructure Library (ITIL). It provides built-in processes for incident and problem resolution, change control, and asset lifecycle management.
System Center Data Protection Manager: Data Protection Manager (DPM) backs up servers, computers, Microsoft workloads, and system state, and provides bare metal recovery (BMR).
Although the full System Center suite is helpful in reducing errors and controlling your environment by the use of automation, the tips in this article focus on Configuration Manager, VMM, and Service Manager.
Using Configuration Manager
To begin the process of building an image, you must first write down everything that has to be included. After you have your checklist, you can do it all manually, but by using the Operating System Deployment (OSD) functionality in Configuration Manager, you can create a series of deployment images that you can push out to your new server and ensure that each new computer (whether it be physical or virtual) meets the same standards and follows your best practices.
Think about this: If we create all web servers using a master image, then all web servers should have the same ports, services, and apps installed and then we can look for changes.
Since I have said that there is a need for enterprise baselines, let's discuss that process. How can you create, manage, and validate configurations through imaging, patching, and control using System Center modules?
Start by writing down everything that has to be included (operating system, antivirus, applications, patches, policies, backup agent, monitoring agent). For example, let’s create a Windows Server 2012 R2 computer with web server and Hyper-V roles, the Data Protection Manager Client, Endpoint Protection Client, and Operations Manager management packs.
You now have your checklist. You can use this master image as the basic image for all new web servers. You can build these servers manually, but then each time you build another server you might configure it differently, and human error will continually be a factor.
To build desktop images, you can use the Windows Assessment and Deployment Kit to create the image. However, if you download the Microsoft Deployment Toolkit (MDT), you can then use a graphical tool to create standardized images. See Deploy Windows 8.1 with Configuration Manager for more information.
You can also use Operating System Deployment (OSD) functionality in Configuration Manager. For more information about OSD, take the TechNet Virtual Lab. To download OSD, visit the Microsoft Download Center.
Now you have created a series of deployment images that you can push out to your new server or workstation and ensure that each new computer (whether it be physical or virtual) meets the same standards and follows your best practices.
You have built a master image for all new web servers or workstations. Using Configuration Manager, you can deploy your new master image to all new web servers and know that all web servers have the same configuration. You can scan which ports are open (using a third-party tool) and record the result in a baseline document. You can also use the System Center inventory tool to notify you of any software installed on a computer that was not pushed by IT. Then you can create a document for each server, using Service Manager or some other tool, that records any changes or updates to your configuration. This becomes your audit trail, a resource you can check for approved changes and use to document any issues.
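The port-and-service baseline the paragraph above describes can be captured and re-checked without a third-party tool on Windows Server 2012 or later. The following is an added example, not code from the article or from System Center: it snapshots the listening TCP ports (with their owning process) and running services of a freshly imaged server into a baseline file, and a second function diffs a server against that file so that a new listener or service stands out. The file path is a placeholder.

```powershell
# Added example: record a "known good" listening-port and service baseline, then detect drift.
# Requires Windows Server 2012 / Windows 8 or later (Get-NetTCPConnection from the NetTCPIP module).

function Get-ServerSnapshot {
    # Listening TCP sockets, each tagged with the name of the process that owns it.
    $ports = Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Kind = 'Port'
            Item = "$($_.LocalAddress):$($_.LocalPort)/$($proc.ProcessName)"
        }
    }
    # Services that are running right now.
    $services = Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Item = $_.Name }
    }
    @($ports) + @($services) | Sort-Object Kind, Item -Unique
}

function Save-ServerBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Run once on the server built from the master image; keep the file with its documentation.
    Get-ServerSnapshot | Export-Clixml -Path $Path
}

function Compare-ServerBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = Import-Clixml -Path $Path
    $current  = Get-ServerSnapshot
    # SideIndicator '=>' means present now but not in the baseline (something was added);
    # '<=' means a baseline item is gone (a stopped service or a closed port).
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Kind, Item |
        Select-Object Kind, Item,
            @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Missing' } } }
}

# Usage (paths are placeholders):
#   Save-ServerBaseline    -Path 'C:\Baseline\WEB01-baseline.xml'
#   Compare-ServerBaseline -Path 'C:\Baseline\WEB01-baseline.xml' | Format-Table -AutoSize
# An empty result from the second command means the server still matches its baseline.
```

Run the comparison on a schedule and feed anything it returns into the per-server change record the article recommends keeping in Service Manager: an "Added" port whose owning process nobody pushed is exactly the "how do you know if I added a new application" case from the opening of the article.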
After you install baseline images that you can push to bare metal or virtual machines, you can then add configurations or software by using Group Policy or packages hosted in System Center. A nice addition to your security portfolio that you may not be aware of, is the new Windows PowerShell Desired State Configuration (DSC) tool set. You can learn more about DSC in the Windows PowerShell Desired State Configuration Overview.
DSC can do many things, but for our purposes it does the following:
• Deploy new software
• Take a baseline, and then fix configurations that have drifted away from the desired state
• Discover the actual configuration state on a given server

In addition, you can create custom resources to configure the state of any application or system setting. Once again, be sure to document the newly configured server in Service Manager.
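The three DSC capabilities listed above map onto three cmdlets. Here is an added example (not from the article) of a DSC configuration that declares part of the web server baseline built earlier in the article, compiles it, applies it, and then reports drift. It runs on Windows PowerShell 4.0 or later with the built-in resources only; the node name `WEB01`, the output path and the marker file path are placeholders.

```powershell
# Added example: declare a web server baseline with DSC, apply it, and test for drift.
# Windows PowerShell 4.0+; uses only built-in resources (WindowsFeature, Service, File).
Configuration WebServerBaseline {
    param([string[]]$NodeName = 'localhost')

    Node $NodeName {
        # Baseline: IIS is installed and its service is running and set to start automatically.
        WindowsFeature WebServer {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }
        Service W3SVC {
            Name        = 'W3SVC'
            State       = 'Running'
            StartupType = 'Automatic'
            DependsOn   = '[WindowsFeature]WebServer'
        }
        # Baseline: tooling that should not be on a production web server is absent.
        WindowsFeature TelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
        # A marker recording which baseline version built the box, for the audit trail.
        File BaselineMarker {
            DestinationPath = 'C:\Baseline\build-version.txt'   # placeholder path
            Contents        = 'WebServerBaseline 1.0'
            Ensure          = 'Present'
            Type            = 'File'
        }
    }
}

# 1. Compile the configuration into a MOF document per node (here WEB01.mof).
WebServerBaseline -NodeName 'WEB01' -OutputPath 'C:\DSC\WebServerBaseline'

# 2. Deploy new software / fix drift: push the MOF to the node and wait for it to converge.
Start-DscConfiguration -Path 'C:\DSC\WebServerBaseline' -Wait -Verbose

# 3. Later: Test-DscConfiguration returns $false when any resource has drifted from the
#    declared state, and Get-DscConfiguration discovers the actual values on the node.
Test-DscConfiguration -CimSession 'WEB01'
Get-DscConfiguration  -CimSession 'WEB01'
```

Keeping the configuration script in source control next to the master image's build notes gives you the documented, reviewable baseline the article argues for, and re-running step 2 is the remediation when step 3 reports `False`.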
Next steps
So, at this point, you have a functional, baseline, documented master image for your initial server installation; but things can change over time, so how do you handle issues like security patches, updates, and so on?
We all know that we should perform testing before putting anything in production, but how? We do not want to create a "Resume Generating Event" if the change we put into production hurts the company or risks your job.
Before you deploy patches or updates to your servers you should perform the proper tests. By using VMM you can make a copy of your production environment and create an isolated network on your Hyper-V infrastructure. You can then test updates and patches without any danger to your production environment.
As an administrator you can control when and where you will deploy a patch or update by using Configuration Manager. By creating multiple development, test, and production OUs you can leverage them to test and validate patches and pushes of updates to systems. After you verify that the updates work as expected, and only then, you can approve them for your production systems. Then you can update both the production computers and the master image so that all new servers have the updates applied. Remember to document that change to the image in Service Manager.
In addition to what I have discussed here in this article, there are third-party tools you can use to look at files, folders, and registry changes that can further support security and add additional real-time baselines to those applications and servers that require extra vigilance. These tools can report, and if allowed, can revert any unauthorized changes.
In this article I have discussed how you can create baseline images, as well as test, patch, and document changes that have been made in your system. If you do not have your systems documented, it is nearly impossible to tell when something has changed; and, if by chance you do detect a change, if you have not implemented proper monitoring and auditing you cannot know who made the change, or if it was authorized or unauthorized. By using baseline images you create with Configuration Manager and Service Manager to document changes, you are better enabled to secure your IT structure and reduce security risks.
Protecting Hyper-V Virtual Machines with System Center DPM 2012 Get an overview of Data Protection Manager (DPM) Hyper-V protection scenarios, and guidance on how to set up protection including protecting virtual machines in clusters with Cluster Shared Volume (CSV) Storage.
This Month's Security Bulletins

February 2015 Security Bulletins

February 2015 Security Bulletin Resources:

Security Events and Training

TechNet Virtual Lab: IT Service Management with Service Manager
Explore Service and Request Offerings and learn how Service Manager integrates with other products, such as Orchestrator and Virtual Machine Manager.
Microsoft Virtual Academy: Identity and Access Management Need tips for moving your Active Directory Federation Services (ADFS) workload to Microsoft Azure, the powerful platform leveraged by IT specialists to provide a range of services and tools to end users? Look no further! Get expert advice on design, deployment, maintenance, and more so you can smoothly manage the transition of your ADFS workload to Azure. Explore the various forms of identity, and learn to transition the tools that provide identity services into Microsoft Azure. Plus, see how to resolve common issues.
Microsoft Virtual Academy: Azure Active Directory Core Skills Jump Start March 26, 2015 – 9:00 AM Pacific Time to 5:00 PM Pacific Time Constantly resetting customer passwords? Want to extend your on-premises Active Directory? Explore Azure Active Directory (Azure AD) as Microsoft Virtual Academy kicks off its "Enterprise Mobility Core Skills" series, arming you with key knowledge to enable enterprise mobility management and prepare your environment for Windows 10.
microsoft.com/about/twc | Trustworthy Computing

This is a monthly newsletter for IT professionals and developers, bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
© 2014 Microsoft Corporation Terms of Use | Trademarks
Microsoft respects your privacy. To learn more please read our online Privacy Statement.
If you would prefer not to receive the Microsoft Security Newsletter from Microsoft and its family of companies please click here. These settings will not affect any other newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services.
To set your contact preferences for other Microsoft communications click here.
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 USA