Learning to Fly - Mika's Blog : Security

BitLocker Recovery Password Viewer for Active Directory Users and Computers tool

mika — Tue, 23 Jan 2007 04:20:00 GMT

A tool for viewing Bitlocker recovery passwords is now available: http://support.microsoft.com/?kbid=928202. It is supported when installed on Windows XP SP2 or Windows Server 2003.

Guide for Configuring AD to Back up BitLocker and TPM Recovery Information

mika — Fri, 12 Jan 2007 06:10:00 GMT

The above guide is finally available: http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&displaylang=en. Go and get it! The package contains:

48 page excellent guide
LDIF file for extending Windows Server 2003 SP1/R2 schema
Script for modifying ACLs for computer objects in order to store TPM information and another for listing the permissions
Script for accessing BitLocker recovery info in AD
Script for accessing TPM recovery info in AD

According to the document, this schema update is supported for production use.

In addition to the tools within the package, you should also check a versatile manage-bde.wsf script that is included in Vista. Although it is possible to use this script to enable Bitlocker encryption on other partitions apart from boot partition (containing Windows), I wouldn't recommend it since additional steps are required and key recovery is rather complex. http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html includes a concise summary of the steps.

Now if only more manufactures could make updated BIOS versions available in order to use TPM. So far, I've played around with Lenovo Thinkpad T60 (BIOS version 2.06 and 2.07) and it's working perfectly :)

Windows Vista Security Guide 1.0 available

mika — Thu, 09 Nov 2006 19:50:00 GMT

Microsoft sticked to its behaviour on the release of the Vista Security Guide as it was made available the same day that the bits went to production. The final 1.0 version is available on http://go.microsoft.com/fwlink/?LinkId=74028 :)

As you may have noticed, the security templates are no longer the primary means of defining the baseline security settings. They can still be used and are also included in the security guide package. However, the primary means for defining the baseline policies is to use the included GPOAccelerator Tool (a script) to implement the GPOs that come with the tool. The Guide comes with eight GPOs being a set of four GPOs for the Enterprise Client (EC) scenario and another set for the Specialized Security Limited Functionality (SSLF) scenario. The Guide also includes Word and Excel documents detailing the settings in each template/GPO. Go and get it!

P.S. It's also available online (without the tools) on http://www.microsoft.com/technet/windowsvista/security/guide.mspx

Windows Security Guides updated again

mika — Thu, 29 Jun 2006 06:17:00 GMT

While looking for security info, I found that the Windows Server 2003 and XP security guides have been updated. Both have minor corrections in the text as well as updates to security templates.

Windows Server 2003 Security Guide (now version 2.1, released April 26, 2006)

Download Center: http://go.microsoft.com/fwlink/?linkid=14846
TechNet online: http://go.microsoft.com/fwlink/?linkid=14845

Windows XP Security Guide (now version 2.1, released April 13, 2006)

Download Center: http://go.microsoft.com/fwlink/?linkid=14840
TechNet online: http://go.microsoft.com/fwlink/?linkid=14839

Some great security info

mika — Fri, 27 Jan 2006 19:56:00 GMT

I've been extremely busy with courses & seminars over the last few weeks - dare I say it's been one of the busiest January that I can recall. However, in between I've come across some great security related info:

The "RunAs Guru", Aaron Margosis, posted that the LUA White Paper has been released. It's available on http://go.microsoft.com/?LinkId=58445.
Ian Hameroff has written a great summary on IPSec and its evolving role in securing corporate LANs.
WSSRA Virtual Environments for Development and Test was released few weeks go. I wish I had time to set up some of those scenarios...
Jason Fossen has posted a great set of scripts and other info on ISAscripts.org as a downloadable zip file.
Last but not least, Technet Virtual Labs have nice testbeds for you try out the most common scenarios for a number of Microsoft products without need to set up your own lab.

Updated "core" security guides

mika — Mon, 26 Dec 2005 20:36:00 GMT

Microsoft has revised its "core" security guides.

Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?linkid=14846
now integrates info on Service Pack 1 and Security Configuration Wizard. Three scenarios have been slightly modified and are now called Legacy Client (LC), Enterprise Client (EC), and Specialized Security – Limited Functionality (SSLF). The version history (from ReleaseNotes.txt):
v2.0 Released: December 27, 2005
v1.3 Released: January 22, 2004
v1.2 Released: August 14, 2003
v1.1 Released: April 28, 2003
v1.0 Originally Released: April 24, 2003

Threats and Countermeasures Guide
http://go.microsoft.com/fwlink/?linkid=15160
From ReleaseNotes.txt: “Multiple changes to most of the chapters to reflect the new settings that are included in Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2.” The version history (from ReleaseNotes.txt):
v2.0 Released: December 27, 2005
v1.2 Released: January 22, 2004
v1.1 Released: August 14, 2003
v1.0 Originally Released: April 24, 2003

The last one was updated already earlier:

Windows XP Security Guide
http://go.microsoft.com/fwlink/?linkid=14840
Content quite heavily revised. The version history (from ReleaseNotes.txt):
v2.1 Released: October 20, 2005
v2.0 Released: August 25, 2004
v1.5 Released: January 22, 2004
v1.0 Originally Released: May 22, 2003

WS03 User based auditing & simple logon script to connect printers

mika — Wed, 03 Aug 2005 22:24:00 GMT

A relaxing summer vacation is over. I managed to stay away from computers for most of the three weeks’ period J Prior to that I participated my first TechEd in Amsterdam and enjoyed it tremendously. Lot’s of interesting stuff and I also met a lot of nice people. My special thanks go to Ronald Beekelaar for organizing work for us to do!

Last week I couldn’t resist the temptation of installing beta 1of Vista. It was working surprisingly smoothly on VMware 5.0 guest on the internal hard disk of my laptop following Ipsi2000’s tips on http://www.vmware.com/community/thread.jspa?threadID=19960&start=15. On Monday this week I also installed Longhorn Server Beta 1 on Virtual PC 2004 SP1 guest and after installing VPC additions, things were rolling smoothly on that machine as well J I’m not sure what went wrong but I had to create the system partition with Windows Server 2003 Setup CD before setup continued past partition selection.

I thought I’d share few things. First off is the Windows Server 2003 user based auditing (officially called Per-User Selective Audit). I initially learned about it a long time ago but never figured out how to make it work. Now there is an article on this topic in the July issue of Windows IT Pro magazine. Unfortunately, you can only see the beginning (http://www.windowsitpro.com/Windows/Article/ArticleID/46625/46625.html) unless you’re a subscriber. Fortunately, there is information on this topic almost directly from Redmond on Windows auditing team’s blog (http://blogs.msdn.com/ericfitz/archive/2004/12/20/327478.aspx). To summarize, the built-in command auditusr can be used in Windows Server 2003 SP1 and XP SP2 to include or exclude certain user(s) from auditing of other categories than object or directory access. The command simply wasn’t there in Windows Server 2003 RTM (Released to Manufacturing) so no wonder I couldn’t find it…

The second issue to share is a basic logon script for connecting two printers for certain users. Used with the (Computer configuration\Administrative Templates\System\Group Policy\)User Group Policy Loopback Processing group policy setting in Merge mode, it is easy to connect two printers for users based on the location of computer object (rather than user object which is the default behaviour) in the OU structure. The script is here:

Option Explicit

On Error Resume Next

Dim wshShell,ConnectPrinter1,ConnectPrinter2,SetDefaultPrinter

Set wshShell = WScript.CreateObject("WScript.Shell")

ConnectPrinter1 = "rundll32 printui.dll,PrintUIEntry /in /n\\printserver\printer1 /q"

SetDefaultPrinter = "rundll32 printui.dll,PrintUIEntry /y /n\\printserver\printer1"

ConnectPrinter2 = "rundll32 printui.dll,PrintUIEntry /in /n\\printserver\printer2 /q"

wshShell.Run ConnectPrinter1,0,True

wshShell.Run ConnectPrinter2,0,True

wshShell.Run SetDefaultPrinter,0,True

Set wshShell = Nothing

WScript.Quit()

Thanks for Kari Lehtinen in Hyvinkää for helping to fully utilize the power of the script! BTW, you can find the syntax and examples of the command by running (Start - Run)

rundll32 printui.dll,PrintUIEntry /?

The parameter is case-sensitive!

Windows Server Update Services (WSUS) RC is out

mika — Wed, 23 Mar 2005 05:05:00 GMT

The successor to Software Update Services (SUS) is nearing its completion :) You can register for eval and download it on http://www.microsoft.com/windowsserversystem/updateservices/evaluation/trial/default.mspx

Highlights to follow...

Hectic February is well over

mika — Sat, 05 Mar 2005 23:13:00 GMT

What a hectic month February was! It started with some Windows Server 2003 & Active Directory training. In between I had an opportunity to fly over to UK to "cure" one Active Directory. And then towards the end of month I dug deep into Group Policy. Simultaneously, I was trying my best to be active in R2 beta programme which has been the best beta I've ever participated. Lots of action although some of it took place during day time - PST. We're ten hours ahead of it here in Finland ...

Last Thursday we had the first annual Technet Pro seminar with some 1300 people! The MVP status was lifted into the spotlight when with another MVP, I had an opportunity to speak in the keynote! I started by presenting the Windows Server roadmap and continued by demonstrating Windows Server 2003 SP1 Security Configuration Wizard and "R2" Branch Office technologies such as improved DFS (Distributed File System) and printer management. Interesting stuff!

Later I had a 45 minute talk on securing intranet and its services.The biggest challenge was trying to squeeze all services into as few virtual machines as possible in order to be able to demo them. Some challenges propped out during the demo as well...

Some of the gems I've come across during these busy weeks are:

http://www.microsoft.com/ISAServer/ has links to downloading eval for the Enterprise Edition which was launched last week. This is the first Microsoft product to store its configuration in ADAM (Active Directory Application Mode) directory. Enterprise Edition is available for download in MSDN for subscribers. Few days earlier, Service Pack 1 for Standard Edition became also available.

Darren Mar-Elia has a lot of great technical info on Group Policy on his site http://www.gpoguy.com/. The discovery of the months was his info on modifying the registry so that the Properties tab on Active Directory object (site, domain, OU) in ADUC (Active Directory Users and Computers) would show the "legacy" interface after installing GPMC (Group Policy Management Console). In quite a few GP demos before, I have had two DCs so that I can demo both tabs. After all, there is not much to show after GPMC is installed since there is only the Open button for accessing GPMC.

At the end of January (and I tell about it only now...) AutoProf changed its name to become DesktopStandard Corporation. Their PolicyMaker was awarded as SearchWin2000.com product of the year for 2004. I strongly recommend anybody wishing to learn extensibility of Group Policy to get familiar with DesktopStandard's products. Best of all, they've made one of the extensions available in a FREE tool PolicyMaker Registry Extension.

In order to learn how Group Policy processing really works (or doesn't work), you should enable the user environment debug logging. Technet kb article 221833 has the necessary info on modifying the registry. SysPro Software's Policy Reporter makes it much easier to interpret the output of the log file, userenv.log.

TechEd 2005 sessions have also become available. That's all for now, folks!

Publishing Sharepoint Services with ISA Server 2004

mika — Sat, 29 Jan 2005 13:57:00 GMT

Just came across Technet (web-only) white paper "Reverse Proxy Configurations for Windows SharePoint Services and Internet Security and Acceleration Server". This inspired me too "google" and lead me to a fellow MVPs (German) blog where there is a reference to another (downloadable) white paper "Deploying on an Extranet by Using ISA Server 2000 and ISA Server 2004". The latter is much more detailed with 5 different scenarios. The Word documents spans over 116 pages.

I shall finish combing through the docs by latest the 3rd of March when I will be presenting a talk "Securing Messaging and Intranet Services with ISA Server 2004" in Technet Pro 2005 seminar.

First comments on Microsoft AntiSpyware (beta)

mika — Mon, 10 Jan 2005 05:43:00 GMT

I guess it's about the time to switch from holiday mode back to business. I've had a nice holiday between Xmas and New Year and also did a bit of travelling last week with my family. Came across with my cousin's brand new desktop PC which used to shut down almost everyday by itself - no fun for a home user not to mention the IE crashing sometimes several times a day :( I suspect memory or motherboard failure. The courier company picked up the PC to be repaired the same morning we left...

If you didn't hear this from somewhere else, last week Microsoft released the public beta of AntiSpyware. I've now installed it on three machines and nothing special has come up. The product works very well considering its beta status. The only problem I had with it was when I tried to start it as an ordinary user. With runas, no problems so far. BTW, I've referred my students frequently to Aaron Margosis' WebLog where Aaron has written great info on running apps as admin while locked on as an "normal" user. Yesterday, I also came across Michael Howard's article "Browsing the Web and Reading E-mail Safely as an Administrator" which also includes DropMyRights application and info on process tokens when using the app. You can also find a shell extension & some further discussion on http://blogs.msdn.com/michael_howard/archive/2004/12/23/331606.aspx.

On my production machine (Windows Server 2003 Std & ISA 2004 Std & Symantec SAVCE), the only threat that AntiSpyware reported was MSN Messenger add-on MessengerPlus! and its optional adaware called C2Media. I've got to like MessengerPlus! and its functionality and in this case usability takes over security...

I'm not going to write a comprehensive report on the functionality of the AntiSpyware, since Paul Thurrot has already done that. I found the most interesting part of the application to be the Advanced Tools that included System Explorers to find out details that might be hard to do otherwise. I've yet to study whether Microsoft has dropped some of the advanced tools that Paul mentions. Of course, some other companies have written similar apps, such as SysInternal's Autoruns utility which provides the info on the programs starting automatically.