Jerry Bryant's Security Blog : General Security

Shared Computer Toolkit for Windows XP

jbmsft — Mon, 26 Sep 2005 15:08:00 GMT

Here is a technology a lot of people are interested in...

Overview

Shared computers are commonly found in schools, libraries, Internet and gaming cafés, community centers, and other locations. Often, non-technical personnel are asked to manage shared computers in addition to their primary responsibilities.

Managing shared computers can be difficult, time-consuming, and expensive. Without restrictions, users can change the desktop appearance, reconfigure system settings, and introduce spyware, viruses, and other harmful programs. Repairing damaged shared computers costs significant time and effort.

User privacy is also an issue. Shared computers often use shared accounts that make Internet history, saved documents, and cached Web pages available to subsequent users.

The Microsoft Shared Computer Toolkit for Windows XP provides a simple and effective way to defend shared computers from untrusted users and malicious software, safeguard system resources, and enhance and simplify the user experience. The Toolkit runs on genuine copies of Windows XP Professional, Windows XP Home Edition, and Windows XP Tablet PC Edition.

Tools Summary
The Toolkit includes several command-line tools and the following graphical tools:

Getting Started. Provides access to computer settings and utilities and helps first-time operators learn the Toolkit basics quickly.
Windows Disk Protection. Protects the Windows partition (typically drive C) that contains the Windows operating system and other programs from being modified without administrator approval. Disk changes made are cleared with each restart unless the administrator chooses to save them.
User Restrictions. Restricts user access to programs, settings, and Start menu items. The tool also allows you to lock shared local user profiles to prevent permanent changes. (This tool is specifically for use in workgroup environments that do not use Active Directory and Group Policy. A Group Policy template is also included for use in Active Directory environments.)
Profile Manager. Creates and deletes user profiles. You can use this tool to create user profiles on alternative drives that will retain data and settings even though Windows Disk Protection is on. You can also use the tool to completely delete profiles that have been locked by the User Restrictions tool.
Accessibility. Makes Windows accessibility options and utilities such as StickyKeys, FilterKeys, and Magnifier available to users who have been restricted from accessing Control Panel and other system settings.

http://www.microsoft.com/downloads/details.aspx?familyid=7256d456-e3da-42ea-857d-92b716077a84&displaylang=en

Anti-Phishing White Paper

jbmsft — Mon, 26 Sep 2005 15:03:00 GMT

IE 7.0 will have Anti-Phishing built in and this capability will be added to the MSN toolbar as well. This white paper describes the basic workings of this technology. From what I've seen, this will be a great addition for customers. Download the white paper here:

http://www.microsoft.com/downloads/details.aspx?familyid=b4022c66-99bc-4a30-9ecc-8bdefcf0501d&displaylang=en

Having problems with a security update? Call us!

jbmsft — Tue, 19 Apr 2005 14:46:00 GMT

Sometimes after releasing a security update we hear of customers having issues. The only way we can validate those issues is to work directly with the folks that are having the problem. Once we find a problem we can then develop a solution. In other words, we need to be able to reproduce the problem before we can figure out how to address it.

For problems with a security update, you can call 1-866-PCSafety (1-866-727-2338) in the US. All others should contact your local subsidiary. I hear feedback that people don't believe that this is a free call. As standard procedure, you may be asked for a credit card in case your issue is not actually related to the security update and you still want help. However, if your issue is with the security update you will not be charged.

So please, if you are having a problem with a security update, give us a call. All numbers can be found at http://support.microsoft.com.

Announcement of Upcoming Release of Malicious Software Removal Tools

jbmsft — Thu, 06 Jan 2005 17:28:00 GMT

Starting from January 11th, 2005, Microsoft will provide Windows customers with Malicious Software Removal Tools. New versions of these tools will be available monthly (second Tuesday of every month on the same schedule that Microsoft already delivers other security updates) or more frequently if necessary.

These removal tools are an extension of virus or worm specific removal tools that Microsoft released in 2004. While tools released in 2004 have been specific to a single virus (and some of its variants), the new removal tools provide more convenience for customers by rolling up all viruses and variants targeted into a common removal tool.

Microsoft will provide new versions of this tool updated to remove malicious software that is found to be prevalent for that month. The first version of the tool available in January will be able to remove Blaster, Sasser, MyDoom, DoomJuice, Zindos, Berweb (also known as Download.Ject), Gailbot and Nachi viruses / worms.

These removal tools will be made available to customers through the following delivery vehicles:
- As a download through the Microsoft Download Center
- As a critical update through Windows Update and through Auto Update for those customers who have Auto Update turned on
- As an ActiveX control also available at www.microsoft.com/malwareremove

Microsoft Anti-Spyware Public Beta

jbmsft — Thu, 06 Jan 2005 17:22:00 GMT

This alert is to make you aware of the public availability of a beta version of Microsoft Windows AntiSpyware. This beta version is available at the following location: http://www.microsoft.com/athome/security/spyware/software/default.mspx

Support for Beta of Microsoft Windows AntiSpyware

At this time, support for the beta version of Microsoft Windows AntiSpyware is being provided through the following Microsoft
newsgroups:
- microsoft.private.security.spyware.announcements
- microsoft.private.security.spyware.appcompat
- microsoft.private.security.spyware.general
- microsoft.private.security.spyware.install
- microsoft.private.security.spyware.networking
- microsoft.private.security.spyware.signatures
- microsoft.private.security.spyware.onlinecommunity

These newsgroups can be accessed via NNTP or HTTP.

To access these newsgroups using HTTP, please go to the following
location:
http://communities.microsoft.com/newsgroups/default.asp?ICP=spyware&sLCI
D=us

To access these newsgroups using NNTP, please use the following information for your NNTP client (such as Microsoft Outlook Express):
- NNTP Server: privatenews.microsoft.com
- Account name: privatenews\spyware
- Password: spyware

NOTE: No password will be required via the HTTP link

Objective Spyware Criteria and Vendor Dispute Information

Information about the criteria that is part of a scoring system that determines whether a program is added for detection is available at this
location:
http://www.spynet.com/info_spywarecriteria.aspx

Vendors of products that are detected who feel the listing in the library is incorrect should fill out the request form located at this
location:
http://www.spynet.com/vendors.aspx

Additional Information

For additional information about today's announcements regarding Microsoft Windows AntiSpyware and Microsoft Malicious Software Removal Tools, please see the public press release located here:
http://www.microsoft.com/presspass/press/2005/jan05/01-06NewSolutionsPR.
asp

For additional, general information about Microsoft Windows AntiSpyware and Microsoft's acquisition of Giant Company, please see the public press release located here:
http://www.microsoft.com/presspass/press/2004/dec04/12-16GIANTPR.asp

How to help protect against a WINS security issue

jbmsft — Mon, 29 Nov 2004 19:55:00 GMT

An investigation is underway regarding reports of a security issue with the WINS service (Windows Internet Name Service). We have released the following KB article describing ways to mitigate:

http://support.microsoft.com/default.aspx?scid=kb;en-us;890710

WINS is a server service so can be installed on Windows NT 4.0 Server, Windows 2000 Server and Windows Server 2003 but is not installed by default and should NOT be an internet facing service.

Basically the advice for mitigating potential risk is to block TCP port 42 and UDP port 42 at your firewall or to uninstall the WINS service if you do not need it.

See the KB article for more details.

Windows 2000 Update Rollup

jbmsft — Mon, 29 Nov 2004 19:46:00 GMT

To make it as easy as possible for customers to maintain the security and stability of their Windows 2000 systems, Microsoft will produce an Update Rollup for Windows 2000 Service Pack 4 (SP4), with a planned release in mid-2005.

Here's the announcement:
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rollup.asp

And an FAQ:
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rollupfaq.asp

Security Resource Guide - November 2004

jbmsft — Thu, 25 Nov 2004 02:05:00 GMT

Microsoft continues to be committed to building software and services that will help better protect our customers and the industry. Because there is no one solution, our approach to security includes technology innovations to improve the ability to isolate malicious code, improvements in tools and processes for security updates, ongoing work on engineering excellence, and enhancements and improvements for managing user authentication and authorization. This includes improving our tools and training and providing better prescriptive guidance. BillG executive email of March 31: http://www.microsoft.com/mscorp/execmail/2004/03-31security.asp

Tools

Microsoft Baseline Security Analyzer (MBSA)

http://www.microsoft.com/mbsa

Use this tool to identify common security misconfigurations and missing security updates. MBSA runs on the Windows Server™ 2003, Windows® 2000, and Windows XP operating systems and will scan for vulnerabilities in multiple products and technologies, including Microsoft Internet Information Services (IIS) and SQL Server™.

Software Update Services (SUS) / Windows Update Services (WUS)

http://www.microsoft.com/wus

Quickly and reliably deploy the latest security updates, and service packs with Software Update Services. This new site now has the latest info on WUS.

Windows Update

http://windowsupdate.microsoft.com/

Scans your computer and provides a selection of updates tailored for your operating system, software, and hardware.

Microsoft Office Product Updates

http://office.microsoft.com/productupdates/

Scans and updates Microsoft Office products.

IIS Web Server Lockdown Wizard

http://www.microsoft.com/technet/security/tools/locktool.mspx

Reduces the attack surface of Internet Information Services (IIS) and includes URLScan to provide multiple layers of protection against attackers.

UrlScan Security Tool

http://www.microsoft.com/technet/security/tools/urlscan.mspx

Helps prevent potentially harmful HTTP requests from reaching IIS Web servers.

Removal Tools:

Mydoom, Zindos and Doomjuice worms: http://support.microsoft.com/?kbid=836528

Blaster Removal Tool for Windows XP and 2000:

http://www.microsoft.com/downloads/details.aspx?familyid=e70a0d8b-fe98-493f-ad76-bf673a38b4cf&displaylang=en

Sasser (A-F) Worm Removal Tool: http://support.microsoft.com/?kbid=841720

MS04-028 Enterprise Scanning Tool: http://support.microsoft.com/?kbid=886988

Other Tools:

http://www.microsoft.com/technet/security/tools/default.mspx

Security Risk Self-Assessment for Midsize Organizations http://www.securityguidance.com

Updating

Understanding Update Management: Microsoft’s Software Update Strategy

http://www.microsoft.com/technet/security/topics/patch/patchmanagement.mspx

Updated white paper talks about the need for strong update management process.

Other Update Management info in the TechNet Topics Page

http://www.microsoft.com/technet/security/topics/patch/default.mspx

Isolation and Resiliency

Listing of resources for the IT Pro to evaluate and deploy XP SP2

http://www.microsoft.com/technet/winxpsp2

Network Access Protection

http://www.microsoft.com/nap

Internet Security and Acceleration (ISA) Server 2004 whitepapers updated

http://www.microsoft.com/isaserver/evaluation/whitepapers/default.asp

Read about secure remote Outlook access in the Unique Protection for Microsoft Exchange Server whitepaper, a very viable business scenario with ISA Server

Engineering Excellence

Trustworthy Computing: Security

http://www.microsoft.com/mscorp/twc/security/default.mspx

Whitepapers on Security Enhancements:

Describes the Trustworthy Computing initiative as applied to the Windows Server, Office 2003 and Exchange Server 2003 development processes respectively.

Windows Server 2003:

http://www.microsoft.com/windowsserver2003/techinfo/overview/secinnovation.mspx

Office 2003:

http://www.microsoft.com/technet/prodtechnol/office/office2003/deploy/secdesn.mspx

Exchange Server 2003:

http://www.microsoft.com/exchange/evaluation/Security_e2k3.asp

Get the Facts:

Windows and Linux: http://www.microsoft.com/getthefacts

NEW SQL: http://www.microsoft.com/sql/evaluation/compare/databasesecurity.asp

Guidance and Training
Security Guidance Centers on Microsoft.com Worldwide: http://www.microsoft.com/security/guidance/worldwide/default.mspx US: http://www.microsoft.com/security/guidance Prescriptive guidance to help provide defence-in-depth security. E-Learning Security Training https://www.microsoftelearning.com/security/ E-Learning self-paced clinics - 4 Developer and 8 ITPro modules Now available in French, German, Spanish and Japanese XP SP2: https://www.microsoftelearning.com/xpsp2 Security Guidance Kit CD (now shipping in US and Canada) http://www.microsoft.com/security/guidance/order/default.mspx CD-ROM with tools, templates, and how-to guides Microsoft IT Security Showcase http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA An insider view into Microsoft's process of deploying, and managing its own enterprise solutions. Security Newsletter http://www.microsoft.com/technet/security/secnews/default.mspx Register for our free monthly e-mail newsletter that's packed with security news, guidance, updates, and community resources to help you protect your network. Security Program Guide: Events and Training Information http://www.microsoft.com/seminar/events/security.mspx Events, webcasts and training ivailable for both IT Professionals and Developers. US Security Summit Keynote and Training Content http://www.microsoft.com/seminar/securitysummit/presentations/default.mspx Security Notifications via e-mail http://www.microsoft.com/technet/security/bulletin/notify.mspx Sign up today to get e-mail alerts when an important security bulletin or virus alert has been released. Security Update RSS Feed http://www.microsoft.com/technet/security/bulletin/secrss.aspx Security Bulletin Search Page http://www.microsoft.com/technet/security/current.aspx Search on product, technology or KB article Security Bulletin Webcast http://www.microsoft.com/technet/security/bulletin/summary.mspx Join Microsoft experts on the day after bulletin announcements to get the latest information and have the opportunity to ask questions. How to Tell If a Microsoft Security-Related Message Is Genuine http://www.microsoft.com/security/antivirus/authenticate_mail.asp Writing Secure Code, 2nd edition http://www.microsoft.com/mspress/books/5957.asp Best practices for writing secure code and stopping malicious hackers. Building and Configuring More Secure Web Sites http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp Best Practices used at OpenHack. Recent Security Guidance Center additions: Windows XP Guide, includes SP2 http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx New Security Risk Management Guide http://go.microsoft.com/fwlink/?LinkId=30794 Windows NT 4.0 and Windows 98 Threat Mitigation Guide http://go.microsoft.com/fwlink/?linkid=32048 Microsoft Identity and Access Management Series http://go.microsoft.com/fwlink/?LinkId=14841 Antivirus Defense-in-Depth http://www.microsoft.com/technet/security/guidance/avdind_0.mspx Securing Wireless LANs with PEAP and Passwords http://www.microsoft.com/technet/security/guidance/peap_0.mspx Small Business Guidance: http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx Guidance specifically for the smaller business Configuring Windows XP 802.11 Wireless Networks for the Home / Small Business http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx Consumer Information: http://www.microsoft.com/security/protect http://www.microsoft.com/athome/security/default.mspx Newsletter for home users http://www.microsoft.com/security/home/secnews/current.asp Security bulletin notifications for home users http://register.microsoft.com/subscription/subscribeme.asp?id=166

Security At Home

jbmsft — Mon, 22 Nov 2004 23:12:00 GMT

At Microsoft, we are making new efforts to educate end users on computer security. Moreover, our web site has been reorganized in a way to make it easier for this audience to find information that should make more sense to them. All the information has been organized under “Microsoft At Home”. For Security related information, see:

http://www.microsoft.com/athome/security/default.mspx

A series of videos are also being produced to better demonstrate the information like this one on phishing:

http://www.microsoft.com/athome/security/spam/phishing/video1.mspx

We would love to get as much feedback on this infromation as possible. There are several places on the site to give that feedback.

Sender ID information

jbmsft — Thu, 28 Oct 2004 14:47:00 GMT

Sender ID Framework Overview:
http://www.microsoft.com/downloads/details.aspx?familyid=81682a25-a628-4771-8481-5cb9ffddffe8

Overview of the Sender ID Framework, including the use of text files using the revised Sender Policy Framework (SPF) format, Purported Responsible Address (PRA) and Mail From checks, and the submitter Optimizations.

Sender ID: Authenticating E-Mail Specification (Draft):
http://www.microsoft.com/downloads/details.aspx?familyid=cf24ffd3-b04e-4b89-9d15-069c44aef7f2

This core document describes how the Sender ID Framework works. The specification provides an overview of the usage of Sender Policy Framework (SPF) records, how to check the validity of either the Mail From or the PRA of an e-mail message, and how to interpret the results of the check.

Sender Policy Framework: Authorizing Use of Domains in Mail From:
http://www.microsoft.com/downloads/details.aspx?familyid=d8a174b1-697c-4aea-9c92-2e70a013c30b

This document describes the content and format of the SPF record, the information that senders need to publish in DNS regarding their outbound e-mail servers. It also describes how receivers use this information to validate the Mail From domain of an e-mail message.

Purported Responsible Address in E-Mail Messages Specification (Draft):
http://www.microsoft.com/downloads/details.aspx?familyid=f8e9cb40-cc7c-46d6-8cd1-3a86a46546d5

Describes how to extract from an e-mail message the Purported Responsible Address (PRA).

Sender ID Framework Deployment Overview:
http://www.microsoft.com/downloads/details.aspx?familyid=8958ab23-f350-40fe-ba0a-2967b968fd8d

Deployment overview that describes the steps e-mail senders must take to comply with the Sender ID Framework specification.

Sender ID Framework Executive Overview:
http://www.microsoft.com/downloads/details.aspx?familyid=f23a8ddd-f4dd-4419-b7e0-2b1d189789db

Executive overview of the group Sender ID Framework, including the issues, process, and design goals.

Sender ID Framework and Intellectual Property Overview and FAQ:
http://www.microsoft.com/downloads/details.aspx?familyid=4b1c931a-57cf-40a4-91b0-80e18cfd2be1

FAQ regarding the need and use of Microsoft's royalty-free license for implementation of the Sender ID Framework.

What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

jbmsft — Wed, 06 Oct 2004 19:14:00 GMT

Microsoft is currently investigating a reported vulnerability in Microsoft ASP.NET. An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.

Controlling block storage devices on USB buses

jbmsft — Fri, 10 Sep 2004 13:04:00 GMT

I haven't seen a lot of talk about this recently but I recall several months or even a year or so ago that this was a hot topic with all of the new USB flash drives hitting the market. I had some conversations with MVPs and members of the product teams about this. At the time, we didn't have any plans to tighten things down and give the ability to block users from writing to these types of devices but with our SP2 security push, lots of plans got changed.

So, the ability to turn USB storage devices in to ReadOnly devices has been implemented in SP2 through a registry setting.

Setting name	Location	Default value	Possible values
WriteProtect	HKEY_LOCAL_MACHINE\System\ CurrentControlSet\Control \StorageDevicePolicies	DWORD=0	0 - Disabled 1 - Enabled

Setting name

Location

Default value

Possible values

WriteProtect

HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Control \StorageDevicePolicies

DWORD=0

0 - Disabled

1 - Enabled

More information here:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx#XSLTsection127121120120

More time to test Windows XP SP2

jbmsft — Thu, 09 Sep 2004 16:34:00 GMT

As you may or may not know, we have implemented a method that will allow corporations to block their systems from downloading SP2 from either Windows Update or Automatic Update. See the following link for details:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx

Originally this mechanism was only going to be in place for 120 days. This has been extended to 240 days or April 12, 2005 in order to allow customers more time for deployment testing.

The “mechanism” in question is a registry setting that WU/AU looks for. After the 240 period ends, WU/AU will no longer check for that setting.

Stephen Toulouse from the MSRC on Channel 9

jbmsft — Fri, 27 Aug 2004 20:57:00 GMT

Stephen is a program manager on the Microsoft Security Response Center team. Watch his video interview on Channel 9 to get a first hand look at how the MSRC works:

http://channel9.msdn.com/ShowPost.aspx?PostID=19449

Excellent information on the new IE pop up blocker from JeffDav of the IE Core team

jbmsft — Wed, 23 Jun 2004 00:14:00 GMT

http://blogs.msdn.com/jeffdav/archive/2004/06/21/161789.aspx

STRIDE model of threat categories

jbmsft — Tue, 22 Jun 2004 12:26:00 GMT

At Microsoft, we have developed what we call the STRIDE model for categorizing software threats. These are used in security bulletins to describe the nature of a security vulnerability.

Here is a summary of the model:

Term	Definition
Spoofing identity	Illegally obtaining access and use of another person's authentication information, such as a user name or password.
Tampering with data	The malicious modification of data.
Repudiation	Associated with users who deny performing an action, yet there is no way to prove otherwise. (Non-repudiation refers to the ability of a system to counter repudiation threats, and includes techniques such as signing for a received parcel so that the signed receipt can be used as evidence.)
Information disclosure	The exposure of information to individuals who are not supposed to have access to it, such as accessing files without having the appropriate rights.
Denial of service	An explicit attempt to prevent legitimate users from using a service or system.
Elevation of privilege	Where an unprivileged user gains privileged access. An example of privilege elevation would be an unprivileged user who contrives a way to be added to the Administrators group.

This model is discussed in detail in the book “Writing Secure Code, Second Edition” by Michael Howard and David LaBlanc.

The New Wireless Network Setup Wizard in Windows XP Service Pack 2

jbmsft — Sun, 20 Jun 2004 13:36:00 GMT

Windows XP SP2 has a cool new wireless network setup wizard to help end users set up secure wireless in their homes. The wizard saves configuration information to a USB flash drive that can be carried to each wireless machine for setup.

You can read The Cable Guy's review here:
http://www.microsoft.com/technet/community/columns/cableguy/default.mspx

Or get more details in part 2 of the Changes to Functionality in Microsoft Windows XP Service Pack 2 online documentation here:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

Improving Security with Domain Isolation: Microsoft IT implements IP Security (IPsec)

jbmsft — Mon, 14 Jun 2004 18:49:00 GMT

Situation
As part of its “defense in depth” security strategy, Microsoft IT wanted to isolate their managed computers from unmanaged (and untrusted) computers. If trusted computers could be made to ignore requests from these untrusted computers, they could be kept more secure.

Solution
Microsoft IT chose IP Security (IPsec), a standards-based approach to authenticating network traffic. With IPsec, the corporate domains can be isolated, segmenting all computers into trusted and untrusted groups.

Benefits
• Allows creation of logical secure network segments behind the corporate network perimeter.
• Works independently of network hardware, computers, and other infrastructure, providing end-to-end security to the edges of the network.
• Can be deployed and managed centrally through the use of Group Policy.

Products & Technologies
• IP Security protocols (ESP, IKE)
• Windows Server 2003
• Windows XP Professional (SP 1)
• Windows 2000 (SP3)
• Group Policy
• Active Directory
• Public Key Infrastructure and Certificate Authority (CA)

Download the white paper here:

http://www.microsoft.com/downloads/details.aspx?familyid=a97ddc48-a364-4756-bb3c-91da274118fe&displaylang=en

Free online AV scanner

jbmsft — Sat, 12 Jun 2004 14:29:00 GMT

There are a few free online AV scanners out there. They are all really helpful when you are trying to help a friend or family member with a virus issue and they don't have any AV on their machine. Feel free to post your favorite as feedback to this post. Here's one of mine:

http://www.ravantivirus.com/scan/

Exchange Server 2003 Message Security Guide

jbmsft — Sat, 12 Jun 2004 14:22:00 GMT

This is really cool:

Overview
This book discusses how, when using S/MIME, encryption protects the contents of e-mail messages and digital signatures verify the identity of a purported sender of an e-mail message. In addition, this book provides guidance on how to implement S/MIME with Microsoft Exchange Server 2003. In addition, this book provides guidance and pointers to other resources where those are necessary.

Note: A script (ListSMIMECerts.vbs) is included in this download and will be unpackaged with the guide.

Download it here:

http://www.microsoft.com/downloads/details.aspx?familyid=2305405c-faf1-488a-a856-ad467bb59b26&displaylang=en