Jerry Bryant's Security Blog : Security Resources

Two new Anti-Malware sites...

jbmsft — Wed, 02 Nov 2005 03:31:00 GMT

1. A new blog created and staffed by Microsoft's Anti-Malware Team - http://blogs.technet.com/antimalware/

2. The Windows Live Safety Center (Beta), announced / released today - http://safety.live.com. From this site, you can run a virus scan of your machine using Microsoft's Antimalware technology. The difference between this site and the online / ActiveX version of the Windows Malicious Software Removal Tool (at http://www.microsoft.com/malwareremove) is that http://safety.live.com uses our full set of malware signatures. It is likely that http://safety.live.com will eventually replace the online version of the tool, but we will continue to ship the tool to the Download Center and WU / MU / AU / WSUS.

Windows XP Security Guide v2.1

jbmsft — Tue, 25 Oct 2005 23:30:00 GMT

Version 2.1 of the Windows XP Security Guide now available.
The Microsoft Solutions for Security and Compliance (MSSC) team is proud to announce the release to Web of version 2.1 of the Windows XP Security Guide.

This guide is the first of three closely related security guides that are being updated. The other two guides are the Windows Server 2003 Security Guide and Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

Solution Content
This version of the Windows XP Security Guide was updated to provide additional security guidance for:

· Maintaining different levels of security and control on Windows XP client computers.

· Securing Windows XP client computers that are not members of an Active Directory domain.

· Security settings for computers that must function reliably in extremely critical roles in high security environments.

Information about the security features in SP2 was included as an appendix in the previous version of this guide. This information has now been integrated throughout the guide, and thoroughly tested templates for Windows Firewall security settings are provided. Information is also provided about closing ports, Remote Procedure Call (RPC) communications, memory protection, e-mail handling, Web download controls, spyware controls, and much more.

Where to Find the Windows XP Security Guide
The guide was developed, reviewed, and approved by teams of authoritative experts in security management. It is available on the TechNet Security Center at http://go.microsoft.com/fwlink/?linkid=14839. The guide is also available for download from the Microsoft Download Center at http://go.microsoft.com/fwlink/?linkid=14840.

For other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team, click here.

Visio Connector for MBSA 2.0

jbmsft — Mon, 15 Aug 2005 21:21:00 GMT

If you like a graphical view of your security scans, you won't want to miss this.

At a glance, you'll be able to:
· Pinpoint vulnerabilities on the color-coded diagram.
· Identify solutions in the detailed network diagram scan results.
· Prioritize actions based on the results presented in the network diagram.

See: http://www.microsoft.com/technet/security/tools/mbsavisio.mspx

How we do security at Microsoft

jbmsft — Sat, 11 Jun 2005 05:14:00 GMT

One of the topics that is requested year after year at our global MVP Summits (event where MVPs from all around the world come to Redmond for a few days) is how do we do security at Microsoft. It should be no surprise that Microsoft has one of the most attacked networks in the world. Well, we don't keep too many secrets about how we do security. Searching our Download Center, you will find numerous white papers on lots of different security topics showing you how we did it. Here are some examples:

Detailed discussion on how Microsoft IT introduced Domain Isolation to the Microsoft global enterprise network.
http://www.microsoft.com/downloads/details.aspx?familyid=a97ddc48-a364-4756-bb3c-91da274118fe&displaylang=en

Overview of why and how Microsoft IT proactively deployed Windows XP Service Pack 2. Windows XP Service Pack 2 is a critical security release that addresses Internet-based security threats.
http://www.microsoft.com/downloads/details.aspx?familyid=36648245-6eac-458e-87bd-046a16f3d385&displaylang=en

Overview discussion on what the Microsoft Corporate Security group does to prevent malicious or unauthorized use of digital assets at Microsoft.
http://www.microsoft.com/downloads/details.aspx?familyid=e959f26c-1f5c-4331-b1fb-6c720795704d&displaylang=en

Lots of new WSUS documentation!

jbmsft — Mon, 06 Jun 2005 10:23:00 GMT

The next version of Software Update Services (SUS) is WSUS (Windows Update Services) which is currently out as a “Release Candidate” (almost the final version ;-).

Lots of documentation is not available for WSUS. Here is a list:

http://www.microsoft.com/downloads/details.aspx?familyid=2478d594-a29c-483c-9dc1-9740bf3081a5&displaylang=en

Overview of WSUS.

http://www.microsoft.com/downloads/details.aspx?familyid=3ba03939-a5a9-407b-a4b0-1290ba5182f8&displaylang=en

Getting started with WSUS on Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?familyid=4169c932-63b5-4629-91d3-c8901c2afa07&displaylang=en

Getting started with WSUS on Windows 2000

http://www.microsoft.com/downloads/details.aspx?familyid=e26bcdb4-ef0b-4399-8a71-9b3b00c4f4cd&displaylang=en

Comprehensive guidance on administering and troubleshooting WSUS.

http://www.microsoft.com/downloads/details.aspx?familyid=e99c9d13-63e0-41ce-a646-eb36f1d3e987&displaylang=en

Comprehensive guidance on deploying WSUS.

http://www.microsoft.com/downloads/details.aspx?familyid=150e795e-ae32-4d47-a6b8-e01f918aae93&displaylang=en

Guidance on migrating from SUS to WSUS

XP update provides support for WPA2

jbmsft — Wed, 04 May 2005 18:43:00 GMT

Wi-Fi Protected Access 2 (WPA2) support now available.

KB article with full details:
http://support.microsoft.com/kb/893357

Download location:
http://www.microsoft.com/downloads/details.aspx?familyid=662bb74d-e7c1-48d6-95ee-1459234f4483&displaylang=en

Windows XP SP2 is required and your wireless access point also has to support WPA2 so you may want to check your vendors site for new firmware.

Update: thanks to Eric Cross (Networking MVP) for pointing out this excellent article on WPA2 by our own Cable Guy:

http://www.microsoft.com/technet/community/columns/cableguy/cg0505.mspx

IT Security Training on Hacking

jbmsft — Wed, 04 May 2005 12:43:00 GMT

Just released on the download center. There is some great information here on assessing network security, security risk management and a two part presentation on thinking like a hacker.

http://www.microsoft.com/downloads/details.aspx?familyid=a171f0e2-cfbe-47a8-8d84-fc8399ac1f6c&displaylang=en

Visio Connector for MBSA

jbmsft — Mon, 02 May 2005 15:41:00 GMT

A friend of mine, Sanjay Puri, who used to be part of the Security Business & Technology Unit (SBTU) is on the team that released this new connector for MBSA. This connector allows you to view the results of an MBSA scan in a Visio network diagram. Kind of cool! Check it out here:

http://www.microsoft.com/downloads/details.aspx?familyid=8ea27d78-32b5-4f37-a7fd-99ee2aa76c62&displaylang=en

Log Parser 2.2

jbmsft — Tue, 26 Apr 2005 15:17:00 GMT

Log Parser 2.2:

http://www.microsoft.com/downloads/details.aspx?familyid=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. You tell Log Parser what information you need and how you want it processed. The results of your query can be custom-formatted in text based output, or they can be persisted to more specialty targets like SQL, SYSLOG, or a chart. Most software is designed to accomplish a limited number of specific tasks. Log Parser is different... the number of ways it can be used is limited only by the needs and imagination of the user. The world is your database with Log Parser.

Correction/Update:
I said that Tim Rains built this tool. Sorry! That is not the case. Check it out anyway ;-) Also, check out www.logparser.com!

SPAM, Phishing and keeping your kids safe online

jbmsft — Tue, 26 Apr 2005 14:57:00 GMT

Here are a series of good articles on these topics:

Tips on reducing SPAM in your Inbox:
http://www.microsoft.com/downloads/details.aspx?familyid=658fc009-7ef3-458f-801b-01948492097f&displaylang=en

Help protect against Phishing Fraud:
http://www.microsoft.com/downloads/details.aspx?familyid=aa6cf818-62bb-4780-a0fa-5eb80682a359&displaylang=en

Practical advice on keeping your kids safe online:
http://www.microsoft.com/downloads/details.aspx?familyid=e8bb8dc5-cbaa-4f0c-b5f0-2619b886c8b6&displaylang=en

Network Access Protection (NAP) Architecture

jbmsft — Tue, 26 Apr 2005 14:50:00 GMT

Overview
Network Access Protection (NAP) is a set of operating system components that provide a platform for protected access to private networks. The NAP platform provides an integrated way of detecting the state of a network client that is attempting to connect to a network and restricting the access of the network client until the policy requirements for connecting to the network have been met.
To protect access to a network, a network infrastructure needs to provide the following areas of functionality:
• Policy validation, which determines whether the computers are compliant with security policy. Compliant computers are deemed “healthy.”
• Network restriction, which restricts access based on health state.
• Remediation, which provides necessary updates to allow the computer to get healthy
• Ongoing compliance, which permits access to the network as long as the users’ computer meets policy requirements.
The NAP platform provides enforcement for Dynamic Host Configuration Protocol (DHCP) address configuration, virtual private network (VPN)-based network connections, and Internet Protocol security (IPsec)-based communications and an architecture through which policy validation, network restriction, remediation, and ongoing compliance can occur via additional components supplied by third-party software vendors or Microsoft.
The NAP platform requires servers running Windows Server "Longhorn" and clients running Windows® XP with Service Pack 2.
The NAP platform is not the same as Network Access Quarantine Control, which is a capability provided with Windows Server 2003 to provide additional protection only for remote access (dial-up and VPN) connections.

Download the white paper here:

http://www.microsoft.com/downloads/details.aspx?familyid=2f37651e-1749-45c3-996e-53de05d44ef7&displaylang=en

Windows vs. Linux Web Server Security Research Study

jbmsft — Sun, 27 Mar 2005 03:09:00 GMT

Security Innovation this last week announced the results of a recently concluded research project comparing the security of Microsoft Windows Server Platform with two servers running Red Hat Enterprise ES 3. The results showed that Linux based servers had more than twice the number of vulnerabilities reported and/or fixed in 2004 when compared to Windows Server 2003 during the same period.

It was also announced that the research was funded by Microsoft which as you can imagine, has sparked a bit of a debate around the validity of the results. It should be noted that Microsoft participates in commisioned and non-commisioned research as part of our ongoing “Get the Facts” campaign. It should also be noted that Security Innovation has published and asked the community for feedback on the methodology used for the research. “Anyone” is invited to test the methodology.

To see both the methodology and the final analysis, go here:

http://www.securityinnovation.com/resources/linux_windows.shtml

I know there will be lots of debate over this but will it be constructive? Those who would dispute the claims of the research should only do so as a result of testing the methodology and finding demonstratable issues with it.

The Trustworthy Computing Security Development Lifecycle

jbmsft — Thu, 24 Mar 2005 21:13:00 GMT

Abstract: This paper discusses the Trustworthy Computing Security Development Lifecycle (or SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push". Before software subject to the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software. (19 printed pages)

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp

Securing Wireless LANs with PEAP and Passwords

jbmsft — Tue, 08 Mar 2005 19:00:00 GMT

The guide is a companion to the earlier solution guide Securing Wireless LANs – a Certificate Services Solution. However, this updated guide uses passwords to authenticate users and computers to the LAN instead of digital certificates.

http://www.microsoft.com/downloads/details.aspx?familyid=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en

Exchange 2003 Security Hardening Guide

jbmsft — Tue, 08 Mar 2005 18:53:00 GMT

I'm not an Exchange guru so these kinds of resources are invaluable to me. Enjoy!

http://www.microsoft.com/downloads/details.aspx?familyid=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en

ISA Server 2004 SDK

jbmsft — Tue, 08 Mar 2005 18:50:00 GMT

I guess most won't find this too useful but thought I'd post about it anyway. Using the ISA Server 2004 SDK you can automate tasks and create web and application filters amoung other things. I know, hard to come up with anything to improve on for ISA Server 2004 but you can try ;-)

Download is here:

http://www.microsoft.com/downloads/details.aspx?familyid=5c8121cd-3aff-43d3-bc09-bf3fddd2b9e3&displaylang=en

Windows Server 2003 SP1 Release Candidate

jbmsft — Tue, 07 Dec 2004 14:45:00 GMT

As with Windows XP SP2, Windows Server 2003 SP1 will focus heavily on security. Here are the top 10 reasons to apply the update:

Reduce your servers attack surface.
Security Configuration Wizard (SCW), one of the new features added to Windows Server 2003 in Service Pack 1 (SP1), uses an intuitive, role-based process to guide administrators through reducing the attack surface. With SCW you can disable unused services easily and quickly, block unnecessary ports, modify registry values, and configure audit settings.

Help protect newly installed servers.
In today's security environment there is a continual search for new and potentially exploitable system vulnerabilities. Post-Setup Security Updates (PSSU), another new feature of Windows Server 2003 SP1, blocks all incoming traffic to newly installed servers until the latest patches to Windows Server 2003 are downloaded and applied. PSSU also guides configuration of Automatic Updates when you first log on.

Get firewall protection from startup to shutdown.
Windows Firewall, the same core firewall technology in Windows XP Service Pack 2, is built into Windows Server 2003 SP1. Windows Firewall in Windows Server 2003 SP1 allows granular control over server and client computers through the use of Group Policy. Moreover, Windows Firewall provides boot-time protection, lowering the risk of attack just after a server is started up and while it is shutting down.

Bolster your defenses with "no execute" hardware support and software.
Data execution prevention (DEP) is a set of hardware and software technologies that performs additional checks on memory to help protect against exploitation of your system by malicious code. Windows Server 2003 SP1 fully utilizes the DEP capabilities built into servers by many manufacturers and further augments those capabilities with DEP software of its own.

Help protect your system services with stronger default settings and reducing privileges.
Services such as remote procedure call (RPC) and DCOM are integral to Windows Server 2003 and make an attractive target for hackers. By requiring greater authentication for calls of these services, Windows Server 2003 Service Pack 1 helps establishe a minimum threshold of security for all applications that use these services, even if they possess little or no inherent security.

Isolate out-of-date virtual private network (VPN) assets.
VPN Quarantine automatically provides the means for limiting network access for machines on virtual private networks that are not current with regards to security updates. This prevents you from having to write your own ad hoc scripts to affect this facet of sound network security.

Monitor and audit your Internet Information Services (IIS) configuration settings.
The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services 6.0. The ability to audit this store allows network administrators to see which user accessed the metabase in case it becomes corrupted.

Leverage the power of 64-bit extended systems.
Windows Server 2003 SP1 extends Windows Server 2003 security capabilities to 64-bit hardware, making Windows Server 2003 the OS for the next generation of servers.

Help Secure Internet Explorer.
Internet Explorer now contains many enhancements to help secure Windows Server 2003. Among them, Internet Explorer more effectively stops downloads of spurious files and prevents Web pages from accessing cached objects.

Avoid potentially unsafe e-mail.
Windows Server 2003 SP1 includes additional refinements to protect the network. With Outlook Express you can now open mail in plain-text mode, preventing HTML messages from running malicious code. Outlook Express prevents e-mail from downloading external content, stopping a means by which spam senders can validate your e-mail address. Outlook Express also checks e-mail attachments with Attachment Manager, eliminating the need for your own custom code to do so.

Note that I personally don't really count these last two. While these are good improvements to IE and OE, web browsing and checking email are not things one should be doing on ones server.

You can get more info on the RC here:

http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx

This document describes changes in functionality:

http://www.microsoft.com/downloads/details.aspx?familyid=c3c26254-8ce3-46e2-b1b6-3659b92b2cde&displaylang=en

Update - WINS Security Issue

jbmsft — Fri, 03 Dec 2004 14:09:00 GMT

The following KB article has been updated with more information on how to configure IPSec filters in regards to this issue as well as a link to a script that can be used to configure these IPSec filters:

http://support.microsoft.com/kb/890710

Security Resource Guide - November 2004

jbmsft — Thu, 25 Nov 2004 02:05:00 GMT

Microsoft continues to be committed to building software and services that will help better protect our customers and the industry. Because there is no one solution, our approach to security includes technology innovations to improve the ability to isolate malicious code, improvements in tools and processes for security updates, ongoing work on engineering excellence, and enhancements and improvements for managing user authentication and authorization. This includes improving our tools and training and providing better prescriptive guidance. BillG executive email of March 31: http://www.microsoft.com/mscorp/execmail/2004/03-31security.asp

Tools

Microsoft Baseline Security Analyzer (MBSA)

http://www.microsoft.com/mbsa

Use this tool to identify common security misconfigurations and missing security updates. MBSA runs on the Windows Server™ 2003, Windows® 2000, and Windows XP operating systems and will scan for vulnerabilities in multiple products and technologies, including Microsoft Internet Information Services (IIS) and SQL Server™.

Software Update Services (SUS) / Windows Update Services (WUS)

http://www.microsoft.com/wus

Quickly and reliably deploy the latest security updates, and service packs with Software Update Services. This new site now has the latest info on WUS.

Windows Update

http://windowsupdate.microsoft.com/

Scans your computer and provides a selection of updates tailored for your operating system, software, and hardware.

Microsoft Office Product Updates

http://office.microsoft.com/productupdates/

Scans and updates Microsoft Office products.

IIS Web Server Lockdown Wizard

http://www.microsoft.com/technet/security/tools/locktool.mspx

Reduces the attack surface of Internet Information Services (IIS) and includes URLScan to provide multiple layers of protection against attackers.

UrlScan Security Tool

http://www.microsoft.com/technet/security/tools/urlscan.mspx

Helps prevent potentially harmful HTTP requests from reaching IIS Web servers.

Removal Tools:

Mydoom, Zindos and Doomjuice worms: http://support.microsoft.com/?kbid=836528

Blaster Removal Tool for Windows XP and 2000:

http://www.microsoft.com/downloads/details.aspx?familyid=e70a0d8b-fe98-493f-ad76-bf673a38b4cf&displaylang=en

Sasser (A-F) Worm Removal Tool: http://support.microsoft.com/?kbid=841720

MS04-028 Enterprise Scanning Tool: http://support.microsoft.com/?kbid=886988

Other Tools:

http://www.microsoft.com/technet/security/tools/default.mspx

Security Risk Self-Assessment for Midsize Organizations http://www.securityguidance.com

Updating

Understanding Update Management: Microsoft’s Software Update Strategy

http://www.microsoft.com/technet/security/topics/patch/patchmanagement.mspx

Updated white paper talks about the need for strong update management process.

Other Update Management info in the TechNet Topics Page

http://www.microsoft.com/technet/security/topics/patch/default.mspx

Isolation and Resiliency

Listing of resources for the IT Pro to evaluate and deploy XP SP2

http://www.microsoft.com/technet/winxpsp2

Network Access Protection

http://www.microsoft.com/nap

Internet Security and Acceleration (ISA) Server 2004 whitepapers updated

http://www.microsoft.com/isaserver/evaluation/whitepapers/default.asp

Read about secure remote Outlook access in the Unique Protection for Microsoft Exchange Server whitepaper, a very viable business scenario with ISA Server

Engineering Excellence

Trustworthy Computing: Security

http://www.microsoft.com/mscorp/twc/security/default.mspx

Whitepapers on Security Enhancements:

Describes the Trustworthy Computing initiative as applied to the Windows Server, Office 2003 and Exchange Server 2003 development processes respectively.

Windows Server 2003:

http://www.microsoft.com/windowsserver2003/techinfo/overview/secinnovation.mspx

Office 2003:

http://www.microsoft.com/technet/prodtechnol/office/office2003/deploy/secdesn.mspx

Exchange Server 2003:

http://www.microsoft.com/exchange/evaluation/Security_e2k3.asp

Get the Facts:

Windows and Linux: http://www.microsoft.com/getthefacts

NEW SQL: http://www.microsoft.com/sql/evaluation/compare/databasesecurity.asp

Guidance and Training
Security Guidance Centers on Microsoft.com Worldwide: http://www.microsoft.com/security/guidance/worldwide/default.mspx US: http://www.microsoft.com/security/guidance Prescriptive guidance to help provide defence-in-depth security. E-Learning Security Training https://www.microsoftelearning.com/security/ E-Learning self-paced clinics - 4 Developer and 8 ITPro modules Now available in French, German, Spanish and Japanese XP SP2: https://www.microsoftelearning.com/xpsp2 Security Guidance Kit CD (now shipping in US and Canada) http://www.microsoft.com/security/guidance/order/default.mspx CD-ROM with tools, templates, and how-to guides Microsoft IT Security Showcase http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA An insider view into Microsoft's process of deploying, and managing its own enterprise solutions. Security Newsletter http://www.microsoft.com/technet/security/secnews/default.mspx Register for our free monthly e-mail newsletter that's packed with security news, guidance, updates, and community resources to help you protect your network. Security Program Guide: Events and Training Information http://www.microsoft.com/seminar/events/security.mspx Events, webcasts and training ivailable for both IT Professionals and Developers. US Security Summit Keynote and Training Content http://www.microsoft.com/seminar/securitysummit/presentations/default.mspx Security Notifications via e-mail http://www.microsoft.com/technet/security/bulletin/notify.mspx Sign up today to get e-mail alerts when an important security bulletin or virus alert has been released. Security Update RSS Feed http://www.microsoft.com/technet/security/bulletin/secrss.aspx Security Bulletin Search Page http://www.microsoft.com/technet/security/current.aspx Search on product, technology or KB article Security Bulletin Webcast http://www.microsoft.com/technet/security/bulletin/summary.mspx Join Microsoft experts on the day after bulletin announcements to get the latest information and have the opportunity to ask questions. How to Tell If a Microsoft Security-Related Message Is Genuine http://www.microsoft.com/security/antivirus/authenticate_mail.asp Writing Secure Code, 2nd edition http://www.microsoft.com/mspress/books/5957.asp Best practices for writing secure code and stopping malicious hackers. Building and Configuring More Secure Web Sites http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp Best Practices used at OpenHack. Recent Security Guidance Center additions: Windows XP Guide, includes SP2 http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx New Security Risk Management Guide http://go.microsoft.com/fwlink/?LinkId=30794 Windows NT 4.0 and Windows 98 Threat Mitigation Guide http://go.microsoft.com/fwlink/?linkid=32048 Microsoft Identity and Access Management Series http://go.microsoft.com/fwlink/?LinkId=14841 Antivirus Defense-in-Depth http://www.microsoft.com/technet/security/guidance/avdind_0.mspx Securing Wireless LANs with PEAP and Passwords http://www.microsoft.com/technet/security/guidance/peap_0.mspx Small Business Guidance: http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx Guidance specifically for the smaller business Configuring Windows XP 802.11 Wireless Networks for the Home / Small Business http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx Consumer Information: http://www.microsoft.com/security/protect http://www.microsoft.com/athome/security/default.mspx Newsletter for home users http://www.microsoft.com/security/home/secnews/current.asp Security bulletin notifications for home users http://register.microsoft.com/subscription/subscribeme.asp?id=166

Network Access Protection Platform Architecture

jbmsft — Fri, 19 Nov 2004 03:29:00 GMT

http://www.microsoft.com/downloads/details.aspx?familyid=2f37651e-1749-45c3-996e-53de05d44ef7&displaylang=en