Archive

Archive for the ‘Security’ Category

Boston Marathon Spam

April 17th, 2013 Comments off

It didn’t take long for spammers to start abusing the Boston Marathon bombing, sending emails with links to various YouTube videos of the explosions at the Boston Marathon, an automatic download of a malicious binary named “boston.avi_______.exe”, embedded malicious Java code and other iframed pages with malicious content.

[Image: Sample email]

[Image: Sample landing page with videos and Java]

 

Microsoft TechDays 2013 Presentations (Belgium & Netherlands)

March 25th, 2013 Comments off

The presentations from our pre-con/workshop sessions “Defending your Microsoft infrastructure from cyber threats” at TechDays 2013 in Belgium and the Netherlands are now available for download:

  TechDays 2013 Presentations download:(4.7 MiB, 877)

If you have any follow up questions about the sessions or any related topics please contact Hasain Alshakarti or Marcus Murray :)

 


PowerShell Scripting Week by Niklas Goude

July 2nd, 2012 Comments off

The Hey, Scripting Guy! Blog is one of those blogs I would normally recommend to anybody interested in scripting Windows. But I have a very good reason to bump that recommendation this week, just to make sure everybody following my blog does not miss that my colleague and fellow MVP Niklas Goude will be writing a couple of guest posts on The Scripting Guys blog regarding security from the 2nd to the 6th of July.

The specific subjects will be:

Monday: Scanning

Tuesday: Brute Force

Wednesday: Shares and Metadata

Thursday: Give yourself System Permission without psexec

Friday: LSA Secrets

Enjoy Powershell!

 

Windows 8 Enhanced Security Features

June 16th, 2012 Comments off

Microsoft has published the Windows 8 Release Preview Product Guide for Business. The guide describes how Windows 8 changes work environments and how Windows is reimagined to support people’s unique working styles.

Windows 8 provides enterprise-class security capabilities that keep clients more secure from power-on to power-off.

Windows 8 provides the following enhanced security features:

Trusted boot process

With UEFI 2.3.1 equipped devices, the UEFI Secure Boot feature helps to ensure that malware is not able to start before Windows 8. The Windows 8 Trusted boot feature protects the integrity of the remainder of the boot process, including the kernel, system files, boot critical drivers, and even the antimalware software itself. The system’s antimalware software is the first 3rd party application or driver to start. Moving antimalware into the Trusted Boot process prevents it from being tampered with. In the event that malware is able to successfully tamper with the boot process Windows can automatically detect and repair the system.

Measured boot process

On Trusted Platform Module (TPM)-based systems, Windows 8 can perform a comprehensive chain of measurements during the boot process that can be used to further validate the boot process beyond Trusted Boot. Measured boot process enables all aspects of the boot process to be measured, signed, and stored in a Trusted Platform Module (TPM) chip. This information can be evaluated by a remote service to further validate a computer’s integrity before granting it access to resources. This process is called Remote Attestation.

BitLocker Drive Encryption

BitLocker now supports encrypted drives, which are hard drives that come pre-encrypted from the manufacturer. BitLocker offloads the cryptographic operations to hardware, increasing overall encryption performance and decreasing CPU and power consumption. On devices without hardware encryption, BitLocker allows you to choose to encrypt the used space on a disk instead of the entire disk. As free space is used, it will be encrypted. This results in a faster, less disruptive encryption of a hard drive. In addition, the user experience is improved by allowing a standard user, one without administrative privileges, to reset the BitLocker PIN.

AppLocker

AppLocker enables IT administrators to create security policies through Group Policy to prevent potentially harmful or other non-approved apps from running. With AppLocker, IT administrators can set rules based on a number of properties, including the signature of the application’s package or the app’s package installer and can more effectively control apps with less management.

Windows SmartScreen app reputation service

Windows SmartScreen app reputation is a safety feature in Windows 8. This service provides application reputation-based technologies to help protect users from malicious software that they may encounter on the Internet. This technology checks the reputation of any new application, helping to keep users safe no matter which browser they use on Windows 8. This helps to prevent malware and other viruses from infiltrating your organization. The Windows SmartScreen app reputation feature works with Internet Explorer’s SmartScreen feature, which also protects users from websites seeking to acquire personal information such as user names, passwords, and billing data.

Claim-based access control

With Windows 8, IT administrators can dynamically allow users access to the data they need based on the user’s role in the company. Unlike previous statically-controlled security groups, Claim-based access control allows IT admins to dynamically control access to corporate resources based on the user and device properties that are stored in Active Directory. For example, a policy can be created that enables individuals in the finance group to have access to specific budget and forecast data, and the human resources group to have access to personnel files.
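The features above are described from the product guide only; a practitioner usually wants to know which of them are actually active on a given machine. The following script is an added example (not part of the product guide or this post) that reports the state of Secure Boot, the TPM, BitLocker and the effective AppLocker policy on the local computer. It assumes Windows 8 / Windows Server 2012 or later with the SecureBoot, TrustedPlatformModule, BitLocker and AppLocker PowerShell modules, run from an elevated session.

```powershell
# Added example: report the state of the Windows 8 security features described above.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
function Get-Win8SecurityFeatureState {
    [CmdletBinding()]
    param()

    # UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # so record that as "not supported" instead of failing the whole report.
    $secureBoot = 'Not supported (legacy BIOS)'
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # A present and ready TPM is the prerequisite for Measured Boot and remote attestation
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # BitLocker: protection status and encryption progress for each volume
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
        '{0} {1} {2}% ({3})' -f $_.MountPoint, $_.ProtectionStatus, $_.EncryptionPercentage, $_.VolumeStatus
    }

    # AppLocker: enforcement mode of each rule collection in the effective policy,
    # read from the policy XML (<RuleCollection Type="Exe" EnforcementMode="...">)
    $appLocker = @()
    $policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    if ($policyXml) {
        $appLocker = ([xml]$policyXml).AppLockerPolicy.RuleCollection | ForEach-Object {
            '{0}={1}' -f $_.Type, $_.EnforcementMode
        }
    }

    [PSCustomObject]@{
        SecureBootEnabled = $secureBoot
        TpmPresent        = $(if ($tpm) { $tpm.TpmPresent } else { $false })
        TpmReady          = $(if ($tpm) { $tpm.TpmReady } else { $false })
        BitLockerVolumes  = ($volumes -join '; ')
        AppLockerPolicy   = ($appLocker -join '; ')
    }
}

Get-Win8SecurityFeatureState | Format-List
```

A machine where SecureBootEnabled is False, TpmReady is False or every AppLocker collection reports NotConfigured is not getting the protections the guide describes, regardless of what the OS version says.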

 

2W – Pentest & Security – with a touch of PowerShell

March 15th, 2012 Comments off

In many contexts, penetration testing is associated with third-party tools and Linux distributions. It typically takes a number of different products and techniques to gather the information needed to determine whether your company is operating in a secure environment.

In this presentation we will focus on what you can do in terms of penetration testing from a standard-installed Windows client.

We will also go through different methods you can use to harden your environment.

Hasain, MVP in Security, and Goude, MVP in PowerShell, will both give an exciting presentation as well as an exciting discussion about pentesting, security and PowerShell.

Download the presentation here: 2W-Pentest-Powershell

 

Certificate Selection & Certificate Friendly Name Tool

November 4th, 2011 Comments off

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers not aware of the functionality…) or use filters that do not efficiently reduce the number of certificates presented to the user, making it almost impossible for a user to know which certificate to choose without opening the certificate and looking at details such as template name, EKU, etc.

This is particularly true when all certificates have been automatically enrolled using the same user DN/CN attribute based on the user’s Active Directory user object attributes. In addition, Autoenrollment does not support variations in certificate subject name unless a third-party policy module is installed on the Active Directory Certificate Services.

Since the certificate selection UI supports certificate friendly names, setting the friendly name to include information about the certificate template can simplify the user’s task of selecting the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the Certificates MMC snap-in. Alternatively, certutil.exe can be used as follows:

Create a text file containing the following information:

[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}My Friendly Name"

Save the file as friendlyname.inf

Determine the serialnumber of the certificate where the friendly name should be changed.

Run the following command at a command-line:
certutil -repairstore -user my {SerialNumber} FriendlyName.inf

Setting the friendly name can be automated either by scripting the steps above or by creating a tool that enumerates all certificates in the personal store and assigns the friendly name.

A proof of concept tool, CertFN.exe, was created to automate the above. The tool takes a parameter for the template name to use when filtering the user store; it then sets the friendly name based on the schema “Template Name – Certificate Subject Name”.

  CertFN - Certificate Friendly Name Tool download:(39.3 KiB, 1,240)

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download:(1.1 KiB, 3,065)
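The script below is an added example and is not the CertFN tool or its PowerShell edition. It does the same job in plain PowerShell: enumerate the current user’s Personal store, read the template name from the certificate template extension (the v1 “Certificate Template Name” extension or the v2+ “Certificate Template Information” extension) and set the friendly name to “Template Name - Subject” for matching certificates. Assumptions: Windows PowerShell with the Cert: drive, the template name is resolvable from the extension text, and a plain hyphen is acceptable as the separator.

```powershell
# Added example (not the CertFN tool): set friendly names in Cert:\CurrentUser\My
# for certificates issued from a given template. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$TemplateName
)

# OIDs of the two extensions that carry the template name:
# v1 templates use "Certificate Template Name", v2+ use "Certificate Template Information"
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'
$v2TemplateOid = '1.3.6.1.4.1.311.21.7'

function Get-CertificateTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq $v1TemplateOid) {
            # v1: the formatted extension text is just the template name
            return $ext.Format($false).Trim()
        }
        if ($ext.Oid.Value -eq $v2TemplateOid) {
            # v2+: "Template=<Name>(<OID>), Major Version Number=..." when the OID
            # can be resolved against AD; otherwise only the OID is shown (assumption)
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return $null
}

$updated = 0
foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    $template = Get-CertificateTemplateName -Certificate $cert
    if ($template -ne $TemplateName) { continue }

    # Friendly name schema from the post: "Template Name - Certificate Subject Name"
    $friendlyName = '{0} - {1}' -f $template, $cert.Subject
    if ($PSCmdlet.ShouldProcess($cert.Thumbprint, "Set FriendlyName to '$friendlyName'")) {
        # Assigning FriendlyName on a certificate object opened from a store
        # writes the property back to that store, so no certutil call is needed.
        $cert.FriendlyName = $friendlyName
        $updated++
    }
}
Write-Output "Updated $updated certificate(s) matching template '$TemplateName'."
```

Run it as `.\Set-CertFriendlyName.ps1 -TemplateName 'User' -WhatIf` first to see which certificates would be renamed; the friendly name is a store property only, so it never alters the certificate itself or its signature.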

Windows 8 – Network Isolation for Metro style Apps

October 8th, 2011 Comments off

When developing Metro style apps, Network Isolation helps your product to take advantage of the isolation mechanisms that will keep the app and system secure.

The new Windows Runtime APIs enable a developer to control the security profile of an app under development. Network access is part of this application security model. Not all apps will require access to the network. However for those that do, Windows provides the appropriate level of granularity for apps to access the network securely.

With network isolation, developers can define the scope of the network access required for each process, which prevents a process without the appropriate scope from accessing the specified type of network or connection. The ability to set and enforce these boundaries ensures that compromised apps have access only to networks they have explicitly been granted access to, significantly reducing the scope of their impact in other apps or the system itself.

Download and read more about Network Isolation for Metro style Apps at http://www.microsoft.com/download/en/details.aspx?id=27534. This paper provides information about network isolation for Windows operating systems. It provides guidelines for developers to determine the network boundary that a Metro style app will operate in, and what capabilities will be necessary to access required resources.

 

IPSec StrongCRLCheck does not work on Windows Server 2008 R2-based RRAS

September 15th, 2011 Comments off

SYMPTOMS:

  • You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
  • You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
  • You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
  • You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
  • You establish an L2TP/IPsec connection from the client computer to the server.
  • The connection to the RRAS server is successful. However, you expect that the client computer cannot connect to the server.
The issue occurs because the Remote Access Service (RAS) ignores the StrongCRLCheck setting.
To correct this you need a hotfix and a new registry key, as instructed in KB2351254: http://support.microsoft.com/kb/2351254

Interesting notes from the DigiNotar report

September 6th, 2011 Comments off

The notes below are extracted from the “DigiNotar public report version 1” published at http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

“The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.

The software installed on the public web servers was outdated and not patched.

No antivirus protection was present on the investigated servers.

An intrusion prevention system is operational. It is not clear at the moment why it didn’t block some of the outside web server attacks. No secure central network logging is in place.”


Out of band update KB2607712 – Fraudulent DigiNotar certificates could allow spoofing

September 6th, 2011 Comments off

Microsoft has published an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie – G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven

http://support.microsoft.com/kb/2607712

 

How do I enable Single Sign-on for RD Gateway Server?

August 24th, 2011 Comments off

  1. Create, edit or change a group policy object for your clients.
  2. Navigate to “User Configuration”, “Administrative Templates”, “Windows Components”, “Remote Desktop Services”, “RD Gateway” and select the “Set RD Gateway server authentication method” setting.
  3. Select the “Enabled” radio button.
  4. Under “Set RD Gateway server authentication method”, click on the combo-box and select “Use locally logged-on credentials”.
  5. If you want the users to be able to override this authentication method, select the “Allow users to change this setting” checkbox.
  6. Confirm the changes by clicking on the “OK” button until you return to the main Group Policy Object Editor dialog.
  7. Apply the policy and make sure it has been enforced on the client by running “gpupdate” to force the policy to be refreshed immediately on the local machine.
  8. Start the RD client and navigate to “Options”, “Advanced”, then click on “Settings” under “connect from anywhere”. You should see the status text indicate the following: “Your Windows logon credentials will be used to connect to this RD Gateway server”.
  9. The client will now be able to connect to the gateway server using the locally logged-on credentials.

Problem in certreq.exe sign operation

August 13th, 2011 2 comments

CMC certificate requests are normally used in Enroll On Behalf Of (EOBO) enrollment scenarios, where additional enrollment agent signatures are required by the certification authority before it accepts and processes the certificate request.

Generating and signing the CMC certificate request can be done either with the certmgr.msc MMC snap-in or scripted using the certreq.exe tool provided in the Windows platform. The procedure for generating and signing the CMC certificate request with certreq consists of the following steps:

1. Create a certificate request INF file describing the request. Below is a sample INF file for an EOBO request:

[Version]
Signature= "$Windows NT$"

[NewRequest]
RequesterName = Crisco0\Administrator
RequestType = CMC

[RequestAttributes]
CertificateTemplate = EOBO_Template


2. Generate the initial self-signed CMC certificate request using the command:

certreq.exe -new certificate_request.inf certificate_request.req

3. Sign the initial self-signed CMC certificate request with the enrollment agent certificate using the command:

certreq.exe -sign certificate_request.req signed_certificate.req

4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:

certreq.exe -submit signed_certificate.req new_certificate.cer
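As an added example (not code from the post or from the cmcSigner tool), the function below drives the three certreq.exe steps above from PowerShell and checks the exit code of each one, so that a failure in the -sign step stops the procedure instead of feeding an unsigned file to -submit. The requester name, template name and CA configuration string are placeholders to be supplied by the caller; the CA config string is optional because certreq prompts for a CA when it is omitted.

```powershell
# Added example: automate the certreq -new / -sign / -submit sequence with
# exit-code checks. All parameter values are placeholders supplied by the caller.
function New-EoboCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$RequesterName,  # e.g. 'DOMAIN\user' (placeholder)
        [Parameter(Mandatory = $true)][string]$TemplateName,   # certificate template name
        [string]$CaConfig,                                     # 'CAHOST\CA Name'; omit to be prompted
        [string]$WorkDir = (Join-Path $env:TEMP 'eobo')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf    = Join-Path $WorkDir 'certificate_request.inf'
    $req    = Join-Path $WorkDir 'certificate_request.req'
    $signed = Join-Path $WorkDir 'signed_certificate.req'
    $cer    = Join-Path $WorkDir 'new_certificate.cer'

    # Step 1: write the request INF (same sections as the sample INF above)
    @"
[Version]
Signature= "`$Windows NT`$"

[NewRequest]
RequesterName = $RequesterName
RequestType = CMC

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $inf -Encoding ASCII

    # Steps 2-4; -f lets certreq overwrite output files from an earlier run
    $submitArgs = @('-submit', '-f')
    if ($CaConfig) { $submitArgs += @('-config', $CaConfig) }
    $submitArgs += @($signed, $cer)

    $steps = @(
        @{ Name = 'new';    Args = @('-new', '-f', $inf, $req) },
        @{ Name = 'sign';   Args = @('-sign', '-f', $req, $signed) },
        @{ Name = 'submit'; Args = $submitArgs }
    )
    foreach ($step in $steps) {
        $output = & certreq.exe @($step.Args) 2>&1
        if ($LASTEXITCODE -ne 0) {
            # A failing -sign step is the symptom described in this post
            throw "certreq -$($step.Name) failed with exit code $LASTEXITCODE`n$($output -join "`n")"
        }
    }
    return $cer
}
```

The thrown message carries certreq’s own output, so the 0x800704df error discussed below surfaces at the -sign step with the file names of the request that triggered it, which makes it easy to retry that single step with a different certreq.exe build.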

The procedure described above works as expected until you try it on Windows 2008 R2 SP1 (I have not had the chance to test other versions yet), where you get an error message at step 3 and the agent signing fails.

What happens in step 3 is that the certreq tool tries to read the referenced certificate template from Active Directory to figure out the signing requirements, and it simply fails with the error message:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

After struggling with my request INF file and certificate template and getting the same error, I decided to perform the agent signing using other tools. After some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice with the provided samples, but I wanted something simpler, so I ended up at this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about “Create Enroll on Behalf of Another User Request”. Using the code from the “Create Enroll on Behalf of Another User Request” article I created the cmcSigner tool, and the CMC request could be signed and the certificate issued without errors.

What if this version of certreq.exe has some issue? To figure that out I decided to test the certreq -sign operation with an older version of certreq.exe, so I grabbed the Windows 2003 Admin Tool Pack, extracted certreq.exe and tested the signing step with no errors!

Conclusion: certreq.exe in some later versions has a problem performing a certificate signing operation.

Solution: use another version of certreq.exe or another tool like the cmcSigner tool.

  cmcSigner Tool download:(258.8 KiB, 1,014)

IT Pro at Home Demonstration: Wireless Networking

August 6th, 2011 Comments off

Learn how, in Windows 7, you can connect to a wireless access point in just three clicks. With this screencast from the Springboard Series IT Pro at Home: Tips and Tricks series, you’ll see how, whether you’re sitting in a coffee shop or at the airport, connecting to a wireless network is simple and easy when you’re using Windows 7. This demonstration will also go over moving between wireless networks and provide tips to help you go from home to the office using each network seamlessly.

Download the Wireless Networking screencast here or from Microsoft at http://www.microsoft.com/download/en/details.aspx?id=1271

 

 

Maintain SDL requirement in code

August 5th, 2011 Comments off

Microsoft has released an updated version of the banned.h header file to help developers remove banned functions from code, as required by the SDL. The header file simply lists all banned APIs and allows any developer to locate them in code and remove or adjust the code to align with the SDL requirements.

The updated banned.h can be downloaded from Microsoft Download Center http://www.microsoft.com/download/en/details.aspx?id=24817
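banned.h finds the banned calls at compile time; the added example below (not part of banned.h or the SDL tooling) does the same job on a source tree before anything is compiled, which is handy for code review or a CI check. The function list is a constructed subset of well-known banned C runtime functions, not the complete banned.h list, and the path `.\src` is a placeholder.

```powershell
# Added example: locate calls to banned C runtime functions in a source tree.
# $bannedFunctions is a constructed subset of the banned.h list, not the full list.
$bannedFunctions = @('strcpy', 'strcat', 'sprintf', 'vsprintf', 'gets',
                     'strncpy', 'strncat', 'memcpy', 'scanf', 'sscanf')

function Find-BannedApiCalls {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Extensions = @('*.c', '*.cpp', '*.h', '*.hpp')
    )
    # Whole word followed by "(": "lstrcpy(" and "strcpy_s(" are not reported for strcpy
    $pattern = '\b(' + ($bannedFunctions -join '|') + ')\s*\('

    Get-ChildItem -Path $Path -Recurse -Include $Extensions -File |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [PSCustomObject]@{
                    File     = $_.Path
                    Line     = $_.LineNumber
                    Function = $m.Groups[1].Value
                    Text     = $_.Line.Trim()
                }
            }
        }
}

# Placeholder path; one row per banned call found
Find-BannedApiCalls -Path .\src | Sort-Object File, Line | Format-Table -AutoSize
```

A match inside a comment or string literal is still reported, so treat the output as a worklist to review rather than a verdict; the compile-time banned.h check remains the authoritative gate.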

FIM CM 2010 links from Microsoft Downloads

July 13th, 2011 Comments off

Best of MMS Sverige 2011

July 10th, 2011 Comments off

How do you and your company manage your IT environment in the best way?

Best of MMS is the event you should not miss. Here you will learn everything about the most current Microsoft products and technologies in IT management. During the coming year, for example, several product launches are expected within the System Center family.

The leading Swedish IT experts will be on site. It will be two days full of technology-packed talks, on topics such as Opalis, System Center Configuration Manager 2012, IPv6, System Center Virtual Machine Manager 2012 and System Center Service Manager R2, Hyper-V Cloud and more.

Are you curious about IPv6 and how the new protocol will affect both the management of Windows Server and the security of your systems?

Read more and book your seat today at http://www.microsoft.com/sverige/bestofmms2011/default.html

 

Battling the Rustock Threat

July 10th, 2011 Comments off

Microsoft has published a document http://www.microsoft.com/download/en/details.aspx?id=26673 that provides an overview of the Win32/Rustock family of rootkit-enabled backdoor trojans.

The document examines the background of Win32/Rustock, its functionality, how it works, and provides threat telemetry data and analysis from calendar year 2010 through May 2011.

In addition, the document details the legal and technical action used to take down the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.

 

IE – Enable Certificate Revocation Failure Notification

July 5th, 2011 2 comments

Applies to Internet Explorer 7 and later. In order to confirm the identity of organizations that host secure webpages, certifying authorities issue security certificates. These certificates are validated when you request a secure webpage.

By default, Internet Explorer performs a number of steps in order to validate the security certificate for a secure website. If a certificate is invalid, is out-of-date, or improperly identifies the website in question, Internet Explorer displays a notification to the user.

As an additional verification step, many certifying authorities also provide a service that identifies certificates that have been recently revoked. Earlier versions of Internet Explorer displayed notifications when this service could not be reached.

Because the inability to reach these services does not necessarily indicate that a certificate has been revoked, many users complained that such notifications were “false positives.” After considerable negative feedback, these notifications were disabled by default in Internet Explorer 7 and later.

When enabled, the FEATURE_WARN_ON_SEC_CERT_REV_FAILED feature displays notifications when Internet Explorer cannot reach the certificate revocation service published by a certifying authority. By default, this feature is disabled for Internet Explorer. This feature is not supported for applications hosting the WebBrowser Control.

To enable this feature using the registry, add the name of the Internet Explorer executable file to the following setting.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED]
"iexplore.exe"=dword:00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.
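The same setting can be managed from PowerShell instead of a .reg file. The script below is an added example, not from the post, that writes the registry value given above and verifies it; it assumes Windows PowerShell with the HKCU: drive and that Internet Explorer is the process to enable the feature for.

```powershell
# Added example: enable and verify FEATURE_WARN_ON_SEC_CERT_REV_FAILED for
# iexplore.exe in the current user's hive (same key as the .reg fragment above).
$featurePath = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED'
$process = 'iexplore.exe'

function Set-RevocationFailureWarning {
    param([Parameter(Mandatory = $true)][bool]$Enabled)

    # The feature-control key does not exist by default; create it on first use
    if (-not (Test-Path -Path $featurePath)) {
        New-Item -Path $featurePath -Force | Out-Null
    }
    # DWORD 1 enables the notification, 0 disables it
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $featurePath -Name $process -PropertyType DWord -Value $value -Force | Out-Null
}

function Test-RevocationFailureWarning {
    # True only when the value exists for the process and is exactly 1;
    # a missing value means the feature is at its default (disabled).
    $item = Get-ItemProperty -Path $featurePath -Name $process -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$process -eq 1)
}

Set-RevocationFailureWarning -Enabled $true
Test-RevocationFailureWarning
```

Because the value lives under HKEY_CURRENT_USER it only affects the user who runs the script; a machine-wide rollout would use the corresponding HKEY_LOCAL_MACHINE path or Group Policy preferences.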

TechNet videos: Security Compliance Manager 2 teaser

June 30th, 2011 Comments off

Want to take an early look at the next version of the Security Compliance Manager (SCM) 2 tool? In this three-part screencast series with Sr. IT Pro Evangelist Matt Hester, he takes you on a quick tour of the tool’s features and benefits, including new features in SCM 2 like GPO import, baseline setting customization, local GPO functionality, an enhanced user interface, and an improved installation experience. Check out these new screencasts!

Use SCM 2 to harden your machines to meet industry standards

June 29th, 2011 Comments off

Microsoft Security Compliance Manager (SCM) 2 enables organizations to take better advantage of their existing knowledge and investments, and customize security and compliance settings with ease. Customers can harden their machines to industry standards, monitor for configuration drift and address the configuration requirements of hundreds of regulations like SOX, PCI and HIPAA. Learn more.

New SCM 2 features include:

  • GPO import: SCM 2 can now import Group Policy Object (GPO) Backup files to allow organizations to import and compare their existing knowledge against Microsoft baseline recommendations. This long-awaited feature effectively helps you to customize and manage your organization’s existing knowledge stored in Active Directory.
  • Baseline setting customization: Modifying baselines just got easier. Adding, extending, or deleting settings from a baseline is an effortless process in this new version of the tool.
  • Local GPO functionality: Apply security baselines directly to client and server computers using the LocalGPO command-line tool, which enables you to secure stand-alone computers and test different baselines without using Active Directory to deploy them. Use this tool to create local policy snapshots that you can import into SCM 2 using the new GPO import capabilities, which you can then compare, customize, and export as needed.
  • Additional features: These include a new and enhanced UI that provides simpler navigation in the tool, and improved installation with SQL Server 2005 and later releases of SQL Server.

Version 2 of the SCM tool will release with a full complement of Microsoft product baselines, including these new and/or updated baselines:

  • Windows Internet Explorer 9
  • Windows Server 2008 R2 Service Pack 1 (SP1)
  • Windows Server 2008 SP2
  • Windows Server 2003 SP2

————————————————————————————————————-

In more detail

Microsoft Security Compliance Manager (SCM) 2 provides security and compliance configuration recommendations from Microsoft, centralized baseline management features, a baseline portfolio, customization capabilities, and security and compliance baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft products and technologies. The formerly stand-alone product-specific security guides are now included in the SCM tool.

Version 2 of the SCM tool releases with a full complement of Microsoft security and compliance baselines, including a new Windows Internet Explorer 9 Security Baseline, and updated baseline versions for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2.

These new beta baselines provide:

  • Setting severity ratings, allowing you to quickly sort, prioritize, and apply Microsoft security and compliance recommendations.
  • Consolidated product baselines that eliminate EC and SSLF baseline components, and make viewing, customizing, and implementing your security baselines easier than ever!
  • New compliance-based settings groups allow quicker and easier compliance reporting and audit preparation, when used with the GRC management solution within System Center.

Additional product baselines are currently in development, including baselines for: Windows 7 SP1, Microsoft Exchange Server 2007, Exchange Server 2010, SQL Server 2008 and SQL Server 2008 R2 (multiple roles), Office 2010, Windows Vista SP2, Windows XP SP3, and Windows Internet Explorer 8.

To learn more about the Security Compliance Manager tool, visit the TechNet Library.