Journaling: to keep or not to keep that is that is the question.  This same question has been constantly haunting compliance officers and messaging administrators. Message Journaling consists of electronically retaining incoming and outgoing messages. Multiple regulatory compliance standards such as the Sarbanes Oxley act, HIPAA Final Security Rule and the Patriot Act require address the need to retain electronic copies of corporate mail.

The Problem:

During the past years, several large corporations lost significant amounts of money due to their failure to meet these compliance requirements. The financial consequences of non-compliance are real, and increasingly severe. Depending on the violation, non-compliance can be punished by a fine and/or a period of detention. Amongst the most noticeable incidents Morgan Stanley was fined over $1.45 billion due to its inability to reproduce e-mail transmissions.

What really falls in scope?

Sarbanes Oxley states in Section 802 “all audit-related information to be is retained by an auditor for a period of not less than 7 years. This includes work papers, memoranda, correspondence, communications, and electronic records (including email)”.

Deciding what and how to journal is one of the most difficult tasks for a messaging administrator. Message journal appliances are expensive and can get hard to administrate. However to comply is not to go out and buy expensive appliances or applications. In most cases compliance can be achieved with tools which you already have.

Microsoft’s Messaging Server, Exchange 2007, offers features which when configured properly, does quite a good job in journaling messages. In this blog article I will go over the necessary configuration to transform you email server into a compliant journaling solution.

The Solution:

Messaging Journaling using Microsoft Exchange server 2007:

Creating the journaling mailbox:

1. On the exchange mailbox server, create a “Compliance” mailbox. This mailbox will be the journaling recipient. The mailbox can be created via GUI or through Exchange management Shell with the following cmdlet.

Set-Mailbox <Journal Mailbox Name>

-AcceptMessagesOnlyFrom “Microsoft Exchange” -RequireSenderAuthenticationEnabled $True

Remember that:  When messages are retained as an act of compliance to a federal regulation, simply retaining the messages is not enough. There are also laws that specify that the messages must not be tampered with, and that only certain people within the company are allowed to access the archives.

Configuring the Exchange Environment:

1. Log on the the Exchange Hub Transport Server.
2. Run the Exchange Management Shell.

1. Type in the following command:  Get-TransportAgent

This command will indicate whether or not the journaling agent is enabled on the server by either displaying true or false.

1. If the above command returns false, then you will have to enable the journaling agent. To enable journaling on the server, enter the following command:

Enable-transportagent

When prompted for the identity, type in a name for the journaling ex: Sox Journaling.

1. Enter the Get-TransportAgent command once again to confirm that the journaling agent has been activated.

Configuring Journaling on the Hub Transport Server:

1. Log on to the Hub Transport Server.
2. Open the Exchange Management Console
3. Click on Organization Configuration.
4. Click on Hub Transport.
5. Select the Journaling Tab.
6. Click on New Journal Rule link.

1. In Rule Name enter a descriptive name for the journaling rule ex: Sox Journaling Rule.
2. In the Send Journal Reports to E-Mail Addresses field supply the name of the mailbox we created in the beginning ex: Compliance-MailBox.
3. In the Scope section, Select either internal, external, or all messages as you wish.

Internal scope: Journals messages sent and received by mailboxes within the organization.

External scope: Journals messages sent and received to recipients outside of the organization.

Global scope: Journals all messages passing through your organization, regardless of where they have come from or who they are being sent to.

1. In the Journal Messages for Recipient field specify the mailbox or group for which you want to enable journaling.

For example, if you wanted to create a journaling rule to journal messages sent by John Doe, this is where you would enter John Doe’s mailbox name.

1.  Click on the New button and the Exchange 2007 journaling rule will be created.

Daniel de Carvalho MCSE+S, CISSP, CEH, QSA

In 1979, to the joy of millions of children nationwide, McDonalds debut the Happy Meal. Children were dazzled to find out what surprised awaited them inside the pretty little Happy Meal box. However the surprise not always was what they expected. With the advance of the internet and computer technology, hackers started creating their own little happy meals, stuffing legitimate programs with malicious code and applications.

The problem:

The problem is more complex than it seems. How many times have you ever downloaded and application, and after installing it you realized a series of applications you don’t recall installing appears on your desktop such as: Free Poker, E-Casino, Free Online Games etc.? The internet today is packed with millions of download sites, in many different languages, shapes and sizes. The problem is that hackers take advantage of this diversity to prey on innocent users, infecting their computers and robbing critical and sensitive information. In this blog article, I will teach you how to know if the software you are downloading is legitimate and does not have any “extra” malicious features.

The solution:

It is true that just like your body cells have exclusive DNA signatures, all applications also have unique signatures. This process of creating an application signature is done by hashing the application executable. A Hash is a one way mathematical function which by the properties of the elements introduced to it outputs an exclusive output or signature also known as the message digest. The message digest ensures the integrity of the executable, if one single bit is altered or added inside the executable, the message digest will be completely different from the original signature. Most of today’s software vendors publish the legitimate message digest of their applications.

Now that you know where to find the legitimate signature, how can you test to see if the application you just downloaded is in fact the real application? The answer is simple: download an md5 application hasher. MD5Sum is a free and simple to use, cross platform MD5 hasher.

The example:

Let’s see an example:

1. Download MD5Sum:  Download Link: http://www.pc-tools.net/win32/md5sums/
2. Extract the MD5Sum application to a folder (Ex: c:\md5).
3. Visit the Software vendor’s website, in our example the Spybot search and destroy.

http://www.safer-networking.org/en/download/index.html

1. If you pay close attention, Next to the download link, there is an md5 message digest for the legitimate application.

As seen above the MD5 digest for the 1.6.2 version of Spybot Search and Destroy is:

md5: 54ACBA9CFD7154C02CEACF6310CF3CFA.

1. Download the target application.
2. Open the folder containing the MD5Sum application.

1. Drag the target executable or installer over to the MD5Sum.exe

1. A command line window will open displaying the md5 signature of the dragged executable.

1. Compare the results. 

• On the website it stated that the MD5 signature was:

54ACBA9CFD7154C02CEACF6310CF3CFA.

• MD5Sum stated that the signature was:

54acba9cfd7154c02ceacf6310cf3cfa.

Result: Legitimate.

You may now install the application with no worries.

Before I forget, the MD5 value of md5sums.exe is: da1e100dc9e7bebb810985e37875de38…enjoy!

Daniel de Carvalho MCSE+S, CISSP, CEH, QSA

USB Drives have been considered one of the best and worst gadgets of the past decade. It is sometimes seen as the worst gadget due to the risks which it inflicts on the corporate world. Back in the day a 128 MB USB drive was costing a fortune, however today everyone has at least 1 USB drive of at least 1GB. The fact that the number of removable media devices grew exponentially over the past decade has also increased the number of USB related security breaches. The breaches range from malicious hidden code which auto run once the USB drive is connected, to scandalous sensitive data leaks.

The Problem:

Regulatory compliance Standards such as the HIPAA Final Security Rule address the risks related to “information leakage” through USB drives.  In the United States, laws such as the Gramm-Leach-Bliley Act demand that companies build up strategies to prevent data leakage, facing serious penalties for non compliance.

Data Leakage has become a serious worldwide security issue, especially when it comes to removable media such as USB Drives. In February 2006, a Deloitte & Touche consultant left an unprotected media with personal records of 9,290 McAfee employees in an airline seatback. In 2007, reports surface that USB flash drives with sensitive military information are being sold in street markets in Afghanistan. The question is not only protecting the information, but yes preventing it from being there in the first place.

The Solution:

The fact is that in today’s business, employees play a key role in a company’s security and that many workers still do not understand the danger of USB drives. Unfortunately we cannot always rely on the end user for safety and protection. Data Loss Prevention applications are sometimes cumbersome and excessively expensive, dividing companies into those who have and those who can’t afford. Given those circumstances I will demonstrate a simple, free and yet effective way to protect USB drives and sensitive corporate information.

Microsoft Windows XP SP2 can be tweaked to prevent write functions to the USB port. It basically consists of a registry hack. This configuration can be later be deployed via script through a GPO.

Note: Before making any changes to the registry, it is highly advisable to create a backup of the registry hives.

1. Log on to a Windows XP SP2 Machine.

1. Open Registry Editor. (Start – Run – Regedit).

1. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

** If the Key and hive do not exist, please create the above structure.                                                                                                                    

1. Once on the location above, create the following value :

• Type = DWORD
• ·         Name = WriteProtect
• ·         Value = 1

1. Close Registry Editor and reboot the computer for changes to apply.

All users trying to write to any USB Removable Disk will now get an Access Denied message.

RollBack:

To return to the default configuration and enable your computer’s ability to use USB Removable Disks follow these steps:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

1. Go to the registry path found above.

1. Locate the following key: WriteProtect and give it a value of 0, and reboot the machine.

Daniel de Carvalho MCSE+S, CISSP, CEH, QSA

Local Administrative privileges have been a long term nightmare for any corporate network and security administrators. A recent study conducted by the UK Information Security Breaches Survey (UKISBS) shows that 90% of internal breaches were caused by excessive privileges. Local Administrative privileges have been addressed and condemned by multiple security standards such as the PCI DSS, ISO and HIPAA Security Rule as the principal of least privilege.

Definition:

According to Wikipedia the  the principal of least privilege is defined as: “A basic principle in information security developed by the Department of Defense over 30 years ago that holds that entities (people, processes, devices) should be assigned the fewest privileges consistent with their assigned duties and functions.

The Problem:

The truth is that Least Privileges aids in a preventing a series of security breaches, such as preventing malicious codes to be executed with high administrative privileges. When a user logs on with a highly privileged account, any programs that they run, such as browsers, applications, e-mail clients, and instant messaging programs, also have administrative rights, granting malicious software the ability to install itself, manipulate services such as antivirus programs, and even hide from the operating system.

In most of the cases, these breaches happen without the users consent, for example, by visiting a compromised Web site or by clicking on a link in an e-mail message. Excessive privileges also grants a ill intentioned user to install a wide variety of unapproved corporate applications, causing serious damage to the network and company brand if it were to suffer any sort of compromise or copyright infringement.

The Real World, compatibility issues:

The world would be a better and easier place without local administrators; like always there are both sides of the story which need to be contemplated, and unfortunately, these accounts exist for a reason. Many applications and job functions demand administrative privileges in order to work.  If there is ever the need to bear such privileges, these accounts need to be carefully audited and monitored. In an operating system, privileges can be broken up into two fractions:

• File and Directory Permissions.
• Registry Keys and Hive Permissions.

Applications sometimes need read /write access to specific operating system files and directories or registry values. By granting an account administrative privilege, this account is able to read / write the necessary values to operate, however, it also grants the application / user the full power to modify important operating systems security features.

The Solution:

You may be questioning, is there a solution, and is there a common ground between full administrative privileges and no privileges? The answer is YES. Microsoft issued a series of tools called RegMon and FileMon, which aids network and security administrators to grant the appropriate privileges to their users.

Even though these tools are not directly involved in granting access and privileges, they can be used to monitor the behavior of an application, revealing which files and folders they access, which registry keys they need to operate. Based in the discovered information, appropriate file and directory level permissions can be granted, as well as appropriated changes to registry hives and keys.

RegMon:

RegMon displays registry access activity in real time, listing each call to the registry that an application makes, and logging the outcome. This tool allows you to identify when an application cannot access a registry key.

1. Download RegMon: Http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx
2. Log on to the operating system with the default level permission of a common user (Simple User).

1. Click on RegMon icon to start the application.

1. Click on Options -> Filters to configure the appropriate filters.

1. In the Include field, add the application name which you want to monitor. The * value will monitor every process and application running on the host. This is ideal when you are testing the necessary permissions to execute a job function or role.

1. In the Exclude field, add the expressions which you want to exclude form the results. In our case, as we want to focus on denied access, it would be a good idea to exclude the SUCCESS access.

1. In the Highlight field, add the expressions which you want to highlight in the results. By typing ACCESS DENIED in this field, will highlight all the access denied events.

1. The Log Opens section, its best to use the default configuration, which logs all events.

1. Click on Apply then OK.
2. Click on the Magnifying Glass Icon to start the registry monitoring.

1. Start the desired Application or execute the function which the user needs access to.

1. Closely monitor the RegMon screen to identify the highlighted ACCESS DENIED events.

1. By Right clicking on the highlighted event, you will be able to navigate to the affected hive and registry key. By right clicking on the hive or key, you will be able to grant access to the target user or group.

FileMon:

Similarly, FileMon displays file system activity in real time, listing each system call that an application makes and registering the outcome.

1. Download FileMon: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
2. Log on to the operating system with the default level permission of a common user (Simple User).

1. Click on FileMon icon to start the application.

1. Click on Options -> Filters to configure the appropriate filters.

1. In the Include field, add the application name or path which you want to monitor. The * value will monitor every process and application running on the host. This is ideal when you are testing the necessary permissions to execute a job function or role.

1. In the Exclude field, add the expressions which you want to exclude form the results. In our case, as we want to focus on denied access, it would be a good idea to exclude the SUCCESS access.

1. In the Highlight field, add the expressions which you want to highlight in the results. By typing ACCESS DENIED in this field, will highlight all the access denied events.
2. The Log Opens section, its best to use the default configuration, which logs all events.

1. Click on Apply then OK.
2. Click on the Magnifying Glass Icon to start the file / directory monitoring.

1. Start the desired Application or execute the function which the user needs access to.

1. Closely monitor the FileMon screen to identify the highlighted ACCESS DENIED events.

1. By Right clicking on the highlighted event, you will be able to navigate to the denied file, folder or directory. By right clicking on the file or folder, you will be able to grant access to the target user or group.

Conclusion:

By granting access only to the denied registry and file objects, the user will be able to carry out the necessary roles or applications without needing excessive administrative privileges, solving once and for all the local administrator dilemma.

Daniel de Carvalho QSA, CISSP, CEH, MCSE+S.

Solving the Local Administrator dilemma with RegMon and FileMon.

Who said analyzing firewalls and network devices was something tedious and cumbersome? Well your problems are over: Introducing Nipper, the network device configuration parser. I have found that nipper aids tremendously in helping audit and analyze network devices during our assessments, reducing tremendously the time it takes to analyze a network device configuration file. Nipper offers comprehensive and detailed reports which anyone can understand. Nipper helps security administrators to check their network devices for known vulnerabilities and configuration flaws, and attending the need for industry standards and compliance controls such as PCI, HIPAA, ISO and BITS, and the best part of using Nipper is the fact that this tool is absolutely free.

Supported Devices

• Checkpoint VPN-1/Firewall-1
• Cisco Catalysts
• Cisco Content Services Switch.
• Cisco Routers
• Cisco Security Applicances (PIX, ASA and FWSM)
• Juniper NetScreens Firewalls
• Nokia IP Firewalls
• Notel Passports
• Sonicwall SonicOS Firewalls

How to use Nipper

1. Download Nipper for free at : http://sourceforge.net/forum/forum.php?forum_id=722046
2. Unzip the file to a working directory ex: c:\nipper
3. Open the command line ( start > run > cmd )
4. Create a folder inside the working directory called config ( c:\nipper\config )

1. Obtain a copy of your device’s config file.

 Example on how to get the config of a Cisco Router.

      A.    Log on to the device IOS or Console.

1. B.    Authenticate with your credentials.
2. C.    Type at the command line:  show running config
3. D.    Copy the contents displayed.
4. E.    Open notepad  (start -> run -> notepad)
5. F.    Paste the contents onto notepad and save it as .config

1. Copy the configuration file created above  to the config directory ( c:\nipper\config)

1. Open the command prompt  and type the following command to start the analysis process:

Command:

Nipper.exe – –input=c:\nipper\config\file.config –output=report_.html

List of device type and Output:

 Example of a Nipper report:

Below is an example of a Nipper HTML Report.

Nipper Functionalities and Benefits:

• Provides a series of recommendations to disable services that might lead to unauthorized access to the router or network.
• Checks device OS version for vulnerabilities linking them to known vulnerability Databases.
• Commands and recommendations to harden the network devices.
• Help configure logging and monitoring.
• Preform Security Audits.
• Password complexity check.

Ever since it’s debut, Microsoft Windows 2008 Server has awed security and systems administrators with its complex and innovative features. With threats becoming each day more immanent and efficient, security system administrators face the tedious task of protecting Microsoft’s new giant. In this article we compiled some of the industries best practices such as NIST to show you some of the features and ways to reduce your windows 2008 servers’ exposure. 

1. Configure a security policy

The first step in securing the 2008 server is to configure a security policy. In order to configure a security policy, you will need to use the SCW (Security Configuration Wizard), which can be installed through “add and remove windows components”. The SCW detects ports and services, and configures registry and audit settings according to the servers “role” or installed applications. The SCW uses a set of XML templates which can easily be deployed and managed. The version of SCW in Windows Server 2008 includes over 200 server role configurations and security settings than the version of SCW in Windows Server 2003. Also, by using the version of SCW in Windows Server 2008, you can:

• * Disable unneeded services based on the server role.
• * Remove unused firewall rules and constrain existing firewall rules.
• * Define restricted audit policies.

The server’s operating system will be changed according to the profile or template selected. Administrators can create custom profiles and deploy them using a set o XML files.

2. Disable or delete unnecessary accounts, ports and services

Attackers often gain access to servers through unused or not configured ports and services. To limit entry points, server hardening includes blocking unused ports and protocols as well as disabling services that are not required. Although this can be done as seen above using the SCW, the server administrator would need to double check to see if all the services are configured properly and that only the necessary ports are open.  During the installation of the 2008 server, by default, three local user accounts are automatically created: the Administrator, Guest and Help Assistant. The Administrator account bears high privileges, and requires special diligence. As a security best practice the administrator account should be disabled or renamed to make it more difficult for an attacker to gain access. Both Guest and Help Assistant accounts provide an easy target for attackers which exploited this vulnerability before on the earlier Windows Server 2003.  These accounts should be disabled at all times.

3. Uninstall Unnecessary Applications

Remember, your server is a vital part of your network and services that you provide. The number of applications installed on these servers should be role related and set to a minimum. It is a good idea to test these applications out in a separate environment before deploying them on the production network. Some applications make use of service backdoors, which can sometimes compromise the overall security of the server. After installing each application, make sure that you double check to see if the application created any firewall exception or created a service user account.

•  
  •  
    • * Belarc Advisor : The Belarc Advisor “builds a detailed profile of your installed software and hardware, missing Microsoft hot fixes, anti-virus status, and displays the results in your Web browser.” This tool is free for personal use. Commercial, government, and non-profit organizations should look at their other products which include many more features for managing security on multiple computers.

•  
  •  
    • * Microsoft SysInternal Tools: Microsoft provides a set of tools which can be used to monitor the server’s activity. These tools include: REGMON, FILEMON, Process Explorer, Root Kit Revealer. These tools are great for understanding what a certain application or software does “under the sheets”.

4. Configure the windows 2008 Firewall

Windows 2008 server comes with a phenomenal built in firewall called the Windows Firewall with Advanced Security. As a security best practice, all servers should have its own host based firewall. This firewall needs to be double checked to see if there are no unnecessary rules or exceptions. I have outlined some of the new features that the Windows Server 2008 provides.

•  
  •  
    • * GUI interface: a MMC snap-in available for the Advanced Firewall Configuration.
    •  
    • * Bi-directional filtering: the firewall now filters outbound traffic as well as inbound traffic.
    •  
    • * IPSEC operability: now the firewall rules and IPSEC encryption configurations are integrated into one interface.
    •  
    • * Advanced Rules configuration: you can create firewall rules using Windows Active Directory objects, source & destination IP addresses and protocols.

5. Configure Auditing

One of the most significant changes on Windows Server 2008 auditing is that now you can not only audit who and what attribute was changed but also what the new and old value was.

This is significant because you can now tell why it was changed and if something doesn’t look right you’re able to easily find what it should be restored to.

Another significant change is that in the past Server versions you were only able to turn auditing policy on or off for the entire Active Directory structure. In Windows Server 2008 the auditing policy is more granular.

As a security best practice, the following events should be logged and audited on the Windows Server 2008.

•  
  •  
    •  
      • * Audit account logon events
      • * Audit account management
      • * Audit directory service access
      • * Audit logon events
      • * Audit object access
      • * Audit policy change
      • * Audit privilege use
      • * Audit process tracking
      • * Audit system events

Most log events on the event viewer have registered incident ID numbers; these numbers can be used to troubleshoot the server. http://www.eventid.net/ is a good site which aids security and system administrators in finding out what actually happened with their servers. A best practice would also be to forward these audit logs to a centralized server as required by PCI DSS 10.5.3 and other industry standards. Windows Server 2008 offers a native log subscription feature which forwards all system and security audit logs to a centralized server.

6. Disable unnecessary shares

Unnecessary shares pose a great threat to vital servers. After a server or application deployment, system and security administrators should check to see if the server has any unnecessary shares.  This can be done using the following command:

• Net Share

This will display a list of all shares on the server. If there is a need to use a share, system and security administrators should configure the share as a hidden share and harden all NTFS and Share permissions.

C:\Documents and Settings>net share

Share name   Resource                        Remark

——————————————————————————-

ADMIN$       C:\WINDOWS           Remote Admin

C$                C:\                             Default share

IPC$                                              Remote IPC

In order to create a hidden share, put a $ sign after the share name. The share will still be accessible; however it will not be easily listed through the network. Example:

• Accounting$

7. Configure Encryption on 2008 server

According to industry best practices, such as HIPAA and GLBA require that certain servers which host sensitive information should make use of encryption.  Windows Server 2008 provides a built in whole disk encryption feature called BitLocker Drive Encryption (BitLocker). BitLocker protects the operating system and data stored on the disk. In Windows Server 2008, BitLocker is an optional component that must be installed before it can be used. To install BitLocker, select it in Server Manager or type the following at a command prompt:

• ServerManagerCmd -install BitLocker –restart

8. Updates & Hot fixes

Updates and hot fixes are key elements when hardening a server. System and security administrators should be constantly updating and patching their servers against zero day vulnerabilities. These patches are not limited to the operating system, but also any application which is hosted on them. Administrators should periodically check the vendor’s websites for updates. Windows Server 2008 offers a set of tools which helps administrator update and patch their servers.

• * WSUS:  Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software. By using Windows Server Update Services, administrators can manage the distribution of Microsoft hot fixes and updates released through Automatic Updates to computers in a corporate environment. WSUS helps administrators track the “update health” of each individual server.

• * MBSA: Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

9. Anti Virus & NAP

Anti Virus software is also a crucial step for hardening a server. Windows Server 2008 offers a set of tools which can help combat unauthorized network access and malicious code execution.

Windows Server 2008 offers a Network Access Protection (NAP), which helps administrators to isolate viruses from spreading out into the network. Windows server 2008 NAP uses a set of policies which cleans the affected machines and when they are healthy, permits them access to parts of your production network.

NAP consists of client server technology which scans and identifies machines that don’t have the latest virus signatures, service packs or security patches. Some of the key functions of a Windows Server 2008 NAP server includes:

•  
  •  
    •  
      • * Validating Machines:  The mission of NAP is to preserve the integrity of the network by allowing only healthy machines to have IP addresses.

•  
  •  
    •  
      • * Restricting Network Access:  Computers or servers which don’t meet the established policy standards can be restricted to a “quarantine” subnet where they would later be remediate the security issues. 

•  
  •  
    •  
      • * Fixing Unhealthy Machines:  Windows Server 2008 NAP has the ability to direct hosts to a remediation server, where the latest antivirus signatures and patches are deployed through SMS packages.

10. Least Privilege

The concept of least privilege has been adopted by many of today’s industry standards. A hardened server needs to have all its access reduced to a bare operational minimum. Most of the known security breaches are often caused by elevated privileges bared by accounts. Server services should not be configured using enterprise wide administrator accounts. Windows Server 2008 has a couple of tools which can aid administrator to grant or revoke access to specific sections of the server.

• * Script Logic’s Cloak: Script Logic Cloak is a product which enhances the Windows NT File System (NTFS) by providing increased security, more accurate audits and a vastly streamlined experience for users of the network.

• * PolicyMaker Application Security: PolicyMaker is an add-on for the Group Policy Management Console (GPMC). This tool allows administrators to adjust application privilege levels to the lowest possible point in order to limit damages stemming from network attacks or user error. The ability to control security at such a granular level also helps organizations comply with regulatory mandates such as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley acts.

On the next Post I will go over each feature here described, creating a setp by step guideline on how to configure and install the following features:

* SCW

* Bitlocker

* NAP

* Windows Firewall with Advanced Security

Stay Tuned.

Daniel de Carvalho : MCSA, MCSE, MCTS, MCITP : Windows 2008 Enterprise Administrator

By: Daniel de Carvalho MCSE+S, CEH, CISSP,  MCITP

The use of a centralized log server has often been highlighted in many of today’s security best practices. The constant need to collect, retain and protect these sensitive security event log files sometimes overwhelm security and systems administrators, especially in large corporate environments. When properly configured, security event logs are used to track user activity and access on specific systems or objects, and is a key element when tying to piece up the chain of events leading to a security incident. Many security administrators might know how cumbersome it is to manage such security event log files, and sometimes seek third party vendors to help them manage their security log files.  The truth is that many of these problems can be solved using native features of your server operating system.

As a successor to Windows 2003 server, the new windows 2008 server has a security event log forwarding feature natively installed.  Windows 2008 breaks up security event forwarding into parts: the source and the collector. The source computer or server is the actual machine in which the security logs are fetched. The collector is the centralized server which collects, consolidates and protects the sensitive event log files. On Windows 2008 server, both source and collector need to be configured so that this feature can be used.

To configure a security event log forwarding on Windows 2008 server, you should log on to the source and collector computers using a domain administrator account.

Source Configuration:

On the Source computers, you must configure windows remote management by executing the following at the command prompt:

1.       winrm quickconfig

This command preforms the following changes to the operating system:

         *  Sets the WinRM and WinRM Listener services to auto start (which usualy are set to manual)

         *  Creates Firewall exceptions and application associations for port 80 and 443 with WinRM services.

      2.       Add the Collectors computer account of the source computer’s local Administrators group.

** Group Policy can be used to automatically configuring and deploy multiple sources.  

Collector Configuration:

On the Collector server, you must configure the Windows Event Log Collector Utility by executing the following at the command prompt:

1.       wecutil qc

This command will initialize the Windows Event Log Collector on the server. At this point the Collector server is ready to

create subscriptions to multiple sources.

To configure security event subscriptions:

2.       Open Event Viewer on the Collector computer, right-click Subscriptions
      in the left pane and select Create Subscription.
** Subscriptions can only be established to properly configured Source 
   computers.
3.       Click on select events and choose the event which you want to collect.
      In our case, choose the security events.
4.       Configure the time and frequency options on the collector server.
      By default, the server will subscribe its logs after an event is written.
5.       Configure the destination of these log files (ie: repository) this location
       should be a WORM (Write Once Read Many) repository.
  
Advanced Configurations:
You can configure optimal subscription configurations such as bandwith,
protocols and account information. The default values are shown below.
*   As a security best practice, personal usernames should not be used to configure this service.
Administrators should use the computer account or a special service account to perform the subscriptions.
 
*  If by any chance subscription service are configured to use any other port other than port 80 and 443,
      proper firewall configuration will need to be made at each source.
      Test Event Forwarding
If all of the Event Forwarding components are functioning a test event created on the
Source Computer should arrive in the Collector's "Forwarded Events" log within 60 seconds.
To create a test event, type in the following command at the command prompt:
 
eventcreate /id 100 /t error /l application /d "Event Forwarding Test"
 
The event should appear on the colletors Forwarded Events as seen below: 
 

While conducting most of our penetration tests, we often find a very common DNS vulnerability. In order for us to understand this vulnerability, we first need to know what a DNS server is. DNS servers are responsible for name resolution, converting Name Addresses to IP addresses. It is true that a company’s DNS server contains records of a variety of objects such as hosts, server and services. In order to synchronize and  update, DNS servers transfer their records to other requesting DNS servers. DNS servers should only transfer zone information between authorized servers.  This is where the problem resides; sometimes these servers are configured to allow “anonymous” transfers, meaning that anyone can request a zone transfer without proper authentication or authorization. By not restricting Anonymous Zone Transfers, companies sometimes jeopardize the overall security of their infrastructure.   

The following procedure shows you how to check if your server is vulnerable and allowing “anonymous” zone transfers.

Open the command line and type:

nslookup

set query=ns                  <- this command will seach for a domains name server.

acme.com                      <- Specify your domain.

set                  <- Specify what type of record you want to get.

server ns1.acme.com      <- specify the name server.

ls acme.com                  <- this will request a record listing or transfer.

If the results appear to be something like this, then your DNS server is configured to allow anonymous zone transfers.

[ns1.acme.com]

acme.com.                     A      hhh.hhh.hhh.hhh

acme1.com.                   NS     server = ns1.acme.com

acme2.com.                   NS     server = ns2.acme.com

mail1                             A      uuu.uuu.uuu.uuu

mail2                             A      ddd.ddd.ddd.ddd

www                              A      uuu.uuu.uuu.uuu

web2                             A       iii.iii.iii.iii

Remediation: How to correct this problem on Windows 2003 Server.

1. Log on to your DNS server.

1. Go to the Administrative tools and Open the DNS management console.

1. Expand your local server and crawl down to your primary lookup zone.

1. Right click on the zone and select properties.

1. Go to the Zone Transfers tab.

1. Make sure the Allow Zone Transfer box is checked.

    7.   Select the option Only to servers listed on the Name Servers tab

         Before:

 After:

1. 8.    Select OK.

Remediation: How to correct this problem on UNIX or Linux.

To secure your BIND server, you must open the /etc/named.conf (or /etc/named.boot) file in a text editor and find the line marked “allow-transfer { any; };” which indicates that any IP address is allowed to get zone information. In this example, I want to allow zone transfers to take place only between my Red Hat 8 server, my Windows NT server with IP address 192.168.1.4, and another server with IP address 172.16.1.5. Therefore, I will change the allow-transfer line to read like the following:

allow-transfer{192.168.1.4; 172.16.1.5; };

SPAM: you have mail!

How many times has your email inbox been flooded with unsolicited email messages? How many times do you have to say that you do not want Viagra, nor interested in any sort of pharmaceutical drugs offered on these messages? Do you catch yourself sometimes thinking how good it would be if you could get rid of all that spam?  The bottom line is that all of us get spammed every day.

What is spam?

You may have heard of spam, and might fight with it daily, but have you ever questioned yourself what is Spam?  According to Wikipedia Spamming is “the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages to multiple recipients”.

Many say that unsolicited messages are codenamed “Spam” due their similarity to the  actual product SPAM which is know to contain suspicious ingredients such as pig shoulders and lips. Others may state the name “spam” originated from a Monty Python Skit where the only thing offered on a menu was SPAM, SPAM, and SPAM!

Independent of its origins, spam has become a corporate nightmare for messaging administrator and users. According to the Messaging Anti-Abuse Working Group, MAWG, 85% of incoming corporate email is “Spam”. The total volume of spam has been calculated at over 100 billion emails per day just in the US. Spam has become such an issue that The California legislature found that spam cost United States organizations alone more than $13 billion in 2007. The costs entail the lost productivity, the need to purchase appropriate anti-spam equipment and software, and the extra manpower needed to combat the problem.

Internet-based communication technologies grow rapidly each day, but unfortunately so do the methods individuals use to send you these unwanted messages.  According to recent studies, the numbers of spam-related messages being distributed are increasing every day. 

Who is sending me this?

Have you ever asked yourself who could be sending these unwanted messages? How did they get your email address, and how in the world do they know your name?  Rescent studies show that only  20% of all spam that is sent out worldwide can be traced back to the actual spammers. The whole problem is that humans are not the only ones which send out spam. Botnets, which are software “robots” send out automatically most of the bulk unsolicited messages.

Spam is also sent out by multiple networks of virus-infected computers scattered all over the world often reffered to as “infected clusters”, which when triggered send usnsolicited mail to multiple targets worldwide. Together these agents are responsible for  sending out 80% of the spam worldwide. Spamming is a very cost effective advertisement method, and prefered mainly by underground communities. The first spam incident was reported way before the dawn of the internet. Back in 1978 Gary Thuerk “spammed”  information of a new digital equipment model to 393 recipients on ARPANET.

What are the types of Spam?

Though you may think that all junk email might look the same, spam continues to mutate daily, varying from innocent informational emails to lethal attacks.

These messages can arrive in the following “ flavors” :

• Advertising: Spam is used to promote a wide variety of products and services, from the latest gadgets to questionable pharmaceutical offerings.
• Malware Delivery: Spam is currently one of the main distribution channels for delivering viruses and other types of malware and spywares. Users believe they have received an important document or media file, which turns out to be a link to a malicious code.
• Scams: sometimes spam messages disguise themselves as institutions for poor and needy children, ridiculously cheap paradise vacations and other fictitious institutions, these scammers often prey on the recipients’ sympathy and greed.
• Phishing: Hiding behind the names of respected financial institutions, businesses, and government bodies, spammers attempt to lure recipients to fake Web sites where they steal personal financial or identity information.

How did I end up there?

You may be asking yourself how in the world your email ended up in the wrong hands.   A single spam agent may target tens of millions of possible addresses, many of which are invalid, malformed, or undeliverable.  Sometimes, if the sent spam is “bounced” or sent back to the sender by various programs that eliminate spam, or if the recipient clicks on an unsubscribe link, that may cause that mail address to be marked as “valid”, which is interpreted by the spammer as “send me more”. Today’s spammers use a variety of techniques to discover and harvest your personal or corporate email address. 

The most common tactics are:

Dictionary Attack: Most of the free email providers like Hotmail or Yahoo are a spammer’s paradise, when it comes to finding spammable addresses. In these scenarios, millions of users share one common domain name, spammers send messages to variety common names such as mike@hotmail.com, where “mike” is a fairly common name. Spammers will select a domain and send spam messages to common guessable email addresses.

Brute Searching Force: Another common tactic used by spammers to harvest emails, is to scan multiple   websites for valid email addresses. Spammers use “Search Robots”, which scans the target websites contents, searching for anything with the “@” character.  Spammers will usually target web forums, chat rooms, blogs and corporate websites.

Spam Zombies: To avoid being detected, spammers send their emails from a distributed network of infected computers.  These infected computers are often called “Spam Zombies”, these computers are infected by computer viruses, which load small undetectable programs used to send out the unwanted messages. These unauthorized and covert applications also scan the user’s email address book and files, searching for valid email addresses.  

What to do?

Although spamming will never stop, there are some ways in which you can reduce the amount of spam you receive. These are the main tools that can keep spam under control:

Spam Filters: A growing number of technology vendors are targeting spam with products that are designed to block and quarantine suspected messages. They often use complex algorithms, which scans each incoming message for spam “red flags”. These filter search for tags such as “Viagra” or if the message comes from an open relay etc. Spam Filters can also work against your company; they can sometimes block important messages, especially if the nature of your organization deals with some of the products offered by spam.

Anti-Malware Filters: Anti-malware filters can block dangerous message attachments from reaching your employee’s inbox. It is important to constantly check if your computer is properly patched with the latest security patches and that you have some sort of anti virus and firewall in place.

Client Control: Leading email clients, such as Microsoft Outlook and Outlook Express, offer built-in controls that are designed to minimize inbox spam.

White Lists/Black Lists: This feature is found and used by many spam filters. White lists of trusted email addresses allow messages to proceed to the user’s inbox. Black lists work in the opposite way, routinely blocking incoming email from known offenders.  Some institutions sometimes use a Real Time Block Lists (RBL), a dynamically updated list used to filter out known offenders.

Legal Action: While it’s rare for an individual business to sue a junk-mail sender, a growing number of law-enforcement bodies are targeting spammers, particularly organized crime rings that use the technology for financial and identity theft.

Policies: All businesses need a comprehensive anti-spam policy. Besides mandating the use of filtering and other good spam-fighting technologies, employees need to be trained with security best practices. Business Web sites, for example, should never publish visible email addresses that can be “harvested” by spammer software. Employees should also be encouraged not to post business email addresses on message boards, social-network sites and personal Web pages.

Reporting: There are a number of sites which monitor spam activity. All users which receive spam are encouraged to report them to anti spam enforcement agencies such as Spam Cop. These institutions help identify offenders and maintain multiple blacklists.

Education: The simple task of training employees not to open unknown attachments and messages can help any business minimize spam’s impact. Remember it only takes one internal email to tell spammers that you domain is valid.

For more information on spam:

http://www.ftc.gov/bcp/conline/edcams/spam/index.html

http://www.spamcop.net/

          They are everywhere from Airports to Starbucks, at every corner, users have access to complementary free internet. But have you ever wondered what lurks beneath those innocent hotspots? Companies spend thousands on security every year, fortifying the corporate network against a variety of security threats. However what happens when company laptops leave the snugness of the corporate network and connect to free public hotspots?

So if it’s risky, why do we use them?       

With globalization at its peak, employees sometimes are forced travel on behalf of organization. Most likely these employees bring along their laptops so they can be productive while they are away. And because “Free” wireless internet can be found almost in every corner, employees probably take advantage of these opportunities to read the latest news, check corporate email, log in to the company’s  VPN or simply check online agendas. Many employees think that these free internet connections are as secure as their corporate networks, causing them to ignore basic security measures, making them vulnerable to a series of security threats.

What are the risks?      

 Generally public hotspots lack any sort of security measures or mechanisms, making it possible for other people using the same wireless connection to intercept sensitive information sent across the Internet. There is a broad range of existing security threats which can be lurking under these hotspots, such as:

• Sensitive information that is not encrypted, or that is encrypted with poor cryptographic algorithms, which are transmitted between two wireless devices may be intercepted and disclosed.
• Attackers may capture employee’s usernames and passwords, and later on using it to gain access to the corporate network.
• Attackers may deploy unauthorized wireless equipment, also known as “Evil Twins” to lure laptop users to use their “Spoofed access point”, capturing users every move.
• Attackers may alter the access point’s DNS, causing it to relay to name resolution requests to cache poisoned DNS server, providing users spoofed websites full of key logging applications.
• Sensitive corporate data may be extracted without detection from improperly configured devices.
• Attackers may, through wireless connections, exploit a VPN split tunneling connection, connecting to organizations with the purposes of launching attacks and or stealing sensitive corporate information.

How to protect yourself?

There are a few things one can do to minimize their risk and exposure on public hotspots. The main thing to keep in mind is that security is not a product or software, but yes a process.

• Before connecting to any public network, look around and locate a sign that advertises the network you are connecting to and verify that the network name is the same as the advertised connection.
• Disable your wireless card if you’re not planning to connect to the Web or another machine. It will protect you from intrusion and save your battery life.
• Beware of the information you share in public locations. Even innocent logins to Web-mail accounts could give hackers access to sensitive information, since most people utilize the same password for almost all online activities.
• Utilize a VPN whenever possible to encrypt your data, and stronger tools if you need to conduct secure transactions.
• Turn off your laptop’s shared folders. If you join a compromised access point, a hacker could easily load spyware agent to follow you even after you leave the public location.
• Make sure your laptop is properly patched with the latest security and OS patches. Use security mechanisms such as disk encryption, firewalls and any sort of IPS or IDS system.
• Set up email forwarding to a disposable address that you only access using public hotspots. That way, even if an attacker gets access to that email account, he or she can’t access the primary account.

For more information on wireless security visit: http://www.sans.org/reading_room/whitepapers/wireless/1629.php