Elevation of Privilege is the easy way to get started threat modeling. Threat modeling is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL).
The Elevation of Privilege (EoP) card game helps clarify the details of threat modeling and examines possible threats to software and computer systems.
Read more and get it at http://www.microsoft.com/security/sdl/eop.aspx
Bruce Schneier have an abstract of a paper which claims that enabling users to get the access they need while auditing the access is better than a centrally controlled setup.
Read it for yourself – at least read the abstract.
What is Fiddler?
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
Came across this tool today, and I’m quite impressed.
Watch the videos! I’ve been looking for a tool like this for long.
A warning: You have to stretch you security if you want to monitor Outlook traffic, as Outlook requires a valid certificate. Read more here.
Yes – read here.
I normally use Jungledisk for cloud-based storage but in certain scenarios Live Mesh is better: Sharing with others and when I have to synchronize files from a place where I do not want to use my JungleDisk encryption keys. JungleDisk encrypts data before they leave the computer.
BTW, I tested Live Mesh with an EFS-encrypted file. As it can read the file, it simply meshes the file up – so beware that you do not compromise security – and remember that Microsoft can read your data.
JungleDisk will not copy the file, but that may simply be a side effect, as JungleDisk runs as a service and thus does not have access to my EFS-decryption keys.
So you have published your Exchange server and your are using forms based authentication (FBA). But when you use Outlook Anywhere or ActiveSync (MSRPC), it bypasses FBA. Why does it do that and how does that work?
Well, thanks to my coworker Claus-Ole Olsen, I got the question answered. ISA uses the User-Agent header/string to decide whether it will actually use FBA or not! You can also select different forms based on the value - for different device capabilities.
The ISA GUI tells you it uses FBA, but you just cannot trust that as the User-Agent header will modify the rule!
Read it all here on TechNet Microsoft Internet Security and Acceleration Server 2006 Managing User-Agent Mappings, including scripts for viewing and setting the values.
If you want to avoid the VBScript, you can use PowerShell. This is Get-IsaUserAgentMapping.ps1 -
param([switch]$pretty)
$root=new-object -com fpc.root
$isaArray=$root.GetContainingArray()
$mappings=$isaarray.ruleelements.UserAgentMappings |
select PersistentName,UserAgent,Description,Enabled,@{n="FBAFormsType";e={
# For values, see http://technet.microsoft.com/en-us/library/bb794715.aspx
switch ($_.FBAFormsType) { 0 {"HTML 4.01"} 1 {"cHTML"} 2 {"XHTML-MP"} 3 {"Basic"} }
}},order
if ($pretty.isPresent) {
$mappings | Sort Order | Format-Table -auto UserAgent,Description,Enabled,FBAFormsType,Order
}
else {
$mappings
}
Adding and modifying is left as an exercise for yourself ;)
The other day, I could not install AVG8 on someone's PC. Everything worked fine, but it could not register with Security Center. It turned out to be a WMI problem. I solved the problem with winmgmt and the /verifyrepository and /salvagerepository switches.
Read all the documentation about the command line switches here at MSDN.
Following security Best Practices is the key to maintaining strong security
in a virtualized IT environment. Read below to get guidance on implementing and
maintaining your virtual infrastructure with Best Practices for secure design,
deployment, operations and networking
Suddenly, it seems like you can do that now. I checked it out when Passport first came out and at that time you had to pay a lot to use the service. Now it seems to be free! I wonder whether you can integrate it directly into IISv6 - could be nice for customer access to our site and I could also see it used in combination with hosted Sharepoint (that I'm running for a small club - no more messing with passwords and email).
Benefits of Web Authentication
The benefits of incorporating Windows Live ID into your Web site include:
- The ability to use Windows Live gadgets and controls to incorporate authenticated Windows Live services and data into your site.
- An HTTP-based, platform-neutral interface for implementing Windows Live ID authentication in your existing site, even if it is hosted by a third-party.
- Freedom from the technical details of authentication! The Windows Live ID authentication service handles this for you.
- A huge user base: any of the millions of users who have a Windows Live ID can become a user of your site.
Read more in the SDK and get it here.
As soon as Live Id starts to support CardSpace (formerly Infocards) (seems like it is in progress), things are both easy for as well the administrator as the user.
A new kid is in down: GPDBPA. Give it a spin and see if your Group Policies and associated infrastructure are in shape. Find it at MS Downloads using this search.
Group Policy settings - including Software Restriction Policies - can easily be disabled - even by a standard user. Terrible! Read the full story in Security UPDATE from WindowsITPro magazine this week. The article sums up the story so far and contain links to other relevant articles.
Some of those articles require an account to read, so if you want to get to the hard facts right away, see the GPCul8r tool. I exteacted this from the readme.txt -
============
How it works
============In order to do its thing, GPCul8r.dll needs to be loaded into the process space of whatever program needs to bypass group policy. Once loaded, GPCul8r works by detouring calls to the ZwQueryValueKey function to see if the program is querying one of the keys related to a group policy setting we want to bypass. If so, GPCul8r returns STATUS_OBJECT_NOT_FOUND, thereby tricking the caller into thinking the key doesn't exist.
GPCul8r being a quick & dirty little tool is not configurable. The targeted key names are hard-coded in the source. They are:
- TransparentEnabled (controls software restriction policy settings)
- ProxySettingsPerUser (controls access to the IE proxy settings dialog)
- DisableRegistryTools (duh)
- DisableTaskMgr (duh)For more on the technique that GPCul8r uses, see Mark Russinovich's original article on the subject:
http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
The consequence: Everything below User Settings\Administrative Templates - e.q. every policy user level (as compared to kernel level or system level) code pulls out of the registry can be bypassed! If you want to counter this - read Mark's comment -
The bottom lines is that full control of an end-user environment is possible only with strict lock-down of the programs users run, something that you can accomplish by using SRP in white-list mode, for example. It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team.
I do not know, whether Vista improves this - but I certainly hope!
I have used a lot of time educating my grandma (who is >80 years old) on how to use the Internet, Live Messenger and her Webcam (Which she called me last summer to request "Can I also get one of those camera thingies that your children have").
Luckily she listened to me, because today she called me that she was getting strange messages from her family members on Live Messenger (Soon 24 great-grandchildren in total).
So if you receive a message from one of you Live Messenger contacts saying "look at my summer pictures http_//paulina2k8.tripod.com/summer2008.zip" then DON´T click the link.
If one of your friends downloaded the file, it will also try to do file transfers of files called "images052.zip", "photo9.zip", "album29.zip" and others to your computer (And to all of your buddies if you are stu... enough to transfer and open the file). In this case it actually also wrote "Hey, acceptera mina bilder" and other messages in Swedish from her daughter based in Sweden (We are from Denmark).
There are no hits on Live Search and only a few on Google so it´s appears to be a fairly new variant.
I actually recently wrote a security whitepaper on Office Communications Server 2007 security explaining and showing the dangers in using Public IM and VoIP clients generally and especially in businesses (Honestly anywhere if you are not well educated IT Pro ... or my grandma ;-) and this again shows that IM is a fantastic tool but not without associated security issues.
Well this was just a short warning ... the hot chocolate and buns are waiting for me.
I will be back with more content when OCS 2007 has been officially RTM'ed !
The demo walks through our three pillars; Advanced Mobile Communications, Increased Mobile Productivity, and Integrated Mobile Business Performance. It is targeted at customers who would like to learn more about our native capabilities, mobile messaging, security and device management.
There are some nice features in WM6 -
So how would YOUR organization fair against a spear phishing attack
like the ones hitting the DoD?? Are your employees aware of the threats
posed by seemingly legitimate emails with seemingly 'innocent' / 'safe'
attachments?
