Windows Management and Scripting

A wealth of tutorials on Windows operating systems, SQL Server and Azure

Archive for the ‘Security’ Category

Articles, tutorials and reviews about Microsoft security

Free and open source tools for discovering Windows security flaws

Posted by Alin D on March 10, 2012

There’s no shortage of free and open source security tools to help you stay on top of desktop security and fix Windows flaws.

You’re no doubt being pressured from every possible angle (business partners, customers, industry bodies, the government, etc.) to keep your Windows systems secure, yet you continue to struggle to get the money needed to buy the best services for keeping enterprise systems in check. I see this scenario time and again.

What can you do about it? Well, you can drown your sorrows, or you can move ahead with some well-known freebie alternatives that can not only help you get by, but also move forward with Windows security testing. Here are some free open source security tools you should know about for finding and addressing Windows flaws:

Password crackers

John the Ripper — A password-cracking tool that handles Windows LAN Manager (LM) and NTLM hashes among many other formats, and that has served as the foundation for most other password crackers.

Brutus — A network login brute-forcer for Web forms, FTP, Telnet and other services that’s old and often unstable, but still works in many situations.

Cain & Abel — A password cracker and network analyzer that’s great for showing how weak passwords, Voice over Internet Protocol conversations and other content travel in clear text.

Ophcrack — Live boot disk for cracking Windows passwords using Rainbow Tables; great for demonstrating why you need full-disk encryption.

THC-Hydra — Network login brute-forcer similar to Brutus that’s great for finding weak passwords on services exposed by Windows desktops (RDP, SMB, FTP and so on).

Port and vulnerability scanners

Microsoft Baseline Security Analyzer — Good overall scanner for uncovering the very basic Windows flaws, such as missing security updates and weak configuration settings.

Nexpose Community — Commercial-powered vulnerability scanner for up to 32 hosts without the commercial price tag.

OpenVAS — Open source fork of Nessus, created when Nessus went closed-source in 2005, and a tool everyone used to clamor over.

SuperScan — Graphical user interface-based port scanner that helps when looking for live hosts and open ports.

Web and SQL Server security tools

Sqlninja — Perl-based tool for exploiting SQL injection flaws in Web applications backed by SQL Server; handy for getting at the overlooked SQL Server instances you forgot were running on Windows desktops.

SQLPing — SQL Server discovery tool (it finds instances through the SQL Server Browser service on UDP 1434) with built-in password brute forcing.

Open source security tools for Wi-Fi

Aircrack-ng — Oldie but goodie WEP and WPA-PSK cracking program.

Hashcat — Graphics processing unit-based cracking tool that, among many hash types, cracks captured Wi-Fi Protected Access (WPA) and WPA2 handshakes.

Reaver — Wi-Fi Protected Setup (WPS) attack tool that exploits the WPS PIN design flaw: the access point confirms the two halves of the eight-digit PIN separately, so recovering the WPA/WPA2 passphrase takes at most about 11,000 guesses instead of 10 million.
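The keyspace reduction Reaver relies on is small enough to work through in a few lines. The following is an added example for this page, not code from the original post or from Reaver. It computes the WPS checksum digit, models an access point that verifies the PIN halves independently (in the real protocol the attacker plays the registrar and the AP answers with EAP-NACK after message M4 when the first half is wrong and after M6 when the second half is wrong; the `AccessPoint` class below reports the same outcome directly) and runs the split brute force against it. The target PIN is a constructed example.

```python
"""WPS PIN keyspace reduction exploited by Reaver-style attacks."""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit that WPS appends to the seven free digits of a PIN."""
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class AccessPoint:
    """Simplified AP that checks the two PIN halves independently (the design flaw)."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin), "constructed target PIN must carry a valid checksum"
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        """Return 'first_half_wrong', 'second_half_wrong' or 'ok'."""
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "first_half_wrong"
        if pin[4:] != self._pin[4:]:
            return "second_half_wrong"
        return "ok"


def split_bruteforce(ap: AccessPoint) -> str:
    """Recover the PIN in at most 10,000 + 1,000 attempts."""
    first = None
    for i in range(10_000):  # phase 1: the trailing digits are irrelevant
        if ap.try_pin(f"{i:04d}0000") != "first_half_wrong":
            first = f"{i:04d}"
            break
    if first is None:
        raise RuntimeError("first half not found")
    for j in range(1_000):  # phase 2: three free digits plus the forced checksum
        body = first + f"{j:03d}"
        candidate = body + str(wps_checksum(int(body)))
        if ap.try_pin(candidate) == "ok":
            return candidate
    raise RuntimeError("second half not found")


FULL_KEYSPACE = 10 ** 7          # eight digits, one of them a checksum
SPLIT_KEYSPACE = 10_000 + 1_000  # what the split verification leaves an attacker

if __name__ == "__main__":
    ap = AccessPoint("12345670")  # constructed target; a commonly cited default
    print(split_bruteforce(ap), "found after", ap.attempts, "attempts")
```

The worst case is 11,000 attempts; at the rate an access point answers WPS exchanges that is hours, not the years a seven-digit search would take.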

Miscellaneous open source security tools

BackTrack Linux — All-in-one toolkit with niche Linux-based tools for poking and prodding around on the network.

Metasploit — Exploit framework that allows you to exploit vulnerabilities you uncover with vulnerability scanners to show tangible evidence of what can happen.

Social Engineer Toolkit — Tools for human hacking to bring out the worst in your users.

Sysinternals — Toolset that allows you to get to the innards of Windows unlike any others.

Windows XP Mode and VirtualBox — Virtual machine environments where you can load and run testing tools without gumming up your main Windows systems.

Wireshark — Tried and true network analyzer that’s an excellent security tool no Windows admin should be without.

The bottom line on open source security tools

Keep in mind that this is not a comprehensive list, but rather a grouping of free and open source security tools that can be used for testing Windows flaws. Most of these tools are being kept up to date by their authors and/or the community — an often-overlooked, yet important, characteristic of security testing tools. Also, some are more enterprise-ready than others, so your mileage will no doubt vary.

Finding Windows flaws will still take time when using free and open source security tools, but that doesn’t mean they’re not worth using. If these tools don’t offer quite enough, there are inexpensive commercial security testing tools for Windows environments from companies such as TamoSoft, Northwest Performance Software and ElcomSoft.

Any amount of security testing and controls is much better than the alternative. Finding Windows flaws is critical, but so is your analysis of the results. Experience goes a long way here, regardless of how you uncover the flaws. This list of free and open source security tools is just a starting point for putting you ahead of the curve.


Mobile security should not be ignored – ten reasons

Posted by Alin D on March 10, 2012

How does your IT staff handle mobile device and tablet security? Does it use in-house security standards and policies? Or does your company have an “anything goes” situation? Plenty of companies tell their employees there’s no mobile computing at all. The point is, when it comes to mobile device security, businesses are all over the map — and that’s scary.

I’ve been presenting on and writing about mobile device security since before information security was mainstream and things like HIPAA and Sarbanes-Oxley were on everyone’s minds. Not much has changed in the past decade or so, but I believe that IT needs to get serious about mobile security. Not only must enterprise IT shops support mobile devices in addition to desktops; these devices have also become a huge business liability.

Here are my top 10 reasons why we can no longer afford to ignore mobile device security’s impact on the enterprise:

1. There is an untold number of mobile devices across any enterprise, representing unique opportunities for security compromises. These devices create thousands of islands of information that need to be protected.

2. No one really knows exactly what information is where on these mobile devices. Corporate counsel and compliance managers can eagerly show you their information classification policies, but the reality is just not that simple.

3. Many employees claim there is nothing of substance on their mobile devices. Again, this is simply not true.

4. Executives don’t fully understand how much information is put at risk on mobile devices. Sensitive business assets are being brought places they’ve never gone before, from bathrooms and amusement parks to football games and taxi cabs. Data exposure is greater now in our society than it has ever been.

5. Many in management claim that devices are password-protected and are therefore secure. Attackers, however, have plenty of tools to negate smartphone-password protection — if they’re even needed at all. They’re often not, according to a Confident Technologies survey.

6. Organizations often trust employees to be responsible when it comes to handling mobile devices and information security, but they shouldn’t.

7. Even though your IT shop may support one or two mobile operating systems, workers are likely using multiple platforms. In addition to making it tricky to have standard mobile device security controls, it’s tough to ensure that things check out across the board.

8. Employees, contractors and consultants all use their personal phones and tablets for business purposes, even though many claim not to. This “non-business use” puts email, unstructured files, virtual private network connections and related information and systems at risk.

9. The general assumption is that mobile device security is someone else’s responsibility. Management says it’s on IT, IT says it’s on the users, and human resources just wants everyone to get along. Like Merle Martin said: “If more than one person is responsible for a miscalculation, no one will be at fault.” The lack of accountability marches on.

10. Your business information is not only at risk on the mobile devices themselves, but it’s also scattered across countless PCs at home and cloud-based backup and file-synchronization systems. Users may claim that their home computers are protected, and cloud providers will shove their SAS 70 Type II audit reports in your face, but they don’t mean your information is truly secure.

Everyone — IT, users, management — has a new set of responsibilities when it comes to mobile computing. We know traditional desktops need hardening; we just need to get there with mobile devices as well.


Internet Explorer 9 is most secure against social engineering attacks

Posted by Alin D on July 20, 2011

Microsoft Internet Explorer 9 security features block social engineering attacks far more than rival browsers Google Chrome, Mozilla Firefox or Apple Safari, according to NSS Labs Inc.

The Carlsbad, Calif.-based independent testing firm tested a group of popular browsers by exposing them to a set of malware URLs targeting European users. The firm said Internet Explorer 8 (IE8) achieved a blocking rate of 90%. Internet Explorer 9 (IE9), the latest iteration of Microsoft’s browser, earned a 100% blocking rate when its application reputation technology was enabled.

“Internet Explorer 9 was by far the best at protecting against socially engineered malware,” NSS Labs said in its Web browser security report. “The significance of Microsoft’s new application reputation technology cannot be overstated.”

The NSS Labs team said Microsoft’s blocking success is based on its SmartScreen URL filter, which checks URLs against a master database. The SmartScreen Application Reputation service, which is embedded in IE9, adds to the URL filter to block unwanted downloads. It gives added context so the user can determine whether the source of the download can be trusted.

Google Chrome, Firefox 4 and Safari 5 garnered a 13% blocking rate when tested against the same malware URLs. Those three browsers check sites against Google’s Safe Browsing list of reported phishing and malware sites. The Opera browser, which uses endpoint security vendor AVG to thwart social engineering attacks, came in last, earning a 5% blocking rate.

Neither Mozilla nor Google responded to a request for comment. The NSS Labs test exposed the browsers to a set of 650 known malicious URLs over the course of 19 days in April.  The URLs were known to target users in European Union countries. The testing firm invited the popular browser makers to participate at no cost. The company said it received no vendor funding to produce the report.

Socially engineered malware attacks are extremely common. A recent report from Cisco Systems Inc. found the number of spear phishing campaigns rising over mass email phishing attacks. Spear phishing attacks can target people with similar interests using a phony email message, prompting them to click on a URL to download a malicious file containing malware.  The cybercriminals can use information gathered from social networks and blogs to target individuals or a specific group of people within an organization. The goal is typically to obtain account credentials and other sensitive data and ultimately gain access to corporate information.

Browser protections
Browser makers have added protections to warn users of potentially dangerous sites. Most use a reputation-based system, which adds malicious sites to a blacklist or assigns a reputation score that the browser consults. NSS Labs said some vendors use feedback from user agents on their customers’ endpoints to report to reputation systems, while others crawl the Internet, proactively building blacklists. Most browsers are set up to connect to Web-based reputation systems and check a URL against the list.

NSS Labs also tested the average response time to block malware, rating the browser for the time it took to add a blacklisted site to its block list. IE9 earned a perfect score using its Application Reputation engine. Chrome, Firefox and Safari, according to NSS Labs, took five to eight hours to add a known trouble site to its block list. Without the Application Reputation engine, IE8 and 9 took up to 16 hours to add a site to its block list.


Microsoft offers a reward for information on the Rustock botnet operators

Posted by Alin D on July 20, 2011

Microsoft is trying to use its financial clout to bolster its investigation into who may be behind the notorious Rustock spambot.

The company is offering a $250,000 reward for information leading to the arrest and conviction of the Rustock botnet operators.

The Rustock spambot is responsible for sending billions of spam emails touting counterfeit pharmaceuticals, porn and scams. At its peak, it is estimated that the botnet had about a million infected computers operating under its control. Rustock has been inactive since March 16, when Microsoft got a court order to seize affected servers from hosting providers in seven cities in the U.S.  The action severed the communication between the command-and-control servers and the infected computers under its control. The software giant is also working with ISPs to get zombie machines disinfected.

 “While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions,” Richard Boscovich, a senior attorney with the Microsoft Digital Crimes Unit, wrote in the Official Microsoft Blog.

Microsoft issued a special edition of its Security Intelligence Report July 5 outlining Rustock’s demise. The company worked with pharmaceutical giant Pfizer to take legal action. Security researchers at security vendor FireEye and the University of Washington provided analysis of the Rustock malware. A forensics team studied 20 seized hard drives to gain information about how the botnet works.

Boscovich said hundreds of thousands of computers remain infected with the Rustock botnet malware.

Microsoft has been on a legal crusade to gain control of some of the largest botnets. Last year the software giant took legal action to shut down the malicious domains used by the Waledac botnet, a notorious spambot that produced an estimated 1.5 billion spam messages daily.

Rustock was more difficult to take down, according to Microsoft, because its infrastructure was much more complicated. It relied on “hard-coded IP addresses rather than domain names and peer-to-peer command-and-control servers to control the botnet.”

Anyone with information about the Rustock botnet operators can contact Microsoft by email. Residents of any country are eligible for the reward pursuant to the laws of that country.

Microsoft has offered rewards for information about criminal activity in the past. The company created an antivirus reward program with an initial funding of $5 million in 2003. It offered a reward for information on those responsible for the Conficker worm, which targeted vulnerable Microsoft systems. It also offered $250,000 for the arrest and conviction of the Mydoom-B author and a similar reward for the Sobig virus author, the Blaster creator and Sasser perpetrator.


Microsoft’s Desktop Optimization Pack 2011 R2 brings new security management tools

Posted by Alin D on July 13, 2011

IT shops that use Microsoft’s Desktop Optimization Pack will receive expanded encryption and security management features in a new release of the software due out next month.

Microsoft announced the Microsoft Desktop Optimization Pack (MDOP) 2011 R2 at its Worldwide Partner Conference 2011 in Los Angeles this week. Microsoft typically releases MDOP tool updates twice per year, and this is the second update of 2011.

MDOP 2011 R2 will offer Microsoft BitLocker Administration and Monitoring (MBAM), as well as the Diagnostics and Recovery Toolset 7.0 and other updates that add desktop security and management features to the product suite. MBAM helps IT pros who want to centrally manage full disk encryption and enforce encryption policies, particularly on laptops, said Donald Retallack, an analyst at Directions on Microsoft, an independent firm based in Kirkland, Wash.

“Providing BitLocker as a part of a Windows 7 deployment will speed provisioning without impacting the end user,” Retallack said. “The tool also makes it easier for companies to record compliance and, of course, BitLocker itself reduces the risk of information leakage or theft.”

Other features in MBAM 1.0 include the ability to retrieve recovery keys via a webpage for helpdesk administrators and a way to protect recovery keys by storing them in an encrypted database. MBAM beta initially became available in March.

Although the new release adds MBAM and updates other components, many IT shops value MDOP for the desktop virtualization technologies it contains — namely, App-V and MED-V, Retallack said.

Earlier this year, Microsoft updated those virtualization tools with the release of App-V 4.6 SP1 and MED-V 2.0. App-V is for application virtualization, and MED-V lets IT run applications that aren’t supported or tested on Windows 7 in a virtual Windows XP environment. MED-V version 2.0 also supports running App-V within a MED-V environment.

What’s new in MDOP 2011 R2

In addition to adding a BitLocker tool, Microsoft updated its existing MDOP software.

The Diagnostics and Recovery Toolset (DaRT) lets IT pros remotely diagnose and fix problems with end user computers. Without DaRT, admins have to go to end users’ desks, boot the machine offline from a USB stick to collect information, diagnose the issue, fix it, then bring the machine back online.

DaRT 7.0 also includes more customization options, so IT pros can create DaRT images that restrict end-user access to tools while keeping those same tools available to helpdesk and IT staff. It also includes flexible deployment options, so IT can deploy DaRT via PXE, USB, CD, DVD or to the local recovery partition.

MDOP 2011 R2 will also include Asset Inventory Service (AIS) 2.0 with an updated/localized user interface and improved software reporting and inventory capabilities.

The two MDOP components that didn’t get updated this year include Advanced Group Policy Management and the Desktop Error Monitoring (DEM) tool, though they will be supported during the normal product lifecycle.

MDOP is available to Software Assurance customers and as an optional add-on to Windows Intune customers. MDOP is also available to customers with Virtual Desktop Access (VDA) licenses. MDOP subscriptions cost $10 per desktop, per year.

Analysts say MDOP is a good value because the price of using even a few of the tools individually is far more expensive than the cost of MDOP.



IAM security tests in Windows Server 2008 R2

Posted by Alin D on June 16, 2011

With every new Windows operating system release comes curious anticipation as to just how secure the system is out-of-the-box. I usually like to do a fresh installation of these new releases to see how they withstand the abuse of some good security scanners.

So where does Windows Server 2008 R2 stand, and does it match up to my recent positive security findings of Windows 7? Well, here’s what I discovered on a full install of Windows Server 2008 R2 Enterprise Edition.

The first thing I noticed was that I wasn’t forced to enter a password for my initial administrator-level user account. Ironically, when I tried setting one later I received the following message:

“Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.”

I guess no password is better than a simple password.

I also found that the Windows Firewall is enabled by default, but network discovery and file sharing are turned off. This is good for security, but not so much for functionality.

Stepping through the Security Configuration Wizard, I found some interesting stuff. The first thing that caught my eye is the wizard’s welcome window. As you can see in the figure below, it is recommended that all applications that use inbound ports be running.

I can see this being problematic, especially since many people will likely want to secure the system right after installation. But what about all the applications that are added tomorrow and down the road? Perhaps a re-run of the Security Configuration Wizard is in store, but I just don’t see that happening unless it’s part of some detailed change management procedures.

Another thing that stood out is how the Security Configuration Wizard walks you through audit policy settings. This is a big plus. I also noticed that lots of things are disabled from the get-go. The following figure is an example of just how pared down Windows Server 2008 R2 is out-of-the-box.


It appears that Microsoft is going to (by golly) have a secure OS from the start. Arguably, this is an approach the company should’ve had back in the days of Windows NT (though being a security consultant, I’m not complaining).

I suspect many people will be confused — if not overwhelmed — with these server configuration options to the point that they’ll just enable everything, or enable things without fully understanding the consequences. While this could totally negate many of the wizard’s benefits, I’ll choose to remain optimistic (for now).

So how does all of this stand up to security scans? Quite nicely, actually. I’m not surprised, either. After all, you can disable most functionality of any operating system and it’s going to check out sound and secure.

I used QualysGuard for an unauthenticated scan before I enabled public network discovery and applied default server role/policy settings. The only thing it uncovered was basic NetBIOS name information. Big deal, right? An authenticated test using GFI LANguard 9.0 had a similar outcome, as there was nothing major that jumped out.

I intended to share specific, detailed findings and screenshots, but they’re just not there. I plan to dig in much deeper after tweaking the network and services settings to look at Windows Server 2008 R2 from lots of other angles and user roles. I look forward to doing that in real-world scenarios and writing about it in the future.

Getting back to reality though, don’t let these findings create a false sense of security surrounding Windows Server 2008 R2. My basic installation had no tweaks or third-party software and minimal human intervention – things known to create vulnerabilities in an otherwise secure system. In addition, there’s been minimal time for vulnerability discovery and subsequent exploit code development with this new version of Windows.

As with most things in security, time will tell the real story. For now, Windows Server 2008 R2 is very stout out-of-the-box. Your mission is to keep it that way.



June Microsoft patches fix Windows Server 2008 flaws

Posted by Alin D on June 15, 2011

Microsoft this month released some 34 security fixes spread across a range of its core products including Windows Server 2008, Windows Server 2008 R2, Office 2010 and Internet Explorer.

Nine of the 16 bulletins carry the maximum severity rating of “critical,” with the other seven rated “important.” Two of the bulletins address denial of service vulnerabilities, two address information disclosure flaws and two others address elevation of privilege.

Thirteen of the 16 bulletins address operating systems, with several of the updates affecting core installations. Among the most critical security fixes affecting Windows include ones to resolve:

  • a vulnerability in Windows Object Linking and Embedding (OLE) Automation that could allow remote code execution if a user visits a website containing a specially crafted Windows Metafile image;
  • a vulnerability in .NET Framework and Silverlight that could allow remote code execution on a client system if a user views a Web page using a browser that runs XAML browser applications;
  • a vulnerability that could allow remote code execution if a user visits a network share containing a specially crafted OpenType font;
  • a vulnerability in Microsoft’s Distributed File System (DFS) client that could allow remote code execution when an attacker sends a malicious response to a client-initiated DFS request.

One of the issues Microsoft is addressing with the June updates is “cookiejacking” which allows an attacker to steal cookies from a user’s computer and access websites where an end user had logged in. This issue is being addressed largely in the Internet Explorer (IE) bulletins.

Two of the bulletins classified as critical stitch up holes in Internet Explorer versions 6 through 9, according to Microsoft. One security update for IE resolves 11 reported vulnerabilities, according to the company, the most severe of which could allow a remote attacker to gain the same user rights as the local user.

Another update, for both Internet Explorer and Windows, patches a vulnerability in Microsoft’s Vector Markup Language (VML) implementation. That update is deemed critical for Internet Explorer versions 6, 7 and 8 on Windows clients. The company said version 9 is not affected.



How to use Forefront Security for Exchange Server to guard Microsoft Exchange

Posted by Alin D on June 12, 2011


Microsoft Forefront Security for Exchange Server (FSE) helps companies deal with the threats that arrive by e-mail. Microsoft Exchange is used by a large number of businesses for e-mail, and its integration with Active Directory (starting with Exchange 2000) made it an even more attractive platform; the number of threats written to compromise Exchange systems has grown as more companies have deployed it. Because e-mail is central to productivity in most companies, extra security mechanisms such as FSE need to be in place. Attachments and phishing scams pose serious threats, and FSE gives companies additional mechanisms to filter attachments and scan for viruses.

FSE allows network administrators to centrally manage the security of their Exchange servers. Administrators using FSE can configure filtering, scanning and job scheduling for e-mail and attachments from a central management console. Its reports show the security professional what the real problems are and where they originate. Used well, FSE helps companies deal effectively with e-mail-borne security issues.

How to implement Microsoft Forefront Security for Exchange Server

When you are implementing FSE you should ensure that you carefully plan your deployment to ensure that the additional load placed on your FSE servers does not negatively impact performance and that you do not inadvertently block legitimate messages.

Because of the filtering abilities of FSE, it is very easy to block legitimate messages. This causes inconvenience for the recipient of the message, and it also creates more work for administrators, who either have to provide an alternative method of sending files to people or retrieve the files from quarantine and forward them to the recipient. Depending on the number of legitimate attachments that get blocked, you may have to dedicate significant resources to reviewing and delivering quarantined attachments.

It is common within companies to block executable attachments from being sent and received. This is done to protect the company’s infrastructure from programs, which could potentially cause problems, and also prevent potentially dangerous attachments being sent to third parties. While this will help to protect your infrastructure, it can easily cause legitimate messages to be blocked causing inconvenience to the sender and the recipient.
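A caveat worth keeping in mind when you configure this kind of rule: a filter keyed on the file name alone is defeated by renaming the attachment, so the executable check should also look at content. The following is an added example for this page, not FSE code (FSE’s own file filtering is configured in its console); it parses MIME messages with Python’s standard `email` module, applies an extension blocklist, and additionally flags any attachment whose content starts with the `MZ` signature of a Windows executable. The blocklist, the sample messages and the fake executable bytes are constructed for the demonstration.

```python
"""Executable attachment filtering: extension rules versus content checks."""
import email
from email.message import EmailMessage

# Constructed blocklist; a real deployment would start from the vendor's list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # DOS/PE header signature that every Windows executable starts with


def blocked_by_extension(filename: str) -> bool:
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == PE_MAGIC


def scan_message(raw: bytes, inspect_content: bool = True):
    """Return (verdict, reasons); verdict is 'deliver' or 'quarantine'."""
    msg = email.message_from_bytes(raw)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text and multipart containers carry no file name
        payload = part.get_payload(decode=True) or b""
        if blocked_by_extension(filename):
            reasons.append(f"{filename}: blocked extension")
        elif inspect_content and looks_like_pe(payload):
            reasons.append(f"{filename}: extension allowed but content is a PE executable")
    return ("quarantine" if reasons else "deliver"), reasons


def build_message(filename: str, content: bytes, mime=("application", "octet-stream")) -> bytes:
    """Construct a sample message with one attachment (test fixture, not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = f"Sending {filename}"
    m.set_content("See attachment.")
    m.add_attachment(content, maintype=mime[0], subtype=mime[1], filename=filename)
    return m.as_bytes()


# Constructed samples: a PE header stub, the same stub renamed, and a PDF.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "tool.exe": build_message("tool.exe", FAKE_PE),
    "report.pdf": build_message("report.pdf", FAKE_PE, ("application", "pdf")),  # renamed .exe
    "report2.pdf": build_message("report2.pdf", b"%PDF-1.4\n1 0 obj", ("application", "pdf")),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_message(raw, inspect_content=False)[0], "->", scan_message(raw))
```

With `inspect_content=False` the renamed executable is delivered; with the content check it is quarantined, while the genuine PDF passes either way. Archives that wrap an executable need a further step (opening the container), which this example does not attempt.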

Planning an FSE Deployment

The complexity of your FSE deployment will vary depending on the complexity of your Exchange infrastructure and the types of message filtering you want to implement. To help with your planning, it is recommended that you split the work into two components: antivirus (AV) scanning and message filtering. When you are planning the deployment of FSE, it is important to understand the Exchange infrastructure it protects. This article assumes an Exchange 2007 infrastructure. In Exchange 2007, the functionality has been split into five roles:

Client Access Server — Allows clients to access Exchange (Outlook Web Access, ActiveSync and similar protocols).

Hub Transport Server — Transports messages between Mailbox servers and to Edge Transport servers.

Mailbox Server — Stores users’ mailboxes.

Unified Messaging Server — Provides unified messaging capabilities.

Edge Transport Server — Allows messages to be sent to and received from external sources.


The first four roles can all be installed on a single server for small deployments. The Edge Transport Server has to be installed on its own server, as it usually resides in a perimeter network.

This article will refer to the different roles when indicating where to install or how to configure FSE. It is assumed that these roles are installed on separate servers.

Antivirus Scanning

FSE allows you to virus-scan messages as they enter and transit your Exchange infrastructure and again once they are in the user’s mailbox. This is done by deploying FSE on your Edge Transport and Hub Transport roles and on the Mailbox role. It is recommended that you deploy AV scanning on all of your Exchange servers, which ensures that every message is virus-scanned and gives you a safe Exchange infrastructure.

You can use up to five AV engines to scan each message and then attempt to clean the message, remove the attachment, or log that a virus was detected. When messages are cleaned or attachments removed, the originals can be quarantined, allowing you to retrieve the files if required. You can specify different AV engines for each of the three scan job types — Transport, Real Time and Manual — although it is recommended that you keep them the same.

On servers running the edge and hub roles, you can choose to scan internal, incoming, and outgoing messages. It is recommended that you choose to scan all three. This allows you to ensure that no virus-infected messages enter or leave your organization and that internal machines are not sending viruses to your own users.

By default, FSE only virus-scans a message once, which makes the best use of resources across your Exchange infrastructure. This means that if a message is scanned on an Edge Transport role, it will not be re-scanned on the Hub Transport role used to relay the message through your organization.

On servers running the mailbox role, you have more control over which messages are virus-scanned. You can perform real time scanning which allows for messages to be scanned as they are accessed. This will, by default, only scan messages that have not been scanned for viruses before. These are usually public folder posts, calendar appointments, and messages in folders like Sent Items, as these messages do not pass through the hub role. While there is an overhead to scanning messages as they are accessed in terms of both resources and a delay to the end user, the impact should be minimal due to the small amount of messages that will be scanned.

You can also configure messages to be background-scanned. Background scanning re-scans messages that have been received or created within the last x days. Since new AV definitions will likely have been released in the meantime, any newly identified viruses will be detected. This is the only AV scan that will, by default, re-scan messages that have already been virus-scanned. Running this scan is a considerable overhead, so you should schedule it for off-peak hours.

The final option is to perform a manual scan, which can be scheduled to run at a specific time. This is most commonly used when you first install FSE, to allow you to scan and stamp all existing messages, ensuring that your infrastructure is virus free. AV stamping is used to indicate that a message has already been virus-scanned. The stamp is placed in the message header while the message is routed through the FSE infrastructure.

Once the message has been delivered to a user's mailbox, the AV stamp is converted into a MAPI property of the message.

For each of the Scan Jobs on the Mailbox Role, you can choose which mailboxes they scan. This can be useful if you have a large number of mailboxes and you want to use the Manual Scan Job to scan these in batches. For the Real Time Scan Job, it is recommended that you scan all mailboxes, which will ensure that your entire infrastructure is protected.

Once a message is detected as containing a virus, the recommended action is to delete the attachment. While you can opt to clean a message, this uses considerable resources, and most attachments containing viruses arrive in unsolicited messages, so there is little point in trying to clean them. Unsolicited messages are also known as spam: they usually carry commercial content that the recipient never requested, and it is common for them to carry misleading attachments that contain viruses.

When you are planning your AV protection, you should ensure that all of your messages are scanned at least once to ensure that they are free from viruses. You should do this not only for incoming messages, but also for outgoing and internal messages.

By scanning these messages you are ensuring that you are not sending viruses to other companies and that your entire infrastructure remains virus free. If you opt to quarantine detected viruses, you should ensure that you clean out the quarantine area on a regular basis to prevent the quarantine database from filling up and running out of disk space. You can opt to automatically purge this information after a number of days. It is recommended that you enable this and purge messages after 30 days. The purge setting will also affect messages quarantined due to message filtering.

Message Filtering

Message Filtering in FSE allows you to filter messages based on attachments, message content, keywords, and who is sending the message. This filtering is in addition to the filtering performed by the Exchange Edge role, and it runs after that Exchange filtering. Therefore, it is likely that a large amount of unsolicited e-mail will have been rejected by this stage.

FSE Message Filtering is a lot more flexible than the filtering offered in Exchange, and allows you to quarantine the messages you filter. This allows you to recover deleted messages and attachments if required, along with being able to create highly complex and customized filters to meet your company’s requirements.

It is vital that you plan your filtering correctly, otherwise you could end up filtering messages that you never intended to. The Transport Scan Job allows you to filter messages based on their attachments and the contents of the message body. You can specify senders that you always want to receive e-mails from; these are known as safe senders. If you enable filtering on the Real Time and Manual Scan Jobs, you can filter messages based on their attachments and against the contents of the Subject and the sender's domain.

It is recommended that you restrict all file filtering to the Transport Scan Job. This way messages are only scanned once, before they are submitted for delivery. The reason for this is that if you enable filtering for executable files in the real time scan and a user attempts to send a message with an executable file attached, the message will be modified while it sits in the Drafts folder. This will result in an error when the user tries to send the e-mail. These error messages can cause confusion for the sender and may result in an increased number of calls to your Helpdesk.

By moving the file filtering to the Transport Scan Job, users will be able to send e-mails, but they will be checked in transit. This allows the message to be filtered and a notification e-mail to be sent if configured. While this has the same end effect as the message being filtered in Drafts, the end user has a better experience. When you configure file filtering you can do this based on extension, type, and file size, which gives you a large amount of flexibility. It is recommended that you filter by file type wherever possible, as this prevents people from changing a file extension to bypass the filter. An example of file filtering will be provided in the configuration section of this chapter.
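To show why filtering by file type beats filtering by extension, here is an added PowerShell example; it is not FSE's own filter engine or its signature table. The signature table, the file names and the sample byte strings are constructed for the example, and Test-AttachmentBlocked is a hypothetical helper, not an FSE function. It identifies an attachment by its leading bytes and reports, side by side, whether an extension list and a type list would block it.

```powershell
# Added example (not FSE code): type-based attachment filtering by file signature.
# The signature table is constructed for this example; it covers a few common
# formats, not the full set a product would ship with.
$Signatures = [ordered]@{
    'EXE' = [byte[]](0x4D, 0x5A)                                       # "MZ": DOS/PE executable (.exe, .dll, .scr)
    'ZIP' = [byte[]](0x50, 0x4B, 0x03, 0x04)                           # "PK\x03\x04": zip, also .docx/.xlsx containers
    'PDF' = [byte[]](0x25, 0x50, 0x44, 0x46)                           # "%PDF"
    'OLE' = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)   # compound file: legacy .doc/.xls
}

function Get-FileTypeBySignature {
    # Returns the first signature name whose bytes prefix the content, or UNKNOWN.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    foreach ($name in $Signatures.Keys) {
        $sig = $Signatures[$name]
        if ($Bytes.Length -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($Bytes[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $name }
    }
    return 'UNKNOWN'
}

function Test-AttachmentBlocked {
    # Hypothetical helper: evaluates one attachment against an extension list and a
    # type list side by side so the difference between the two filters is visible.
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string[]]$BlockedExtensions = @('.exe', '.dll', '.scr'),
        [string[]]$BlockedTypes = @('EXE')
    )
    $ext  = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $type = Get-FileTypeBySignature -Bytes $Bytes
    [pscustomobject]@{
        FileName      = $FileName
        Extension     = $ext
        DetectedType  = $type
        BlockedByExt  = ($BlockedExtensions -contains $ext)
        BlockedByType = ($BlockedTypes -contains $type)
    }
}

# Constructed sample attachments. The first two share the same PE header bytes;
# only the file name differs, which is exactly the trick an extension filter misses.
$peHeader = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00)
$samples = @(
    @{ Name = 'invoice.exe'; Bytes = $peHeader },
    @{ Name = 'invoice.txt'; Bytes = $peHeader },   # executable renamed to .txt
    @{ Name = 'report.pdf';  Bytes = [System.Text.Encoding]::ASCII.GetBytes('%PDF-1.4 sample') },
    @{ Name = 'notes.txt';   Bytes = [System.Text.Encoding]::ASCII.GetBytes('plain text only') }
)

$samples | ForEach-Object { Test-AttachmentBlocked -FileName $_.Name -Bytes $_.Bytes } |
    Format-Table FileName, Extension, DetectedType, BlockedByExt, BlockedByType -AutoSize
```

The renamed invoice.txt is the row to look at: the extension list passes it, while the signature check still reports EXE and blocks it. That is the gap a type-based file filter closes, and it is also why a zip-based format such as .docx shows up as ZIP here: a type filter needs to know which container types it intends to block.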

Once you have planned your file filtering, you will need to plan any other filtering methods you intend to use. If you need to check the body of the message for certain phrases, this can be done using the Transport Scan Job. Also known as keyword filtering, this filter provides more control than the content filter in FSE.

When you create a keyword filter you can configure logical operators. Logical operators allow you to specify that multiple words have to be in the message body or those words having to appear multiple times. Using this technique allows you to create complex filters.
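The keyword filter with logical operators described above, as an added PowerShell example that is not FSE's own rule engine or its configuration format: a small evaluator that builds a rule tree from AND, OR, NOT and minimum-occurrence terms, runs it over constructed sample message bodies, and on a match tags the subject the way a "tag message" action would. The rule structure, the tag text and the messages are assumptions made for the example; FSE lets you set your own tag text on the Transport Scan Job.

```powershell
# Added example (not FSE code): a keyword filter with logical operators.
# Rules are nested hashtables: TERM leaves with a minimum occurrence count,
# combined with AND / OR / NOT nodes. Rule shape, tag text and messages are constructed.

function New-Term {
    # Leaf rule: $Word (a word or phrase) must occur at least $MinCount times,
    # whole-word and case-insensitive, in the message body.
    param([Parameter(Mandatory)][string]$Word, [int]$MinCount = 1)
    return @{ Op = 'TERM'; Word = $Word; MinCount = $MinCount }
}

function New-Op {
    # Node rule combining child rules. NOT uses only its first child.
    param(
        [Parameter(Mandatory)][ValidateSet('AND', 'OR', 'NOT')][string]$Op,
        [Parameter(Mandatory)][hashtable[]]$Rules
    )
    return @{ Op = $Op; Rules = $Rules }
}

function Get-KeywordCount {
    # Counts whole-word, case-insensitive occurrences of a word or phrase.
    param([string]$Body, [string]$Word)
    $pattern = '\b' + [regex]::Escape($Word) + '\b'
    return [regex]::Matches($Body, $pattern, 'IgnoreCase').Count
}

function Test-KeywordRule {
    # Recursive evaluation of a rule tree against one message body.
    param([string]$Body, [hashtable]$Rule)
    switch ($Rule.Op) {
        'TERM' { return ((Get-KeywordCount -Body $Body -Word $Rule.Word) -ge $Rule.MinCount) }
        'AND'  {
            foreach ($r in $Rule.Rules) { if (-not (Test-KeywordRule -Body $Body -Rule $r)) { return $false } }
            return $true
        }
        'OR'   {
            foreach ($r in $Rule.Rules) { if (Test-KeywordRule -Body $Body -Rule $r) { return $true } }
            return $false
        }
        'NOT'  { return (-not (Test-KeywordRule -Body $Body -Rule $Rule.Rules[0])) }
    }
}

function Invoke-KeywordFilter {
    # Applies the rule and, on a match, prefixes the subject with the tag text
    # (an assumed value here) as a "tag message" action would.
    param(
        [Parameter(Mandatory)][hashtable]$Message,
        [Parameter(Mandatory)][hashtable]$Rule,
        [string]$SubjectTag = '[SUSPECTED SPAM] '
    )
    $hit = Test-KeywordRule -Body $Message.Body -Rule $Rule
    $delivered = $Message.Subject
    if ($hit) { $delivered = $SubjectTag + $Message.Subject }
    [pscustomobject]@{ Subject = $Message.Subject; Matched = $hit; Delivered = $delivered }
}

# Rule: (prize OR winner) AND "click here" at least twice AND NOT "internal newsletter".
$rule = New-Op -Op 'AND' -Rules @(
    (New-Op -Op 'OR' -Rules @((New-Term -Word 'prize'), (New-Term -Word 'winner'))),
    (New-Term -Word 'click here' -MinCount 2),
    (New-Op -Op 'NOT' -Rules @(New-Term -Word 'internal newsletter'))
)

# Constructed sample messages: one match, one near-miss on the count, one excluded by NOT.
$messages = @(
    @{ Subject = 'You have won';     Body = 'Congratulations winner! Click here to claim your prize. Click here now.' },
    @{ Subject = 'Quarterly awards'; Body = 'The prize committee meets Monday. Click here for the agenda.' },
    @{ Subject = 'Staff news';       Body = 'Internal newsletter: our raffle winner gets a prize; click here and click here to vote.' }
)

$messages | ForEach-Object { Invoke-KeywordFilter -Message $_ -Rule $rule } | Format-Table -AutoSize
```

Only the first message is tagged. The second mentions a prize but says "click here" once, so the occurrence count holds it back; the third would match on every positive term but is excluded by the NOT branch. Building the exclusion into the rule is what keeps a legitimate internal mailing from being filtered, which is the kind of case the planning advice above asks you to test for before deploying a filter.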

The final set of filters you can create are content filters. These are available in the Real Time and Manual Scan Jobs and allow you to specify sender domains. This allows you to filter messages from certain e-mail addresses or domains. While you can perform the same functionality using sender filtering on an FSE Edge server, this filter has the added ability to quarantine messages and can be used if you have not deployed an Edge server.

Using the content filter you can also filter messages based on their subject. This allows you to filter on common unsolicited e-mail subjects, which may be useful if you are not running an FSE Edge server. When you start to plan your FSE filtering, you should ensure that you are not duplicating work already done by the anti-spam filters on an FSE Edge server, as this places an additional load on your servers. You should ensure that you test your filters before deploying them to make sure they only filter e-mail you want to filter (e.g., if you are only filtering incoming executables and not ones sent between internal recipients).

You should be aware that the more filtering you add, the higher the load on your servers. If you are using real time filtering this will also affect the access time for users when accessing messages.

How to install Forefront Server for Exchange

When you install FSE you can either install it locally on each machine or perform a remote install. Remote installs are performed from within the Forefront installer. When possible, it is recommended that local installations are performed. This section will take you through performing both a local and a remote installation, along with how to install FSE on clustered mailbox servers. When you install FSE you have the option to perform a Full Installation, which can be performed on Exchange servers running the Edge Transport, Hub Transport, and Mailbox roles, or a Client Installation, which installs only the Forefront Server Security Administrator onto administration machines and can only be installed locally.

If you have clustered mailbox servers using either Single Copy Cluster (SCC) or Cluster Continuous Replication (CCR), the installation process will differ slightly from installing on other FSE servers, and it also differs between SCC and CCR clusters. If you are using Local Continuous Replication (LCR), the installation of Forefront Server for Exchange should be the same as a normal install.

If you are using Standby Continuous Replication (SCR), you should not install FSE unless this server becomes active. Once the server is made active, you will then need to configure it as required. Fortunately, to speed up the configuration, you can use configuration templates.

When performing a local installation you should be logged on to the machine as a user that has administrative rights on it. As part of the installation, you may be required to restart some Exchange services (the Transport service and the Information Store); therefore, it is recommended that the installation is performed during off-peak hours.

To perform a local install:

1. Run the FSE Installer.

2. Click Next.

3. Accept the License Agreement.

4. Enter User Name and Company Name and click Next.

5. Select Local Installation and click Next.

6. For a full installation, select Full Installation and click Next.

7. Select Secure Mode or Compatible Mode and click Next. In Secure Mode, messages released from quarantine are virus-scanned and filtered again before delivery. In Compatible Mode, messages released from quarantine are only virus-scanned, so an attachment that was quarantined by a file filter can be delivered without being filtered a second time.

8. Select up to four AV engines (see screenshot) and click Next.

9. Click Next.

10. If you need to use a Proxy Server for updates, enter Address and Port and click Next. (If you need to use a username and password you can specify this under General Options once FSE is installed.)

11. Choose the Installation Location and click Next.

12. Choose the Programs Folder and click Next.

13. Review the Installation Options and click Next.

14. You may be asked if you want to restart Exchange Transport Service. If you want to restart this now click Next; if you want to restart this later click Skip.

15. If you choose to restart the service, click Next once the service has restarted.

16. You may be asked if you want to restart the Exchange Information Store service. If you want to restart it now click Next; if you want to restart it later click Skip.

17. If you choose to restart the service, click Next once the service has restarted.

18. Click Finish.

19. For a Client installation, at step 6 select Client – Admin console only instead of Full Installation and click Next.

20. Choose the Installation Location and click Next.

21. Choose the Programs Folder and click Next.

22. Review the Installation Options and click Next.

23. Click Finish.


How to configure Microsoft Forefront Server for Exchange


Once you have installed FSE, you will need to configure the various settings to ensure that messages are processed as required for your business.

There are two ways to configure FSE. The first option is to use the Forefront Server Security Administrator (FSA), which allows you to configure each server running FSE on an individual basis using the tool locally or remotely. The other option is to use Forefront Server Security Management Console (FSSMC), which allows for Forefront servers to be centrally administered (The Management Console is an additional product and is not included with FSE). For this reason, this section will focus on the FSA as the method used to configure FSE.

While the configuration information is stored in a number of different locations, the majority of it is stored in a series of FDB files located in the FSE installation directory. This information can also be stored in templates to allow settings to be copied across servers. The remainder of the information is stored in the registry; this information is usually server specific, and the majority of these settings can be modified through the FSA.

When you are running clustered mailbox servers you should ensure you connect FSA to the clustered mailbox server (the Exchange virtual server) rather than to an individual node. The one exception to this is if you need to release quarantined files from a passive node. In that case, you should connect FSA directly to the passive node. All configuration information is replicated between the active and passive nodes, ensuring that if a failover occurs the configuration information is available.


The Settings section allows you to configure the AV scanning options and server configuration for FSE along with the ability to create new configuration templates.

Throughout this section there will be up to three available Scan Jobs for which you can modify settings. The Scan Jobs available are dependent on the Exchange Roles installed on the server.

If the server is running the Edge Transport or Hub Transport role, the Transport Scan Job will be available. If the server is running the Mailbox role, the Real Time Scan Job and Manual Scan Job will be available. If you add roles to the server, you will need to re-run the FSE installer for the relevant Scan Jobs to be made available. Scan Jobs are automatically removed if you remove a role.

Scan Job

The Scan Job section allows you to configure which messages and mailboxes will be processed by the jobs.

For each of the Scan Jobs, you can specify the deletion text that is used when an attachment is removed and replaced with a text file containing the specified text.

To allow for e-mail-specific information to be entered, there are a number of keyword substitution macros available.

Keyword substitution macros can be inserted by right-clicking in the Edit Text field and selecting Paste Keyword, and then selecting the Macro to insert.

Transport Scan Job

The Transport Scan Job is used to process messages on servers running the Edge or Hub Transport roles. It can be configured to process inbound, outbound and/or internal e-mail. The option to scan internal messages is available on servers running the Edge role, even though internal mail should not reach the Edge.

The other configurable option is the tag text, which is used when keyword filtering is enabled for the Scan Job. Tag text allows for a subject line text and header tag text to be specified. These are applied to an e-mail when it triggers a keyword match, and the action is set to tag the message.

Real Time and Manual Scan Jobs

The Real Time and Manual Scan Jobs are used to process messages on servers running the Mailbox role. These will process messages that have not previously been scanned. This is particularly important for messages that do not pass through a Hub Transport server, including messages in Sent Items, public folder posts, and calendar messages.

The real time scan processes messages as they are accessed by a client; this is also known as an on-access scan. By default, this will only process messages that have never been scanned before and that fall within a certain time range. In the first release of FSE this range is the previous 24 hours, but it can be changed. If you are running FSE for Exchange 2007 Service Pack 1, this value is fixed to cover every day since FSE was installed. Settings specified for the real time scan are also used for the background scans.

The manual scan can either be run on a manual basis or on a schedule. This is usually used to scan specific mailboxes or to clean up a mail server after a virus outbreak.

For both of these scans you can configure which mailboxes and public folders are scanned. There are three available options for each:

All – Scans all current and future mailboxes or public folders

None – Does not scan any mailboxes or public folders

Selected – Scans only the selected mailboxes or public folders

If you select Selected you will need to select which mailboxes or public folders to scan:

1. Select Selected.

2. Click on the Mailbox or Public Folder icon.

3. Check the mailboxes or public folders you want to scan; you can select an entire store. If you select a store, only the mailboxes that exist at that time will be included; any new mailboxes will need to be added as required.

4. Click on the Back Arrow to exit the Selection List.

5. Click OK to save the changes.

It is recommended that you leave the real time scan set to “All” as this will ensure that messages that have not been scanned are scanned to ensure they do not contain viruses.


With the increasing number of viruses circulated through e-mail, it is becoming more important to ensure that your FSE infrastructure is fully protected against viruses and the other threats facing your Exchange environment.

FSE allows you to virus scan messages as they transit your FSE infrastructure and while they sit in the user's mailbox, ensuring that your infrastructure remains virus free. In addition to virus scanning, you can also apply filters, which allow you to proactively block unwanted attachments and check the contents of messages.

When you are considering deploying FSE, you should carefully plan your deployment to ensure that you do not adversely affect the performance of your Exchange servers and that you do not accidentally delete legitimate messages.

When you start to deploy FSE, you should do this out of hours and start with the Edge Transport servers first, followed by the Hub Transport servers and then the Mailbox servers. This helps to ensure that you do not introduce any new viruses into your infrastructure once you have started your deployment.

In order to effectively manage FSE across your entire Exchange deployment, you should consider using FSSMC, which allows you to centrally manage the configuration and the quarantine databases.

When deploying security products, it is possible to over-engineer their design and deployment. This can often cause unforeseen issues and a level of complexity that is not always necessary. Your initial deployment should provide the basics for what you require. You should then add additional scanning and filtering as required while ensuring that you do not overload your infrastructure, and that the end user’s experience is not adversely affected.

Posted in Exchange, Security

Office 2010 can`t be targeted by New Zero-Day Flash Attacks

Posted by Alin D on May 20, 2011

Microsoft weighed in today on the new, targeted zero-day attacks revealed by Adobe this week that hide a Flash Player exploit inside Excel spreadsheet documents — confirming that Office 2010 is safe from the attack due to built-in security mitigation features and offering stopgap protection measures for earlier versions of its software.
Adobe plans to issue a patch next week for the flaw, which affects Adobe Flash Player versions and earlier. According to Microsoft's analysis, the exploit loads shellcode into memory, performs heap spraying, and then loads the Flash byte stream from memory to trigger the previously unknown CVE-2011-0609 flaw.

“Microsoft is aware of public reports of attacks using Adobe Flash Player. We encourage customers to review Adobe’s advisory. Office 2010 users are not susceptible to the current attacks as they do not bypass Data Execution Prevention (DEP). Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) offers further mitigation for this vulnerability,” says Jerry Bryant, group manager of response communications at Microsoft.

Users of earlier versions of Office should run Microsoft’s EMET, which helps block targeted attacks exploiting unpatched vulnerabilities with mitigations for third-party apps and older Microsoft apps.

“The current attacks do not bypass the Data Execution Prevention security mitigation (DEP). Microsoft Office 2010 turns DEP on for the core Office applications, and this will also protect Flash Player when it is loaded inside an Office application. In addition to that, users of the 64 bit edition of Microsoft Office 2010 have even less exposure to the current attacks as the shellcode for all the exploits we’ve seen will only work on a 32 bit process. What’s more, if an Office document originates from a known unsafe location such as email or the internet, Office 2010 will activate the Protected View feature,” according to a new blog post by Microsoft’s Andrew Roths and Chengyun Chu today.

In its analysis of the zero-day malware, Microsoft found a file that appears to have been used for fuzzing Flash files. “We suspect this vulnerability was found using fuzzing technology from clean Flash files, because we found a file on the Internet that looks like it might have been used for the fuzzing. Through differential analysis between the original clean file and the exploit file, we could confirm the vulnerability,” the blog post says.

But the Flash-rigged Excel file highlights an underlying problem Microsoft has not directly addressed, security experts say: the fact that software vendors are packing products with excess functionality that only opens the door for abuse.

Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, says the ability to embed Flash SWF files inside Excel documents really isn’t necessary. “Web browsers all have plug-ins, and it’s common practice to be able to disable plug-ins … I don’t want to see Flash files in Excel. Admins should be able to disable it,” he says. “We as an industry are looking more at ways to reduce the attack surface.”

But Microsoft’s integration among its applications for productivity purposes makes sense, he says. “But Microsoft could look at the Adobe model … allowing admins to blacklist the use of certain features within Reader,” for example, Schouwenberg says. Complexity in software basically causes more security issues, he says.

It’s all about reducing the attack surface, says Brad Arkin, senior director for product security and privacy at Adobe. “If you can reduce the attack surface, hopefully, fewer things will go wrong,” Arkin says.

Meanwhile, Microsoft says there’s also a workaround in Office 2007 to protect against the Flash attacks: Change the setting in the Trusted Center to “disable all controls without notification.”

Posted in Security

SQL Vulnerability Leaves Passwords In The Clear

Posted by Alin D on May 19, 2011

A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today.

In SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords.

The vulnerability is most likely an insider threat because it requires administrative privileges. However, it is also possible for an attacker to take advantage of the flaw by exploiting SQL injection.

The flaw may not directly affect the data in the database, since an administrator would have access to that data already. But many people reuse their passwords for other applications, and it is possible that the vulnerability might lead to the compromise of other users’ work or personal accounts.

Many applications are deployed with administrative privileges.

Hackers using a simple SQL injection vulnerability can now access administrative passwords, which may be used to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005, where this can be done remotely.

One well-known security researcher, who requested anonymity, disagrees. “This seems like a nonissue,” the researcher says. “Anyone with the ability to read process memory would also have the ability to just hook the authentication code and capture passwords that way. For once, Microsoft is right to ignore it.”

There is a big difference between being able to reset a password to either a system-generated password which the administrator would not see (or to a password the administrator chooses) and actually seeing a user's personal password. The latter involves much greater risk, including access to additional systems the password may be used on, potentially enabling access to the user's private data, such as bank or brokerage accounts.

Posted in Security

