Information Protection Technologies

Following is a table that recommends the most appropriate data protection technology for protecting High Business Impact information while sharing it on different platforms:

| Scenario | IRM | S/MIME | EFS | BitLocker and BitLocker To Go™ |
|---|---|---|---|---|
| Technology description | Enables you to apply specific access permissions to documents, workbooks, and presentations to prevent unauthorized forwarding, printing, or copying, and to set expiration dates after which files are no longer available or usable. | Enables you to encrypt and/or digitally sign your e-mail messages so that only the people you specify can access them. | Encrypts your files or folders, and requires users other than you to enter the appropriate decryption key before they can access the encrypted content. | Protects data on your computer by preventing unauthorized access to the hard disk drive. |
| Transmit with internal e-mail | Acceptable solution | Preferred solution | | |
| Transmit with external e-mail | | Preferred solution | | |
| Share by using SharePoint | Preferred solution | | | |
| Share by using SharePoint Workspaces | Preferred solution | | | |
| Storing on a computer (new hardware running Windows Vista® or newer) | Acceptable solution | | Acceptable solution | Preferred solution |
| Storing on a computer (old hardware running Windows Vista or older) | Preferred solution | | Acceptable solution | |
| Storing on removable media (Windows 7 or Windows Server® 2008 R2) | | | Acceptable solution | Preferred solution |

For more information and recommendations on How to Secure Business Information, download the Securing Business Information Work Smart Guide from Microsoft IT.

Office 2010 – New Protection Technologies

Office 2010 includes new protection technologies and a new trust model that help provide better resilience against attack through layered defenses. For example, in previous versions of Office, when a user attempted to open a Word document, Word first tried to confirm whether the file was a properly formatted Word document. If the document being opened was a .docx file created using Word 2007 and based on the Office Open XML specification, Word validated the document by parsing it against the XSD schema for that file format. But if the document being opened was a .doc file created using the earlier Word 97-2003 Document binary file format, Word simply loaded the file into memory and displayed it without further validation, because there was no XML specification or other standard to validate the file against. The same was true for previous versions of Excel and PowerPoint.

Because of this, the Office team has engineered new protection and threat mitigation technologies into Word 2010, Excel 2010 and PowerPoint 2010. Two of these new technologies, known as Office File Validation and Protected View, are designed to help protect an organization’s resources by mitigating potentially harmful effects that can result from Office binary file format exploits. A third new feature in Office 2010 called Trusted Documents can work together with these two protection technologies to provide users with an improved experience that requires them to make fewer security decisions when working with documents that contain active content such as macros or ActiveX controls.

With Word 2010, for example, when a user attempts to open a .doc file, instead of having Word itself load the file into memory and display its contents, the file is first passed to a DLL that thoroughly validates the file against the XML specification for .doc files, a specification that was created using the results of the intensive distributed fuzzing performed during the Office 2010 security engineering process. If the .doc file passes validation, this DLL passes the file to Winword.exe, which then opens it and displays its contents with full editing capability enabled. If the file fails validation, however, there is a possibility that the file may be harmful to the user’s computer. In this case, the file is opened within an isolated “sandbox” environment called Protected View, which allows the user to scroll through the document and view its contents but disables all editing functionality and any active content in the document. At this point it is a special low-privilege sandbox Winword.exe process that renders the document, not the Winword.exe host process.

Once the user has examined the contents of the document and has determined that it is from a legitimate source, the user has the option of enabling editing for the document by responding to a prompt displayed in the Message Bar. At that point the Protected View sandbox process terminates and the document is reopened using the Winword.exe host process with full editing capability enabled; if the document contains any active content, a second Message Bar prompt is displayed that presents the user with the choice of enabling the active content. If the user then chooses to enable active content within the document, a new feature of Office 2010 called Trusted Documents can remember the user’s trust decision. This means that when the user later reopens the trusted document, the active content in it is automatically enabled without prompting the user again. This behavior is different from that of Word 2007, where the user was prompted to enable active content each time they tried to open a document that contained macros or ActiveX controls.

Similar DLLs to the one for Word 2010 have also been included for Excel 2010 and PowerPoint 2010. These are used for validating .xls and .ppt files, and both Excel 2010 and PowerPoint 2010 also display files in Protected View if the file fails validation. Administrators can also configure Office 2010 to submit information concerning files that fail validation via the Watson error reporting channel so the Microsoft Security Response Center (MSRC) can investigate them. When new Office binary file format vulnerabilities are discovered, updates to the XML specifications are released and automatically downloaded by Office 2010 so they can be used by Office File Validation. A key benefit of this approach is that it provides a faster response to newly discovered file format vulnerabilities than the traditional software patching process.

Office 2010 – Defense In Depth

By implementing multiple, redundant security controls at different levels of an information system, security threats that penetrate one defensive layer can still be stopped by another layer. Office 2010 leverages this strategy by providing four defensive layers to safeguard users against threats involving maliciously crafted Word documents, Excel spreadsheets or PowerPoint presentations. Each security layer in Office 2010 implements specific countermeasures that are designed to take effect the moment a user tries to open a file using an Office 2010 application and which remain in effect until the file has been successfully opened for editing. As shown in the diagram, these four layers of Office security perform the following functions:

  • Harden the attack surface through improved security engineering together with key Windows operating system security features integrated into Office 2010. Support for Data Execution Protection/No Execute (DEP/NX), robust and agile cryptography, and other technologies provide a strong first layer of defense against threats posed by malicious Office data files.
  • Reduce the attack surface by limiting the types of files applications can open and by preventing the execution of certain types of embedded code. Office File Validation is a key technology at this layer, as are two other Office 2010 features, file block settings and the Office ActiveX kill bit. Together these technologies reduce the number and variety of possible attack vectors that managed to get through the first defensive layer.
  • Mitigate exploits so that any attack that gets through the first two defensive layers has its impact minimized. The key Office 2010 technology at this layer is Protected View, which allows dangerous Office files to be displayed and examined without harm to the user’s computer or the wider network.
  • Improve the user experience by reducing the number of security decisions the user needs to make and by helping the user make better security decisions. The new Trusted Documents feature of Office 2010 is key here, as it prevents “prompt fatigue”, a condition that afflicts most users when they are faced with too many repeated security warnings and results in them basically ignoring future warnings.

[Figure: Defense in depth for Office 2010.]

How Office 2010 Helps Mitigate Exploits

[Figure: Sequence of steps that occurs when a user attempts to open a file using Word 2010, Excel 2010 or PowerPoint 2010.]

To learn more about the new security features in Office 2010, download the white paper Keeping Enterprise Data Safe with Microsoft Office 2010.

Technet India Security Webcasts – Jan-Mar 2010

| Date      | Topic                                                                                      | Level | Speaker           |
|-----------|--------------------------------------------------------------------------------------------|-------|-------------------|
| 6-Jan-10  | What’s New in Forefront Protection 2010 for Exchange Server                                | 200   | Ranjana Jain      |
| 13-Jan-10 | Microsoft Secure Identity and Access Management Solution                                   | 200   | Ranjana Jain      |
| 20-Jan-10 | Forefront Threat Management Gateway 2010 – Protection Features and Underlying Technologies | 200   | Ranjana Jain      |
| 27-Jan-10 | LIVE Discussion – Business Ready Security with Microsoft                                   | 200   | Ranjana Jain      |
| 3-Feb-10  | What’s New In Windows Server 2008 R2 AD RMS?                                               | 300   | Amol R Bhandarkar |
| 10-Feb-10 | Windows Server 2008 R2 AD RMS and Exchange Server 2010 Better Together                     | 300   | Vishal Shirodkar  |
| 17-Feb-10 | Windows Server 2008 R2 AD RMS and FCI (File Classification Infrastructure) Better Together | 300   | Aviraj A          |
| 24-Feb-10 | LIVE Discussion – Windows Server 2008 R2 AD and RMS Features                               | 300   | Microsoft Experts |
| 3-Mar-10  | Running Linux on Hyper-V (Level 200)                                                       | 200   | MS Anand          |
| 10-Mar-10 | Hyper-Green Virtualization: Scaling Enterprise IT for Energy Efficiency (Level 200)        | 200   | MS Anand          |
| 17-Mar-10 | LIVE Discussion – Chat with experts on Hyper V                                             | 200   | MS Anand          |
Microsoft Corporation (India) Pvt. Ltd.
9th Floor, Tower A, DLF Cyber Greens, DLF Cyber Citi, Sector 25A
Gurgaon, Haryana, 122 002, INDIA
© 2009 Microsoft Corporation

Live Webcast – Perimeter Security – Secure Endpoint Solution

BEWARE!! Worm Alert! Conficker – the next one after Slammer!!

Win32/Conficker is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (CVE-2008-4250 / CIVN-2008-170). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

Win32/Conficker disables a number of system services, such as Windows Automatic Update, Windows Security Center, Windows Defender, Windows Error Reporting and the Internet Connection Sharing service.

It propagates by creating an autorun.inf file on all mapped drives so that it is automatically executed as soon as the drive becomes accessible.

A screenshot of the autorun.inf file is pictured below (source: SANS).

Upon execution, the AutoPlay window pops up as shown below.

The first part, "Install or run program", is there because the autorun.inf file contains the shellexecute keyword. However, the text comes from the Action keyword, and the icon is extracted from shell32.dll (the 4th icon in the file), which is the standard folder icon; that entry is what runs the worm.

The worm also monitors DNS requests for domains containing certain strings and blocks access to those domains, so that the network request appears to have timed out, thereby preventing users from updating their security software from those websites.

Find the details: http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A 

Use these FREE removal tools to prevent infection and to clean up an infected system:

http://support.microsoft.com/kb/962007
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Prevention is better than cure. The following actions are advised in order to prevent infection by this worm:

  • Disable autoplay/autorun features on all drives and devices.
  • Refer to the following articles for relevant steps and patches:
    http://support.microsoft.com/kb/953252
    http://www.us-cert.gov/cas/techalerts/TA09-020A.html
  • Block ports 139 and 445 at the perimeter.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Install and maintain a desktop firewall and block the ports which are not required.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Refer to the following guidance articles from Microsoft for protection against the Conficker worm:
    http://technet.microsoft.com/en-us/security/dd452420.aspx
    http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

    References

    http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
    http://www.threatexpert.com/reports.aspx?find=W32.Downadup+&x=0&y=0
    http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
    http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
    http://www.cert-in.org.in/currentacts/currentact07.htm#TGAM
    http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911
    http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
    http://www.f-secure.com/weblog/archives/00001574.html
    http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

    Forefront Client Security – What it is and isn’t gonna do

    Forefront Client Security (FCS) is gonna be the antivirus, anti-malware, anti-spyware solution for protecting all the IT managed infrastructure in a corporate network. To be specific, FCS will be protecting the following range of x86 and x64 clients:

    • Windows 2000 SP4+
    • Windows XP SP2+
    • Windows Vista Business, Enterprise and Ultimate
    • Windows Server 2003 SP1 & R2

    FCS at this point of time (with version 1.0) will not be able to protect the following clients:

    • Windows NT
    • Windows XP Tablet PC
    • Windows XP Media Center
    • Windows XP Embedded
    • Windows Vista Home Basic/Premium
    • Any edition of Windows that’s not domain joined

    FCS is basically an anti-malware solution for corporate, IT managed environments, and it requires a few services that manage all the clients running the FCS Client Agent.

    So where’s the FCS Server going to be?

    The FCS services are installed on a Windows Server 2003 SP1 or R2 Standard or Enterprise server (x86). (Longhorn is expected to be supported from the next version release.)

    Also, x64 is not supported at this time because of a feature dependency on the x86 version. To be specific, the FCS Server makes extensive use of GPMC (Group Policy Management Console), which is not supported on the x64 platform at this point of time. But it is quite assured that the product group is working in this direction, and will soon be able to provide x64 support for GPMC and hence for the FCS server as well.

    For monitoring the FCS client agents, FCS uses MOM Server 2005 SP1 at its backend. Although MOM 2007 is planned for release in pretty much the same timeline as FCS, the product managers plan to bring out the 1.0 version of the product ready to be deployed in existing infrastructures.

    SQL Server Reporting Services will be leveraged for the FCS reporting feature.

    FCS embeds its own version of MOM 2005 SP1 for deployment and cannot use an existing installation of MOM 2005, the reason being the number of modifications that FCS makes to MOM and SQL Server in terms of patches, schema changes and more.
    Moreover, all the involved servers (FCS, MOM 2005 SP1 and SQL Server) will run only on the x86 architecture at present.

    How it Works

    1. Policy Update – Policies that specify how and which clients need to be installed with the FCS client agents, how scanning will happen, schedules etc. are all managed using Active Directory Group Policy. The policies can also be exported to a file for applying locally.

    2. Signature Distribution – Signature distribution has been optimized to happen through WSUS. Nevertheless, signatures will also be downloadable from Microsoft.com and can be distributed through other mechanisms like SMS etc.

    3. Event Collection and Reporting – FCS embeds a modified version of MOM 2005; the client is installed with the FCS agent and can generate events once it is connected to the domain. Events continue to be generated even when the client is not connected, but are reported back to the server only when the client re-establishes its domain connection.

    Gates Crash into Security

    So, one domain that Microsoft refrained from entering for a long time was the domain of anti-virus and anti-malware products.

    Finally now, next month in April 2007, Microsoft’s first player in the antivirus field gets released under the brand name "Microsoft Forefront". It’s not a product in itself, but a range of products being introduced for protecting IT resources at various levels in a corporate network.

    Microsoft Forefront will have three major product lines being released in their 1.0 version:

    | # | Category                   | Products                                                                  | Protects                                               |
    |---|----------------------------|---------------------------------------------------------------------------|--------------------------------------------------------|
    | 1 | Client and Server Products | Forefront Client Security                                                 | Windows 2000 SP4+                                      |
    | 2 | Application Servers        | Forefront Security for Exchange Server, Forefront Security for SharePoint | Microsoft Exchange Server, Microsoft SharePoint Server |
    | 3 | Edge Protection            | Intelligent Application Gateway, Microsoft ISA Server                     |                                                        |

    I am going to be focusing this time on Forefront Client Security (FCS).

    The features of FCS are focused under 3 major pillars:

    Unified Protection

    Simplified Administration

    Visibility and Control

     

    It is basically aimed at providing unified protection to business servers, desktops and laptops in your organization, with an incredibly simple way to manage and administer them all.

    So there have been a number of products and features around for protecting the infrastructure, like Windows Defender, MSRT (MS Spyware Removal Tool), Windows Live OneCare etc. These tools have essentially been helping individual users protect and manage their own desktops.

    The basic engine that detects and removes all the recently developed viruses and spyware is the same in all these products, including FCS. In addition, FCS provides unified management of the antivirus/antispyware tool on these systems and even allows centralized reporting through SQL Reporting Services working in the background.

     

    Memory Card Vs. Smart Card

    A memory card is only a card that has the capability to store information. A smart card, on the other hand, has the necessary hardware and logic to store as well as process information.

    If a user has a memory card, he only needs to enter the user id or a PIN and then swipe the memory card against the reader. The memory card contains the user’s password. This combination of the PIN (or user id that the user entered) and the password (read from the memory card) is sent to the authentication server. If this combination is correct, the user sees a green signal on the card reader and is allowed to access the resource. This is a two-way authentication process, as the correct user needs to have the card (what you have) and needs to remember the correct PIN (what you know).
    Memory cards are mostly used for entering a company’s building or facility, and are also commonly used in ATMs: the user enters his PIN and swipes the card against the card reader. Memory cards can also be used with computers, but are not used often, as they require a memory card reader for each computer, which adds cost besides complicating the authentication process.

    Smart cards provide processing power for the information stored inside the card, as the card has a microprocessor and integrated circuits on the card itself. The smart card also provides two-factor authentication, as the information stored inside the card can be locked with a PIN. So, for correct authentication the user must remember to enter the correct PIN (what you know) and must have the smart card (what you have).
    To get authenticated using a smart card, the user enters a PIN and inserts the smart card into the reader. The reader performs a one-way transformation of the PIN and stores the result in the memory of the card reader. It then performs a one-way transformation of the information stored inside the smart card and compares it to what it had stored in memory (the transformation of the PIN entered by the user). If the two match, the user is authenticated and allowed to access the resource.
    The information stored inside the smart card is secure, as it is not readable until the correct PIN is entered. Also, the information can be stored inside the smart card in an encrypted form, and the card can be programmed to detect any tampering. In case tampering with the card is detected, the information on the card can automatically be erased.
    Smart cards can be used as a method of authentication on computers to provide one-time passwords, or for providing the private key for authentication using a Public Key Infrastructure (PKI). They are comparatively more resilient to reverse engineering, but have one more disadvantage than memory cards, as they are more expensive and add the extra cost of readers for every computer.

    Biometric Systems

    Biometrics, as most of us know, is a set of techniques that verifies the identity of a user based upon his unique physiological characteristics.
    Different types of devices are used to scan different body parts, and the scan is verified against the one recorded in the reference file. Once the pattern is matched, the user is allowed to access the facility or the system.
     
    Since biometric systems need to match the scan to the database, they may need to scan the person more than once in order to store a correct record, or to verify it correctly. This may take time and may prove to be very intrusive to the users. Biometric systems are also prone to making mistakes while comparing the scans. A value called the Crossover Error Rate (CER) of the biometric system tells how accurate that system is. The CER is the point on the graph at which the False Rejection Rate (FRR) meets the False Acceptance Rate (FAR).
    The FRR value shows the number of times a given system may reject an authorized user as unauthorized in a given span.
    The FAR value specifies how many times a system may accept an unauthorized person as authorized in a given span.
     
    The lower the CER value, the more accurate the biometric system is,
    i.e. a biometric system with a CER of 3 is likely to be more accurate than one having a CER of 4.
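The FRR/FAR crossover described above, worked through as an added example (not part of the original post): the match scores for two hypothetical systems, A and B, are constructed for illustration, and the CER is found by sweeping the acceptance threshold until the two error rates meet, which also shows why the lower CER marks the more accurate matcher.

```python
"""Crossover Error Rate (CER) of a biometric matcher.

A matcher returns a similarity score and accepts an attempt whose score
is at or above a threshold. Raising the threshold lowers FAR (fewer
impostors accepted) but raises FRR (more authorized users rejected).
The CER is the error rate at the threshold where the two curves cross;
the lower it is, the more accurate the system.
"""

# Constructed sample scores (0-100) for two hypothetical systems; not
# taken from any real device. Genuine = enrolled user matched against
# their own template; impostor = someone else matched against it.
SYSTEM_A = {
    "genuine": [92, 88, 85, 81, 79, 77, 74, 70, 66, 58],
    "impostor": [22, 31, 35, 42, 48, 55, 61, 64, 72, 76],
}
SYSTEM_B = {
    "genuine": [90, 84, 80, 75, 71, 68, 63, 60, 57, 52],
    "impostor": [30, 38, 45, 51, 56, 62, 66, 70, 73, 78],
}


def false_rejection_rate(genuine, threshold):
    """FRR: share of authorized attempts rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """FAR: share of unauthorized attempts accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curves(genuine, impostor):
    """(threshold, FRR, FAR) at every observed score, i.e. at every point
    where one of the two curves can change value."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [
        (t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
        for t in thresholds
    ]


def crossover_error_rate(genuine, impostor):
    """Return (threshold, CER): the operating point where FRR and FAR are
    closest, with the CER taken as their mean there (equal when they cross)."""
    t, frr, far = min(error_curves(genuine, impostor),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def more_accurate(system_x, system_y):
    """Compare two systems by CER: returns 'x', 'y' or 'tie' (lower CER wins)."""
    cer_x = crossover_error_rate(**system_x)[1]
    cer_y = crossover_error_rate(**system_y)[1]
    if cer_x == cer_y:
        return "tie"
    return "x" if cer_x < cer_y else "y"


if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        print(f"System {name}:  threshold   FRR    FAR")
        for t, frr, far in error_curves(**system):
            print(f"              {t:3d}      {frr:.2f}   {far:.2f}")
        t, cer = crossover_error_rate(**system)
        print(f"  CER = {cer:.2f} at threshold {t}\n")
    print("More accurate system:", more_accurate(SYSTEM_A, SYSTEM_B))
```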
     
    The different characteristics that are used in biometrics to identify users are:
    1. Fingerprint – checks for specific patterns of ridges and bifurcations and detailed characteristics called minutiae.
    2. Palm Scan – examines the creases, ridges and grooves on the palm of the user.
    3. Hand Geometry – examines the shape (length and width) of the hand and fingers.
    4. Hand Topology – examines a side-view picture of the hand, looking at the peaks and valleys of the hand.
    5. Retina Scan – examines the patterns of blood vessels of the retina at the back of the eye.
    6. Iris Scan – examines the colored portion of the eye surrounding the pupil.
    7. Voice Print – examines the voice of the person when he speaks a set of given words in different jumbled orders.
    8. Facial Scan – scans the entire face of the user for bone structure, nose ridges, eye widths, chin shape and forehead shape.
    9. Signature Dynamics – examines the way a person holds a pen while signing, the speed of signing, the pressure exerted on the pen etc.
    10. Keystroke Dynamics – speed of typing on the keyboard, hold time and flight time etc.
     

    Access Control – Checking at the Entrance !

    So the very first measure that we would normally take to secure an IS environment is to stop and check a user’s validity at the entry point of the network itself.
    This may be an entry point to the company’s facility, or logging on to a desktop computer on the network.
    All of these checking processes form a part of Access Control.
     
    The whole process, starting from a user entering his credentials to his being able to access the resource he wants, is actually broken down into 4 components:
     
    1. Identification
    2. Authentication
    3. Authorization
    4. Accountability
     
    (And you thought it was simple?? )
     
    So let’s talk about them in brief:
    1. Identification – the process whereby a user becomes known for later accountability (e.g. username);
       meaning, "May I know who I am talking to?"
    2. Authentication – the process of verifying that a user is who he claims to be (e.g. password);
       meaning, "May I see your photo id?" or "Prove that you are xyz."
    3. Authorization – the process of checking and granting the right level of access to the user for the resource he needs to access; meaning, "What do you want to do?" and "Let me check if you can do it."
    4. Accountability – the process of tracking an incident so as to hold a user accountable for it (e.g. maintaining audit logs); meaning, "Let’s check who did this!"
     
    Different kinds of mechanisms exist for identification and authentication, and they can be ordered on the basis of the surety they provide that a user is actually who he claims to be. There are four kinds of access control techniques, which can be used in isolation or in combination with one another:
    a. Where you are – giving access based upon the physical location of the user, e.g. in RAS
    b. What you know – based upon what you remember, e.g. passwords
    c. What you have – based upon some physical card you have, e.g. a smart card
    d. Who you are – based upon your unique physiological characteristics, e.g. biometrics
     
    I’ll talk about "Biometric systems", the most trusted source of user identification, in my next blog!