• Microsoft Security Newsletter - February 2015

    From Lord Time@TIME to All on Fri Feb 27 10:58:50 2015
    Microsoft Security Newsletter - February 2015



    Trustworthy Computing | February 2015
    Microsoft Security Newsletter



    Welcome to February 2015’s Security Newsletter!

    This month, we are focusing on security management. While it is, of course, crucial to put measures into place that protect your organization’s information, it is equally important to ensure that those measures remain effective as your business evolves. This requires constant monitoring—of your systems, services, and user base. It also requires that you continue to implement new procedures and practices, such as multi-factor authentication, as new risks or business needs emerge.



    In this month’s newsletter, we offer tips to help you simplify the process of managing a secure infrastructure using Microsoft System Center and Microsoft Intune, and resources to help you better protect data using multi-factor authentication. We also highlight some of the sessions that you can attend at Microsoft Ignite this May to explore the latest in security technologies and access management.



    Best regards,

    Tim Rains, Chief Security Advisor

    Microsoft Worldwide Cybersecurity & Data Protection



    Want to share this newsletter with a friend or colleague? https://technet.microsoft.com/en-us/security/cc307424.aspx Click here for the online edition and subscription options.


    Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.




    Top Stories


    http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/

    KRBTGT Account Password Reset Scripts Now Available for Customers

    Although pass-the-hash credential theft and reuse attacks aren’t new, more recently security researchers have been focusing on attack methods for Kerberos authentication. One way to help mitigate the risk is to periodically reset the krbtgt account password. Get a script and guidance to help you perform the reset in a way that reduces the likelihood of authentication errors caused by delayed distribution of the new krbtgt account keys in your environment.

    http://blogs.microsoft.com/cybertrust/2015/01/27/putting-information-sharing-into-context/

    Putting Information Sharing into Context

    Download a new white paper that explores the various types and methods of information exchanges and discusses how to better harness the practice for risk reduction to help move policy and strategy debates forward and support better defense of cyber assets and infrastructure.

    http://blogs.technet.com/b/msrc/archive/2015/01/08/evolving-advance-notification-service-ans-in-2015.aspx

    Evolving Advance Notification Service (ANS) in 2015

    Created more than a decade ago as part of Update Tuesday to broadly communicate, in advance, about the security updates being released for Microsoft products and services each month, Microsoft’s Advance Notification Service (ANS) is changing in 2015. Find out why ANS information will now be provided directly to Premier customers and current organizations involved in Microsoft security programs, versus made broadly available through a blog post and web page, and how you can receive security bulletin information tailored only to those applications running in your environment.




    Security Guidance

    http://technet.microsoft.com/security/dn916150.aspx
    Security Tip of the Month: Simplify Secure Infrastructure Management with System Center
    By Frank Simorjay, CISSP, ISSA Distinguished Fellow, and Microsoft Senior Content Developer

    IT security is one of the most difficult challenges that every organization must deal with. Although security is much broader than this, you can make the goal of maintaining a secure, well-managed infrastructure easier to achieve by standardizing, and therefore simplifying your systems. Knowing what programs are installed and configured and how your systems are built helps you get to that goal.



    In this article I will focus on the 20,000-foot view of how you can accomplish this task by using the Microsoft System Center suite of tools. I will not go into step-by-step details, but will focus more on the tools you can use to assist you in meeting the goals of building standard images to reduce the risks that can occur when manually building and deploying systems. I have included in this article links and more information on the tools I will discuss.



    As an IT administrator and security professional, I ask many questions about security, but for this article I will focus on the following:


    -What systems are you using?
    -Do you have policies and procedures that you follow?
    -How do you verify and confirm that policies are being followed?
    -What tools do you use to support the automation of your processes?
    -How do you test configurations?
    -And my favorite, what services are running on what computers?


    The reason I ask these questions is to understand how well documented a company’s IT structure is. Often, when I ask questions like, "How are your servers and desktops configured?" or "Do you have a document that shows what ports, services, and processes are running on your servers or workstations?" the answer I get 90% of the time is, "No."



    This becomes the major focus of IT security and I’ll explain it this way. If you cannot tell me what is running in your environment, then how do you know if I added a new application to your network? If you do not know what services, applications, or ports are in use, how do you know what has been changed? This lack of knowledge can allow a hacker to add applications and remote access tools, and gain access to your company data.




    Create a baseline

    A baseline is a state of being that gives you a known configuration to test against. Most organizations have a collection of software and settings that should be present on all computers. This article shows you techniques that allow you to easily create, deploy, and maintain a standardized configuration. This could include operating system patches, applications, security policy settings, antivirus software, and more. If you build an image for a workstation or server, this becomes your baseline(s), or master image(s). You then have a starting point for all future workstations or servers – as you add more software you can create additional baselines.



    By creating a baseline, or master image, you can create multiple new servers or workstations that match all existing documented build guides. This allows you to easily add and have the same configurations on systems of the same type. This will assist you in documenting, testing, and patch management, and also during audits to verify that configurations are being built to specifications. We are going to use the System Center suite to accomplish this.



    What’s included with System Center

    Let’s start by reviewing the http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2 System Center suite of products and the primary functionality of each product.


    System Center Configuration Manager: Configuration Manager lets you perform tasks such as the following:


    -Deploy operating systems, software applications, and software updates
    -Track and remediate computers for compliance settings
    -Track hardware and software inventory
    -Remotely administer computers

    System Center Orchestrator: Orchestrator is a workflow management solution for the data center. Orchestrator lets you automate the creation, monitoring, and deployment of resources in your environment.


    System Center Virtual Machine Manager: Virtual Machine Manager (VMM) is a management solution for the virtualized data center that lets you configure and manage your virtualization host, networking, and storage resources in order to create and deploy virtual machines and services to private clouds that you have created.


    System Center App Controller: App Controller provides a common self-service experience that can help you easily configure, deploy, and manage virtual machines and services across private and public clouds.


    System Center Operations Manager: Operations Manager provides infrastructure monitoring that is flexible and cost-effective, helps ensure the predictable performance and availability of vital applications, and offers comprehensive monitoring for your data center and cloud, both private and public.


    System Center Endpoint Protection (included with Configuration Manager): Includes an operations, configuration, data-protection, service, and virtual machine manager, as well as advanced endpoint protection. It provides a single, integrated platform for managing policies, endpoints, software deployment, data-loss prevention, and Internet security.


    System Center Service Manager: Service Manager provides an integrated platform for automating and adapting your organization's IT service management best practices, such as those found in Microsoft Operations Framework (MOF) and Information Technology Infrastructure Library (ITIL). It provides built-in processes for incident and problem resolution, change control, and asset lifecycle management.


    System Center Data Protection Manager: Provides Data Protection Manager (DPM) to back up servers, computers, Microsoft workloads, system state, and bare metal recovery (BMR).



    Although the full System Center suite is helpful in reducing errors and controlling your environment by the use of automation, the tips in this article focus on Configuration Manager, VMM, and Service Manager.



    Using Configuration Manager

    To begin the process of building an image, you must first write down everything that has to be included. After you have your checklist, you can do it all manually, but by using the Operating System Deployment (OSD) functionality in Configuration Manager, you can create a series of deployment images that you can push out to your new server and ensure that each new computer (whether it be physical or virtual) meets the same standards and follows your best practices.



    Think about this: If we create all web servers using a master image, then all web servers should have the same ports, services, and apps installed and then we can look for changes.



    Since I have said that there is a need for enterprise baselines, let's discuss that process. How can you create, manage, and validate configurations through imaging, patching, and control using System Center modules?



    Start by writing down everything that has to be included (operating system, antivirus, applications, patches, policies, backup agent, monitoring agent). For example, let’s create a Windows Server 2012 R2 computer with web server and Hyper-V roles, the Data Protection Manager Client, Endpoint Protection Client, and Operations Manager management packs.



    You now have your checklist. You can use this master image as the basic image for all new web servers. You can build these servers manually, but then each time you build another server you might configure it differently, and human error will continually be a factor.



    To build desktop images, you can use the Windows Assessment and Deployment Kit to create the image. However, if you download the Microsoft Deployment Toolkit (MDT), you can then use a graphical tool to create standardized images. See https://technet.microsoft.com/library/dn744284.aspx?ocid=wc-nl-secnews Deploy Windows 8.1 with Configuration Manager for more information.



    You can also use Operating System Deployment (OSD) functionality in Configuration Manager. For more information about OSD, take the https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=microsoft.holsystems.com&altadd=true&labid=9882 TechNet Virtual Lab. To download OSD, visit the http://www.microsoft.com/en-us/download/details.aspx?id=42959 Microsoft Download Center.



    Now you have created a series of deployment images that you can push out to your new server or workstation and ensure that each new computer (whether it be physical or virtual) meets the same standards and follows your best practices.



    You have built a master image for all new web servers or workstations. Using Configuration Manager you can deploy your new master image to all new web servers and know that all web servers have the same configuration. You can scan which ports are open (using a third-party tool if needed) and record the result in a baseline document. You can also use the System Center inventory tool to notify you of any software installed on the computer that was not pushed by IT. Then you can create a document for each server, using Service Manager or some other tool, that records any changes or updates to your configuration. This becomes your audit trail and a resource you can check for approved changes and in which you can document any issues.
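    As an added example that is not part of the article or of any Microsoft tool, the following PowerShell captures the kind of baseline described above (running services and listening TCP ports on a freshly imaged server), saves it as JSON, and later reports anything added or missing. It assumes Windows Server 2012 or later (for Get-NetTCPConnection) and PowerShell 4.0 or later; the baseline file path is a placeholder.

```powershell
# Added example, not from the article: capture a baseline of running services
# and listening TCP ports, then compare a later snapshot against it.
# Assumes Windows Server 2012 or later (Get-NetTCPConnection) and PowerShell 4+.

function Get-HostBaseline {
    # Collect what the article asks you to know about a server: which services
    # are running and which ports are listening (and which process owns them).
    $services = Get-Service | Where-Object Status -eq 'Running' |
        Select-Object -ExpandProperty Name | Sort-Object

    $ports = Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            '{0}:{1} ({2})' -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName
        } | Sort-Object -Unique

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Captured     = (Get-Date).ToString('o')
        Services     = @($services)
        Ports        = @($ports)
    }
}

function Save-HostBaseline {
    # Write the baseline document once, right after the master image is deployed
    param([Parameter(Mandatory)][string]$Path)
    Get-HostBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-HostBaseline {
    # Report anything present now that was not in the baseline (a new service or
    # listener) and anything missing (for instance a stopped AV or backup agent).
    param([Parameter(Mandatory)][string]$Path)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-HostBaseline

    foreach ($field in 'Services', 'Ports') {
        $diff = Compare-Object -ReferenceObject @($baseline.$field) `
                               -DifferenceObject @($current.$field)
        foreach ($d in $diff) {
            $change = if ($d.SideIndicator -eq '=>') { 'Added' } else { 'Missing' }
            [pscustomobject]@{ Type = $field; Change = $change; Item = $d.InputObject }
        }
    }
}

# Usage (placeholder path): run once on a freshly imaged server, then on a schedule.
# Save-HostBaseline    -Path 'C:\Baselines\web01.json'
# Compare-HostBaseline -Path 'C:\Baselines\web01.json' | Format-Table -AutoSize
```

    An empty result from Compare-HostBaseline means the server still matches its baseline; any row is a change to reconcile against the Service Manager record for that server.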



    After you install baseline images that you can push to bare metal or virtual machines, you can then add configurations or software by using Group Policy or packages hosted in System Center. A nice addition to your security portfolio that you may not be aware of, is the new Windows PowerShell Desired State Configuration (DSC) tool set. You can learn more about DSC in the https://technet.microsoft.com/library/dn249912.aspx Windows PowerShell Desired State Configuration Overview .



    DSC can do many things, but for our purposes it does the following:


    -Deploy new software
    -Take a baseline, and then fix configurations that have drifted away from the desired state
    -Discover the actual configuration state on a given server


    In addition, you can create custom resources to configure the state of any application or system setting. Once again, be sure to document the newly configured server in Service Manager.
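    The three DSC tasks listed above, shown as an added PowerShell example that is not part of the article: a configuration for the article's Windows Server 2012 R2 web server checklist using only the built-in PSDesiredStateConfiguration resources, a Local Configuration Manager setting so that drift is corrected rather than only reported, and the cmdlets that reveal the actual state. The Web-Ftp-Server removal and the 30-minute check interval are choices made for this example.

```powershell
# Added example, not from the article: a DSC configuration for the web server
# baseline, applied locally and then checked for drift. Assumes Windows Server
# 2012 R2 with PowerShell 4.0 or later and only the built-in DSC resources.

Configuration WebServerBaseline {
    param([string[]]$ComputerName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {
        # Deploy software: the web server role from the checklist
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Nothing that was not in the image: no FTP listener on a web server
        # (choosing this 'Absent' item is a decision made for this example)
        WindowsFeature NoFtp {
            Name   = 'Web-Ftp-Server'
            Ensure = 'Absent'
        }

        # Keep the IIS service running; DSC starts it again if it is stopped
        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }
    }
}

# Tell the Local Configuration Manager to re-check every 30 minutes and put
# drifted settings back, instead of applying the configuration only once
Configuration WebServerLcm {
    Node localhost {
        LocalConfigurationManager {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile both configurations to MOF files in the current directory, then apply
WebServerBaseline -OutputPath .\WebServerBaseline | Out-Null
WebServerLcm      -OutputPath .\WebServerLcm      | Out-Null
Set-DscLocalConfigurationManager -Path .\WebServerLcm
Start-DscConfiguration -Path .\WebServerBaseline -Wait -Verbose

# Discover the actual state: $false here means at least one resource has drifted
Test-DscConfiguration
# ...and list what DSC currently sees for each resource in the baseline
Get-DscConfiguration
```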



    Next steps

    So, at this point, you have a functional, baseline, documented master image for your initial server installation; but things can change over time, so how do you handle issues like security patches, updates, and so on?



    We all know that we should perform testing before putting anything in production, but how? We do not want to create a "Resume Generating Event" in which a change we put into production hurts the company or risks your job.



    Before you deploy patches or updates to your servers you should perform the proper tests. By using VMM you can make a copy of your production environment and create an isolated network on your Hyper-V infrastructure. You can then test updates and patches without any danger to your production environment.



    As an administrator you can control when and where you will deploy a patch or update by using Configuration Manager. By creating multiple development, test, and production OUs you can leverage them to test and validate patches and pushes of updates to systems. After you verify that the updates work as expected, and only then, you can approve them for your production systems. Then you can update both the production computers and the master image so that all new servers have the updates applied. Remember to document that change to the image in Service Manager.



    In addition to what I have discussed here in this article, there are third-party tools you can use to look at files, folders, and registry changes that can further support security and add additional real-time baselines to those applications and servers that require extra vigilance. These tools can report, and if allowed, can revert any unauthorized changes.



    In this article I have discussed how you can create baseline images, as well as test, patch, and document changes that have been made in your system. If you do not have your systems documented, it is nearly impossible to tell when something has changed; and, if by chance you do detect a change, if you have not implemented proper monitoring and auditing you cannot know who made the change, or if it was authorized or unauthorized. By using baseline images you create with Configuration Manager and Service Manager to document changes, you are better enabled to secure your IT structure and reduce security risks.




    https://technet.microsoft.com/library/dn280949.aspx
    Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

    Explore the authentication mechanisms available in Active Directory Federation Services (ADFS) and see how you could use ADFS to enable multifactor authentication based on user’s group membership. Not familiar with ADFS? See the https://technet.microsoft.com/library/hh831502.aspx Active Directory Federation Services Overview for more information.




    https://technet.microsoft.com/library/dn280936.aspx
    Manage Risk with Conditional Access Control

    Access control in ADFS is implemented with issuance authorization claim rules, which issue permit or deny claims that determine whether a user or a group of users is allowed to access ADFS-secured resources. Learn how to enforce conditional access control based on user identity or group membership, network location, device (whether it is workplace joined), and the authentication state (whether multifactor authentication was performed).




    https://technet.microsoft.com/library/dn889751.aspx
    Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

    Intune integrates multi-factor authentication to allow you to better secure your corporate resources by requiring additional verification from users beyond their usernames and passwords. Explore the on-premises infrastructure requirements and learn how to enable ADFS multi-factor authentication during the enrollment of Windows 8.1 and Windows Phone 8.1 devices.




    https://technet.microsoft.com/library/jj916649.aspx
    Two-Factor Authentication and Office 365

    Two-factor authentication is an optional feature available with Office 365 Dedicated plans and ITAR-support plans. Explore the two-factor authentication methods that can be used with Office 365 services and quickly access implementation guidance, requirements, and limitations for each method.




    https://technet.microsoft.com/library/dn308562.aspx
    Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

    Explore key deployment considerations when configuring a Lync Server 2013 environment to support two-factor authentication then find guidance on https://technet.microsoft.com/library/dn308567.aspx configuring and https://technet.microsoft.com/library/dn338071.aspx using two-factor authentication with Lync.





    Community Update
    http://social.technet.microsoft.com/wiki/contents/articles/17493.protecting-hyper-v-virtual-machines-with-system-center-dpm-2012.aspx

    Protecting Hyper-V Virtual Machines with System Center DPM 2012

    Get an overview of Data Protection Manager (DPM) Hyper-V protection scenarios, and guidance on how to set up protection including protecting virtual machines in clusters with Cluster Shared Volume (CSV) Storage.




    This Month's Security Bulletins


    February 2015 Security Bulletins


    Critical

    -MS15-009:3034682
    https://technet.microsoft.com/library/security/ms15-009

    Security Update for Internet Explorer

    -MS15-010:3036220
    https://technet.microsoft.com/library/security/ms15-010

    Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution

    -MS15-011:3000483
    https://technet.microsoft.com/library/security/ms15-011

    Vulnerability in Group Policy Could Allow Remote Code Execution



    Important

    -MS15-012:3032328
    https://technet.microsoft.com/library/security/ms15-012

    Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    -MS15-013:3033857
    https://technet.microsoft.com/library/security/ms15-013

    Vulnerability in Microsoft Office Could Allow Security Feature Bypass

    -MS15-014:3004361
    https://technet.microsoft.com/library/security/ms15-014

    Vulnerability in Group Policy Could Allow Security Feature Bypass

    -MS15-015:3031432
    https://technet.microsoft.com/library/security/ms15-015

    Vulnerability in Microsoft Windows Could Allow Elevation of Privilege

    -MS15-016:3029944
    https://technet.microsoft.com/library/security/ms15-016

    Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure

    -MS15-017:3035898
    https://technet.microsoft.com/library/security/ms15-017

    Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege


    February 2015 Security Bulletin Resources:

    - http://blogs.technet.com/b/msrc/archive/2015/02/10/february-2015-updates.aspx

    February 2015 Bulletin Release Blog Post
    - http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx

    Malicious Software Removal Tool: February 2015 Update



    Security Events and Training


    https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=12277

    TechNet Virtual Lab: IT Service Management with Service Manager

    Explore Service and Request Offerings and learn how Service Manager integrates with other products, such as Orchestrator and Virtual Machine Manager.

    http://www.microsoftvirtualacademy.com/training-courses/identity-and-access-management

    Microsoft Virtual Academy: Identity and Access Management

    Need tips for moving your Active Directory Federation Services (ADFS) workload to Microsoft Azure, the powerful platform leveraged by IT specialists to provide a range of services and tools to end users? Look no further! Get expert advice on design, deployment, maintenance, and more so you can smoothly manage the transition of your ADFS workload to Azure. Explore the various forms of identity, and learn to transition the tools that provide identity services into Microsoft Azure. Plus, see how to resolve common issues.

    http://www.microsoftvirtualacademy.com/liveevents/azure-active-directory-core-skills-jump-start

    Microsoft Virtual Academy: Azure Active Directory Core Skills Jump Start
    March 26, 2015 – 9:00 AM Pacific Time to 5:00 PM Pacific Time

    Constantly resetting customer passwords? Want to extend your on-premises Active Directory? Explore Azure Active Directory (Azure AD) as Microsoft Virtual Academy kicks off its "Enterprise Mobility Core Skills" series, arming you with key knowledge to enable enterprise mobility management and prepare your environment for Windows 10.







    Essential Tools


    - http://technet.microsoft.com/security/bulletin Microsoft Security Bulletins
    - http://technet.microsoft.com/security/advisory Microsoft Security Advisories
    - http://www.microsoft.com/security/sdl/adopt/starterkit.aspx Microsoft Security Development Lifecycle Starter Kit
    - http://support.microsoft.com/kb/2458544 Enhanced Mitigation Experience Toolkit
    - http://www.microsoft.com/security/pc-security/malware-removal.aspx Malicious Software Removal Tool
    - http://technet.microsoft.com/security/cc184924.aspx Microsoft Baseline Security Analyzer


    Security Centers


    - http://technet.microsoft.com/security Security TechCenter
    - http://msdn.microsoft.com/security Security Developer Center
    - http://www.microsoft.com/security/msrc/default.aspx Microsoft Security Response Center
    - http://www.microsoft.com/security/portal/ Microsoft Malware Protection Center
    - http://www.microsoft.com/privacy Microsoft Privacy
    - http://support.microsoft.com/select/default.aspx?target=hub&c1=10750 Microsoft Security Product Solution Centers


    Additional Resources


    - http://blogs.microsoft.com/cybertrust/ Microsoft Cybertrust Blog
    - http://www.microsoft.com/security/sir Microsoft Security Intelligence Report
    - http://www.microsoft.com/security/sdl Microsoft Security Development Lifecycle
    - http://technet.microsoft.com/library/cc162838.aspx Malware Response Guide
    - http://technet.microsoft.com/security/bb980617.aspx Security Troubleshooting and Support Resources




    microsoft.com/about/twc Trustworthy Computing




    This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



    (c) 2014 Microsoft Corporation
    http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/default.aspx Terms of Use |
    http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Trademarks/EN-US.aspx Trademarks


    Microsoft respects your privacy. To learn more please read our online http://go.microsoft.com/fwlink/?LinkId=248681 Privacy Statement .






    Microsoft Corporation

    One Microsoft Way

    Redmond, WA 98052 USA
    ---
    ■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games