Roger Halbheer on Security » Microsoft

EMET–Protection Against Zero-Days

Roger Halbheer — Sun, 23 Oct 2011 22:27:33 +0000

The Enhanced Mitigation Experience Toolkit is definitely not new but I recently realized that not too many people know about it – and they should. EMET helps you to raise your shields against zero-days and any exploit in the wild. I do not say that it is a silver bullet but it is definitely going into this direction – a little bit.

You can find all the necessary information on EMET here:

That’s the article on our support website: The Enhanced Mitigation Experience Toolkit
Here a TechNet blog post: New version of EMET is now available
To download EMET v 2.1
And a BlueHat session

Before you start, please make sure that you have the Bitlocker recovery key ready (you are running Bitlocker, don’t you?) or that you suspend Bitlocker for the time of the configuration as EMET might change your Data Execution Prevention settings, which change your bootloader, which invalidates the Bitlocker signature, which needs to be proven.

I always love to strengthen my policies and see when something breaks and how. I started to use it and it actually provides you a fairly straight-forward interface with what is running and in which state:

You can then configure your applications and define on which level you want them to be protected. It might then happen that this pops up:

I wont tell you which application it was but I was a little bit scared…

Anyway, if you did not use it yet, I think you should!

Roger

Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response

Roger Halbheer — Wed, 19 Oct 2011 13:01:45 +0000

A few years ago I posted on DaRT after having seen it: Microsoft Diagnostics and Recovery Toolset. It is a really good an interesting tool for a lot of problems, one of them being incident response. I just stumbled across one article describing this: Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response.

An overview over DaRT can be found here. To prelude rants and questions: DaRT is part of the Microsoft Desktop Optimization package and cannot be downloaded from our website

Roger

Video on Microsoft’s Datacenter

Roger Halbheer — Fri, 29 Jul 2011 10:13:43 +0000

A very good overview over the way we run Microsoft’s Cloud. The interesting thing is – if you look at the video – that most customers are still running their datacenters on generation 1-2, which means that the efficiency (labor as well as energy) we can deliver is significantly higher – not talking of our . . . → Read More: Video on Microsoft’s Datacenter

Cloud Security in Office365

Roger Halbheer — Fri, 15 Jul 2011 08:12:29 +0000

You heard about the launch of Office365 recently and I hope you read the blog post on the application of the Cloud Computing Security Considerations to the private. cloud. If not, here it is: Security Considerations in a Private Cloud

To complete the series now, we released an additional paper on how these considerations can be applied to Office 365. It is not about the security features of Office 365. It is about how a the responsibilities between the customer and us can and shall be split. This is a really interesting paper in my opinion: Addressing Cloud Computing Security Considerations with Microsoft Office 365.

Additionally, we took a deeper look at the Cloud Security Alliance’ Cloud Control Matrix (CCM) at provided an answer for each question/control raised in this document: Standard Response to Request for Information – Security and Privacy.

These are all steps to provide you with the necessary transparency to get into the public cloud and on Office 365!

Roger

Windows Lifecycle and Support

Roger Halbheer — Tue, 21 Jun 2011 20:09:42 +0000

One of the things which surprises me often, when talking to customers is, that they do not know, when certain (key) products run out of support – and therefore no security updates will be shipped.

You should include the following dates in your plans:

Windows XP Home: Mainstream support ended 4/14/2009
Windows XP Professional: Extended support ends 4/8/2014 (if you did not yet plan to migrate to Windows 7, you should probably start)
Windows Vista Ultimate and Windows Vista Home: Mainstream support ends 4/10/2012
Windows Vista Enterprise: Extended support ends 4/11/2017
Windows NT Server 4.0: Support ended 12/31/2004 (I guess you know that)
Windows Server 2003, Enterprise Edition: Extended support ends 7/14/2015
Windows Server 2003 R2 Enterprise Edition: Extended support ends 7/14/2015

If you want to see the full lifecycle database, you will find it on our Lifecycle site.

This is the general policy:

Business and Developer products

Microsoft will offer a minimum of 10 years of support for Business and Developer products. Mainstream Support for Business and Developer products will be provided for 5 years or for 2 years after the successor product (N+1) is released, whichever is longer. Microsoft will also provide Extended Support for the 5 years following Mainstream support or for 2 years after the second successor product (N+2) is released, whichever is longer. Finally, most Business and Developer products will receive at least 10 years of online self-help support.

Consumer, Hardware, and Multimedia products

Microsoft will offer Mainstream Support for either a minimum of 5 years from the date of a product’s general availability, or for 2 years after the successor product (N+1) is released, whichever is longer. Extended Support is not offered for Consumer, Hardware, and Multimedia products. Products that release new versions annually, such as Microsoft Money, Microsoft Encarta, Microsoft Picture It!, and Microsoft Streets & Trips, will receive a minimum of 3 years of Mainstream Support from the product’s date of availability. Most products will also receive at least 8 years of online self-help support. Microsoft Xbox games are currently not included in the Support Lifecycle policy.

Roger

How Microsoft Uses File Classification Infrastructure

Roger Halbheer — Wed, 08 Jun 2011 07:51:01 +0000

Quite a while ago, I blogged about the File Classification Infrastructure in Windows Server 2008 R2:

In my opinion, this is an interesting tool, built in to your server platform.

Now, we just published a paper about how we use this File Classification infrastructure to protect PII. This is an interesting read: Microsoft IT Uses File Classification Infrastructure to Help Secure Personally Identifiable Information

Here is the summary:

In today’s high-tech world, collecting and storing data are business-critical processes that form an integral component of daily operations. However, the ever-increasing dependency on and use of electronic data also make data management more challenging—especially in light of government regulations for the appropriate use and storage of personally identifiable information (PII) and financial information. Improper storage of PII can also be a significant financial concern, as the cost of storage-related security breaches can be hundreds of dollars per record.

Microsoft Information Technology (IT) had been using an internally built solution to help secure personally identifiable information (PII), financial information, and other types of sensitive data by classifying internal file shares and Microsoft® SharePoint® sites. However, this solution was limited to defining information sensitivity at a file-share level. It also required each user to specify the sensitivity level of his or her file shares manually, which frequently led to mislabeled information.

This custom, internally developed solution also had a high total cost of ownership, requiring a significant amount of development and maintenance resources to fix identified issues and keep the system up to date, as each upgrade to the storage operating systems required upgrading the code.

Microsoft IT needed a solution that would bring consistency to the file classification process across all teams, and be able to scan content automatically at the file level for key words, terms, and patterns. It then had to apply the correct rights management protection based upon predefined security policies. Cost of ownership and performance were also important drivers for developing a new solution. Microsoft IT needed a system built from off-the-shelf, standardized Microsoft technology, that could scale across terabytes of data. With such a large amount of information, the solution had to be efficient at scanning files while maintaining a high degree of accuracy when identifying sensitive PII.

Roger

A Security Comparison: Microsoft Office vs. Oracle Openoffice

Roger Halbheer — Tue, 19 Apr 2011 09:40:25 +0000

Actually, there is not much to say about this. It is a blog post by CanegieMellon called A Security Comparison: Microsoft Office vs. Oracle Openoffice and just does what it says. However, I do not particularly like the security comparison of products built solely on vulnerabilities as this shows only one side of the equation – an important one but only one.

For all the ones still claiming that Open Source software creates less vulnerabilities, here you find the some stats on Office:

Interesting, hmm….

Roger

Windows 7 and Windows Server 2008 R2 CC EAL4+ Certified

Roger Halbheer — Fri, 01 Apr 2011 19:12:08 +0000

On March 24th, we got the certificate for the Common Criteria certification for Windows 7 and Windows Server 2008 on EAL 4+.

Here are the certified products: http://www.commoncriteriaportal.org/products/ and here you find the certificate.

A great job by the team – congratulations!

Roger

Ethisphere Institute: Microsoft amongst the world’s most ethical companies

Roger Halbheer — Wed, 23 Mar 2011 08:13:01 +0000

Forbes posted: The World’s Most Ethical Companies. I quote:

The Ethisphere Institute, a New York City think tank, has just announced its fifth annual list of the World’s Most Ethical Companies. The selection, open to every company in every industry around the globe, gives its winners an opportunity to trumpet their do-gooding ways. It is not a ranking, so they are all equally winners.

Nearly 3,000 companies were nominated–or nominated themselves–to be considered this year. The record-high number of nominations and applications demonstrates companies’ desire to be acknowledged for high ethical standards. The 2011 list, which includes 110 organizations, is the largest since the award’s inception in 2007.

and

The 110 companies that made the final cut this year include first-time recipients Adidas ( ADDDY.PK – news - people ), eBay ( EBAY – news - people ), Microsoft ( MSFT – news - people ), Colgate-Palmolive ( CL – news - people ) and 30 other newcomers. Thirty-one companies from last year disappeared, generally because of litigation or ethics violations, as well as increased competition from within their industries. Twenty-six companies have been recognized as a WME company for all five years, and 50 more have made the list at least twice.

In my opinion, something we can be very proud of!

Roger

Fighting a Botnet

Roger Halbheer — Thu, 17 Feb 2011 19:42:49 +0000

Microsoft Malware Protection Center published a document on Battling the Zbot Threat, a special edition of the Security Intelligence Report. It is a very good document, worth looking at.

This is the intro (to make you curious for more):

This document provides an overview of the Win32/Zbot family of password-stealing trojans. The document examines the background of Win32/Zbot, its functionality, how it works, and provides telemetry data and analysis from calendar year 2010 about how this threat is detected and removed by Microsoft antimalware products and services.

Roger