Microsoft Responds to Black Screen of Death Claims

It was widely reported that a UK company was claiming that one of last week’s security updates by Microsoft was causing a “black screen of death” where Explorer would show nothing when you logged in.  Microsoft responded overnight:

“While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key.

We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports.

We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it”.

There you have it.  Prevx didn’t do the responsible thing, i.e. contact Microsoft directly, and instead decided to generate some publicity for themselves.  Their claims have been refuted so this leads me to wonder: are these developers more of the same who don’t comply with documented standards and just write rubbish code and to hell with their customers?  I don’t know them, never dealt with them and certainly never heard of them before yesterday.  You decide 🙂
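The registry value named in Microsoft’s statement is worth checking directly on any machine that shows the symptom. The following PowerShell is an added example, not code from Microsoft, Prevx or this post: it reads the Winlogon Shell value (the per-user value in HKCU overrides the machine one, so both hives are checked) and dumps the ACL on the machine key so a black desktop at logon can be traced either to a replaced shell or to a real permissions change. It assumes an elevated session on the affected machine.

```powershell
# Added example (not code from Microsoft, Prevx or the original post): inspect the
# Winlogon Shell value and the ACL on its key on a machine showing the black screen.
# Assumes an elevated PowerShell session on the affected machine.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Shell should be explorer.exe. A per-user value under HKCU overrides the machine
#    value, so check both hives for the logged-on user.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key   = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($hive -eq 'HKCU:' -and -not $shell) { continue }   # HKCU normally has no Shell value
    if ($shell -ne 'explorer.exe') {
        Write-Warning "$hive Shell = '$shell' (expected 'explorer.exe'); a replaced or missing shell gives a black desktop at logon."
    } else {
        Write-Host "$hive Shell = explorer.exe (normal)"
    }
}

# 2. Show the permissions on the machine key. The reports described a change to these.
$acl = Get-Acl -Path $winlogon
$acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Flag explicit (non-inherited) allow entries that grant SetValue to anyone other
#    than the principals that normally own this key.
$trusted  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
$acl.Access |
    Where-Object { -not $_.IsInherited -and
                   $_.AccessControlType -eq 'Allow' -and
                   ($_.RegistryRights -band $setValue) -and
                   $trusted -notcontains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Unexpected write permission for $($_.IdentityReference) on the Winlogon key" }
```

If the Shell value is intact and the ACL only shows inherited entries for SYSTEM, Administrators, TrustedInstaller and read access for Users, the update is not what changed this key, and the cause of the black screen lies elsewhere.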


Black Screen of Death

I’ve read a few reports on this today.  It’s being claimed by Prevx that one of Microsoft’s recent security updates causes issues on machines.  The machine boots up OK, but you get nothing but a black screen when you log in.  They have posted a “fix” (it’s not something MS has authorised).  Note that this is an issue that can be caused by a lot of things.  I’ve personally seen it a few times over the years.

Microsoft are reported to be investigating.


Infected USB Sticks Rampant In Ireland

There’s a story on TechCentral that reports that Ireland is still awash in infected USB sticks, e.g. by Conficker.  There was a reporter/photographer on site when we were doing the Belfast launch events for Exchange 2010, Windows 7 and Windows Server 2008 R2.  Dave Northey of Microsoft Ireland asked if he could get some of the photos.  The photographer handed over a USB stick and Dave joked about “hoping there aren’t any viruses on there”.

Dave plugged in the stick and that’s when Microsoft Security Essentials popped up an alert.  The free antivirus package for homes and SOHOs found Conficker, which was then automatically cleaned up.  Yep, those infected sticks are still running wild!

Microsoft Security Essentials RTW

Microsoft released MSE last Tuesday.  I had it downloaded and installed within minutes.  As I reported before, it’s a free and very light anti-malware product that doesn’t wreck your PC by trying to be all things to all people.  You’ve got Windows Firewall for Internet security (built in and reliable) and MSE for anti-malware.

MSE is licensed for free for home and for small home businesses.  It uses the same definition files as the Forefront range, MS’s corporate anti-malware solution.

A number of countries were added to the original beta countries.  Ireland was one of them.  I know that there were issues regarding the country identification last week, e.g. I had access to the download from a Cork hotel on Tuesday but not from home on Friday.  It appears to be fixed now.

WSUS 3.0 SP2 Documentation

Microsoft released some documentation following the RTW of WSUS 3.0 SP2:

  • Release Notes WSUS 3.0 SP2: These release notes describe the Windows® Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) release, including system requirements, upgrade requirements, and known issues.
  • Deployment Guide WSUS 3.0 SP2: This guide describes how to deploy Microsoft Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2), including server and client workstation setup.
  • Features and Fixes WSUS 3.0 SP2: This document highlights the feature improvements and important software updates provided in the Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) release.
  • Operations Guide WSUS 3.0 SP2: This guide describes the major tasks involved in administering and troubleshooting Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2).
  • Step By Step Guide WSUS 3.0 SP2: This guide provides instructions for getting started with Microsoft Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2).

WSUS 3.0 SP2 Available

Windows Server Update Services is Microsoft’s free patching solution for Microsoft networks.  It patches the OS and applications.  If you’re not patching then please check this product out … NOW.  The new release adds support for Windows Server 2008 R2, Windows 7 and features of the new OSes, e.g. BranchCache.  That would allow for a central WSUS server with clients directly accessing it over the branch office network.  The first client in the branch office would cache the updates and its neighbours would access the downloads from the cache rather than needlessly hitting the WAN.

BranchCache is a feature of Windows Server 2008 R2 and Windows 7 Enterprise (Software Assurance)/Ultimate only.  Odds are most of us will continue to run branch office WSUS servers.

“Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) delivers updates to corporate environments from Microsoft Update. This release adds new features and fixes issues found since the release of the product.

WSUS 3.0 SP2 delivers important customer-requested management, stability, and performance improvements. Some of the features and improvements include the following:

  • Integration with Windows Server 2008 R2.
  • Support for the BranchCache feature in Windows Server 2008 R2.
  • Support for Windows 7 and Windows Server 2008 R2 clients.
  • Compliance Report
  • Windows Update Agent (WUA) offers a collection of performance enhancements, user experience improvements, and bug fixes software updates.

WSUS 3.0 SP2 can be installed alone, or as an upgrade of WSUS 3.0 SP1.
This package installs both the WSUS 3.0 SP2 Server, WSUS 3.0 SP2 Administration Console components and WUA client for down-level operating system. You must install the server components on a computer that is running on Windows Server 2003 SP2 or later versions. You may install the Administration Console on a remote computer that is running one of the supported operating systems, see below the Supported Operating Systems section.

WSUS 3.0 SP2 Server Installation on Windows Small Business Server 2003
If you are installing the WSUS 3.0 SP2 product on Windows Small Business Server 2003, follow the instructions in
Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003.”
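Deploying the server is only half the job; the clients also have to be pointed at it by policy and actually checking in. The PowerShell below is an added example, not part of the original post or of WSUS itself: it reads the Windows Update client policy a domain workstation received through Group Policy and the agent’s own record of its last successful detection and install, so a machine that is silently unpatched can be spotted. It assumes the settings were delivered by Group Policy (so they live under HKLM\SOFTWARE\Policies) and that the script is run locally in an elevated session.

```powershell
# Added example (not part of the original post or of WSUS itself): confirm that a client
# is actually pointed at a WSUS server and has checked in recently. Assumes the settings
# were delivered by Group Policy, so they live under HKLM\SOFTWARE\Policies.
function Get-WsusClientConfig {
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

    # The Windows Update Agent records its last successful detect/download/install here.
    $results     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results'
    $lastDetect  = (Get-ItemProperty "$results\Detect"  -ErrorAction SilentlyContinue).LastSuccessTime
    $lastInstall = (Get-ItemProperty "$results\Install" -ErrorAction SilentlyContinue).LastSuccessTime

    # AUOptions: 2 = notify before download, 3 = auto download and notify to install,
    # 4 = auto download and schedule the install, 5 = let the local admin choose.
    [pscustomobject]@{
        WSUSServer      = $wu.WUServer
        StatusServer    = $wu.WUStatusServer
        TargetGroup     = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { '(none)' }
        UsesWSUS        = ($au.UseWUServer -eq 1 -and [bool]$wu.WUServer)
        AUOptions       = $au.AUOptions
        LastDetectTime  = $lastDetect
        LastInstallTime = $lastInstall
    }
}

$cfg = Get-WsusClientConfig
$cfg | Format-List
if (-not $cfg.UsesWSUS) {
    Write-Warning 'Client is not configured for WSUS; it will go to Microsoft Update, or nowhere if that is blocked.'
}
if ($cfg.LastDetectTime -and ([datetime]$cfg.LastDetectTime) -lt (Get-Date).AddDays(-7)) {
    Write-Warning "Last successful detection was $($cfg.LastDetectTime); the client has not checked in for over a week."
}
```

A client only talks to WSUS when both a server URL and UseWUServer = 1 are present; one without the other means the machine quietly falls back to Microsoft Update, or patches nothing at all if outbound access is blocked.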

Doing Compliance The Wrong Way

ENN reported yesterday that “The Irish Times reports that Wicklow County Council has started to examine its 300 computers for references to the Whitestown illegal landfill, in order to comply with a request from the High Court”.

300 computers?  Does Wicklow County Council have that many file servers?  Nah, I’m just joking.  These guys obviously have no understanding of how to maintain control over the desktop/laptop network, so they’ve got a mess.  It could take them months to find related data; heck, they might never live up to their obligations.

Here’s how they should have approached this:

  1. Desktops and laptops should be locked down with no local admin access for users.  Dodgy apps should be “shimmed”.
  2. Group policy should be employed to prevent access to the local drive on the laptop/PC.
  3. Use policy (either Group Policy or 3rd party) to disable use of removable media.  You don’t want people trying to bypass compliance systems by using USB drives to store dodgy information.
  4. Forget roaming profiles.  Use Windows Server 2008 folder redirection to redirect all the possible storage locations you would need on a PC, e.g. My Documents, Application Data, etc, to the user’s home directory on a file server.
  5. Configure offline access for the user’s home directory.  That means My Documents, etc., will be available to users when the file server isn’t, e.g. roaming laptop users.
  6. Set up a file server data retention system.  There’s lots of choices here.  If you’ve got a golden budget then something like a SAN-based solution will work.  Normal backups don’t work – backing up a file once a day isn’t retention.  There’s a 24 hour window where data can exist and be deleted.  Maybe look at MS DPM, e.g. DPM-2-DPM-4-DR with a long retention period.  Or have a look at Iron Mountain LiveVault for incremental block level backups every 15 minutes.  With LiveVault there’s an almost certain chance you’ll back up anything that ever gets near the file server, and you can set up a retention period for your compliance requirements, e.g. 7 or 10 years.
  7. You’ll need to set up a compliance solution for your mail server too.  Like with file servers, a daily backup is not a retention system for compliance.  Mails easily come and go in a 24 hour window.  Again, there are nice solutions from the likes of CommVault.  And there’s the DPM-2-DPM-4-DR and Iron Mountain LiveVault.

What’s the result?  If the High Court demands you search for files then it’s a lot easier.  You only have one or two places to search.  All you’ve got to do is search those locations.  Forget about searching PCs because your users don’t have the rights to write there.
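Steps 1 to 5 all leave footprints in the registry that policy writes, so whether a given workstation actually matches the design can be checked rather than assumed. The script below is an added example and not something from the original post: it audits one machine for local admin membership, the drive-hiding and removable-storage policies, redirection of My Documents and Application Data to a UNC path, and Offline Files being enforced. It assumes PowerShell 5.1 (for Get-LocalGroupMember), run elevated as the logged-on user so both the HKLM policy keys and that user’s HKCU folder settings are readable; older hosts can substitute `net localgroup Administrators` for the first check.

```powershell
# Added example, not from the original post: audit one workstation against steps 1 to 5.
# Assumes PowerShell 5.1 (for Get-LocalGroupMember) run elevated as the logged-on user, so
# both the HKLM policy keys and that user's HKCU folder settings are readable.
function Test-DesktopLockdown {
    $findings = @()

    # Step 1: nobody in local Administrators beyond the built-in account and Domain Admins.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $extra  = @($admins | Where-Object { $_ -notmatch '\\(Administrator|Domain Admins)$' })
    if ($extra.Count) { $findings += "Extra local admins: $($extra -join ', ')" }

    # Step 2: "Prevent access to drives from My Computer" writes NoViewOnDrive, a bitmask
    # with one bit per drive letter (A=1, B=2, C=4 ...).
    $explorer = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    if (-not ($explorer.NoViewOnDrive -band 4)) { $findings += 'Drive C: is still browsable from Explorer' }

    # Step 3: removable storage denied by policy (Deny_All under RemovableStorageDevices).
    $rsd = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue
    if ($rsd.Deny_All -ne 1) { $findings += 'Removable storage is not blocked by policy' }

    # Step 4: My Documents ("Personal") and Application Data ("AppData") must point at a
    # UNC path, i.e. the user's home directory on a file server, not the local disk.
    $folders = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    foreach ($name in 'Personal', 'AppData') {
        $target = [Environment]::ExpandEnvironmentVariables([string]$folders.$name)
        if ($target -notmatch '^\\\\') { $findings += "$name is on the local disk: $target" }
    }

    # Step 5: Offline Files forced on by policy so the redirected folders work off the LAN.
    $netCache = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache' -ErrorAction SilentlyContinue
    if ($netCache.Enabled -ne 1) { $findings += 'Offline Files is not enforced by policy' }

    if ($findings.Count) { $findings } else { 'Workstation matches the lockdown baseline' }
}

Test-DesktopLockdown
```

Run it against a sample of PCs before a discovery request ever arrives; every finding it prints is a place where data could still be sitting on a local disk that the file server retention system never saw.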



Microsoft Security Essentials

Finally, someone gets it.  Antivirus should be small, simple and not try to be all things to all people.  It’s when this software gets bloated that it becomes a hindrance.  I’ve installed Microsoft Security Essentials (test version) on my Windows 7 RC laptop.  It’s small and light; I barely know it’s there.  It’s aimed at the home market but SOHOs are just as likely to use it.  It’s very simple and small, accomplishing what Forefront Client Security tried to do … until it bundled/required MOM 2005 so the management server became huge.

Combined with Windows Firewall (firewall, obviously) and Windows Defender (spyware) you have a nice free solution for Internet security without having to buy dodgy yellow-pack software (you know who I mean) on a subscription basis.

The beta is currently restricted to United States, Israel (English only), People’s Republic of China (Simplified Chinese only) and Brazil (Brazilian Portuguese only).  19 markets are to be added to the beta in the coming months.  There is a leaked copy out there but I’m not recommending anyone use it.


A nice simple summary that anyone can understand.  You get the usual context menus in Explorer so you can also kick off a manual scan.


I can quickly trigger manual updates.  Automatic updates will be via Windows Updates, i.e. silent.  I’ve read that updates could be as often as 3 times a day.  Updates to the program will also be via Windows Update; maybe once a month.


Here I can see things that have been detected.


Here’s an alert I got when I downloaded Eicar, the test virus.


And here’s the result of a clean task.


My history was updated.  This is what it deleted: file:C:\Users\AFinn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1E60T29B\eicar[1].com.  The file I was downloading never made it to the desktop where I was saving it to.


My laptop will do a scan in the morning while I’m having breakfast 🙂


These are the actions when a threat is found.


Real-time protection is set up nicely by default.


You can exclude specific paths from the scan.


I’ve excluded VM disk file extensions from the scan to improve the VMs’ performance.


You can exclude certain processes, e.g. if you were running an MSDE.


Here are the advanced settings.  I’ve added the option to scan removable drives: I use USB drives quite a bit for photo storage and project work.  I’ve seen some people commenting that an infection clean is slow.  Yes, because it is preceded by a snapshot.  This gives us a rollback in case of a false positive.  For example, remember when a certain yellow-pack AV started removing Excel spreadsheets late one Friday night a few years ago?  Imagine if it had taken a snapshot first … people wouldn’t have lost files.  They could have restored them quite simply.


Finally this is how you feed back security information for MS to analyse.

All in all, this is a very simple product.  Notice that there aren’t dozens of menu items with settings hidden all over the place?  Notice it doesn’t try to be my Net Nanny?  Notice that some 3rd party firewall hasn’t broken my home network?  Sweet.

Data Loss Reported By Irish Times

A recurring subject on my blog since I started this up back in 2006 has been control of data and usage auditing.  The Irish Times is reporting that companies are losing control of data by allowing employees to download the data to domestic PCs.  Their PCs are either stolen or sold with the data on them.  Even if they delete the data, it’s still recoverable without using a wipe tool like DBAN.  Just like disk encryption, it seems like businesses don’t want to take this one seriously.  I’ve talked about it over and over and over.

Have a read of those posts if you want to learn about how to protect your data no matter where it is.  Some quick tips:

  • Learn how to properly secure data on your file shares: Then only authorised users can access the files.
  • Use Rights Management Services to protect data no matter where it is: Bringing data to a home PC is useless.  Forwarding emails can be prevented.  Printing can be prevented.
  • Audit data access, e.g. on the file shares and using OpsMgr 2007 R2 Audit Collection Services: Know who has done what for investigations.
  • Use Network Access Protection to restrict access to company resources: That domestic PC won’t be able to connect to your network without the proper security configuration.
  • Use forced (by policy) removable storage encryption to protect mobile data: Mobile data is secure even if the removable storage is lost or stolen.
  • Use forced (by policy) laptop encryption to protect company laptops: The data on the laptop is secure even if it is lost or stolen.
  • Use something like DBAN to wipe computers when you finish with them or they move between departments: Deleted/formatted data is recoverable so a secure wipe is required to overwrite it with garbage.
  • Put policies in place:  Breaking company policies is a punishable offence no matter who does it.
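The two “forced (by policy)” encryption tips are the ones most often configured once and never verified. The PowerShell below is an added example, not part of the original post: it reads the BitLocker policy that denies write access to unencrypted removable drives and lists every volume’s protection state, tagged as OS, fixed or removable, so an unencrypted laptop disk or an unenforced USB policy stands out. It assumes Windows 8 / Server 2012 or later for the BitLocker module and an elevated session.

```powershell
# Added example (not part of the original post): check the two "forced encryption" tips
# on one machine. Assumes Windows 8 / Server 2012 or later for the BitLocker module and
# an elevated session.
function Get-EncryptionCompliance {
    # BitLocker GPO "Deny write access to removable drives not protected by BitLocker"
    # lands in HKLM\SOFTWARE\Policies\Microsoft\FVE as RDVDenyWriteAccess = 1.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $removableWriteDenied = ($fve.RDVDenyWriteAccess -eq 1)

    # Per-volume protection state, tagged with whether the drive is the OS, fixed or removable.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        $letter    = $_.MountPoint.TrimEnd(':')
        $driveType = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType
        [pscustomobject]@{
            Drive      = $_.MountPoint
            Type       = if ($_.VolumeType -eq 'OperatingSystem') { 'OS' } else { [string]$driveType }
            Protection = $_.ProtectionStatus
            Encrypted  = $_.EncryptionPercentage
        }
    }
    $unprotected = $volumes |
        Where-Object { @('OS', 'Fixed') -contains $_.Type -and $_.Protection -ne 'On' } |
        Select-Object -ExpandProperty Drive

    [pscustomobject]@{
        RemovableWriteDeniedUnlessEncrypted = $removableWriteDenied
        UnprotectedFixedDrives              = @($unprotected)
        Volumes                             = $volumes
    }
}

$r = Get-EncryptionCompliance
$r.Volumes | Format-Table -AutoSize
if (-not $r.RemovableWriteDeniedUnlessEncrypted) {
    Write-Warning 'Removable drives can be written without BitLocker To Go; data on a lost stick is in the clear.'
}
if ($r.UnprotectedFixedDrives.Count) {
    Write-Warning "BitLocker is off on: $($r.UnprotectedFixedDrives -join ', ')"
}
```

A removable drive showing Protection = Off is not itself a finding (the user may simply not have encrypted a stick), but the policy flag being missing is: without it nothing stops company data being copied onto that stick in the clear.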

Windows 2000 Extended Support Ends July 2010

If you are still running Windows Server or Workstation 2000 then put July 13th, 2010 in your calendar.  That is the last day that Microsoft will be doing security fixes for that operating system.  Not a big deal you think?  Go do some searching to see how many NT4 users wet their pants over the lack of security fixes for various things like Conficker recently.  It’s not MS’s fault: every software company draws the line over support after a certain amount of time.  Anyway, 10 years is a long time to support something.

Other important ones include end of life for ConfigMgr 2007 RTM (pre service pack) on July 14th 2009 and SQL 2005 SP2 on January 12th, 2010.