Serving multiple SSL domains on one EC2 instance

One of the annoying things about Amazon EC2 (and a highly requested feature) is attaching multiple Elastic IPs to one instance: it can't be done (at the moment).
You need these IPs if you want to host more than one SSL site on your server (if you are not using a wildcard or a multi-domain certificate).

This article from James Elwood has a workaround for it. It makes use of the Elastic Load Balancer.

A little bit of background on why you can't use one IP address for multiple SSL sites:

The HTTPS protocol encrypts the HTTP request, including the Host header which identifies the domain being requested. The server needs the correct SSL certificate (and its private key) to decrypt the request, but with more than one SSL site on one IP address it cannot tell which certificate to use, because the Host header that would identify the site is itself inside the encrypted request. That is why you need a dedicated IP per SSL site: the server can look at the IP address the request was sent to and match it with the SSL site listening on that address.

Enhancements and certifications announced that raise security and privacy for BPOS

At the 8th annual Microsoft US Public Sector CIO Summit, Microsoft announced some important enhancements and certifications that raise the security and privacy of BPOS. Below is a summary of the changes announced:

  • BPOS meets a wide variety of industry standards and certifications, including International Organization for Standardization (ISO) 27001, Statement on Auditing Standards (SAS) 70 Type I and Type II, Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Title 21 CFR Part 11 of the Code of Federal Regulations, Federal Information Processing Standard (FIPS) 140-2, and Trusted Internet Connections (TIC) compliance. Today, more than 500 state and local governments use Microsoft Online Services in the United States, including 48 of 50 states. These range from the largest entities with tens of thousands of seats to the smallest of municipalities.
  • BPOS Federal is launching today for U.S. federal government agencies, related government contractors and others that require the highest levels of security features and protocols. The new offering includes all the certifications and security features of the Business Productivity Online Suite and more. The service is housed on separate, dedicated infrastructure in secured facilities. Physical access to those systems is limited by biometric access controls to a small number of individuals who, in compliance with International Traffic in Arms Regulations (ITAR), must be citizens of the United States who have undergone rigorous background checks, including fingerprinting.
    The above was announced by Ron Markezich, corporate vice president of Microsoft Online. More information and a video can be found here.


Integrated Windows Authentication in IE6 and IE7

In IE you can set the checkbox “Enable Integrated Windows Authentication” (Internet Options, Advanced tab, below the heading Security).

note: IE8 screenshot

Internet Explorer versions 6 and 7 will use Integrated Windows Authentication whether you have the checkbox enabled or disabled. The big difference lies in the type of authentication used: Kerberos or NTLM. If the option is checked, IE will first try Kerberos and then fall back to NTLM; if the option is unchecked, it will just use NTLM. So Microsoft labeled the option wrongly; it should rather say “Enable Negotiate Authentication” or something similar. Checking or unchecking this option just sets the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate” to 1 or 0.

Forefront Product Roadmap

As you can see from the roadmap below, before the end of 2009 we will have Forefront Threat Management Gateway (TMG) and Forefront Unified Access Gateway (UAG).

forefront-roadmap

Forefront Threat Management Gateway
TMG is a secure web gateway that enables safe employee web use through comprehensive protection against malware, malicious web sites and vulnerabilities. Building on its predecessor, ISA Server 2006, TMG provides new URL filtering, anti-malware, and intrusion-prevention technologies to protect businesses against the latest web-based threats. These technologies are integrated with core network protection features such as firewall and VPN to create a unified, easy-to-manage gateway.

Forefront Unified Access Gateway 2010
Building on its predecessor, Intelligent Application Gateway, UAG enables remote access via managed and unmanaged PCs and mobile devices. Integrating a deep understanding of applications, the health state of end-user devices, and the user’s identity, UAG enforces granular access controls, ensures security, and reduces management costs and complexity.

Thanks to the Forefront Team Blog and Mary-Jo Foley’s blog.

Cloud Computing interview with Whitfield Diffie

Whitfield Diffie is a cryptographer and one of the pioneers of public key cryptography. In 1976 he introduced a new method of distributing cryptographic keys, solving one of the fundamental problems of cryptography: key distribution. This method became known as the Diffie-Hellman key exchange (D-H; you might have heard of it).

Technology Review had an interview with him about the security of cloud computing; you can read the full interview here. He has some nice insights on cloud computing, especially this one:

The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.

This one is also nice:

A serious potential danger will be any laws intended to guarantee the ability of law enforcement to monitor computations that they suspect of supporting criminal activity. Back doors of this sort complicate security arrangements with two devastating consequences. Complexity is the enemy of security. Once Trojan horses are constructed, one can never be sure by whom they will be used.

Installing MS Forefront Security for Exchange Server

image

    Microsoft Forefront Security for Exchange Server integrates multiple scan engines from industry-leading security firms into a comprehensive, layered solution, helping businesses protect their Microsoft Exchange Server messaging environments from viruses, worms, spam, and inappropriate content.

  • Start forefrontexchangesetup.exe.
  • Accept the License Agreement and click [Next].

    image

  • You will be warned that the “Microsoft Exchange Transport” service will be restarted; if this isn’t possible, abort the setup. Otherwise just click [Next].

    image

  • The next screen prompts you for the installation locations. Change them if you want to, then click [Next].

    image

  • If you use a proxy server, fill in the details, then click [Next].

    image

  • Enable the antispam feature (if needed), then click [Next].

    image

  • The next screen is about joining the CEIP (Customer Experience Improvement Program); if you want to be part of it, check the checkbox. Click [Next].

    image

  • Verify your information, and then click [Next] to begin the installation.

    image

  • After the installation, click [Finish].

    image

  • Your start menu should now contain the “Forefront Protection for Exchange Server Console”. Fire it up.

    image

  • Activate your license, or continue with the evaluation (only valid for 119 days).

    image

  • If you have an Activation Key, you will be prompted to supply your License Agreement Number. Click on the link provided in the dialog screen.

    image

Browsing a local hosted site with IE8

When you browse a locally hosted site (IIS) with Internet Explorer 8, you run into an annoying loopback check: IE pops up a security dialog in which you have to fill in your username and password.
Whatever combination you fill in, you eventually get a 401.1 error.

You can resolve it by editing the registry.

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    3. Right-click Lsa, point to New, and then click DWORD Value.
    4. Type DisableLoopbackCheck, and then press ENTER.
    5. Right-click DisableLoopbackCheck, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Quit Registry Editor, and then restart your computer.

The Machine SID Duplication Myth

A great article by Mark Russinovich (the creator of the NewSID tool) about the myth around duplicate Security Identifiers. The NewSID tool is frequently used by system administrators to change a computer’s SID for cloning purposes; after reading this article you will have a better understanding of SIDs and of why the tool has been retired.

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

Forefront Client Security and Windows 7

I just installed a new virtual machine with Windows 7 Enterprise. As I wanted to have some good protection from viruses and malware, I decided to go for Forefront Client Security.

I copied the installation files for FCS to a local temp folder and executed the command CLIENTSETUP.EXE /NOMOM (the /NOMOM switch installs FCS without the MOM agent). Keep in mind that if you are using an x64 system, you must execute the clientsetup.exe inside the x64 folder.
This installation failed because of UAC.
I changed my UAC settings to low by launching “Change UAC Settings”, under the Tools tab in MSConfig.

Change UAC Settings

Again I tried to execute CLIENTSETUP.EXE /NOMOM.
This time FCS installed correctly.
After installation I pressed “Check for Updates Now” inside FCS, but it reported that there were no updates. Strange, because the definition files are from September 14th 2006.

FCS reporting "No new definition files"

I then found this web page: http://support.microsoft.com/kb/935934/. You can download the antimalware definition files manually and install them. This solved it for me.

FCS Status

Setup IIS mail relaying with authentication

Today we had an issue with one of our Amazon-hosted servers. This server was hosting a local SMTP server (IIS) and was sending out mail on behalf of a domain (let’s say the domain is abracadabra.com).

The mail was dropped into the IIS bad mail directory, because our server was prohibited from relaying mail by spamhaus.org.
As we were relaying for abracadabra.com, and our mail server was not known as a mail server for this domain, we were blocked.

We solved it by sending our mail through the mail server that is responsible for abracadabra.com, using SMTP authentication.

  • Open the [Properties] of your Default SMTP Server.
  • Click on the [Outbound Security] button.

    Outbound Security

    Fill in the user name and password you use for the remote SMTP server of the abracadabra.com domain and click [OK].

  • Then click the [Advanced] button and fill in your remote SMTP server in the “Smart host” field.

    Advanced Delivery

    Click [OK] twice.