Internet Explorer 9 is most secure in Social Engineering attacks

Microsoft Internet Explorer 9 security features block social engineering attacks far more than rival browsers Google Chrome, Mozilla Firefox or Apple Safari, according to NSS Labs Inc.

The Carlsbad, Calif.-based independent testing firm tested a group of popular browsers by exposing them to a set of malware URLs targeting European users. The firm said Internet Explorer 8 (IE8) achieved a blocking rate of 90%. Internet Explorer 9 (IE9), the latest iteration of Microsoft’s browser, earned a 100% blocking rate when its application filtering technology was enabled.

“Internet Explorer 9 was by far the best at protecting against socially engineered malware,” NSS Labs said in its Web browser security report. “The significance of Microsoft’s new application reputation technology cannot be overstated.”

The NSS Labs team said Microsoft’s blocking success is based on its Smartscreen URL Filter, which checks URLs against a master database. The SmartScreen Application Reputation service, which is embedded in IE9, adds to the URL filter to block unwanted downloads. It gives added context so the user can determine whether the source of the download can be trusted.

Google Chrome, Firefox 4 and Safari 5 garnered a 13% blocking rate when tested against the same malware URLs. The three browsers use an engine that checks sites against a list of reported phishing and malware sites provided by Google and Stopbadware.org. The Opera browser, which uses endpoint security vendor AVG to thwart social engineering attacks, came in last, earning a 5% blocking rate.

Neither Mozilla nor Google responded to a request for comment. The NSS Labs test exposed the browsers to a set of 650 known malicious URLs over the course of 19 days in April.  The URLs were known to target users in European Union countries. The testing firm invited the popular browser makers to participate at no cost. The company said it received no vendor funding to produce the report.

Socially engineered malware attacks are extremely common. A recent report from Cisco Systems Inc. found the number of spear phishing campaigns rising over mass email phishing attacks. Spear phishing attacks can target people with similar interests using a phony email message, prompting them to click on a URL to download a malicious file containing malware.  The cybercriminals can use information gathered from social networks and blogs to target individuals or a specific group of people within an organization. The goal is typically to obtain account credentials and other sensitive data and ultimately gain access to corporate information.

Browser protections
Browser makers have added protections to warn users of potentially dangerous sites. Most use a reputation-based system, which adds malicious sites to a black list or assigns a score for the browser user. NSS Labs said some vendors use feedback from user agents on their customers’ endpoints to report to reputation systems, while others crawl the Internet, proactively setting up black lists. Most browsers are set up to connect to Web-based reputation systems and check a URL against the list.

NSS Labs also tested the average response time to block malware, rating the browser for the time it took to add a blacklisted site to its block list. IE9 earned a perfect score using its Application Reputation engine. Chrome, Firefox and Safari, according to NSS Labs, took five to eight hours to add a known trouble site to its block list. Without the Application Reputation engine, IE8 and 9 took up to 16 hours to add a site to its block list.

Windows Server 2008 flaws fixed by June Microsoft patches released

Microsoft this month released some 34 security fixes spread across a range of its core products including Windows Server 2008, Windows Server 2008 R2, Office 2010 and Internet Explorer.

Nine of the vulnerabilities have the maximum severity rating of “critical” with seven rated as “important.”  Of the 16 bulletins released, two have to do with denial of service vulnerabilities, two for information disclosure flaws and two others for escalation of privilege.

Thirteen of the 16 bulletins address operating systems, with several of the updates affecting core installations. Among the most critical security fixes affecting Windows include ones to resolve:

• a vulnerability in Windows Object Linking and Embedding (OLE) automation that could allow remote code execution if users visit a web site containing Windows Metafile images;
• a vulnerability in .NET and Silverlight that could allow remote execution on a client system if users views a Web page using a browser that runs XAML browser applications;
• resolves a vulnerability that could allow remote code execution if a user visits a network share containing a OpenType font;
• a vulnerability in Microsoft’s Distributed File System that could allow remote code execution when attackers send a response to a client-initiated  DFS request.

One of the issues Microsoft is addressing with the June updates is “cookiejacking” which allows an attacker to steal cookies from a user’s computer and access websites where an end user had logged in. This issue is being addressed largely in the Internet Explorer (IE) bulletins.

Two of the bulletins classified as critical stitch up holes in Internet Explorer versions 6 through 9, according to Microsoft. One security update for IE resolves 11 reported vulnerabilities, according to the company, the most severe of which could allow a remote attacker to gain the same user rights as the local user.

Another update, for both Internet Explorer and Windows, patches a vulnerability in Microsoft’s Vector Markup Language The latter update is deemed critical for Internet Explorer versions 6, 7 and 8 on Windows clients. The company said version 9 is not affected.

 

Windows 7 Security Features explained

Windows 7 Parental Controls

Begin setting up Windows 7 Parental Controls by configuring one or more user accounts as standard user accounts (accounts that your children will use). You can then configure Parental Controls from an administrator account. Do so by typing in parental in Start Menu Search to locate and access Parental Controls application. Select the user to which you would like to add Parental Controls. This will prompt the User Controls dialog. Parental Controls can be applied only to standard users and not to an administrator-class account. Another limitation is that while technically it is possible to configure Parental Controls on a system in which one or more administrators do not have passwords, it is not recommended. Parental Controls rely on controlled accounts (your kids’ accounts) not having access to administrator accounts. If one or more administrator-class accounts do not have passwords, your kids will be able to bypass any controls you set up. So be sure that any administrator-class accounts on the PC have passwords.
Parental Controls are not enabled for any standard user accounts by default. You can enable Parental Controls by checking the option titled On, enforce current settings, and you can configure features such as time limits, games restrictions, and allow and block specific programs.

Time Limits

Time Restrictions Parental Controls provides a graphical grid that allows you to configure exactly when your kids can use the computer. Windows 7 users can use the PC on any day at any time by default, but by dragging your mouse around the grid, you can prevent your children from using the computer at specific hours, such as late at night or during school hours.

Games Parental Controls

The Game Restrictions Parental Controls specifies whether your children can play games on the PC and which games they can access. Standard account holders can play all games by default. You can modify that setting using the screen that appears when you click Set game ratings. You can accept game ratings using the rating system enabled on your PC. The most common and default system is the Entertainment Software Ratings Board’s (ESRB). You can additionally block games based on content, using a range of content types, including unrated online games, alcohol and tobacco reference, alcohol reference, animated blood, blood, blood and gore, cartoon violence, comic mischief, crude humor, drug and alcohol reference, drug and tobacco reference, drug reference, edutainment, fantasy violence, and about 200 others.
Finally, you can also block or allow specific games, especially many Windows games that do not digitally identify their rating. The nice thing about this UI is that Parental Controls sees which games are already installed on the system and enables you to supply a Caesar-style yea or nay.

Allow and Block Specific Programs

This final setting lets you manually specify applications that you do or do not want your child to use. Standard users can access all of the applications installed on the system by default. Browse to find an application if you do not see it.

Simplest way to secure Windows 7

Out of the box, Windows 7 includes antispyware functionality in the form of Windows Defender, a two-way firewall in Windows Firewall; a hardened Web browser (Internet
Explorer 8); and automatic updating features that keep the system up-to-date, every day, with the latest security patches. Also included are changes to the User Account Control (UAC) feature, covered in the next chapter, making it less annoying and less likely to be turned off, thus reducing your exposure to malware. It would seem that Windows 7 comes with everything you need to be secure.Sadly, that’s not quite the case. First, Microsoft makes it too easy for users to opt out of one of the most important security features available in the system. In addition, one glaring security feature is missing from Windows 7. You’ll want to make sure you correct both of these issues before using Windows 7 online. Fortunately, doing so takes just two steps:

1. Enable automatic updating:

If you set up Windows 7 yourself, one of the final Setup steps is configuration of Automatic Updates, the Windows Update fea-ture that helps to ensure your system is always up-to-date. However, Automatic Updates can’t do its thing if you disable it, so make sure at the very least that you’ve cond this feature to install updates automatically. (Optionally, you can enable the installation of recommended updates as well, but these are rarely security oriented.) We can’t stress this enough: this feature needs to be enabled. If you’re not sure how it is cond, run Windows Update (Start Menu Search and then type windows update) and click Change Settings in the left side of the window. Make sure the option under important updates Install updates automati-cally (recommended) is selected.

2. Install an ant ivirus solution:

Many new PCs are preinstal led with security suites from companies such as McAfee and Symantec. While these suites are better than nothing, they’re also a bit bloated and perform poorly in our own tests. We prefer standalone antivirus solutions for this reason. There are many excellent options, including Symantec Antivirus, which in our own tests has proven to do an excellent job with minimal system impact. AVG free antivirus is another options for who are on budget. Security in Windows 7 starts with this simple rule: leave all the security settings on, at their defaults, and install an antivirus solution. That said, a full understanding of what’s available in Windows 7 from a security standpoint is, of course, beneficial. That’s what this chapter is all about.

 

Windows 7 Action Center explained

indows 7 Action Center is a new version of Vista Security Center. Action Center can be found at Control Panel >System and Security > Action Center. Action Center provides solutions to your PC problems.

Network firewall – This setting alerts you when windows firewall is off
Windows Update – Ensures window updates are on.
Virus Protection – Ensures system has AntiVirus installed
Spyware and unwanted software protection – Ensures Windows Defender is running.
Internet security settings – Ensures IE security settings are at their recommended levels.
User Account Control – Ensures UAC is on.
Network Access Protection – Ensures Network Access Control client is running.

Built-in Windows 7 Security features

 

Windows Defender

Over the years, hackers have come up with new and inventive ways to attack PCs. Recently, spyware, one of the most pervasive and difficult forms of malware yet invented, has become a serious issue. For this reason, Windows 7 includes an integrated antispyware and anti-malware package cal led Windows Defender. Unl ike some security products, you won’t typically see Windows Defender, as it’s designed to work in the background, keep-ing your system safe; but if you’d like to manually scan your system for malware or update your spyware definitions, you can do so by loading the Windows Defender application, available through the Start menu.Windows Defender does occasionally show up as an icon in the taskbar notification area. This generally happens when the tool has been unable to download new defini-tions, the files it uses to ensure that its antispyware database is up-to-date. In such a case, you can click the Windows Defender icon and trigger a manual download of the latest updates.

Windows Firewall

When Microsoft first shipped Windows XP in 2001, it included a feature called Internet Connection Firewall (ICF) that could have potentially thwarted many of the electronic attacks that ultimately crippled that system over the ensuing several years. There was just one problem: ICF was disabled by default and enabling and configuring it correctly required a master’s degree in rocket science (or at least in computer security). Microsoft wised up and shipped an improved ICF version, renamed as Windows Firewall, with Windows XP SP2. Best of all, it was enabled by default. Sure, it broke many applications at first, but now, years later, virtually all Windows applications know how to live in a firewall-based world.In Windows Vista, we were given an even better version of Windows Firewall. Unlike the XP SP2 version, the version in Windows Vista enabled monitoring both outbound and inbound network traffic. While Windows 7 doesn’t bring many Windows Firewall addi-tions, it does feature a much more informative interface, Windows Firewall is initially cond to block any unknown or untrusted connections to the PC that originate over the network. You can enable exceptions to this behavior via the Allowed Programs list, which you can access by clicking the link Allow a program or feature through Windows Firewall. Typically you just leave the settings as is, of course. Depending on the network type (Home, Work, or Publ ic) chosen when Windows 7 connects to a network, some programs and features are automatically cond to communicate through the firewall,

Windows Update

With Windows 98 over a decade ago, Microsoft introduced a Web-based service called Windows Update that provided software updates to Windows users. That service has since been superseded by Microsoft Update, which also provides updates to many other Microsoft software products. In Windows Vista, Windows Update was moved into the oper-ating system and made a client application, eliminating the number of Web browser hoops you had to jump through to keep your operating system up-to-date. Windows 7 continues to carry the Windows Update torch, making a few subtle changes for the good., Windows Update remains a client application that you can access from the Start menu. From here, you can check for and install new updates, hide updates you don’t want to be alerted about anymore, and view the history of updates you’ve already installed. You can also click a link to enable Microsoft Update functionality, enabling Windows Update to download and install updates for other Microsoft applications, such as Microsoft Office and various Windows Live products.

Windows 7 User Account Control (UAC)

No Windows feature has proven as controversial and misunderstood as User Account Control, or UAC. When it debuted in Windows Vista, tech pundits screamed far and wide about this reviled feature, spreading mistruths and misunderstandings and generally raising a lot of ruckus about nothing. If these pundits had just calmed down long enough to actually use User Account Control for longer than a single afternoon, they’d have dis-covered something very simple: it’s not really that annoying, and it does in fact increase the security of the system. Indeed, we would argue that User Account Control is one of the few features that really differentiate modern Windows versions from the increasingly crusty XP, because there’s no way to add this kind of functionality to XP, even through third-party add-on software. User Account Control is effective, and as ongoing security assessments have proven, it really does work.Great, but what is it exactly? In order to make the operating system more secure, Microsoft has architected Windows so that all of the tasks you can perform in the system are divided into two groups, those that require administrative privileges and those that don’t. Thisrequired a lot of thought and a lot of engineering work, naturally, because the com-pany had to weigh the ramifications of each potential action and then code the system accordingly.
The first iteration of UAC was implemented in Windows Vista with what Microsoft thought to be a decent technical compromise. In response to overwhelming user feedback sur-rounding the frequency of prompts, however, Microsoft modified UAC in Windows 7 to make it “less noisy” (that is, less annoying) by default. They did this by implementing a pair of “Notify me only when. . .” options, letting users perform common configuration tasks, prompting only when something out of the ordinary is done (for example, changing important configuration settings). The result is that UAC in Windows 7 is more configu-rable and less irritating than it was in Vista. But it’s even more controversial, because it’s not clear that it’s as secure as it used to be.

How UAC Works under the hood

Every user, whether cond as a standard user or an administrator, can perform any of the tasks in Windows 7 that do not require administrator privileges, just as they did in Windows XP. (The problem with XP, from a security standpoint, of course, is that all tasks were denoted as not requiring administrative privileges.) You can launch applica-tions, change time zone and power-management settings, add a printer, run Windows Update, and perform other similar tasks. However, when you attempt to run a task that does require administrative privileges, the system will force you to provide appropriate credentials in order to continue. The experiences vary a bit depending on the account type. Predictably, those who log on with administrator-class accounts experience a less annoying interruption.Standard users receive a User Account Control credentials dialog, as in 8-1. This dialog requires you to enter the password for an administrator account that is already cond on the system. Consider why this is useful. If you have cond your chil-dren with standard user accounts (as, frankly, you should if you’re going to allow them to share your PC), then they can let you know when they run into this dialog, giving you the option to allow or deny the task they are attempting to complete. Administrators receive a simpler dialog, called the User Account Control consent dialog,2. Because these users are already cond as administrators, theydo not have to provide administrator credentials. Instead they can simply click Yes to keep going. The presentation of these User Account Control dialogs can be quite jarring if you’re not familiar with the feature or if you’ve just recently switched to Windows 7 from XP. (Vista users are very well accustomed to this effect.) If you attempt to complete an adminis-trative task, the screen will flash, the background will darken, and the credentials or consent dialog will appear somewhere onscreen. Most important, the dialogs are modal: you can’t continue doing anything else until you have dealt with these dialogs one way or the other.
There’s also a third type of User Account Control dialog that sometimes appears regard-less of which type of user account you have cond. This dialog appears whenever you attempt to install an application that has not been digitally signed or validated by its creator. These types of applications are quite common, so you’re likely to see the dialog fairly frequently, especially when you’re initially configuring a new PC. Over time, these prompts will occur less and less because you won’t be regularly installing applications anymore.By design, this dialog is more colorful and “in your face” than the other User Account Control dialogs. Microsoft wants to ensure that you really think about it before continuing. Rule of thumb: you’re going to see this one a lot, but if you just downloaded an installer from a place you trust, it’s probably okay to go ahead and install it.
When UAC is left at its default setting, Windows 7 automatically elevates a hand-picked list of applications, further reducing the UAC dialogs you see. These applications are referred to as being white-listed for auto-elevation. They include:
WindowsehomeMcx2Prov.exe
WindowsSystem32AdapterTroubleshooter.exe
WindowsSystem32BitLockerWizardElev.exe
WindowsSystem32bthudtask.exe
WindowsSystem32chkntfs.exe
WindowsSystem32cleanmgr.exe
WindowsSystem32cliconfg.exe
WindowsSystem32CompMgmtLauncher.exe
WindowsSystem32ComputerDefaults.exe
WindowsSystem32dccw.exe
WindowsSystem32dcomcnfg.exe
WindowsSystem32DeviceEject.exe
WindowsSystem32DeviceProperties.exe
WindowsSystem32dfrgui.exe
WindowsSystem32djoin.exe
WindowsSystem32eudcedit.exe
WindowsSystem32eventvwr.exe
WindowsSystem32FXSUNATD.exe
WindowsSystem32hdwwiz.exe
WindowsSystem32ieUnatt.exe
WindowsSystem32iscsicli.exe
WindowsSystem32iscsicpl.exe
WindowsSystem32lpksetup.exe
WindowsSystem32MdSched.exe
WindowsSystem32msconfig.exe
WindowsSystem32msdt.exe
WindowsSystem32msra.exe
WindowsSystem32MultiDigiMon.exe
WindowsSystem32Netplwiz.exe
WindowsSystem32newdev.exe
WindowsSystem32ntprint.exe
WindowsSystem32ocsetup.exe
WindowsSystem32odbcad32.exe
WindowsSystem32OptionalFeatures.exe
WindowsSystem32perfmon.exe
WindowsSystem32printui.exe
WindowsSystem32rdpshell.exe
WindowsSystem32recdisc.exe
WindowsSystem32rrinstaller.exe
WindowsSystem32rstrui.exe
WindowsSystem32sdbinst.exe
WindowsSystem32sdclt.exe

How to configure Windows 7 firewall

Windows Firewall included with Windows 7 helps prevent unauthorized users or malicious software from accessing your computer. Windows Firewall does not allow traffic that was not sent in response to a request, to pass through the firewall.
To configure Windows Firewall, select Start > Control Panel > Large Icons View > Windows Firewall. Click Turn Windows Firewall On Or Off. This will prompt the Windows Firewall Settings dialog box.

The Windows Firewall Settings dialog box enables you to turn Windows Firewall on or off for both private and public networks. The On setting blocks external sources except those indicated on the Exceptions tab. The Off setting allows external sources to connect. There is also a check box for Block All Incoming Connections. This feature allows you to connect to networks that are not secure. When Block All Incoming Connections is enabled, exceptions are ignored and you receive no notification when an application is blocked by Windows Firewall.

The exceptions section of the Windows Firewall Settings dialog box allows you to classify which programs and services are allowed to pass through Windows Firewall. There is a defined list of programs and services you can choose from, or you can use the Add Another Program button to modify your exceptions. It is important that you enable exceptions carefully. Exceptions allow traffic to pass through the firewall, which can put your computer at risk due to the exposure. Remember that the Block All Incoming Connections setting ignores all exceptions.

Windows Firewall with Advanced Security

There are more advanced settings to be configured in Windows Firewall with Advanced Security (WFAS). To access Windows Firewall with Advanced Security, click Start > Control > Panel > Large Icons View > Windows Firewall and then click the Advanced Settings link. The Windows Firewall with Advanced Security on Local Computer dialog box appears and to the left on the scope pane shows that you can set up specific inbound and outbound rules, connection security rules, and monitoring rules. An overview of the firewall’s status and current profile settings is shown in the central area.

Inbound and Outbound Rules

Inbound and outbound rules have many preconfigured rules that can be enabled or disabled. Inbound rules monitor inbound traffic and outbound rules monitor outbound traffic. Many are disabled through default. If you double-click a rule, this will prompt its Properties dialog box. The rules can be filtered for easier viewing. Filtering can be done based on the rules, whether enabled or disabled, of the affected profile, or based on the rule group. If you have trouble finding a rule that suits your needs, you can create a new rule by right-clicking Inbound Rules or Outbound Rules in the scope pane and selecting New Rule. This will launch the New Inbound or Outbound Rule Wizard and it will ask whether you want to create a rule based on a particular program, protocol or port, predefined category, or custom settings.

How to Create a New Inbound Rule Allowing for Only Encrypted TCP Traffic:

1. Select Start > Control Panel > Large Icon View > Windows Firewall.
2. Click Advanced Settings on the left-hand side.
3. Right-click Inbound Rules and select New Rule.
4. Choose a Rule Type. To see all available options, choose Custom and click Next.
5. Choose the programs or services affected by this rule and then click Next.
6. Choose the protocol type and the local and remote port numbers affected by this rule and click Next.
7. Choose the local and remote IP addresses affected by this rule and click Next.
8. Indicate if this rule will allow the connection, allow the connection only if it is secure, or block the connection and then click Next.
9. Indicate whether you want to allow connections from certain users only and click Next.
10. Indicate whether you want to allow connections from certain computers only and then click Next.
11. Choose which profiles will be affected by this rule. You can select more than one profile and click Next.
12. Name your profile, type in a description and then click Finish. Your custom rule appears in the list of Inbound Rules and the rule is enabled.
13. Double-click the new rule you just created. Note that previously configured options can be changed.
14. You can disable the rule by deselecting the Enabled check box. Click OK.

 

 

 

 

 

New mobile functionality for Windows PowerShell explained

Those familiar with Windows PowerShell might also recognize PowerGUI Pro from Quest Software, a graphical front-end for PowerShell that automates common tasks for the command-line system. What you might not know is that there is new functionality that expands on this concept: PowerGUI Pro – MobileShell.

MobileShell runs the PowerGUI Pro command engine on a remote server through a Web browser. Internet Explorer 8 and Mozilla Firefox are both supported out of the box, and the programmers are working on adding support for many other browsers, including Google Chrome and Opera.
MobileShell installs on a Windows Server running Internet Information Services (IIS). It will install by default in a subdirectory named /MobileShell within the default website. All connections to MobileShell are SSL-encrypted by default, so snooping the traffic on the connection is no easier than it would be for any other SSL-protected transaction. Note that you can run MobileShell without HTTPS, but it is not recommended since (among other things) you’ll have to pass credentials in plain sight. Also, if you are disconnected in the middle of a session by a browser crash or network disruption, you can reconnect to the session spawned before in much the same manner as with a Remote Desktop session.

When you connect to MobileShell, you’ll see a three-pane display: an output window at the top, a command window at the bottom, and a pair of panels labeled Recent Commands and Favorites on the right. When you begin typing in a command in the bottom window, MobileShell will provide an auto-completion prompt for the command—a big timesaver since PowerShell commands can be a bit wordy.

The Recent Commands and Favorites panels are more or less what they sound like. The former maintains a history of the commands submitted through MobileShell. Click an item in the list and you can repopulate the command window with the same text. The Favorites panel is a list of commonly-used commands which you can customize by adjusting the settings. Among other things that can be controlled in the settings window is the output buffer size, which is set to 1,000 lines by default.

Finally, when using PowerGUI Pro – MobileShell it is important to avoid clicking the back button in your browser, as you risk closing the current session and losing your work; a minor tradeoff for another strong innovation.

Things you should know for Windows 7 Security

Windows 7 is the most secure version of the Windows operating system ever developed – Says Microsoft. am pretty sure that Microsoft has made that claim for every new version of Microsoft Windows in the past 15 years, and that it is a valid claim.

What else would you expect? Is Microsoft going to come out with a new operating system and make it less secure than its predecessor? I think not. Still, while the marketing around Windows 7 security may be part hyperbole, there are actually a number of significant security improvements to be aware of, especially for Windows XP users making (or considering) the transition to Windows 7. Many of these security updates existed in Windows Vista as well, so Vista users should already be familiar with them.

[ Get InfoWorld’s 21-page hands-on look at the new version of Windows, from InfoWorld’s editors and contributors. | Find out what’s new, what’s wrong, and what’s good about Windows 7 in InfoWorld’s “Windows 7: The essential guide.” ]

1. Protecting the core
The kernel is the heart of the operating system, which also makes it a prime target for malware and other attacks. Basically, if an attacker can access or manipulate the operating system kernel, they can execute malicious code at a level that is undetectable by other applications or even by the operating system itself. Microsoft developed kernel-mode protection to protect the kernel and ensure there is no unauthorized access.

In addition to protecting the kernel, Microsoft has made some other fundamental improvements since Windows XP to protect the operating system. Many attacks rely on the attacker being able to know where a specific function or command resides within memory, or the ability to perform attacks on files that are supposed to contain only data.

Address Space Layer Randomization (ASLR) keeps attackers guessing about where to attack by randomizing the memory locations of key operating system functions. Microsoft also developed Data Execution Prevention (DEP) to prevent files that are supposed to contain data or that are stored in an area reserved for data from executing code of any type.

2. Safer Web browsing
Windows 7 comes with the latest and greatest version of Internet Explorer, IE8. You can download and use IE8 with other versions of Windows, so it’s not specific to Windows 7, but it does contain some security enhancements worth nothing.

First, InPrivate Browsing provides the ability to surf the Web in private as the name implies. When you launch an InPrivate Browsing window, Internet Explorer does not save any information related to your Web surfing. That means that there is no cache containing information you typed and no history of the sites you visited. This is especially useful if you are using IE8 on a shared or public computer, like at a library.
The other IE8 security improvement is Protected Mode. Protected Mode relies on security components in Windows 7 to ensure that malicious or unauthorized code is not allowed to run within the browser. Protected Mode prevents things like drive-by downloads that install malicious software on your system just by visiting a compromised Web site.

3. Protection we love to hate
User Account Control (UAC) is the poster child for everything we love to hate about Windows Vista. With Windows 7, UAC is still there, but Microsoft has added a slider that enables you to control the level of protection –and therefore the amount of pop-ups asking for permission to access or execute files — UAC provides.

The pop-ups are just a small, but visible, aspect of what UAC does. Many users simply disabled UAC altogether in Windows Vista, but that also turns off Protected Mode IE and some other operating system protection. The slider in Windows 7 is set to the same protection as Windows Vista by default, but you can customize the setting in the Control Panel.

4. Security tools and apps
Because of the kernel-mode protection and the changes Microsoft made regarding how, or if, applications are allowed to interact with the core functionality of the operating system, older anti-virus and other security software is not compatible with Windows 7.

Vendors like McAfee, Symantec, Trend Micro, and others offer Windows7 compatible versions of their security software products, but Microsoft also provides free security tools to protect you if you don’t want to invest the additional money.

The Windows Firewall and Windows Defender antispyware tools are included with the base installation of Windows 7. You can also download and install Microsoft Security Essentials, a free anti-virus product released recently by Microsoft.

5. Monitor the Action Center
The Security Center that Windows XP users are familiar with has been replaced by the Windows Action Center. The Action Center is a more comprehensive console for monitoring the Windows 7 system, including security.

The security section of the Action Center provides at-a-glance status regarding the security of your Windows 7 system. It includes information about firewall, spyware, and virus protection, as well as the state of Windows Updates, Internet security settings, and UAC.

There are plenty of good reasons to make the switch to Windows 7. If you are still running Windows XP, security is arguably the best reason to embrace the new operating system. It may or may not be the greatest operating system ever, but it is definitely the most secure Windows operating system ever.

Rights Management protection in Exchange 2010 SP1

No matter what corporate policies are in place to prevent it, users will still send email messages containing sensitive information. It’s the administrator’s job to protect these messages. And although encryption technologies such as TLS and S/MIME can, to some degree, protect these messages, both technologies fall short of providing comprehensive message security.

Enter Exchange Server’s Information Rights Management (IRM) feature. IRM allows a sender to specify what the recipient can and cannot do with the message. For example, a sender might use IRM to prevent the recipient from forwarding or printing the message. Admins can also use IRM to prevent recipients from extracting message contents using copy and paste or the Windows snipping tool. You can configure IRM-protected messages with an expiration date after which the message can no longer be viewed.

With all of IRM’s unique security capabilities, it is no wonder that so many organizations use it to protect sensitive data. Of course, all of this protection comes at a price; IRM is useless unless the end user’s mail client supports it.

Outlook Web App and IRM aggravations
Microsoft Outlook has supported Information Rights

Management since Outlook 2003. However, until Exchange Server 2010, Outlook Web Access (OWA) clients couldn’t use IRM. Even then, IRM support for Outlook Web App, as it’s called in this latest version of Exchange, still isn’t quite right.

Although Exchange 2010 allows OWA users to send and receive IRM-protected messages, the process collapses if a protected message contains an attachment. The user can’t view the attachment directly through the OWA interface; instead he has to download it and use the associated application to open it. Although this extra step probably isn’t a deal breaker for most organizations, it does mean that users who log onto OWA from a kiosk or a public computer still cannot access IRM-protected attachments.

Exchange Server 2010 SP1 alleviates this problem. If a user receives an IRM-protected message that also contains an attachment, he can view the attachment directly through the browser using Web-ready document viewing.

SP1 was also designed to allow Exchange mobile device users connected via ActiveSync to send and receive IRM-protected messages without having to connect to Windows Mobile Device Center — a previous requirement. Another improvement is that users aren’t forced into one particular browser. You can view IRM-protected documents via Internet Explorer, Firefox and Safari browsers (Figure 1).

Figure 1. You can view IRM-protected attachments directly through Outlook Web App.

In spite of this, there are still several limitations related to sending and receiving email. For starters, Information Rights Management only supports specific types of attachments. The application seamlessly supports Microsoft applications including Word, Excel PowerPoint documents and .xps files.

If a user attaches one of these types of documents to an IRM-protected message, the attachment is also IRM-protected. But when a user tries to send any other type of attachment, such as a .pdf file, he will receive a message informing him that file cannot be protected.

Likewise, Exchange 2010 only offers Web-ready document viewing for these specific file types. If a user receives an unsupported attachment type, then he must save the attachment and open it with the corresponding application — regardless of whether or not the attachment is IRM-protected.

This brings up an important point. Although IRM is used in Exchange Server 2010, it’s not limited to Exchange Server. Users can send documents that are IRM protected, without the message itself being IRM protected.

Generally, when a user adds an attachment to an IRM-protected email message, the attachment — if it’s a supported file type — also becomes IRM-protected. If a user attaches an IRM-protected document to an IRM-protected email, however, the attachment’s original IRM protection is retained. Exchange will not attempt to overwrite Information Rights Management protection.

Microsoft Acknowledges MHTML Vulnerability

Microsoft has released a tool mitigating the issue behind a new vulnerability that impacts all supported versions of Windows, aside from Server 2008 installations using the Server Core option. While concept code to leverage attacks is public, the software giant says it is unaware of any actual attacks.

On Friday, Microsoft acknowledged reports of a vulnerability in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler that surfaced earlier this month on a security mailing list. The handler itself has been around for a while, and is used to render various types of documents.

The nature of the vulnerability means that Internet Explorer (IE), and third-party applications leveraging IE or the protocol, pose the greatest risk. In their default installations, both Firefox and Chrome browsers do not support MHTML.

The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities, Microsoft has explained.

“The XSS attack can be used to run JavaScript code on the user’s Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering,” added Wolfgang Kandek, CTO at Qualys.

While on the surface the vulnerability looks overly critical, many security experts don’t see it as something to go running to the hills over. The mitigation steps suggested by Microsoft will have little user impact if applied in the office or at home.

“…even though the proof of concept code is public, carrying out an attack using this complicated cross site scripting-like bug will not be easy. Because of this, attacks are probably not imminent but users should still follow the mitigation advice in the advisory,” commented Andrew Storms of nCircle in an email.

“Locking down the MHTML protocol is likely to have a nominal impact on most users and will go a long way toward protecting their browsing experience,” he added.

Until an official patch is forthcoming, Microsoft has released a FixIt script that locks down the MHTML protocol and prevents script abuse.

“In our testing, the only side effect we have encountered is script execution and ActiveX being disabled within MHT documents. We expect that in most environments this will have limited impact,” Microsoft said regarding the fix.

“While MHTML is an important component of Windows, it is rarely used via mhtml: hyperlinks. Most often, MHTML is used behind the scenes, and those scenarios would not be impacted by the network protocol lockdown. In fact, if there is no script content in the MHT file, the MHT file would be displayed normally without any issue.”

More information on the MHTML vulnerability can be viewed here.

The official Security Advisory related to the MHTML issue can be found here.

Microsoft Warns On New Browser Vulnerability

Microsoft on Wednesday issued a security advisory to users of its Internet Explorer Web browser about a newly disclosed vulnerability that could be exploited and used to run malicious code on vulnerable Windows systems.

The Redmond, Washington company said it is investigating new, public reports of a vulnerability in all supported versions of IE. The company said it is working on a patch and cooperating with anti malware vendors in its Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance to help expedite the distribution of protections against exploits using the hole. However, the company cautioned that the newly discovered vulnerability is not serious enough to warrant an out of cycle patch.

As reported by Threatpost, the new vulnerability was first disclosed by the IT security firm Vupen on December 9 and affects most versions of Microsoft’s Internet Explorer Web browser. If exploited, the hole could allow remote attackers to circumvent defensive features in fully patched WIndows 7 and Windows Vista machines, and attack Microsoft’s latest version of Internet Explorer, IE8 to run malicious code on vulnerable systems.

The company, based in Montpellier, France, said it had discovered a “use-after-free” error in the mshtml.dll library – IE’s HTML rendering engine – that could allow attackers to take complete control of a vulnerable system.Use-after-free errors happen when a program continues using a pointer to an area of computer memory after that memory has been freed. In cases, the freed memory can be re-allocated and used to launch attacks, such as buffer overflows, that can result in malicious code being run on a vulnerable system, according to OWASP.In this case, the flaw could be exploited when IE loaded specially formated Cascading Style Sheets (CSS) files that included @import rules, which allow Web sites to incorporate style sheets from external sites.

The vulnerability is what is describes as a “use-after-free” error in the mshtml.dll library – IE’s HTML rendering engine. Use-after-free errors happen when a program continues using a pointer to an area of computer memory after that memory has been freed. In cases, the freed memory can be re-allocated and used to launch attacks, such as buffer overflows, that can result in malicious code being run on a vulnerable system, according to OWASP.

In this case, the flaw could be exploited when IE loads specially formated Cascading Style Sheets (CSS) files that included @import rules, which allow Web sites to incorporate style sheets from external sites, Vupen said.

In its advisory, Microsoft said that existing features like IE Protected Mode and the default Enhanced Security Configuration for newer versions of IE on Windows Server 2003 and 2008 would mitigate the impact of the vulnerability by reducing the privileges that attackers have on Windows systems should they successfully compromise IE.

However, a version of a public exploit has already been added to the Metasploit Framework, a free testing tool. That, when combined with other attack techniques, could allow attackers to circumvent more recent Microsoft protections such as  Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR), which are specifically designed to thwart malicious code.

In a separate post, Fermin J. Serna, a Security Software Engineer at Microsoft explained how those technologies might be circumented and suggested a workaround to prevent them from being defeated in an attack using the new IE hole.

Sharepoint Extranet Setup with Forms Based Authentication

At some point in your company’s SharePoint usage, you will probably want to expand the usage of your Intranet sites to clients. Extranet deployment usually requires some additional server and license resources which can add to the expense of the Sharepoint deployment. Fortunately, SharePoint Server 2007 has the Authentication Zones feature, which allows you to setup different authentication methods for your employers and customers and minimize the additional hardware and software licenses required.

In this article we will be configuring forms based authentication with newest version of Microsoft Office SharePoint Server with Service Pack 2 on Windows Server 2008.

SharePoint authentication zones

By default, on SharePoint applications there is only one default zone configured, which corresponds to our LDAP (Active Directory) authentication mode. However, there are several other zones that can be used for authenticating site users (see screen below)

Alternate Access Mapping Collection

In this instance we will be configuring our Extranet zone with Forms Based Authentication, so our external users (clients/customers) would be using different credentials database. In most cases we do not want external users to have any accounts in the Active Directory as it will be a drain on resources to have an Active Directory only for these users. Therefore, in this scenario we will be using ASP .NET functionality to store user credentials in MS SQL Database.

Configure Extranet zones with users stored in a SQL Server Database

We need set the ASP .NET services engine to use a SQL Server database to store user credentials, as well as membership, profiles and the SQL Web event provider. To do this, you will need to run aspnet_regsql.exe located in theC:WindowsMicrosoft.NETFrameworkv2.0.50727 folder (or C:WindowsMicrosoft.NETFramework64v2.0.50727 for 64-bit OS’s).

After reading the application description in the first screen and clicking next, we then ensure that Configure SQL Server for application services is selected and click Next (see screenshot below).

Configure SQL Server for application services

Next, we enter our SQL Server credentials. This is a very useful feature because we can use the same SQL Server instance that is used for SharePoint to avoid the expense of purchasing an additional SQL Server license for external user authentication. Alternatively we could install the free SQL Server Express which is capable of handling Forms based credentials.

Select Servers And Databases

Next, confirm that the SQL Server credentials for ASP .NET services are correct, and click Next. By default, ASPNET_RegSQL.exe will be using the ‘aspnetdb’ database for storing user data.

Confirm your settings

Now we must configure the provider for membership, profiles and the role manager in SharePoint.

First we need to expand our Intranet site that is in the Default Zone (with default, Active Directory based Authentication). This is done in Central Administration / Create or Extend Web Application.

Central Administration Create or extend Website

Select Extend an existing Web application and then select the web application we need to extend to external, SQL Server based users.

Extend an existing Web application

The most important part of the configuration forms after you select the correct application to extend, is on the screen below.

Configuration part

We need to enter the external host name that will be visible from every workstation, so it’s important to have a good domain for our extranet site as it will be probably used by our clients and customers. We may also need to enable anonymous authentication, but in this scenario we won’t be using that for our Extranet site.

At the bottom of the configuration, we need to select the correct zone for our newly extended site. Here we will select Extranet.

Load Balanced URL

Before you accept these changes, ensure that NTLM authentication is selected, which is the only supported mode for Forms Based Authentication.

Configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)

WPAD stands for Web Proxy Auto-Discovery Protocol. WPAD contains the information proxy settings for clients. Windows client uses WPAD protocol to obtain proxy information from DHCP and DNS server. Clients query for WPAD entry and returns with address of WPAD server in which WPAD.dat or Wspad.dat is stored. WPAD server can be a Forefront TMG server or an separate IIS server holding WPAD.dat or wspad.dat URL. Configuring a WPAD server is pretty simple as described in the following steps:

1. Select and configure an automatic discovery mechanism.
2. Implement a WPAD server and DNS or Implement a WPAD Server and DHCP.
3. Configure automatic discovery through GPO for Windows client computers

What’s in WPAD.dat and WSPAD.dat file? The Wpad.dat file is a Microsoft JScript® file used by the Web client browser to set browser settings. Wpad.dat contains the following information:

• The proxy server that should be used for client requests.
• Domains and IP addresses that should be accessed directly, bypassing the proxy.
• An alternate route in case the proxy is not available.
• TMG Enterprise Server, Wpad.dat provides a list of all servers in the array

In the TMG Server WSPAD implementation uses the WPAD mechanism, and constructs the Wspad.dat file to provide the client with proxy settings, and some additional Firewall client configuration information not required for automatic detection. The relevant automatic detection entries in Wspad.dat are the server name and port name.

Configure WPAD Entry in an authoritive DHCP Server:

Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.

In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.

In Name, type WPAD. In Code, type 252. In Data type, select String, and then click OK.

In String, type http://Computer_Name:Port/wpad.dat where Port is the port number on which automatic discovery information is published. You can specify any port number. By default, Forefront TMG publishes automatic discovery information on port 8080. Ensure that you use lowercase letters when typing wpad.dat. Forefront TMG uses wpad.dat and is case sensitive.

Right-click Scope Options, and then click Configure options. Confirm that Option 252 is selected.

Note: Assign the primary domain name to clients using DHCP. A DHCP server can be configured with a DHCP scope option to supply DHCP clients with a primary domain name. You can use port 8080 if you are using DHCP to deliver WPAD. Most corporate uses port for so many web application or primary web site. My preferred method is to deliver WPAD using DHCP.

Configuring WPAD Entry in Active Directory DNS (AD DS):

Click Start, point to All Programs, point to Administrative Tools, and then click DNS.

In the console tree, right-click the forward lookup zone for your domain, and click New Alias (CNAME).

In Alias name, type WPAD.

In Fully qualified name for target host, type the FQDN of the WPAD server. If the Forefront TMG computer or array already has a host (A) record defined, you can click Browse to search the DNS namespace for the Forefront TMG server name.

Note: If clients belong to multiple domains, you will need a DNS entry for each domain. Firewall clients should be configured to resolve the WPAD entry using an internal DNS server. For WPAD entries obtained from DNS, the WPAD server must listen on port 80. Do NOT configure CNAME entry in AD DS if you are using DHCP to deliver WPAD.

Important! Use ONLY one deliver method that means either DNS or DHCP

Configuring TMG Server as the WPAD Server: You can configure Forefront TMG as the WPAD server as follows

In the console tree of Forefront TMG Management, click Networking. In the details pane, click the Networks tab, and then select the network on which you want to listen for WPAD requests from clients (usually the default Internal network).

On the Tasks tab, click Edit Selected Network.

On the Auto Discovery tab, select Publish automatic discovery information.

In Use this port for automatic discovery requests, specify the port on which the Forefront TMG WPAD server should listen for WPAD requests from clients.

Click on Forefront TMG Client Tab, Check Enable Forefront TMG Client Support for this network, by default TMG server name will selected in this option, for TMG Enterprise Edition, you can select any Array Member hosting WPAD. Check Automatically Detect Settings, Check Use Automatic configuration script and select Use Default URL, Check Use a web proxy server. You may select one of the following:

• Use default URL. Forefront TMG provides a default configuration script at the location http://FQDN:8080/array.dll?Get.Routing.Script, where the FQDN is that of the Forefront TMG computer. This script contains the settings specified on the Web Browser tab of the network properties.
• Use custom URL. As an alternative to the default script, you can construct your own Proxy Auto-Configuration (PAC) file and place it on a Web server. When the client Web browser looks for the script at the specified URL, the Web server receives the request and returns the custom script to the client.

Apply Changes, Click ok.

To run the AD Marker tool for automatic detection: Use this tools if you use active directory as deliver mechanism.

To store the marker key in Active Directory, at the command prompt, type:

TmgAdConfig.exe add -default -type winsock -url <service-url> [-f] where:

The service-url entry should be in the format http://<TMG Server Name>:8080/wspad.dat.

The following parameters can be used in the commands:

To delete a key from Active Directory, at a command line prompt, type:TmgAdConfig.exe del -default -type winsock

To configure the Active Directory marker for a specific site, use the –site command line parameter.

For a complete list of options, type TmgAdConfig.exe -?

For detailed usage information, type TmgAdConfig.exe <command> -help

The TmgAdConfig tool creates the following registry key in Active Directory: LDAP://Configuration/Services/Internet Gateway(“Container”) /Winsock Proxy(“ServiceConnectionPoint”)

The key’s server binding information will be set to <service-url>. This key will be retrieved by the Forefront TMG Client and will be used to download the wspad configuration file.

Configuring an Alternative WPAD Server: An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer instead of on the TMG Server computer. For example, you can place the files on a server running IIS. In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector to provide WPAD and WSPAD information to clients. The simplest way to download the Wpad.dat and Wspad.dat files is to connect to the TMG Server computer through a Web browser and obtain the files from the following URLs:

• http://computer_name:port/wpad.dat
• http://computer_name:port/wspad.dat

Configuring Internet Explorer for Automatic Discovery in a single computer: Configure WPAD for automatic detection for DHCP delivery method as follows:

1. In Internet Explorer, click the Tools menu, and then click Internet Options.
2. On the Connections tab, click LAN Settings.
3. On the Local Area Network (LAN) Settings tab, select Automatically detect settings.

Enabling browsers for automatic detection using a static/custom configuration script

1. In Internet Explorer, click the Tools menu, and then click Internet Options.
2. On the Connections tab, click LAN Settings.
3. On the Local Area Network (LAN) Settings tab, select Use automatic configuration script. Enter the script location as http://fqdnserver:port/array.dll?Get.Routing.Script. Where fqdnserver is the fully qualified domain name (FQDN) of the Forefront TMG server. The configuration script location can be specified in each browser, or it can be set for all clients who use Group Policy.

To export the settings from your computer to an .ins file using IEM

In Group Policy, double-click Local Computer Policy, double-click User Configuration, and then double-click Windows Settings.

Right-click Internet Explorer Maintenance, and then click Export Browser Settings.

Enter the location and name of the .ins file that you want to use.

Copy this WPAD.INS file and host this in a separate IIS server.

Configure Automatic Detection through GPO for entire Windows fleet

Log on to Domain Controller as an administrator.

Open Group Policy Object Management Console, Select desired Organisational Unit, Right Click, Click on Create a GPO in this Domain and in it here

Type the Name of the GPO, Click ok

Right mouse click on newly created GPO, Click on Edit,

Expand GPO editor to User Configuration>Windows Settings>Internet Explorer Maintenance>Connections>Double Click Automatic Browser Configuration

If you decide to use DHCP as WPAD.dat delivery method then check Automatic Detect Configuration Settings.

If you decide to default Routing Script from TMG server

If you want to deliver wpad.dat through DNS server use the following option

For WPAD.INS deployment use the following option

In the automatic configure every ~ minutes, you can setup time and type 0 (zero) for auto update after restart.

Testing Automatic Detection

To test DHCP delivery method, Log on to a client machine. Open IE8 and setup IE Proxy settings as Automatically detect setting

Run GPUPDATE.exe /Force and reboot computer

Browse any websites to test proxy is detected by browser.

For a WPAD entry in DNS, you can test the automatic discovery mechanism by typing the following in the Web browser:

• http://wpad/wpad.dat
• http://wpad.wspad.dat

For a WPAD entry in DHCP, you specify the FQDN of the WPAD server. For example, if the WPAD DHCP entry is available on an TMG Server computer, type the following:

• http://ISA_Server_FQDN:Port/wpad.dat
• http://ISA_Server_FQDN:Port/wspad.dat

To test that the automatic configuration script is being retrieved as expected, type the following in the Web browser:

• http://ISA_Server_FQDN /array.dll?Get.Routing.Script