Friday, August 29, 2014

Proactive Security Beats Reactive Security (as seen on the Windows IT Pro Insider)

 

I had the opportunity to write an article to the Windows IT Pro Insider newsletter (previously known as Sprinboard Newsletter). Make sure you have subscribed to it like more than a million of your collegues. You can sign up here: http://technet.microsoft.com/en-us/windows/insider%20della%20serie%20springboard.aspx

Here’s my article:

Community update

 

Proactive Security Beats Reactive Security
By Sami Laiho, Microsoft MVP – Windows Expert-IT Pro

You have probably read interviews with major anti-malware company executives saying that the IT world is changing to direction where reactive protection can’t defend the user and the computer anymore. Threats are changing and evolving so rapidly that systems that focus on finding something according to fingerprints or heuristics just can’t do the job they used to do. My company specializes in getting rid of end user administrative rights and I’ve always been a strong believer in proactive security. I hope you take the time to read through this article where I try give my five cents on how I believe we need to protect our environment in the future.

 

I recently bought a new Dell Precision laptop with Windows 8.1 to work as my travelling data center. I travel more than 100 days a year and connect to hundreds of different networks and environments. To prove a point, I’m running a different OS configuration than I normally do. My laptop doesn’t have any anti-malware software installed and has all ports opened in my firewall. (Windows 8.1 actually makes it quite hard to keep it this way; it tries its best to turn on anti-malware and Windows Firewall whenever it gets a chance.) Before you get ahead of yourself, I would like to remind you that this configuration is just to prove a point and is an experiment. I don’t recommend that anyone to turn off their anti-malware solution or Windows Firewall. In fact, I recommend that you keep both enabled to stay on top of the proactive security measures I’m going to talk about.

With this current configuration, I manually scan my computer weekly with different anti-malware solutions to document how my experiment goes and how effective proactive security can be. Am I worried? I had to stop for a few seconds and actually think about it, but I have to say, "No, not at all."

So what is my "shields up" defense if not an anti-malware solution and a firewall? Let’s first look at a list of my defensive measures:

No end user administrator rights – This is the most fundamental and important part. Even Microsoft documentation states that if you are running local administrative rights you can’t protect yourself.

Current OS – I’m running a 64-bit version of Windows 8.1 Enterprise that is fully up to date.

Unified Extensible Firmware Interface (UEFI) – I always run hardware that has UEFI and Secure Boot enabled.

Trusted Platform Module (TPM) – I always run hardware that has a TPM, either as a physical chip or as part of the firmware.

BitLocker – I always have hard disk encryption in place.

AppLocker – I only run whitelisted software. You can do this with Windows 8.1 Pro and Software Restriction Policies, but AppLocker in Windows 8.1 Enterprise is easier to administer.

IPsec – I only answer to devices I trust.

So, if you ask about me being worried or scared, I would answer you like this, "I have a Windows machine that only runs code that I explicitly trust and only talks to other devices I explicitly trust and I have no way of mistakenly disabling or bypassing it." The whole thing is not a walk in the park; every part requires planning and some administrative overhead, as you can imagine. As a result, I’d like to walk you quickly through every feature I’m using and offer a short description on how I do it.

No end user administrator rights

During daily use, I never log on with an administrative account. When people have told me that they hate User Account Control (UAC), I have to say that I love it. I don’t need UAC for its protection as I don’t have any administrator rights, but I love the extra power that UAC gives me by asking me if I would like to use an administrator account when I need one. In Windows XP, I had to press the SHIFT key and right-click icons to get an option to Run As a different user. With Windows Vista came UAC and I don’t have this overhead anymore. I have a local administrator account if I need it. It’s actually simply called "A" so I can quickly type in ".\a" and the password when prompted. (To be honest, I use a software called Privilege Guard that gives me the opportunity to give administrative access to processes instead of only users or computers.)

Current OS and only x64

People always know that they need a 64-bit system to get better use of their 4GB+ memory, but they seem to forget that x64 versions of Windows can be more secure than x86. For example, an x86 Windows 8.1 system will run unsigned code in the kernel while the x64 version won’t – a fundamental difference when keeping a computer secure against malware.

UEFI + Secure Boot + TPM + BitLocker

I’m running BitLocker with TPM protection only—no PIN, no USB stick. This does; however, require Windows 8 and UEFI with Secure Boot to keep it secure. The reasons behind this are long enough that I can’t list them here, but check out my TechEd North America session, Building a Bulletproof Windows BitLocker, for more details.

AppLocker

Software restrictions come in two flavors: blacklisting and whitelisting, Blacklisting serve its purpose in certain cases, but it is a perfect example of an old, reactive way of protecting a computer. For example, it’s basically impossible to use for securing your computer as a blacklist includes all non-wanted software. How would you make a list of all the software in the world you wouldn’t want to run on your computer? As a result, the only effective solution is whitelisting, which is a great example of a proactive measure. You list what you want to run.
Now, many IT pros stop me here before I get started by saying, "My company has over a thousand application with many more executables. How would I list those in AppLocker?" You wouldn’t. It’s time to stop thinking about objects and start thinking about containers. Instead of counting the executables, count the applications that run outside of c:\Program Files or c:\Windows folders. I know my Windows image (WIM) file so I start from a trusted environment. Then, I tell AppLocker to allow everything for Administrators (not me) and to allow C:\Program Files, C:\Program Files (x86)\ and C:\Windows. As I don’t have administrator rights, I can’t add anything to those folders – it’s simple. This prevents things like like Chrome, Firefox, Spotify, and TeamViewer from running in my environment, although (as you probably know) those can run without administrator rights by default. You do need to tweak these rules and add some of your own, that’s for sure. I have a running environment that has more than 30,000 workstations, and that has been running Software Restriction Policies since 2002, and they have 14 rules. Before Windows XP, they had a whitelist of a whopping 8,000 executables!
AppLocker is my number one proactive measure in Windows and I have to say I just love it! However; even with AppLocker, you need to audit your installation. By default, C:\Windows should be a place that no limited user can write to, but sadly that is not the case. You can check where limited users have write access with a free Windows Sysinternals tool called AccessChk. Here is a screenshot of a default Windows folder on a Windows 8.1 Enterprise machine and, as you can see, you need to exclude at least three folders to make it bulletproof:

Figure 1. AccessChk process

IPsec

Today, I would say that a firewall should be built inside of port 443. I don’t really understand the reason behind blocking 65,534 ports when everything goes through the one that’s "always" open. IPsec has been around for ages, and is almost always misunderstood (like AppLocker) to be something that requires huge overhead. IPsec consists of two protocols: Authentication Header (AH) which does authentication and Encapsulating Security Payload (ESP) which does encryption. Only when you start talking about encryption do you start to see any overhead, if even then. When I say I use IPsec 99% of the time, I am only referring to authentication. My IPsec policy is built in a way that I always try to authenticate when sending packets. If the other end can’t do it, I revert to unauthenticated. If I would require outbound authentication, I couldn’t browse the Internet or search with a search engine. When someone starts talking to me (inbound), I’m stricter and I won’t reply if the device doesn’t belong to my domain or have a certificate from my certificate authority (CA). So, I do have all my firewall ports open and I won’t block them when they are reported dangerous, but, on the other hand, I don’t let anyone in that I don’t trust—again an example of proactive versus reactive measures.

That’s all for now, but I hope you follow me on Twitter to get updates on how my experiment is going, and start to be proactive instead of reactive when it comes to the security of your environment!

Sami LaihoSami Laiho is one of the world’s leading Windows OS professionals. A Microsoft MVP (Windows Expert – IT Pro) and member of the Springboard Series Technical Expert Panel (STEP), Sami has been working with and teaching troubleshooting, management, and security for more than 15 years. His session was evaluated as the best session, and Sami as the best speaker, at TechEd North America 2014 and TechEd Australia 2013. Sami’s session at TechEd Europe 2013 was also rated the best session by an external speaker. Sami is globally known as the creator of a free Windows SteadyState replacement called Wioski and a one-time admin password creator called Adminizer. You can follow him on Twitter @samilaiho or visit his website at www.samilaiho.com.

Thursday, July 17, 2014

Server 2012 R2 Essentials shutting down from time to time

Sometimes I seem to forget to look at the INFORMATION event log entries as I’m looking for errors. Many times the unwanted reboots are intentional and don’t show as Warnings or errors. Like here:

image

I had mistaken and installed Server 2012 R2 Essentials as a Member server which is not allowed. It’s my Direct Access server so I meant it to be Standard but had used the wrong USB key for installation.  The pointed Event Log told it to me in plain English as soon as I remembered to look at the INFO events as well Winking smile

Hosting Wioski.com

I just changed Wioski.com from GoDaddy to Bluehost. This link helps when deciding where to host: http://www.tcpiputils.com/domain-neighbors

On GoDaddy I was sharing the IP with thousands of websites and Bluehost with 16 Winking smile

Sami

Wednesday, July 16, 2014

Uninstall MSI-packages in Safe Mode

I dug this up from a 10 year old course material I wrote but it’s still very usableSmile

One weird thing in Windows OS troubleshooting is that Microsoft wants software developers to use MSI as the installation method and at the same time says on their documentation that if you run into problems after installing some software you should boot into Safe Mode and uninstall it. The weird part is the fact that Safe Mode in Windows actually doesn’t allow the Windows Installer service to start thus preventing uninstallation of any software that was installed with an MSI!

You can get around this by tweaking the Safe Mode registry key with following command:

REG ADD "HKEY_LOCAL_MACHINE\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /D "Service"

After this you can start the service with the following command or do it graphically with Services.msc:

NET START msiserver

Now you can uninstall any software that was installed by an MSI!

Tuesday, July 1, 2014

Why you need to manage your GPO’s from a Windows 8.1 and not with an RDP session to a Server 2012 r2

Inspired by Jeremy Moskowitz and his blog “RSAT is not Evil” http://www.gpanswers.com/rsat-is-not-evil/ I decided to give my 5 cents on this matter as well.

Most of my customers have adopted a style of administering their GPO’s from a central Server by establishing an RDP connection to it instead of using RSAT from a Windows 8.1 machine. This is not the case with just 8.1 and Server 2012 R2 but I’ll use them as an example. There are positive sides to using a server of course:

  1. A centralized location which always has the right ADMX-files even if no CentralStore has been created
  2. No need to install RSAT on workstations

But there are drawbacks as well which are the reasons why I on the other hand never do it but instead always use a management workstation for it:

  1. There are only 2 free RDP instances available on a server while infinite amount of RSAT’s can be used
  2. The most important: GPMC uses the underlying OS to gather settings you can administer even if you have a Central Store or the most up to date ADMX-files!

Let’s dig in to the second one a bit more with an example. Let’s say I have a scenario where my Boss asks me to:

  1. Change the startup type of WebClient service to Disabled to make connections to unknown UNC paths quicker
  2. Only allow the “Weather” Modern App on our Windows 8.1 machines

Here’s how the settings look from Windows Server 2012 R2 server:

image

image

And here’s what it looks like from GPMC installed on a Windows 8.1 machine:

image

image

Cheers,

Sami

Battery Life - Running with Hypervisor On or Off

I hear this conversation all the time about not running your Windows OS Hypervisor to save battery life. There’s instructions on building a different BCD Store entry so you can switch your Hypervisor OFF when your travelling and you don’t have need for running virtual machines. This does differ from hardware to another and especially from Workstation to Server. I don’t rely on  one advice but I test it on my hardware. Many good things come from Finland and one of them is a performance metering software called PCMark http://www.futuremark.com/benchmarks/pcmark

Here are my result from my new Dell Precision M3800 “Ultrabook”. And as you can see I won’t be using two different boot options but I’ll just run with my Hypervisor ON all the time.

Hypervisor ON:

HypervisorON

Hypervisor OFF:

HypervisorOFF

Monday, June 23, 2014

Preparing a new computer for personal use

There are certain steps I always follow when I get a new computer so I decided to write them down for everyone else to know as well.

I just received my new Dell Precision M3800. It’s got a 16 GB of RAM which is sad… Doesn’t it just suck that Intel doesn’t support 16GB modules of RAM with the i7-processors? AMD does but I wouldn’t buy a laptop with an AMD processor for other reasons.. So before Intel starts to support 16GB modules as well we are kind of stuck with 16GB Ultrabooks ..

Luckily drives on the other hand are getting bigger in capacity and smaller in size. So before I’m gonna take my Dell to production I’m going to change the mSata drive to a 1 TB sized Samsung one and the actual 2.5” SSD to another 1TB Samsung drive. Then what I’ll do is run Windows and programs on the mSata drive as well as store ISO files etc on it. Then I’ll steal the Dedup bits from the Windows Server 2012 R2 and use the 2.5” drive as a dedupped drive for my Hyper-V virtual machines. That’s the plan.

And what about my settings? I use UE-V, OneDrive and Folder Redirections (with Windows 8.1 having “Always offline mode” http://technet.microsoft.com/en-us/library/hh968298.aspx I love it!) so I’m not that worried. It’s usually a case of installing a few pieces of software, reinstalling my modern apps, settings up a new Outlook profile as UE-V doesn’t sync it and I’m ready to go. With the addition of the concept of primary computers I’m really in a struggling between using UE-V or Roaming profiles as the latter would sync the Outlook settings and taskbar better http://technet.microsoft.com/en-us/library/jj649076.aspx

While working with two computers for a while I love my new Logitech Ultrathin Touch Mouse T630 as it has two BlueTooth ID’s so I can change it from one computer to another with the press of a button.

What do I always to when I get a new computer?

  1. Unpack
  2. Finish off the installation for the preinstalled OS
  3. Make sure you have a working Internet Connection
  4. Update all drivers etc. in any way which is the easiest
  5. Open up C:\Windows\System32\DriverStore\FileRepository\
  6. Copy every folder that is newer than 22.8.2013 (in the case of Windows 8.1) to a USB stick
  7. (change hard drives etc)
  8. Install Windows 8.1 Enterprise with Update
  9. Reinstall all device drivers from the USB stick
    1. for /r %i in (*.inf) do pnputil.exe –i –a “%i”
      1. Need to be run in the folder where you copied your DriverStore\FileRepository contents to
    2. If Device Manager still shows something not working then install drivers manually
  10. Some minor tweaking as always Winking smile