Anything about IT

Daily IT topics by Alex Verboon

Least Privilege Security for Windows 7, Vista and XP

Posted by Alex Verboon on 27th July 2010

Yesterday I received a pre-release copy of Russell Smith’s book called Least Privilege Security for Windows 7, Vista and XP. The book is entirely dedicated to the subject of running Least Privilege Security (or standard user accounts) on Windows operating systems in the enterprise.

The book has 420 pages and covers the following topics:

  • Chapter 1, An Overview of Least Privilege Security in Microsoft Windows
  • Chapter 2, Political and Cultural Challenges for Least Privilege Security
  • Chapter 3, Solving Least Privilege Problems with the Application Compatibility Toolkit
  • Chapter 4, User Account Control
  • Chapter 5, Tools and Techniques for Solving Least Privilege Security Problems
  • Chapter 6, Software Distribution using Group Policy
  • Chapter 7, Managing Internet Explorer Add-ons
  • Chapter 8, Supporting Users Running with Least-Privilege
  • Chapter 9, Deploying Software Restriction Policies and AppLocker
  • Chapter 10, Least Privilege in Windows XP
  • Chapter 11, Preparing Vista and Windows 7 for Least Privilege Security
  • Chapter 12, Provisioning Applications on Secure Desktops with Remote Desktop Services
  • Chapter 13, Balancing Flexibility and Security with Application Virtualization
  • Chapter 14, Deploying XP Mode VMs with MED-V

You can download the FREE chapter Solving Least Privilege Problems with the Application Compatibility Toolkit from here.

I haven’t read the entire book yet, but from what I have seen thus far, it’s definitely a must-have for any IT Pro who is working within the Client Desktop management space. I’ll submit further feedback when I have completed the review.

Posted in Book, Security, Tip, Windows 7, Windows XP

BookTip: Group Policy – Fundamentals, Security and the Managed Desktop

Posted by Alex Verboon on 7th May 2010

Today I’ve received a signed copy of Jeremy Moskowitz’s latest book “Group Policy – Fundamentals, Security and the Managed Desktop”, so instead of using my laptop I guess I’ll be holding a real book in my hands this weekend.

Jeremy also published 3 FREE chapters:

Bonus Chapter 1 - Scripting Group Policy Operations with Windows PowerShell (co-written with PowerShell MVP Jeff Hicks.)
Bonus Chapter 2 - Advanced Group Policy Management (AGPMv4)
Bonus Chapter 3 - Full Lockdown with Windows SteadyState

………. order this book, it’s worth the money. I have the previously published GPO books and they have been extremely useful so far.

Posted in Group Policy, Reading, Tip

Updated MS10-015 Security Update and Kernel Update Compatibility Assessment Tool

Posted by Alex Verboon on 2nd March 2010

During the past weeks we have seen quite a few messages about the MS10-015 security update, which can cause bluescreens after being installed. According to a recent post on the Microsoft Security Response Center blog, there is a revised installation package for MS10-015 that prevents the update from installing if abnormal conditions exist, such as an infection by a computer virus like the Alureon rootkit. More details about the updated MS10-015 security update can be found here.

In addition, Microsoft today also released the Kernel Update Compatibility Assessment Tool, which allows systems administrators who are concerned about deploying MS10-015 throughout their enterprise to perform an upfront assessment to identify clients that could have a compatibility issue with MS10-015.

Besides the compatibility tool mpsyschk.exe itself, Microsoft has also added a sample batch file that could be added to a corporate logon or startup script. The script executes mpsyschk.exe and reports the status into a log file that can be stored on a central share. In a very large environment you may also want to consider writing the status into a local log file and collecting the results through a custom inventory on your Systems Management system.

Posted in Security, Tools

Changing Internet Explorer Security Settings on Windows Server 2008

Posted by Alex Verboon on 22nd November 2009

While I was preparing my home lab for some Group Policy tests I wanted to perform, I got an error when generating a report in the Group Policy Management Console, which is running on a Windows Server 2008 with Internet Explorer 8.

The error was: “An error occurred in the script in this page”

A search on the web indicated that this had to do with the Internet Explorer Security Settings, but when I opened the Internet Explorer Security settings I noticed that I could not change them since all buttons were grayed out.

But wait a minute, I’m the Administrator on this box, so why should I not be able to change these settings? Another search on the web pointed me to the Internet Explorer 8 Enhanced Security Configuration, which places the server and Internet Explorer in a configuration that decreases the exposure of servers to potential attacks.

To configure the Internet Explorer Enhanced Security Configuration, you must open the Server Manager and start “Configure IE ESC”.

Then turn off IE ESC for Administrators.

Start Internet Explorer again, and you will notice that you can now configure the Security Settings.

I then clicked on “Reset all zones to default level”. The next time I opened the Group Policy Manager, I could run the settings report without any error.

Resources:
Internet Explorer 8 Enhanced Security Configuration

Posted in Group Policy, Internet Explorer, Windows Server 2008

Microsoft Baseline Security Analyzer with support for Windows 7 and Server 2008 R2

Posted by Alex Verboon on 27th October 2009

With the launch of Windows 7, Microsoft also released an updated version of the Microsoft Baseline Security Analyzer, also known as MBSA. The version is 2.1.1, which indicates that this is basically just a minor revision of the previous MBSA 2.1, and that is exactly what it is. MBSA 2.1.1 does not appear to bring any new features other than adding support for Windows 7 and Windows Server 2008 R2.

Hoping to find at least something new, I had extracted the content of the MBSASetup-x64-EN.msi of both versions, but could not find any differences other than some updated readme and about files and the newly compiled executables. Also, when launching the new MBSA it’s only showing 2.1 and not 2.1.1.

The MBSA 2.1.1 can be downloaded from here.

Posted in Deployment, Security, Tools, Windows 7, Windows Server 2008 R2

Office 2007 Trusted location configuration

Posted by Alex Verboon on 26th August 2009

When opening an Excel file that contains macros, Microsoft Excel 2007 shows a security warning and disables the macros.

To continue using the Excel sheet and its macros, you must first enable them by clicking on the “Options…” button and selecting the “Enable this content” option. This is quite annoying if you must use that same file on a regular basis. You could of course completely disable this security warning on your entire system, but then there is a risk of one day opening content that could contain unwanted code.

But if you are sure that files located at a specific location can be considered safe, you can configure Trusted Locations in Excel 2007. Once that folder is configured as a trusted location, your Excel files will open without disabling the macros.

To configure Trusted Locations in Excel 2007, press the Alt+F key and then the Alt+I key to access the Excel Options, then select “Trust Center”, “Trust Center Settings”, “Trusted Locations”.

Then select “Add new location”. I used C:\data\trust for this example.

Press the “OK” button to confirm your configuration.
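
A trusted location is only as safe as the set of people who can put files into it. The following PowerShell is an added example, not part of the original post: it reads the current user's Excel 2007 Trusted Locations from the registry (the standard `Office\12.0` layout) and flags network paths and folders that Everyone, Authenticated Users or the local Users group can write to. The function names are hypothetical.

```powershell
# Added example, not code from the original post. Function names are hypothetical.
$TrustedKey = 'HKCU:\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations'
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$BroadSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-BroadWrite {
    param([string]$Path)
    # $null = folder missing or unreachable, so the ACL could not be read
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $write   = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Ask for the rules with SIDs so the check also works on localized systems
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $r.IdentityReference.Value -and
            (([int]$r.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

function Get-ExcelTrustedLocation {
    if (-not (Test-Path $TrustedKey)) { return }
    Get-ChildItem $TrustedKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if (-not $p.Path) { return }      # skip subkeys without a Path value
        $path = [Environment]::ExpandEnvironmentVariables($p.Path)
        [pscustomobject]@{
            Key             = $_.PSChildName
            Path            = $path
            AllowSubFolders = [bool]$p.AllowSubFolders
            IsNetwork       = $path -match '^(\\\\|https?:)'
            BroadWrite      = Test-BroadWrite $path
        }
    }
}

# Review rows where IsNetwork or BroadWrite is True: anyone who can drop a
# workbook there gets its macros run without the security warning.
Get-ExcelTrustedLocation | Format-Table -AutoSize
```

For a folder such as the C:\data\trust used above, a `BroadWrite` of True means the NTFS permissions should be tightened before the folder is trusted.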

Posted in Excel 2007, Office 2007, Tip

Using AppLocker in Windows 7 video

Posted by Alex Verboon on 26th February 2009

Watch the Using AppLocker in Win7 video on TechNet, where Paul Cooke gives an insight into what AppLocker is, how it works and how to deploy it.

Posted in Applocker, Automation, Deployment, Security, Windows 7

Windows Update Explained

Posted by Alex Verboon on 14th February 2009

Just found a document called Windows Update Explained on the Microsoft Update Team Blog. The document provides a good insight on how Windows Update works.

Posted in Automation, Deployment, Knowledge, Reading, Tip, Vista, Windows 7, Windows Server 2008, Windows XP

SQL Server services user account

Posted by Alex Verboon on 20th November 2008

When you install SQL Server 2000 / 2005 / 2008 you can configure under what user account the services are running. In the past I’ve often seen people selecting “local system”. I also selected that… not thinking too much about security then, and it was the easiest to do with no need to create an additional user account, and as long as you don’t need to access any other domain resources that worked fine.

Today, from a security perspective though, running the SQL services under the local system account is probably not a good idea, as the local system account is equivalent to a local administrator, so bad code that might get into your SQL server might hit the underlying system as well. From reading various SQL forum postings and articles and Microsoft TechNet articles, it appears to be best to simply create standard user accounts; during installation these accounts are given the necessary permissions they need on the system.

If you don’t need access to other domain resources, the creation of local user accounts on the system that hosts the SQL server is enough; if you do, create them in AD.

The article “Picking Service Accounts” describes it all in more detail. (Note that you must register yourself to read articles on SQLServerCentral.com.)
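
To find installations that still follow the old habit, the following PowerShell audits the logon account of each local SQL Server service. It is an added example, not part of the original post; the service-name patterns (default and named instances of the engine and the agent) and the function names are assumptions.

```powershell
# Added example, not code from the original post. Function names and the
# service-name patterns are assumptions.
function Get-LocalAdminAccount {
    # Direct members of BUILTIN\Administrators, found by well-known SID so the
    # lookup also works on localized systems. Nested groups are not expanded.
    $grp = Get-CimInstance Win32_Group -Filter "LocalAccount=TRUE AND SID='S-1-5-32-544'"
    Get-CimAssociatedInstance -InputObject $grp -Association Win32_GroupUser |
        ForEach-Object { ('{0}\{1}' -f $_.Domain, $_.Name).ToLower() }
}

function Get-SqlServiceAccountAudit {
    $admins = @(Get-LocalAdminAccount)
    $filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name='SQLSERVERAGENT'"
    Get-CimInstance Win32_Service -Filter $filter | ForEach-Object {
        # '.\user' denotes a local account; expand it to COMPUTER\user
        $prefix  = $env:COMPUTERNAME + '\'
        $account = ([string]$_.StartName -replace '^\.\\', $prefix).ToLower()
        $finding = if ($account -eq 'localsystem') {
            'Runs as LocalSystem'
        } elseif ($admins -contains $account) {
            'Account is a local administrator'
        } else {
            'Not a direct member of local Administrators'
        }
        [pscustomobject]@{
            Service = $_.Name
            Account = $_.StartName
            State   = $_.State
            Finding = $finding
        }
    }
}

Get-SqlServiceAccountAudit | Format-Table -AutoSize
```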

Posted in SQL, Security, Tip

All security updates on a DVD

Posted by Alex Verboon on 20th October 2008

I do periodically browse through the Microsoft Download Center (Beta) to see if there is anything new that is of interest to me. Today I came across Article 913086, which describes an alternative way of obtaining all Microsoft security patches for all operating systems and languages.

The ISO image files are intended for corporate administrators who:

  • Manage large multinational organizations.
  • Must download multiple individual language versions of each security update.
  • Do not use an automated solution such as Microsoft Windows Server Update Services (WSUS).

Posted in Deployment, Security, Tip

ToolTip – chml.exe manage Windows Integrity Levels

Posted by Alex Verboon on 20th October 2008

To be honest I haven’t gone into the details of the Windows Integrity Levels myself, but wanted to mention the chml.exe tool that can be downloaded from Mark Minasi’s web site.

More details about the Windows Vista Integrity Mechanism can be found here:

Posted in Security, Tip, Tools, Vista

Reading – Administering Windows Vista Security

Posted by Alex Verboon on 6th July 2008

Although you usually don’t read IT related books from page 1 and end on the last page, I consider myself to have finished reading Mark Minasi’s Administering Windows Vista Security – The Big Surprises.

While many IT books can end up being a bit annoying, I found this one very nice to read as it does include the author’s own opinion and practical experiences, and it reads really fluently.

The book gives you a good insight into Vista’s UAC, File and Registry virtualization and other security related topics.

Furthermore, the book contains some practical examples, including demonstration tools that can be downloaded from Mark’s website, to better understand how registry and file virtualization works.

Posted in Reading, Vista