Archive for the 'security' Tag

PhoneFactor offers an easy-to-implement, inexpensive solution for IT groups that want two-factor, mobile-phone-based authentication without the overhead of physical tokens and licensing.

PhoneFactor is free for up to 25 users and reasonably priced after that. The beauty of PhoneFactor is that it utilizes something users already have – a mobile phone – as a token rather than a proprietary device.

PhoneFactor Agent, the software behind the service, acts as a RADIUS server for authentication to network resources such as a VPN. When a user attempts authentication, he will still first be prompted for a user name and password. After he enters those details, the service will place a call to his phone and require the user to answer the call and press the “#” button. Once this is completed, the user is successfully authenticated.

In this tutorial we will install the Agent on Windows Server 2008 R2, integrate with Active Directory, link a few user accounts, and set up a RADIUS server.

Getting started

You can download the PhoneFactor Agent after registering here. You will need a mobile phone to register since PhoneFactor utilizes their own system on their customer portal. Run the installer and launch the PhoneFactor Agent. You will be greeted by the Authentication Configuration Wizard, where you can:

(more…)

In this article you will learn how to improve your network security by disabling Universal Serial Bus (USB) drive usage in your Active Directory domain.

Universal Serial Bus (USB) flash drives are undeniably convenient and easy to use. However, these devices pose very real security threats.

Number one, allowing your users to mount their own USB flash drives provides a vector for malicious code into your network. Number two, a malicious user can steal sensitive data by copying it to their flash drive and leaving the campus.

Here are a couple excellent articles that delve more deeply into IT security threats posed by USB devices:

You may decide to institute an IT security policy in your domain that prohibits use of personal USB devices. This is all well and good, but how many of your users will actually adhere to the policy without some kind of a control in place?

(more…)

In this article you will learn some best-practice suggestions for using service applications according to the IT security rule of least privilege.

In my previous article, we defined services and service accounts and also examined what options there are for selecting a service account for use with a particular service or application.

Here we take that fundamental knowledge and put it in more of a practical context. In real world multi-tier Web application scenarios, a Windows administrator can quickly become overwhelmed in keeping track of which service account he or she used with which application or service.

Consider the following example diagram:

A typical multi-tier Web application topology

(more…)

In this article you will learn four quick methods for increasing the security of a SQL Server 2008 R2 instance. This article is intended for Windows systems admins who don’t know (or don’t want to know) much about SQL Server.

If you are a Windows systems administrator, then there is a good chance that you are also an unwilling SQL Server DBA. After all, many organizations host line of business (LOB) applications that use SQL Server 2008 as their back-end data store.

Your organization may be subject to industry and/or governmental regulations that require you to step up the security of your IT infrastructure. On the other hand, the mere threat of data penetration or compromise may have you asking the question, “How can I secure our SQL Server databases without my having to know T-SQL and SQL Server architecture?”

The purpose of this article is to provide you with some nitty-gritty, fairly easy to implement security tweaks for SQL Server 2008. Of course, there is no such thing as a secure system. Instead, we have degrees of security, from low to high. Nevertheless, by following the tips I give you in this article, you will substantially improve the security of your SQL Server systems.

(more…)

In this article you will learn the basics of managed service accounts in Windows Server 2008 R2.

Here’s the situation: You are called in to consult for a client, and in examining their IT infrastructure you observe no organization as to how service accounts are deployed. For instance, some line-of-business (LOB) applications are using the domain Administrator as their service account identity, while others use the Local Service or Network Service identity.

Recently, the client began associating application services with dedicated domain user service accounts. However, because domain password policy forces password changes every 60 days, the manual reassignment of service account passwords created organizational headaches for the IT support staff.

How can you resolve this mess of a real-world situation?

(more…)

SetACL Studio is a management tool for Windows permissions. It combines powerful features with an intuitive user interface.

Helge Klein, the author of this article, is raffling off five licenses of SetACL Studio, each worth $14.95 USD. The deadline for this contest is November 24. If you want to take part in this raffle, please send an email with the subject “SetACL Studio” to .

Set Windows permissions with SetACL Studio

(more…)

In this final part of this four-part series, we’ll look at LocalGPO, which is a bit of a hidden gem in SCM, and round off the look at SCM with a summary.

LocalGPO in SCM v2

LocalGPO is included with SCM, but there’s no dependency between the two programs. Once you’ve installed SCM, there’s an option on the Start Menu to also install LocalGPO. The traditional role of LocalGPO is to control workgroup computers where centralized AD deployment of GPOs isn’t an option, but in SCM v2 there’s also a new GPOPack feature that works with Microsoft Deployment Toolkit (MDT) 2010.

LocalGPO lets you export the current configuration of a reference computer as a GPO object, provided you’re a local administrator and the export folder already exists:

LocalGPO.wsf /Path:c:\GPOBackup /Export

LocalGPO also allows you to apply settings from a GPO backup file type to the local PC:

LocalGPO.wsf /Path:c:\GPOBackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG}

(more…)

In this third part of four, we’ll learn how to add settings to a baseline, examine the new user interface innovations in SCM v2, and see how to Compare and Merge baselines.

Adding settings to a baseline in SCM v2

There will be times when a particular baseline is missing a setting that you’d like to include; remember that the baselines only include security settings where Microsoft has best practice guidance. In SCM v1 you had to import a Setting Pack, which gave you ALL the GPO settings for a product, and you then had to delete the settings you didn’t want.

SCM v2 has a great new feature that is much better: the Add a Setting command lets you pick the relevant product and the group within the baseline in which you’d like to add the setting(s), and presents a comprehensive list of all the settings. You can also search and filter the list of available settings.

SCM v2 - Add Setting

Adding settings to your custom baseline has never been easier.

(more…)

In this second part of four, we’ll learn about the new GPO Import feature in SCM v2. We’ll also see the many stakeholders involved in the creation of a baseline and learn how new baseline settings are categorized.

Import GPOs in SCM v2

To import your current security GPO settings into SCM v2 so that you can compare them to Microsoft’s recommendations, start by backing up the relevant GPOs using the Group Policy Management Console (GPMC). Any AD administrator should be familiar with this process; relying on system state backups to recover a corrupt GPO is an exercise in frustration. Each GPO will be stored in a folder with a long Globally Unique Identifier (GUID) folder name.

Back in SCM, click GPO Backup (folder) in the Action pane on the right and point to the folder. If you have ADM / ADMX or GP Preference files associated with a particular GPO, SCM will save these to a subfolder of the public folder for the user, and if you later export a GPO object based on the import, these files will be restored. Once you have imported a GPO, simply use the Merge or Compare options to match it to a baseline; this will be covered in part 3.

(more…)

In this first part of four posts, we’ll examine what SCM v2 is and why it’s such an important tool for sysadmins. We’ll also cover installation options and introduce the main console.

This review was written on SCM v2 beta; the beta period has ended and SCM v2 is now available for download here. Note that the release date on the download page is incorrect; this is the final RTW (Release To Web) version of SCM v2.

Foreword

Group Policy is one of the most powerful tools in a sysadmin’s arsenal, not only for making sure users don’t get themselves into too much trouble but also to establish security standards across client and server machines.

For quite some years Microsoft have produced security guidance for Group Policy, covering what settings to use and how to configure them, but most administrators don’t have time to trawl through lots of documentation. To make it easier for busy administrators to make well-informed decisions when building Group Policy Objects (GPOs), Microsoft published the free tool Security Compliance Manager (SCM) v1 in early 2010.

(more…)

StatWin Server Enterprise is employee monitoring software that supports website logging, keystroke recording, instant messaging recording and more.

Author: Vitaly Dvorak

SXR software is raffling off three licenses of their employee monitoring software StatWin Server Enterprise, each worth $399 USD. You can monitor up to 25 employees with this license. The deadline for this contest is July 26, 2011. If you want to take part in this raffle, please send an email with the subject StatWin to .

StatWin Enterprise employee monitoring

(more…)

Microsoft Safety Scanner is a free portable antivirus program that can be launched from a USB stick.

The Microsoft Safety Scanner was just released a few days ago. The free portable antivirus tool only comes as a simple EXE file and is available as a 32-bit and 64-bit version. The EXE file contains all the virus signatures.

A portable antivirus program is useful whenever you want to scan a PC that lacks antivirus software. If you don’t have a Microsoft antivirus scan engine installed (Microsoft Security Essentials or Forefront), you can use the Safety Scanner if you need a second opinion.

(more…)

This article explains how Data Execution Prevention (DEP) works and how to turn it off and on in Windows 7, Windows Vista, and Windows Server 2008 (R2).

Data Execution Prevention (DEP) is a security feature of the CPU that prevents an application from executing code from a non-executable memory region. This is supposed to prevent buffer overflow attacks from succeeding. Since Microsoft introduced support for DEP in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, it has been included in every version of Windows.

How DEP works: Hardware enforcement and the role of the OS

Data execution prevention works by marking certain memory pages as intended to hold only data and no executable code. This is achieved by setting a special bit in the page table entry called NX, for No eXecute, or XD, for eXecute Disabled. It’s the responsibility of the OS to set the NX bit for the stack and heap memory areas. If a malfunctioning program – or malware – should try to execute code from an NX-marked memory page, the CPU will refuse to do so and trigger an interrupt instead, which causes the OS to shut down the application.

(more…)

This post gives some tips on how to deal with computers that have been offline for a while.

A common security problem is a PC that has been offline for some time and therefore lacks the latest malware definition updates. Many organizations make the mistake of allowing PCs such as this to go online, hoping that the online updates will reach the machines before the latest computer worms do.

An even more severe mistake is deploying OS images without ensuring that all antivirus definitions are in the image. Many admins just install the latest antimalware software and believe that the software’s update mechanism will do the rest for them. However, many antivirus solutions don’t download new updates immediately. Depending on the number of images that you deploy, this can be a serious security threat to your organization.

(more…)

USB Alert is a USB stick watcher that prevents users from forgetting their USB stick by blocking shutdowns and logoffs as long as a USB stick is connected.

I wonder if there is a study about the costs involved with forgotten USB sticks in businesses. A user wants to continue work at home or on a business trip, but the required data is on a USB stick in the desktop at the office. Even more problematic are forgotten USB sticks that contain sensitive data.

One solution to this problem is to let users store their data in the cloud. But many feel uncomfortable knowing that only a password prevents hackers around the globe from getting access to their confidential data.

USB stick watcher - USB Alert Windows XP

(more…)
