PhoneFactor is free for up to 25 users and reasonably priced after that. The beauty of PhoneFactor is that it utilizes something users already have – a mobile phone – as a token rather than a proprietary device.

PhoneFactor Agent, the software behind the service, acts as a RADIUS server for authentication to network resources such as a VPN. When a user attempts authentication, he will still first be prompted for a user name and password. After he enters those details, the service will place a call to his phone and require the user to answer the call and press the “#” button. Once this is completed, the user is successfully authenticated.

In this tutorial we will install the Agent on Windows Server 2008 R2, integrate with Active Directory, link a few user accounts, and set up a RADIUS server.

Getting started

You can download the PhoneFactor Agent after registering here. You will need a mobile phone to register since PhoneFactor utilizes their own system on their customer portal. Run the installer and launch the PhoneFactor Agent. You will be greeted by the Authentication Configuration Wizard, where you can:

• Enable replication between agents: Allows you to replicate data between multiple installations. Since we are only installing it on one server, do not check.
• Select Applications: You can apply PhoneFactor to a variety of applications, including Citrix, Outlook Web Access, and Remote Desktop. For our purposes, we will only choose VPN.
• VPN with Radius: Specify your VPN server IP address as well as a strong shared secret between the VPN server and PhoneFactor. Leave the default port options as-is.
• VPN Target: Since we want to authenticate against a Windows domain, we will choose Windows domain. However you can also use another RADIUS server (some firewalls have built-in RADIUS servers, so you can redirect back to the firewall).

Phonefactor Agent Configuration

Click Finish and let PhoneFactor do its magic. Once the setup is complete, you can begin using the Agent.

Locking down PhoneFactor

By default, PhoneFactor will allow any user who successfully authenticates against AD to sign in – if no user is defined (and no phone number is linked), it will just authenticate the user. In most cases, you would not want this to happen. Navigate to Company Setup and choose “Fail Authentication” when user is disabled.

Fail authentication

We will also want to specify a default search domain for AD users. Choose the “Username Resolution” tab and specify a default search domain for the option “Use Windows security identifiers (SIDs) for matching usernames.”

Security identifiers (SIDs)

Finally, if your Active Directory user account setup is non-standard, you should navigate to Directory Integration and confirm in the “Filters” and “Attributes” tabs that the data fields you wish to use are the ones that PhoneFactor will use. Most administrators will not need to do this.

Directory Integration

Adding users

Now we can begin adding users to our PhoneFactor implementation. Because of our previous setup, only users who have been added to PhoneFactor with a phone number defined will be able to authenticate successfully against AD. After all, not all users will require remote access. Navigate to the Users section and click “Import from Active Directory.”

This powerful interface allows you to select users by OU or filter terms. You can import all users at once – which is not advisable – or specify which ones to import in a granular fashion. The users you have selected will appear in the window on the right. You will notice that by default, “Only New Users with Phone Numbers” are enabled. This is the behavior you want, since users without a phone number will authenticate using only their AD credentials. Once you are ready, click “Import.”

Import users

In many cases, you will not have defined phone numbers yet for your users in Active Directory. This is OK; you will just need to do so now for each authorized user. Double-click the user, then define a phone number and enable the user.

Phone number – Enable user

Finally, you will see your newly-enabled user in the users listing. Once you have defined all of your users, you will need to configure your VPN server to authenticate using RADIUS.

User listing

VPN Server Configuration with PhoneFactor RADIUS

Since there are so many VPN servers out there, we will focus on a few general tips for setting this up. You will typically need to provide:

• PhoneFactor Agent IP
• PhoneFactor Agent Ports: Typically, 1645,1812 for authentication and 1646,1813 for accounting. Make sure the firewall on your Agent server does not block this traffic
• Shared Secret: This is the secret you had defined in the wizard and it should be strong since it will serve as a barrier between your VPN server and the RADIUS server.
• Timeout: Make sure you set a fairly high timeout value; by default, most VPN servers do not give you a lot of time to authenticate because the RADIUS server is local to the network and does not take long to perform the lookup. However, since PhoneFactor takes about 3-5 seconds to place the call, and the user can take anywhere from 2-20 seconds to actually respond, I would recommend a timeout of at least 30 seconds.

That’s it! Though PhoneFactor offers more powerful features (especially in paid versions), you are already set up and ready to authenticate. For small businesses with fewer than 25 users, PhoneFactor is a free and easy to implement two-factor authentication solution. Give it a try today!

PhoneFactor

• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)
• Raffle: SetACL Studio – Set Windows permissions (1)

Universal Serial Bus (USB) flash drives are undeniably convenient and easy to use. However, these devices pose very real security threats.

Number one, allowing your users to mount their own USB flash drives provides a vector for malicious code into your network. Number two, a malicious user can steal sensitive data by copying it to their flash drive and leaving the campus.

Here are a couple excellent articles that delve more deeply into IT security threats posed by USB devices:

• Social Engineering, the USB Way
• USB Drives Pose Insider Threat

You may decide to institute an IT security policy in your domain that prohibits use of personal USB devices. This is all well and good, but how many of your users will actually adhere to the policy without some kind of a control in place?

Fortunately, Windows Server 2008 R2 provides us administrators with a method for easily disabling USB drive access on Active Directory domain assets. Let’s get to work.

Defining the restriction

One important thing to keep in mind is that Microsoft made it MUCH easier to control removable drive access in Windows 7/Windows Server 2008 R2 Group Policy. If you need to restrict USB drives on earlier client operating systems (including Windows Vista), then one of the following links should prove helpful to you:

• How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?
• Group Policy..Block USB
• HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
• Step-by-Step Guide to Controlling Device Installation Using Group Policy

Now then: from one of your Active Directory Domain Services domain controllers or from an administrative workstation, open the Group Policy Management Console and link a new GPO to the appropriate target (domain, OU, etc.).

Within the Group Policy Editor, navigate to \Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

NOTE: If you prefer to set these restrictions on a per-user basis instead of computer-wide, then use the Group Policy path \User Configuration\Policies\Administrative Templates\System\Removable Storage Access.

Group Policy – Removable Storage Access

Note from the above screenshot that we can use Group Policy to limit access to the following device classes:

• Optical drives (CD and DVD)
• Floppy drives
• Removable disks (USB devices)
• Tape drives
• Custom device classes

By far, the most restrictive restriction (pardon the redundancy) is the policy All Removable Storage Classes: Deny All Access. If we enable this policy, as is shown in the following screen capture, then we prevent affected users from mounting ANY class of removable media.

All Removable Storage classes – Deny all access

Naturally, we want to apply GPO security filtering to ensure that only our desired users and computers are affected by our new policy. From the Group Policy Management Console we can make use of the Security Filtering and/or the WMI Filtering areas to properly scope our GPO. This is depicted in the following screen image:

Disable USB drive

In order to put your new GPO into effect immediately, open an administrative command prompt and issue the following command:

gpupdate/ force

This command refreshes Group Policy throughout your Active Directory domain.

How the restriction works

Once your GPO has been ingested by your domain, a user will see the following message box whenever they attempt to mount a restricted media device:

Disabled removable drive

It’s as simple as that!

Conclusion

In this article you learned how to leverage Windows Server 2008 Group Policy to disable USB drive us in our Active Directory domain. Have you initiated this policy in your environment? Please feel free to share your experiences and questions in the comments portion of this post.

• Microsoft Exam 70-640 – Active Directory trusts – Sample question (0)
• Microsoft Exam 70-640 – Active Directory trusts (0)
• Microsoft Exam 70-640 – Active Directory Forests and Domains – Sample question (5)
• Microsoft Exam 70-640 – Active Directory Forests and Domains (0)
• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)

In my previous article, we defined services and service accounts and also examined what options there are for selecting a service account for use with a particular service or application.

Here we take that fundamental knowledge and put it in more of a practical context. In real world multi-tier Web application scenarios, a Windows administrator can quickly become overwhelmed in keeping track of which service account he or she used with which application or service.

Consider the following example diagram:

A typical multi-tier Web application topology

Think of how many service accounts we require in the preceding scenario:

• Client services (likely if the client is using anything beyond a simple Web browser to access the Web application)
• IIS services
• AD and related infrastructure services (DNS, DHCP, etc.)
• Application services (SharePoint 2010, for instance, requires an entire suite of service account-attached services and applications
• SQL Server services
• “Standard” Windows services (Server service, etc.)

What is a busy Windows systems administrator to do? Well, read on and I’ll tell you.

Tip #1: Remember the Principle of Least Service

The IT security principle of least service means, in a nutshell, if you don’t absolutely require a specific service, disable it. Just turn it off. By performing this action we not only conserve system and possibly network resources, but we also reduce the number of attack vectors a malicious user can employ to penetrate your network.

As you know, we can manage all aspects of Windows services by using either the Service Control Manager (services.msc) MMC console or (even better) through Group Policy. The relevant Group Policy path is \Computer Configuration\Preferences\Control Panel Settings\Services.

Managing services with Group Policy

Tip #2: Know exactly what your applications and services are doing

Microsoft does a fairly decent job of enumerating the system privileges and file system permissions that its enterprise applications grant automatically to service accounts. For instance, check out the following links and prepare to be surprised:

• SharePoint 2010 Account Permissions and Security Settings
• SQL Server 2008 R2: Setting Up Windows Service Accounts
• Exchange 2010: Roles, Rights, and Permissions

You need to remain ever-aware of any “out of the box” privilege escalation that your line-of-business applications grant to service account. The best way to do this is to keep a wary and scrupulous eye on the vendor’s documentation.

Tip #3: Be Vigilant regarding the Everyone and Authenticated users groups

Everyone and Authenticated Users are dynamic security principals, which means that their membership is controlled by your network environment itself and that we administrators cannot control membership to these group identities.

The Everyone identity includes all authenticated and unauthenticated network users (this includes Local Service, people).

The Authenticated Users identity includes all domain user and computer accounts who have successfully authenticated to Active Directory. This group includes the Local System and Network Service built-in service account identities.

Thus, our “take-home” message is to keep a careful eye on where and how we are assigning access permissions to these two special groups.

We can control which accounts have which system privilege by using Group Policy; the relevant Group Policy path is \Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

Managing user rights with Group Policy

NOTE 1: System privileges are also called user rights. Either way, we refer to system-wide abilities such as logging on as a service, logging on locally, changing the system time, and so forth.

NOTE 2: Be sure to exercise due diligence and perform research prior to making user rights assignments in Group Policy. We don’t want to inadvertently break LOB application access.

Tip #4: Remember that network service authenticates as the Computer

If you opt to associate the built-in Network Service service account to a network-aware service, be aware that when that service makes a remote connection, it does so under the security context of the “calling” computer account (not user account).

Thus, you may need to adjust the discretionary access control lists (DACLs) on relevant target systems to include an access control entry (ACE) for the calling computer.

Editing a DACL for an IIS Web application

Tip #5: Use separate domain user accounts for services and applications

The main reasons why I suggest that you use dedicated domain user accounts for service accounts instead of the built-in identities are as follows:

• By using domain user accounts as service account logons, you can more granularly audit access locally and across your network
• For applications that support them, managed user accounts (MSAs) enable you to use domain password policy with your service accounts
• A domain user account has unquestioned visibility throughout your entire domain and Active Directory forest
• Domain user accounts can be more definitively targeted with Group Policy
• Using domain user accounts consistently makes it easier to manage multi-tier application infrastructures

Speaking of Group Policy, you might want to ensure that your domain service accounts are denied the Log on Locally user right at the very least. This action will prevent a malicious user from succeeding in an interactive logon attempt by using a breached service account.

With regard to my final point about consistent use of service accounts, Microsoft recommends that you assign different service accounts to different services within each enterprise application. The thinking here is that an attacker would have to compromise more than one account to “own” your application.

The only “gotcha” with using multiple service accounts is the pure confusion factor that can happen if you deploy the service accounts with no consistency. To reduce the confusion, (a) store your service accounts in separate organizational units (OUs) in Active Directory; and (b) name the accounts in an intuitive manner.

Conclusion

In this lesson we learned some industry best practices for using service accounts in a Windows-based, multi-tier application infrastructure. To be sure, we have truly only scratched the surface of this behemoth of a topic.

Please feel free to share your own experiences, war stories, tips, etc. in the comments portion of this post. The Windows admin community deeply needs a vibrant yet solid knowledge base for this subject.

Further reading

• Service Accounts Step-by-Step Guide
• Services and Service Accounts Security Planning Guide

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices Part 1: Choosing a Service Account (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

If you are a Windows systems administrator, then there is a good chance that you are also an unwilling SQL Server DBA as well. After all, many organizations host line of business (LOB) applications that use SQL Server 2008 as their back-end data store.

Your organization may be subject to industry and/or governmental regulations that require you to step up the security of your IT infrastructure. On the other hand, the mere threat of data penetration or compromise may have you asking the question, “How can I secure our SQL Server databases without my having to know T-SQL and SQL Server architecture?”

The purpose of this article is to provide you with some nitty-gritty, fairly easy to implement security tweaks for SQL Server 2008. Of course, there is no such thing as a secure system. Instead, we have degrees of security, from low to high. Nevertheless, by following the tips I give you in this article, you will substantially improve the security of your SQL Server systems.

Tip #1: Change the default SQL Server port

By default, the first installation of a SQL Server 2008 engine (called the default instance) listens for incoming connections on TCP port 1433. This is bad news, of course, because any malicious user seeking to fingerprint your network will probe this well-known port in search of SQL Server services.

Additional installations of SQL Server on the same box (called named instances) will be dynamically assigned a TCP port number by SQL Server. However, I recommend you hard-code a personally chosen (and non-standard) port number for all of your SQL Server 2008 services.

Remember that SQL Server 2008 consists of several different services, each requiring its own TCP socket:

• SQL Server Database Engine
• SQL Server Agent
• SQL Server Analysis Services (SSAS)
• SQL Server Reporting Services (SSRS)
• SQL Server Integration Services (SSIS)

Before you change the listener port for SQL Server, please check in with your application development team beforehand. The last thing you want to do is to inadvertently break your LOB applications that may be hard-coded to connect to SQL Server by using the default port.

You’ll also want to check in with the individual(s) who manage your corporate firewall, because exceptions will doubtless need to be created for the newly assigned SQL Server port numbers.

Rather than give you the click-by-click procedures for securing SQL Server in this article, I will instead point you to hand-picked external Web sites that have already undertaken the task in excellent form.

For instance, to learn how to change the SQL Server listener port numbers, please consult the following article:

• How to: Configure a Server to Listen on a Specific TCP Port (MSDN)

Tip #2: Harden SQL Server service accounts

Each SQL Server 2008 engine that you install has an associated Windows service account. Your first plan of attack is to create a separate low-privilege Active Directory user account for use by each SQL Server service.

The reason why you don’t want to use a single service account is that if someone compromises the account, they would be able to control all SQL Server services.

SQL Server will automatically grant the service account any relevant OS privileges; therefore, you should never make your SQL Server service accounts a member of any administrative group.

Here are a couple of nice tutorial links on how to specify service account identities for SQL Server 2008:

• SQL Server Service Accounts
• Server Configuration – Service Accounts

We also want to ensure that our SQL Server service accounts have strong passwords. This subject introduces a common Windows administrator conundrum: password policy. Normally, when user accounts have password expiration, this produces headaches with service accounts and potentially breaks LOB applications that contain hard-coded references to service account passwords.

If you run Windows Server 2008 R2, you can leverage the stunningly awesome managed service account (MSA) capability and let Windows itself manage the passwords for service accounts.

To create and manage MSAs, we use Windows PowerShell 2.0. See the following link for instructions:

• Creating a Managed Service Account
• Service Accounts Step-by-Step Guide

Tip #3: Take control of authentication

As you may already know, SQL Server 2008 supports both Windows-integrated authentication as well as SQL Server authentication. Unless you have a compelling reason to use local SQL Server accounts, I strongly suggest that you go with Windows authentication so you can take advantage of:

• Domain password policy
• Kerberos authentication protocol

You also already know that you should change the names of your default Administrator and Guest accounts, right? Right.

Even if you choose not to enable SQL Server authentication, you should rename and potentially disable the built-in default system administrator (sa) SQL Server account. This can be accomplished either with the SQL Server Management Studio GUI tool or by running a couple simple Transact-SQL statements:

alter login sa with name = secretsa

go

alter login secretsa disable

go

Tip #4: Limit access of Public role and Guest account

SQL Server security is a thorny conceptual bush, indeed. The role-based security model in SQL Server includes a Public server role as well as a Public database role in every database within an instance.

The Public roles function very similarly to the Everyone and Authenticated Users Windows identities. SQL Server grants the CONNECT system privilege to the Public server role, and the Public database role has SELECT privilege against several system views.

Therefore, you want to strip as much access from the Public roles as you can get away with, and certainly not grant the roles any additional privileges.

For more information on this subject, see the following:

• Understanding SQL Server 2008 R2 Fixed Database Level Roles
• Permissions of Fixed Server Roles
• Brad’s Sure DBA Checklist

Each SQL Server database also includes a Guest database user, which can be renamed and disabled but not dropped.

Conclusion

The tips I provided you in this article will go a long way toward making your SQL Server 2008 instances less vulnerable to abuse/attack and more in compliance with any industry and/or governmental security mandates.

Please feel free to share any additional easy-to-implement SQL Server security tips in the comments portion of this post.

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Single-user mode in SQL Server 2008 (0)
• Managed Service Accounts in Windows Server 2008 R2 (7)

Here’s the situation: You are called into consult for a client, and in examining their IT infrastructure you observe no organization as to how service accounts are deployed. For instance, some line-of-business (LOB) applications are using the domain Administrator as their service account identity, while others use the Local Service or Network Service identity.

Recently, the client began associating application services with dedicated domain user service accounts. However, because domain password policy forces password changes every 60 days, the manual reassignment of service account passwords created organizational headaches for the IT support staff.

How can you resolve this mess of a real-world situation?

Introducing Managed Service Accounts

In Windows Server 2008 R2, we finally have a solution to the problem of reconciling service accounts with Active Directory password policy: the Managed Service Account, or MSA.

When you define an MSA, you leave the account’s password to Windows. Thus, MSAs interoperate just fine with your organizational password policies. When it comes time to change the MSA password, Windows takes care of that for you, automatically generating a password that meets any complexity requirements you may have mandated.

As wonderful and convenient as MSAs are (and they are, trust me), we need to always keep in mind the IT security principle of least privilege. In other words, we must be careful not to assign permissions, either explicitly or implicitly, to the MSA account that are beyond the required access scope of that account.

Creating Managed Service Accounts

We use Windows PowerShell 2.0 to create and manage MSAs. From an elevated command prompt, type powershell to enter the Windows PowerShell environment.

Next, type import-module activedirectory to load the Active Directory PowerShell cmdlet library.

We use the new-adserviceaccount cmdlet to define a new MSA. For instance, the following statement creates an MSA named testmsa and enables the account for use:

PS>new-adserviceaccount –Name testmsa –Enabled $true

To verify that the MSA has been created and is "ready for action," so to speak, run the get-adserviceaccount cmdlet. Sample output from this cmdlet is shown in Figure 1:

The get-adserviceaccount cmdlet

NOTE: Windows appends a dollar sign ($) to the MSA account name. Therefore, an MSA named testmsa appears in the computer’s SAM or Active Directory as testmsa$.

We can also fetch MSA properties from Active Directory Users and Computers. Open the tool, click View > Advanced Features to display advanced features, and expand the Managed Service Accounts container. This is shown in Figure 2:

Viewing MSAs in Active Direcotry Users and Computers

Using Managed Service Accounts

Once they are defined, we can associate MSAs with applications and services by using any of the traditional methods with which you are familiar.

For instance, you can open the Service Control Manager, double-click a service, and navigate to the Log On tab to browse Active Directory for an MSA. This procedure is shown in Figure 3:

Assigning an MSA to a service

NOTE: Be sure to leave the Password and Confirm password fields empty. Remember, we are delegating account password management to Windows.

Once you apply the change, you will see a Services message box informing you that the designated MSA has been granted the Log On as a Service user right. This message box is shown in Figure 4:

Services message box

Taking the next step

From Windows PowerShell, you can issue the statement get-command –noun *adserv* to retrieve a list of all MSA-related cmdlets.

MSA-related Windows PowerShell cmdlets

You can then run help <cmdname> to obtain online help concerning syntax and usage concerning that specific cmdlet.

Conclusion

If you are like me, then you find that the Managed Service Account capability of Windows Server 2008 R2 is an administrative godsend. Windows PowerShell is increasingly becoming a "must have" skill set for Windows administrators; please see my 4sysops blog posts on the subject if you’d like a general introduction to Windows PowerShell.

• Microsoft Exam 70-640 – Active Directory trusts – Sample question (0)
• Microsoft Exam 70-640 – Active Directory trusts (0)
• Microsoft Exam 70-640 – Active Directory Forests and Domains – Sample question (5)
• Microsoft Exam 70-640 – Active Directory Forests and Domains (0)
• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)

Helge Klein, the author of this article, raffles off five licenses, each worth $14.95 USD of SetACL Studio. The deadline of this contest is November, 24. If you want to take part in this raffle, please send an email with the subject “SetACL Studio” to .

Set Windows permissions with SetACL Studio

Set permissions with Windows tools

Managing permissions has always been complicated on Windows. It takes five clicks just to view the owner of a folder. If you want to take a quick peek at the permissions – you cannot. Because the dialog is not resizable, you need to click and scroll around to view all entries. And before you can view permissions you need to have permissions you do not even get to see what is there. No wonder the permissions topic is not very popular among administrators.

Set Windows permissions with SetACL

Internally making use of the powerful engine of the popular free command line tool SetACL, SetACL Studio hides the complexity of Windows permissions behind an intuitive graphical user interface, showing you everything that is relevant on a single screen.

As you can see in the screenshot above, SetACL Studio covers nearly all areas of the system: it works with directories, files, registry keys, printers, network shares, services and WMI objects. And it works remotely just as well as on the local computer. In fact, you can add as many computers to the tree view on the left side as you like.

Showing everything, regardless of permissions

Unlike the tools built into Windows, SetACL Studio shows you everything. Once you run the program with admin rights, you can magically peek into corners of the system hidden in total darkness ever before. If you always wanted to know what is stored in the “System Volume Information” directory, SetACL Studio shows you.

SetACL Studio v1 – Display System Volume Information

Full replacement of Windows ACL Editor

With SetACL Studio installed there is no need to ever revert back to Windows ACL Editor. Not that it is likely that you would want to. SetACL Studio lets you change the owner; it adds, edits and deletes permissions; it configures inheritance from the parent object, and it resets child objects.

SetACL Studio – WMI with object picker

Undo permission changes

If you think that it might be a little dangerous to be able to change the security of any object on the system with a single click, you are probably right. Because humans make errors from time to time, SetACL Studio lets you undo any change to the system. Whenever you apply a change, a hyperlink appears at the top of the window that lets you undo it.

SetACL Studio v1 – Undo permissions changes

You can download the fully functional 30 day trial version of SetACL Studio from helgeklein.com. If you have any questions, the support forum is the right place to ask.

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

LocalGPO in SCM v2

LocalGPO is included with SCM but there’s no dependency between the two programs. Once you’ve installed SCM there’s an option on the Start Menu to also install LocalGPO. The traditional role of LocalGPO is to control workgroup computers where centralized AD deployment of GPOs isn’t an option but in SCM v2 there’s also a new GPOPack feature that works with Microsoft Deployment Toolkit (MDT) 2010.

LocalGPO lets you export the current configuration of a reference computer as a GPO object provided you’re a local administrator and the export folder already exists:

LocalGPO.wsf /Path:c:\GPOBackup /Export

LocalGPO also allows you to apply settings from a GPO backup file type to the local PC:

LocalGPO.wsf /Path:c:\GPOBackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG}

The GUID in italics is the identification of the GPO you want to apply.

The only drawback with LocalGPO in SCM v1 was the fact that you had to install LocalGPO on each machine where you’d like to use it and whilst it’s a quick installation this wasn’t very flexible.

Thus was born the new GPOPack option for LocalGPO which packs the executable and the baseline into a single self-extracting file which can be applied without any prior installation. Whilst you can use this in many situations it works very well as part of a task sequence in Microsoft Deployment Toolkit (MDT) 2010 to apply your security settings to a machine directly after installation with just a single line of code in a script.

If you don’t want to type out (and potentially misspell) long GUID folder names you can name the GPO Pack with a friendly name, be aware that this means you won’t be able to import the GPO object in the GPMC. When applying a GPOPack in a script point to the GPOPack.wsf file that’s created by the GPOPack option like this:

C:\GPObackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG }\GPOPack.wsf /path:C:\GPOBackups\{12345678-9ABC-DEFG-1234-56789ABCDEFG } /silent

You can also use LocalGPO to monitor workgroup computers in your environment for configuration drift, simply export their current settings and then compare them in SCM v2 against your company sanctioned baseline.

LocalGPO is a very versatile tool and the new GPOPack option opens up additional possibilities.

SCM v2 beta in summary

Everyone knows that both servers and client computers need to be locked down in a business environment, each successive version of Windows have added more versatile GPO options to achieve just that. But with the proliferation of GPO settings comes the difficulty in selecting the right settings and the appropriate level of lock down. Too locked down and users are hindered in their work and productivity suffers, too open leads to an insecure environment.

SCM v2 is an awesome tool that helps any administrator with these challenges which should bode well for its popularity. The new GPO Import functionality is great and the GPOPack in LocalGPO is really cool but most importantly the interface is much easier to work with.

SCMv2 is an excellent product that belongs in every sysadmins toolbox, especially considering it’s free.

Resources

Microsoft Solution Accelerators Security & Compliance blog

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

Adding settings to a baseline in SCM v2

There will be times when a particular baseline is missing a setting that you’d like to include, remember that the baselines only include security settings where Microsoft has best practice guidance. In SCMv1 you had to import a Setting Pack which gave you ALL the GPO settings for a product and you then had to delete the settings you didn’t want.

SCM v2 has a great new feature which is much better, the Add a Setting command lets you pick the relevant product, in which group within the baseline you’d like to add the setting(s) and a comprehensive list of all the settings. You can also search and filter the list of available settings.

Adding settings to your custom baseline has never been easier.

This feature is fueled by a new Settings Library than stores every configuration option that SCM knows about, in every product that SCM v2 covers. Today that includes Windows XP SP3 to Windows 7 and Office 2007/2010, and IE 7 to 9 on the client side, as well as Windows Server 2003 SP2 to Windows Server 2008 R2 SP1 on the server side. New settings will be included in the Library as Service Packs are released and you can check your library version in the About dialog.

The settings grid in SCM v2

A characteristic of using SCM v1 was that there was a lot of scrolling up and down through lists of settings, two innovations in SCM v2 will make this a bit easier.

If you select the Advanced view in SCM v2 (I hope this will be become the default or the only option in the released version) a breadcrumb bar lets you filter down in a baseline settings hierarchy. By clicking each button you’re shown only the settings that are available at that level. To jump back up to the top simply click the red cross at the end of the button row.

Once you’ve drilled down to a particular list of settings they’re grouped by horizontal bars that you can expand or collapse which makes it a lot easier to work with long lists of items. If you’re browsing a signed baseline there’s a link offering to create a modifiable copy on each page. This new way of working with settings soon becomes second nature; the UI was inspired by Windows Intune according to Jeff Sigman, Senior Software Design Engineer with the SCM team.

The thing I love about SCM though is how great a teaching tool it is. Every best practice setting is described in detail, not only what the setting does but what threat it’s designed for and how different settings mitigate the risk. If you prefer to read documents the old Word documents are still included in each baseline.

Use SCM to teach any junior admin about the power of GPO, IT security in general and why we use certain settings.

Merging and comparing baselines in SCM v2

When you’ve imported a GPO from your own environment (see part 1) and you’d like to see how it compares to the official guidance click Compare and select the two baselines. The results are presented in two views; a summary shows the number of settings that are different and lists unique settings in each baseline. The values tab on the other hand displays each individual setting and their configuration in each baseline.

Tag: Comparing two baselines is dead easy in SCM v2.

Sometimes you want to combine two baselines, the Merge feature allows you to pick the source and then point to a target baseline. The wizard then shows you the items that will change, with an option to deselect items that you don’t want to merge as well as which settings only exist in one baseline or the other and if there are settings that are identical in both baselines. If you want to delete settings from a baseline you can now select multiple items in one go; SCM v1 forced you to delete each setting one at a time.

If you’re in the US you might be familiar with the United States Government Configuration Baselines (USGCB) format, used mostly in governmental departments, SCM v2 is more reliable in its import of these files.

SCM v2 can also export baselines in the National Institute of Standards and Technology (NIST) format Security Content Automation Protocol (SCAP) format.

In the final part of this series we’ll look at LocalGPO, a command line companion tool to SCM and a new feature it offers for desktop deployment.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

Import GPOs in SCM v2

To be able to import your current security GPO settings into SCMv2 so that you can compare them to Microsoft’s recommendations start by backing up the relevant GPOs using the Group Policy Management Console (GPMC). Any AD administrator should be familiar with this process; relying on system state backups to recover a corrupt GPO is an exercise in frustration. Each GPO will be stored in a folder with a long Globally Unique Identifier (GUID) folder name.

Back in SCM click GPO Backup (folder) in the Action pane on the right and point to the folder. If you have associated ADM / ADMX or GP Preference files associated with a particular GPO, SCM will save these to a subfolder of the public folder for the user and if you later export a GPO object based on the import these files will be restored. Once you have imported a GPO simply use the Merge or Compare options to match it to a baseline, this will be covered in part 3.

The ease with which SCM v2 lets you import GPOs belies the power of this “full cycle” workflow for creating, testing and comparing security GPOs.

Baselines in SCM v2

I’ve always wondered where the recommendations in baseline comes from, are they just Microsoft’s thinking on the subject? Turns out that its whole lot more involved than that; Jeff Sigman, Senior Software Design Engineer with the SCM team at Microsoft explains how a baseline is created:

1. Subject-matter experts perform an initial deep dive into a product and produce draft guidance and recommendations.
2. The product group who is responsible for the architecture, design and maintenance of the product is involved and contributes to all aspects of the baseline recommendations.
3. Typically after enough testing to be reasonably sure of the quality of the baseline, a beta is released to our baseline community.
4. We directly reach out to all sizes and shapes of organizations. Small, medium and enterprises – all the way to the governments of the world.
5. We’ve built a strong relationship in particular with US Department of Defence agencies that sit down with our betas and weigh in on all the settings.
6. We have extensive field communities, like Microsoft Consulting Services, and other organizations like NATO who pour over the settings and provide feedback.
7. We bring all that feedback together, test, test, test it again and again and you get a Microsoft baseline out of it.

When the beta has been tested thoroughly, it’s released as a final baseline, but Service Packs and changes in the overall threat landscape are incorporated when necessary in a baseline lifecycle.

Different types of Baselines in SCM v2

Today’s baselines come in two different versions, EC for Enterprise Client which has a generic lockdown suitable for most business environments and SSLF for Specialized Security, Limited Functionality where loss of functionality is acceptable in a high security setting.

New baselines will combine these two versions into one to simplify Governance, Risk Management and Compliance (GRC) management and reporting. Each setting is classified according to four levels and you can filter based on these to achieve the same grading as the older baselines offered. Most of the settings from the EC baselines are found under the Critical level and should be used in most cases. There are Important settings which includes most options from the SSLF baselines while Optional configuration items have negligible impact on security and can be left out of most security configuration GPOs. None is the final level and is used for items not included in previous baselines and can also be ignored as far as security is concerned.

The new classification scheme for each item in each baseline makes it easy to filter down to the critical settings you need to set.

Baselines will also be reorganized so settings are more logically laid out to help with GRC reporting. There’s a IT GRC Process Management Pack for Systems Center Service Manager 2010 that provides end-to-end compliance management and automation for desktop and datacenter computers.

In the next installment we’ll cover how additional settings can be added to baselines much easier than in v1, a couple of UI gems as well as how to Merge and Compare baselines.

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

This review was written on SCM v2 beta, the beta period has ended and SCM v2 is now available for download here. Note that the release date on the download page is incorrect, this is the final RTW (Release To Web) version of SCM v2.

Foreword

Group Policy is one of the most powerful tools in a sysadmin’s arsenal, not only for making sure users don’t get themselves into too much trouble but also to establish security standards across client and server machines.

For quite some years Microsoft have produced security guidance for Group Policy, what settings to use and how to configure them but most administrators don’t have time to trawl through lots of documentation. To make it easier for busy administrators to make well informed decisions when building Group Policy Objects (GPOs) Microsoft published the free tool Security Compliance Manager (SCM) v1 in early 2010.

This tool contained baselines for various products with best practice security settings and the ability to export a customized baseline as a GPO. The one glaring omission in v1 however was that it didn’t allow you to import your current GPO security settings and compare them to Microsoft’s recommendations, SCM v2 remedies this as well as adding some other great features, in this three part article we’ll examine why this tool should be in every admin’s toolkit.

The one thing that shines through in the SCM v2 is the real world feedback that’s obviously gone into the design: Jeff Sigman, Senior Software Design Engineer with the SCM team at Microsoft agrees. “Everything we did in SCM v2 was because of direct customer feedback. We did a number of surveys and interviews throughout the development cycle of SCM v1 and then again after SCM v1 was released publicly. The results were quite clear; SCM v1 had three areas which needed improvement: GPO Import, User interface facelift and SQL database flexibility.”

Installation of SCMv2

Installation is mostly a “click-next affair” but as mentioned above, unlike SCMv1 you have the option of pointing to an already installed local instance of SQL Server / SQL Server Express. SCM v1 always had to install its own copy of SQL Server Express.

If you have SCMv1 or SCMv2 CTP (which preceded the beta) the installer will automatically upgrade it, with all data preserved. This beta also contained 10 baselines that installed directly after SCM is installed, this takes a couple of minutes.

Being able to choose which SQL database to use makes SCM v2 more flexible than its predecessor.

The SCMv2 Console

Since SCM can be used in a few different ways the welcome screen is a handy tool. It has a whole heap of links for various topics that leads to in-depth information on parts of the program.

On the left is the Baseline Library with all your installed baselines, sorted by product. The main area in the middle displays information about the part of a baseline that’s currently selected whereas the right hand Action pane has context sensitive task links.

The SCM console has a simple layout and is easy to navigate.

A downloaded baseline from Microsoft is signed with a digital signature so when you want to create a custom baseline based on an “official” one you have to duplicate it to create an unsigned, modifiable copy. If you want to work with other baselines than the 10 included in the beta package go to Tools – Check for Baselines, during the installation you can let SCM create copies automatically so you can start customizing immediately.

In the next part of this series we’ll examine the new GPO Import functionality in SCM v2 as well as see how Microsoft actually creates a baseline and the different classification in the new baseline format.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

Author: Vitaly Dvorak

SXR software raffles three licenses of their employee monitoring software StatWin Server Enterprise each worth $399 USD. You can monitor up to 25 employees with this license. The deadline of this contest is July 26, 2011. If you want to take part in this in raffle, please send an email with the subject StatWin to .

StatWin Enterprise employee monitoring

StatWin Server Enterprise monitors employee activity on network computers. The program allows the PC administrator to keep a check on users by capturing visited websites, recording keystrokes and mouse clicks, capturing ICQ, MSN, Outlook, Bat messages and more. Over a specified period of time, the program can take screenshots of the computer screen and save images to the selected destination. Collected statistics on employee activity is transferred from client computers to the server automatically.

The program also offers tools for remote administration of clients, remote installation, launch, shutdown and uninstallation of clients, automatic submission of collected data about user activity from clients to the server, as well as automatic notification of the administrator about events on clients in real time. StatWin Server Enterprise is a complete employee monitoring solution for enterprises, offices and educational institutions.

The program runs under Windows 7 / Vista / XP / 2008 / 2003 / 2000 (32-bit, 64-bit). The free 30-day demo version can be downloaded without registration

• Poll: Are you currently using a monitoring solution? (11)
• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• SCOM 2012 review – Part 8: Dashboards (0)

The Microsoft Safety Scanner was just released a few days ago. The free portable antivirus tool only comes as a simple EXE file and is available as a 32-bit and 64-bit version. The EXE file contains all the virus signatures.

A portable antivirus program is useful whenever you want to scan a PC that lacks antivirus software. If you don’t have a Microsoft antivirus scan engine installed (Microsoft Security Essentials or Forefront), you can use the Safety Scanner if you need a second opinion.

Safety Scanner offers three scanning options: quick, full, and customized. Quick scan searches in “areas of the system most likely to contain viruses, spyware, and other potentially unwanted software.” It is unclear where these “areas” are. Therefore, I wouldn’t use this option because an antivirus scan only makes sense if you are more or less certain afterwards that the system is clean. The customized option is useful if you already suspect that a virus has infected a certain folder. In most cases, a full scan is the best option.

Safety Scanner has three major downsides. The antivirus patterns can’t be updated, the tool can only be used for 10 days after the download, and it doesn’t run on Windows PE.

I have been searching for quite a while for a portable antivirus program that runs on Windows PE. When I tried to start Safety Scanner on Windows PE 3.0, the anti-malware tool quit with an enlightening message “An error has occurred.” Some viruses can only be removed in offline mode. Thus, it is somewhat disappointing that Safety Scanner does not run on Windows PE.

Online updates are probably not supported because the Safety Scanner only consists of a single EXE file. However, technically, it would be possible to modify those parts of the EXE. Thus I hope that Microsoft adds this feature in a future version.

The 10-day restriction is probably related to the fact that Safety Scanner can’t be updated. This makes sense from a security point of view, but this means that you have to download the 70MB file every time you want to use the tool. This reduces the usability of Safety Scanner significantly.

Please let me know if you know of a portable antivirus program that works on Windows PE.

Microsoft Safety Scanner

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

Data Execution Prevention (DEP) is a security feature of the CPU that prevents an application from executing code from a non-executable memory region. This is supposed to prevent buffer overflow attacks from succeeding. Since Microsoft introduced support for Data Execution Prevention (DEP) on Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, it’s included in every version of Windows.

How DEP works: Hardware enforcement and the role of the OS

Data execution prevention works by marking certain memory pages being indented to hold only data and no executable code. This is achieved by setting a special bit in its page table entry called NX, for No eXecute, or XD, for eXecute Disabled, respectively. It’s the responsibility of the OS to set the NX bit for the stack and heap memory areas. If a malfunctioning program – or malware – should try to execute code from an NX-marked memory page, the CPU will refuse to do so and trigger an interrupt instead, which causes the OS to shut down the application accordingly.

Turn on and turn off DEP support in Control Panel

DEP can not only prevent the execution of malware or malfunctioning applications, but it may also highlight problems with legacy (not DEP-compliant) software, which can cause it to crash. Another potential problem is the support for third-party plugins such as those found in browsers or office applications: While the application itself may be DEP compliant, chances are that one or more of the plugins aren’t. Microsoft recommends updating your software if it’s experiencing crashes with DEP, but this is not always possible. For such situations, DEP support in Windows can be configured to meet the user’s needs, handling exceptions for certain software.

Some limitations exist when you turn off or turn on DEP support, however. Because DEP support is a kernel mode option, it must be configured as a boot option. Thus, it is not possible to manage and deploy DEP settings centrally by group policies; they have to be configured at the local machine in each case and need a reboot of Windows to take effect.

The settings GUI can be invoked this way: Open Control Panel, click on System and Security → System → Advanced system settings. In the Advanced tab, click on the Settings button in the Performance section (the first one). In Performance Options, Data Execution Prevention has its own tab. Here you can turn on DEP support for Windows essential programs and services only (OptIn, default on Windows 7 workstation) or for all programs, with the possibility to define exceptions for non-compliant software (OptOut, default on Windows Server 2008/2008 R2). This can be achieved via the Add button, where a local administrator can add non-compliant executable files one by one.

Exceptions can also be configured as a DisableNX compatibility fix using the Application Compatibility Toolkit (ACT). The resulting Custom Compatibility Database can be deployed in the Active Directory. Note that those kinds of exceptions do not show up in the DEP support configuration GUI.

Turn off and turn on DEP support as a boot option

There are two more DEP settings for a Windows machine. These settings cannot be configured in the control panel but only as a boot option via the service program bcdedit in a command prompt with elevated rights.

One possible choice is to turn on DEP support unconditionally:

bcdedit /set {current} nx AlwaysOn

In this mode, the DEP support options GUI is disabled and no exceptions can be defined. Any DisableNX compatibility options will also be ignored.

The opposite is to turn off DEP support completely:

bcdedit /set {current} nx AlwaysOff

With this setting in effect, the DEP support options GUI will be disabled as well as with the first option. To return to one of the GUI switchable modes, use:

bcdedit /set {current} nx OptIn

for the workstation default, which enables DEP support for Windows essential programs and services, or:

bcdedit /set {current} nx OptOut

for the server default, enabling DEP support for all executable files. The Windows machine must be rebooted each time for the bcdedit command to take effect. The output of the command:

bcdedit /enum

will tell the current status in each case.

This article has been translated from German language. You can find the original posting: Datenausführungsverhinderung (DEP) konfigurieren oder abschalten

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

A common security problem is a PC that has been offline for some time and therefore lacks the latest malware definition updates. Many organizations make the mistake of allowing PCs such as this to go online, hoping that the online updates will reach the machines before the latest computer worms do.

An even more severe mistake is deploying OS images without ensuring that all antivirus definitions are in the image. Many admins just install the latest antimalware software and believe that the software’s update mechanism will do the rest for them. However, many antivirus solutions don’t download new updates immediately. Depending on the number of images that you deploy, this can be a serious security threat to your organization.

Thus, it is essential that you download and add the latest antivirus signatures before deploying a new image. Most antivirus vendors offer these definition updates as a separate update. You can download Forefront, Defender, and Security Essentials updates from Microsoft’s Malware Protection Center.

I also recommend preventing computers that don’t have the latest security updates from going online. Large and mid-sized organizations should consider working with the Network Access Protection (NAP) feature in Windows Server 2008. It is Microsoft’s Network Access Control (NAC) solution that allows you to limit a computer’s network access based on predefined health requirements such as up-to-date security updates or malware definitions.

For many small organizations, NAP is probably overkill. However, there is a simple NAP alternative: Just remove the network cable and leave a note at the user’s desktop to stop by your office after he returns from his vacation. Then you simply go to the user’s PC and install the latest updates from a USB stick. Another option is to prepare a scripted solution where the user only has to insert a CD to update the computer.

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

I wonder if there is a study about the costs involved with forgotten USB sticks in businesses. A user wants to continue work at home or on a business trip, but the required data is on a USB stick in the desktop at the office. Even more problematic are forgotten USB sticks that contain sensitive data.

One solution to this problem is to let users store their data in the cloud. But many feel uncomfortable knowing that only a password prevents hackers around the globe from getting access to their confidential data.

Another way to prevent data loss is to deploy USB Alert on all your desktops and laptops. This free USB stick watcher raises an alarm whenever the computer is shut down or the user logs off while a USB stick is still connected.

USB Alert comes in two versions: portable and installable. The portable executable and its autorun.inf file have to be copied to the root folder on the USB stick. When the USB stick is inserted, the Windows AutoPlay feature lets you launch USB Alert.

This works fine on Windows XP and Windows Vista. However, for security reasons, autorun from non-optical devices is no longer supported in Windows 7. Thus the only way to make USB Alert work on Windows 7 is to install USB Alert. This will prevent users from leaving their USB stick at the office. Only when they insert their USB stick on other computers are they in danger of forgetting their flash drives. But since the majority of computers still run older Windows versions, it makes sense to copy USB Alert on all USB sticks in your organization and advise users to launch the USB stick watcher when AutoPlay starts.

Note that the behavior of USB Alert is different between Windows XP and Windows Vista/7. On Windows XP, USB Alert will display a warning dialog window whenever you try to log off or shut down the computer with a USB stick still connected. On Windows 7 and Vista, USB Alert will block the AutoEndTasks Windows function (see screenshot).

In any case, the user will then see the USB Alert user interface that allows her to safely eject the USB stick. You can access this program also through the systray.

A few years ago, I discussed a similar USB watcher tool that is based on a Visual Basic script. This solution also gives you an idea of how you can leverage Group Policy to help forgetful users.

USB Alert

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

Elevate starts programs elevated from batch files and scripts.

The syntax of the Elevate command is as follows:

  elevate [-opt1] [-opt2...] [path\]file[.exe] [param1 [param2...]]

Where -optN can be one of the following:

  -?         - Display the help screen and exit
  -info      - Open the web page with more information
              (the web page you are reading now!) and exit
  -wait4idle - Wait for the target process to initialize before returning
  -wait4exit - Wait for the target process to finish before returning
  -noui      - Don't display any messages, even if an error occurs

After the options, the following arguments should be entered:

  file       - The file name of the program to launch elevated
  paramN     - Optional parameters (as expected by the program being launched)

Elevate

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

AD Tidy is a completely free tool that I created to help other IT Pros out. It can be used to identify when user/computer accounts last logged on to the network and can tidy up these accounts in various different ways.

All you need to do is configure the search settings to find the accounts you are interested in (for example you might want to find all user accounts in a particular OU that have not logged on for 60 days), then the tool will query each DC in your domain to find the most recent logon time for each account that matches your search criteria. You can then select any number of accounts from the search results and perform one or more of the following actions: Disable, Enable, Move, Delete, Set Description, Set Expiry Date, Add To Group, Remove From Group, Remove From All Groups, or Export To CSV.

Search settings can be saved to an XML file to avoid you having to setup a particular search configuration each time you launch the program.

AD Tidy

• Microsoft Exam 70-640 – Active Directory trusts – Sample question (0)
• Microsoft Exam 70-640 – Active Directory trusts (0)
• Microsoft Exam 70-640 – Active Directory Forests and Domains – Sample question (5)
• Poll: Are you currently using a monitoring solution? (11)
• Microsoft Exam 70-640 – Active Directory Forests and Domains (0)

The product relies on built-in Group Policy mechanisms and seamlessly integrates into your existing environment. Another advantage of the product is simplicity: only a couple of mouse clicks to get the work done. And the most exciting: the software is free of charge for small networks (up to 50 computers). The paid commercial version is also available with advanced functionality and no limitation of network size.

Benefits:

• Prevents unauthorized use of removable devices.
• Hardens endpoint security.
• Enables regulatory compliance, such as SOX, GLBA and HIPAA.
• Freeware! Saves your IT buck for other projects.

Features:

• Seamlessly integrates with Active Directory.
• Simple point-and-click deployment.
• Fully centralized management.
• Very simple to use, no monster tools and long learning curves.

The product is provided free of charge (limited 50 managed computers) for use by organizations and individuals.We also provide free of charge technical support for the freeware version on the Support Forum. The commercial version of the product is also available, featuring advanced configuration options and technical support: more details.

USB Blocker

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

However, if you just have to read the data from your USB stick on Windows XP or Vista, there is a simple solution for that limitation. It is called BitLocker to Go Reader and can be downloaded here. It is quite interesting that the tool does not need Windows XP Professional or Windows Vista Business to run since BitLocker to Go is only included in the Enterprise and Ultimate versions of Windows 7. Despite that, there is one other limitation: The tool only works with FAT file systems. So if you use NTFS on your USB sticks, you have to convert it to FAT before you can use them with BitLocker to Go Reader.

Once you have installed the application, it recognizes BitLocker-protected USB sticks and flash cards as soon as you plug them into the computer. You are automatically asked to enter the password for the device. After you have entered the correct password, you can access the encrypted data.

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

I will first show you what you can do with the SysKey utility and then discuss how much extra security SysKey protection really brings.

The SAM database is part of the Windows Registry and stores information about user accounts such as user names and password hashes. The corresponding Registry file is located in c:\windows\system32\config. Since Windows NT 4 SP3, the SAM file is partly encrypted. The SysKey utility allows you to move the SAM encryption key off the computer and/or configure a startup password.

Using the SysKey utility

To launch the SysKey utility, type “syskey” at the Start Search prompt of Windows Vista or Windows 7, or use the “run” option of the Windows XP Start Menu.

To move the SAM encryption key off the computer, you have, click “Store Startup Key on Floppy Disk.” The tool claims that you will need to insert a floppy disk on startup, which is not really true. Modern computers no longer have floppies, and this storage medium isn’t reliable enough anyway. You can also store the SAM encryption key on a USB flash drive.

However, the USB stick has to be mounted on drive “A:”. You can assign this drive letter to your thumb drive in Windows Disk Management. If the drive letter A is not available, you have to first disable the floppy disk in the computer BIOS.

The SysKey utility will then allow you to store a file with the name StartKey.Key on your USB drive. This file contains the SAM encryption key. Without it, you won’t be able to log on in the future. Thus, whenever you boot up your computer, you have to insert this USB stick. Windows will always automatically load the encryption key from drive A:, and if you set a password with the SysKey utility, you will have to enter this password whenever you boot up the computer.

What extra security does the SysKey utility bring?

First of all, neither storing the SAM encryption key on an external drive nor protecting it with a password can prevent tools such Kon-Boot or the Trinity Rescue Kit from manipulating the SAM database. These tools are still able to set an empty password on all accounts. However, after such a manipulation, it is not possible to boot up Windows without the encryption key on the USB drive or without the startup password.

Hence, this method will prevent the majority of wannabe hackers from logging on to the computer with administrator privileges. It won’t, however, stop real hackers. As long as an attacker has physical access to an unencrypted system drive, everything is doable because every system file can be replaced as I demonstrated in my article about the Sticky Key trick. By the way, this trick will no longer work if you secure the SAM encryption key because an attacker wouldn’t be able to reach the logon screen without access to the encryption key.

So does it make sense to protect all your PCs with the SysKey utility? I don’t think so. The fact that the tool tries to store the encryption key on a floppy disk shows that this method is a bit outdated. It is too much hassle for your users to mess with a USB stick or to use an additional password compared to the extra protection the tool offers.

However, I think, the SysKey utility is still useful in some environments. For instance, you can use the tool to protect laptops or servers where you don’t want to disable booting from external drives or where many people would have the time to open the PC and access the system drive. It might also make sense to protect your own PC this way. Wouldn’t it be embarrassing if your colleague’s eight-year-old daughter hacks your PC while you take a coffee break?

The point is that 99% of all kids out there who call themselves hackers know about Kon-Boot and the myriad of similar tools, but they don’t know how to handle SysKey. SysKey was originally introduced to prevent hackers from cracking passwords in the SAM database with brute force attacks. And popular hacking tools such SAMInside still can’t handle a protected SAM encryption key.

Of course, SysKey can’t stop the bad guys and gals disguised with vacuum cleaners from shoving some nasty rootkits on the system drives of your PCs. But BitLocker will do the job in 99.999% of all such attacks. Thus, I believe encrypting all hard drives in your organization is a must!

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)