June 2011 - Posts

The new version of SCM is in beta and you will really love the new features being introduced in this version.

Microsoft Security Compliance Manager (SCM) 2 enables organizations to take better advantage of their existing knowledge and investments, and to customize security and compliance settings with ease. Customers can harden their machines to industry standards, monitor for configuration drift and address the configuration requirements of hundreds of regulations such as SOX, PCI and HIPAA.

New SCM 2 features include:

  • GPO import: SCM 2 can now import Group Policy Object (GPO) Backup files to allow organizations to import and compare their existing knowledge against Microsoft baseline recommendations. This long-awaited feature effectively helps you to customize and manage your organization's existing knowledge stored in Active Directory.
  • Baseline setting customization: Modifying baselines just got easier. Adding, extending, or deleting settings from a baseline is an effortless process in this new version of the tool.
  • Local GPO functionality: Apply security baselines directly to client and server computers using the LocalGPO command-line tool, which enables you to secure stand-alone computers and test different baselines without using Active Directory to deploy them. Use this tool to create local policy snapshots that you can import into SCM 2 using the new GPO import capabilities, which you can then compare, customize, and export as needed.
  • Additional features: These include a new and enhanced UI that provides simpler navigation in the tool, and improved installation with SQL Server 2005 and later releases of SQL Server.

Version 2 of the SCM tool will release with a full complement of Microsoft product baselines, including these new and/or updated baselines:

  • Windows Internet Explorer 9
  • Windows Server 2008 R2 Service Pack 1 (SP1)
  • Windows Server 2008 SP2
  • Windows Server 2003 SP2

Can’t wait for the RTM? Why would you? You can build your skill base and give your feedback now:

Download the beta release of the Microsoft Security Compliance Manager version 2


Yesterday afternoon I gave an overdrive session on how to use Nmap to discover hosts, ports, services and OSs on your network. Initially I had 45 minutes to present the session, which is too short for any real session, but in the end I spent about 70 minutes with a fantastic group of about 20, and seeing as nobody left the session I’m guessing all enjoyed it :-)

In any case, one question that was asked was how Nmap can detect a host if it is firewalled. A very valid question; I touched on this very briefly but did not have time to demo it in real time, so I thought it would only be courteous to show how it works in a blog post.

To show you this I ran the Nmap scans from my Linux-based box against a fully patched Windows 7 SP1 machine in three different scenarios:

[Image: Slide6]

In scenario 1 I ran the Nmap scan to port 80 against a system with a web server running and no firewall. This would be a typical scan of an open port.

What you can see here is Nmap sending its SYN packet and getting a SYN/ACK packet back from the Win7 machine, and then the Nmap client neatly ending the TCP session with a RST.

The end result is that Nmap knows the host is up and knows the port is active.

[Image: Slide1]

In scenario 2 I ran the Nmap scan to port 80 on the same system, but stopped the web server before running the scan. The firewall was still not on, so the system was open but just didn’t have a service on that port.

What you see is Nmap sending its SYN packet to the destination and the destination replying to the Nmap client with a RST packet. As mentioned during my talk yesterday, this is the great thing about Nmap: even what seems to be a negative response at first is actually positive, as by sending the RST packet the target confirmed it was up and that no service is listening on port 80; at least we are 100% sure the host is up.

The end result is that Nmap knows the host is up and knows the port is inactive.

[Image: Slide3]

Scenario 3 is where I start firewalling the host. I have configured my firewall to block port 80 (standard Win7 firewall).

What you see is Nmap sending its SYN packet to the destination host, getting no reply and retrying a second time, still not getting any reply.

The end result, however, is still Nmap indicating the host is up and the port is filtered. Filtered means Nmap knows the host is active but the port did not respond in any way to the scan packet, so Nmap knows the port is not just inactive but is being filtered by some kind of firewall, as TCP logic dictates that an inactive port should respond with a RST packet, just like in scenario 2.

But how did Nmap know the host was up when we got no response? The proof is in the packets.

[Image: Slide4]

As explained yesterday, when you run Nmap on a local network it will always do an ARP request in the background to the host, as this is the fastest, easiest and most certain way to detect hosts on a network. (Nmap did this in all scenarios, but I filtered out that traffic to clarify that it didn’t need ARP in the previous two scenarios.)

The most important thing I wanted to point out yesterday is that even Win7’s advanced firewall with all its gifts does not stop host discovery through ARP, as just about all host-based firewalls operate at OSI layers 3 and 4 and simply allow ARP traffic.

The security impact of this is of course very low compared to an unpatched, non-firewalled system, but it does go a long way in proving Nmap’s power to discover hosts in just about any scenario.
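To make the reasoning behind the three scenarios concrete, here is an added Python example (not Nmap's own code and not the captures from the talk) that replays constructed tcpdump-style lines for each scenario and derives the host and port verdict from them the way Nmap does: SYN/ACK means open, RST means closed, silence from a host that already answered ARP means filtered. It also generalizes with a fourth case the post does not show, an address where nobody answers ARP at all, which Nmap reports as down and never port-scans. The addresses, ports and MAC address are assumed sample values.

```python
"""How Nmap reasons about host and port state from what comes back.

Added example, not Nmap's own code and not the author's captures: the
tcpdump-style lines below are constructed to mirror the three scenarios in
the post (SYN/ACK, RST, silence after retries, and the ARP exchange), plus a
fourth one the post does not show (no host at the address at all).
"""
import re

SCANNER = "192.168.1.10"   # constructed: the Linux box running Nmap
TARGET = "192.168.1.20"    # constructed: the Windows 7 SP1 target

CAPTURES = {
    # Scenario 1: web server up, no firewall -> SYN, SYN/ACK back, scanner ends with RST
    "scenario1": [
        "IP 192.168.1.10.40001 > 192.168.1.20.80: Flags [S]",
        "IP 192.168.1.20.80 > 192.168.1.10.40001: Flags [S.]",
        "IP 192.168.1.10.40001 > 192.168.1.20.80: Flags [R]",
    ],
    # Scenario 2: web server stopped, no firewall -> SYN, RST/ACK back from the target
    "scenario2": [
        "IP 192.168.1.10.40002 > 192.168.1.20.80: Flags [S]",
        "IP 192.168.1.20.80 > 192.168.1.10.40002: Flags [R.]",
    ],
    # Scenario 3: Windows firewall blocks 80 -> ARP answered, two SYNs, then silence
    "scenario3": [
        "ARP, Request who-has 192.168.1.20 tell 192.168.1.10",
        "ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:55",
        "IP 192.168.1.10.40003 > 192.168.1.20.80: Flags [S]",
        "IP 192.168.1.10.40003 > 192.168.1.20.80: Flags [S]",
    ],
    # Scenario 4 (not in the post): nobody at that address -> ARP never answered
    "scenario4": [
        "ARP, Request who-has 192.168.1.20 tell 192.168.1.10",
        "ARP, Request who-has 192.168.1.20 tell 192.168.1.10",
    ],
}

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ")


def analyse(lines, scanner=SCANNER, target=TARGET, port=80):
    """Return (host_state, port_state, syn_probes_sent) as Nmap would conclude.

    The host is 'up' as soon as the target answers anything at all (an ARP
    reply on the local LAN, or any TCP segment from the probed port).  Port
    state follows the TCP reply: SYN/ACK -> open, RST -> closed, no reply from
    a host known to be up -> filtered.  A host that never answers is 'down'
    and is not port-scanned at all.
    """
    answered_arp = False
    reply_flags = None
    probes = 0
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if m and m.group(1) == target:
            answered_arp = True
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if src == scanner and dst == target and int(dport) == port and flags == "S":
            probes += 1                      # one of Nmap's SYN probes (retries count too)
        elif src == target and int(sport) == port and dst == scanner and reply_flags is None:
            reply_flags = flags              # first answer from the probed port decides

    host_state = "up" if (answered_arp or reply_flags is not None) else "down"
    if host_state == "down":
        return host_state, "not scanned", probes
    if reply_flags is not None and "S" in reply_flags and "." in reply_flags:
        return host_state, "open", probes        # SYN/ACK: something is listening
    if reply_flags is not None and "R" in reply_flags:
        return host_state, "closed", probes      # RST: host up, nothing on the port
    return host_state, "filtered", probes        # silence from a live host: a firewall dropped it


def report(captures=CAPTURES):
    """Classify every constructed capture; returns {name: (host, port_state, probes)}."""
    return {name: analyse(lines) for name, lines in captures.items()}


if __name__ == "__main__":
    for name, (host, state, probes) in report().items():
        print(f"{name}: host {host}, port 80 {state} ({probes} SYN probe(s) sent)")
```

The fourth case is the one the firewall cannot fake: as long as the host answers ARP it is reported up, so a host-based firewall that drops the SYN only moves the port from closed to filtered.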

If you are using the TMG firewall client, make sure you roll out this patch.

http://www.microsoft.com/technet/security/bulletin/MS11-040.mspx

A+ for reset:

As many of you have been able to read in my previous post, I have been a happy MS Office 365 customer and am now using its Lync functionality intensively in my day-to-day job.

Well, all good stories have to have their oops moment, and it happened to me this week. I had activated Office 365 on a blue Sunday just to give it a quick try, and as so often when I just try something, I'm not that strict with registering everything I type.

This week I wanted to go back into the Office 365 interface to add some extra Lync users, and to my great shame saw that somehow the password I was typing now was not in line with the one I had registered on that off day :-( Don’t panic, you would say, just use the second account you created as admin and reset the password that way. Hmm, I probably have not created a second admin account yet :-(

The above situation is a classic and you would joke about this happening, but it happens and yep, it also happened to me. No problem, you would think, Office 365 has a forgot-your-password button, doesn’t it?

Yes it does, but read the text well and you will see it’s telling me to have my company admin log on and reset the password => oops, I’m the admin.

It’s also very helpful to say that if you are the admin you should contact support, but MS forgot to put the link in there to contact support :-(

[Image: the forgot-your-password dialog]

So I started to sweat a bit, but as always with this type of deadlock situation an MS representative can save your day (good thing I’m an MVP and have some great contacts). Sure enough, within minutes of my panic email Ilse Van Criekinge (again) provided the solution by referencing a post

http://community.office365.com/en-us/b/office_365_technical_blog/archive/2011/04/07/forgot-your-password.aspx

and this post pointed to the service request page: https://portal.microsoftonline.com/Support/NewSignupServiceRequest.aspx

And sure enough MS support contacted me over the phone to verify my details and reset the password for me.

Looking at the time frame, I logged the call on Tuesday evening and they called me back and reset the password on Thursday midday. This might seem long, but heck, if you are stupid enough to forget your Office 365 logon credentials I consider this acceptable punishment :-)

I can only say a big A+ for the way this is handled, and I'm very happy I regained control over my Office 365 account.


C- for security:

The procedure as handled was great in my case, as it was a legit call and I really needed help.

However, being a security freak I also needed to take a look at the dark side. If you dissect the above procedure you will see that all I needed to place the call was:

- The name of the account I wanted to reset

- A telephone number that MS can call

- Fill in the web form and request a reset

- Pick up the phone (there is no phone number masking when MS calls; you can clearly see it’s a US +1 number) and say hi, this is Tom, yes please reset my account.

This should make you worry about the overall security and confidentiality of your Office 365 data at this time. Office 365 account names are easy to come by, we all know a web form can be posted anonymously and that untraceable cell phone numbers exist, and I’m pretty sure a lot of people are capable of giving a different name than their own when they see a +1 number come in. Moments later MS assists you in logging on to the account and resetting the admin account credentials and boom, you have instant access to all the Office 365 accounts linked to that admin to do as you please, or to create your own account on their Office 365 with full admin rights.

Cloud security is only as strong as the weakest link, and sure enough, the above procedure worked great for me but would work equally well for anyone interested in your data.

Luckily this is only the beta stage of Office 365, and MS will surely sharpen the procedure for validating identity before we really start putting our critical data in the cloud? I hope!

For several months now my internal job role has been shifting into a more virtual world, a bit the same as the network world is going virtual and cloud based.

Where I used to head two local office teams in Belgium and the UK, I’m now also working intensively for the holding company that owns the company I work for. In this job role I’m responsible for heading four virtual teams that tackle the core infrastructure for all our companies.

The concept of V-Teams is to reach out from our mother company and re-use existing and complementary knowledge in our daughter companies. To do this we form virtual teams across company borders, joining forces on specific topics.

The four teams I’m currently heading are:

- WAN team: comprising myself and 2 people spread across Holland

- Datacenter team: comprising myself and 2 people spread across Holland

- Security team: comprising myself and 2 people spread across Holland and a team member based in the UK

- Virtualization – Storage and Backup team: comprising myself and 1 other person based in Holland

As you can see these teams are not big in size, but they are huge in knowledge and intensity, as each member is a long-time IT-Pro veteran with a huge passion for their specialty.

This V-Team concept has been a great challenge for me on a content level, but even more so on the technical level. Hosting meetings and keeping in contact is easy when your colleagues are in the same room as you. It becomes more difficult when they are in the same building but a different room; however, once you start talking about company and country borders, the concept of keeping in touch takes on a whole new dimension.

To guide my teams to success we have had to re-invent the way we do our daily tasks, as none of us had ever been confronted with this type of operation before. Most of this takes place on a more logical level, where I have had to re-think the way I prepare my meetings, etc., but technology has also really stepped up and helped.

I needed a quick and easy way to know if my V-Team members were available (yep, presence), and I also needed a quick and easy way to get in contact and set up conference calls. As the calls are frequent and long, a network-based solution seemed the most cost-efficient way to go.

As always I love MS and their products, but I’m also a number one challenger of MS products, as I strongly believe MS is great at many things but you need to select the right tool for the job, and sometimes these tools come from third parties.

We experimented with Brosix IM for 4 weeks to see how this corporate-oriented, cloud-based IM worked. Although it was OK, we ran into a number of issues that proved to be a problem:

- VoIP audio worked fine when on the internet at home but would not traverse our corporate firewalls (yep, the love-hate relationship with firewalls). I didn’t want to go and change firewall rules just for the sake of IM, so this proved to be the number one deal breaker for us.

- Multi-person whiteboards were an issue as well, and seeing that our teams are more than two in size and we do a lot of design work, this too was quite :-(

- The last issue we found with the product was that the notifications of people coming back online were quite intrusive and counter-productive, as they distracted you from the work you were doing, while missed chat messages etc. were so obscure you overlooked them for hours.

Of course there were also some great plus points with this tool, not the least of them being the very easy configuration and deployment web portal and the availability of multi-OS clients.

However, the above three issues made us re-examine the market and trial Lync from the Office 365 cloud service, and sure enough it’s working great.

The whole setup through the MS portal was easy and fast, and apart from the fact that we needed an MS rep, Ilse Van Criekinge, to point us to SIP addresses before we found each other in the Lync list, everything went very, very smoothly. I have now been using Lync to keep in touch with the team, and the ease of setting up VoIP calls with one or more people, sharing my meeting presentations and using the whiteboard has proven to be extremely valuable.

Lync is really making my life easier and ensuring the success of my newly founded V-Teams, as it makes weekly meetings possible and affordable, where without this type of technology we would be bound to phone calls and occasional travel.

If you have not tried it in your company yet, you should; you’ll really love it, and you can trial it for free.

http://www.microsoft.com/en-us/office365/online-software.aspx