<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:evnet="http://www.mscommunities.com/rssmodule/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Entries tagged with feature of the week - TechNet Edge</title><atom:link rel="self" type="application/rss+xml" href="http://edge.technet.com/tags/feature+of+the+week/feed/ipod/default.aspx" /><itunes:summary>feature of the week</itunes:summary><itunes:author>extreme, Joey, neil, AdamBomb</itunes:author><image><url>http://mschnlnine.vo.llnwd.net/d1/Dev/App_Themes/Edge/images/feedimage.png</url><title>Entries tagged with feature of the week - TechNet Edge</title><link>http://edge.technet.com/Tags/Feature+of+the+Week/</link></image><itunes:image href="http://mschnlnine.vo.llnwd.net/d1/Dev/App_Themes/Edge/images/feedimage.png" /><itunes:category text="Technology" /><description>feature of the week</description><link>http://edge.technet.com/Tags/Feature+of+the+Week/</link><language>en-us</language><pubDate>Thu, 11 Sep 2008 15:26:18 GMT</pubDate><lastBuildDate>Thu, 11 Sep 2008 15:26:18 GMT</lastBuildDate><generator>EvNet (EvNet, Version=1.0.3186.2534, Culture=neutral, PublicKeyToken=null)</generator><item><title>Forefront Stirling Policies : Feature of the Week</title><description>&lt;img src="http://edge.technet.com/Link/ae281638-487d-4882-92ab-c6c86615cfa5/" border="0" /&gt;&lt;p&gt;Even in Beta 1 of Forefront Stirling you can check out the security policy capabilities the product has.  I know what you’re thinking – “whoopee, more policies”, but what you can do with the policies in Stirling are quite impressive.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;span&gt;What can you do with Stirling policies?&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;For each policy, you can easily specify granular compliance settings for Forefront Client Security (FCS), Forefront Server for Exchange (FSE), and various other security state assessments AND specify granular automated actions to be taken to remediate - all from a single console.  Some ideas for what you might do with Stirling policies:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;If a client doesn’t have the correct firewall or latest anti-malware updates, remediate this using NAP. &lt;/li&gt;
    &lt;li&gt;Scan email using two engines and when a virus is found to be sent via email, clean the virus and initiate a full client virus and anti-malware scan using FCS &lt;/li&gt;
    &lt;li&gt;Audit to verify your IIS 6/7 and SQL 2005 servers have appropriate security settings enabled &lt;/li&gt;
    &lt;li&gt;If a client is doing a port scan or quickly sending a large number of emails, quarantine their computer using NAP, block their outbound internet access through TMG, scan their email for viruses with FSE, and do a full virus scan with FCS &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In updates past Beta 1, you can eventually expect even more capabilities and integration with other Forefront products.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;span&gt;How does it work?&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;There are two major components – the policy and the target group.  The policy contains all of the settings you are checking for and/or the remediation steps.  The target group can be a user, group, computer, OU, or domain.  A policy can be bound to one or more target groups and precedence can be set to determine priority if there are conflicts in policy settings.  Under the hood, you have Enterprise Security Assessment Sharing (ESAS) and SCCM doing the majority of the communication work related to the policies – which I’ll cover in more depth in future posts.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;span&gt;What’s the catch?&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;To get this functionality working, you’ll need to have the core Stirling infrastructure in place and the vNext versions of FCS and FSE installed (if you create policies related to these settings).  Also, for the NAP functionality to work, you’re going to need to set up a NAP infrastructure separately.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span&gt;GET STARTED&lt;/span&gt;&lt;br /&gt;
&lt;/strong&gt;&lt;a href="http://technet.microsoft.com/en-us/evalcenter/cc339029.aspx"&gt;Download Beta 1 software or VHDs&lt;/a&gt; &lt;br /&gt;
&lt;a href="http://technet.microsoft.com/en-us/library/cc441325.aspx"&gt;Working with Stirling Policies&lt;/a&gt;&lt;/p&gt;&lt;img src="http://edge.technet.com/1675/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/Forefront-Stirling-Policies--Feature-of-the-Week/</comments><itunes:summary>Even in Beta 1 of Forefront Stirling you can check out the security policy capabilities the product has.  I know what you’re thinking – “whoopee, more policies”, but what you can do with the policies in Stirling are quite impressive.
What can you do with Stirling policies?
For each policy, you can easily specify granular compliance settings for Forefront Client Security (FCS), Forefront Server for Exchange (FSE), and various other security state assessments AND specify granular automated actions to be taken to remediate - all from a single console.  Some ideas for what you might do with Stirling policies:

    If a client doesn’t have the correct firewall or latest anti-malware updates, remediate this using NAP. 
    Scan email using two engines and when a virus is found to be sent via email, clean the virus and initiate a full client virus and anti-malware scan using FCS 
    Audit to verify your IIS 6/7 and SQL 2005 servers have appropriate security settings enabled 
    If a client is doing a port scan or quickly sending a large number of emails, quarantine their computer using NAP, block their outbound internet access through TMG, scan their email for viruses with FSE, and do a full virus scan with FCS 

In updates past Beta 1, you can eventually expect even more capabilities and integration with other Forefront products.
How does it work?
There are two major components – the policy and the target group.  The policy contains all of the settings you are checking for and/or the remediation steps.  The target group can be a user, group, computer, OU, or domain.  A policy can be bound to one or more target groups and precedence can be set to determine priority if there are conflicts in policy settings.  Under the hood, you have Enterprise Security Assessment Sharing (ESAS) and SCCM doing the majority of the communication work related to the policies – which I’ll cover in more depth in future posts.
What’s the catch?
To get this functionality working, you’ll need to have the core Stirling infrastructure in place and the vNext versions of FCS and FSE installed (if you create policies related to these settings).  Also, for the NAP functionality to work, you’re going to need to set up a NAP infrastructure separately.
GET STARTED
Download Beta 1 software or VHDs 
Working with Stirling Policies</itunes:summary><link>http://edge.technet.com/Media/Forefront-Stirling-Policies--Feature-of-the-Week/</link><pubDate>Thu, 11 Sep 2008 15:32:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/Forefront-Stirling-Policies--Feature-of-the-Week/</guid><evnet:views>7621</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/1675/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>Even in Beta 1 of Forefront Stirling you can check out the security policy capabilities the product has.  I know what you’re thinking – “whoopee, more policies”, but what you can do with the policies in Stirling are quite impressive. &lt;br /&gt;
&lt;br /&gt;
What can you do with Stirling policies?</evnet:previewtext><media:thumbnail url="http://edge.technet.com/Link/98072bba-8de3-4b07-9a74-418c4adf7cb8/" height="240" width="320" /><media:thumbnail url="http://edge.technet.com/Link/ae281638-487d-4882-92ab-c6c86615cfa5/" height="64" width="85" /><dc:creator>extreme</dc:creator><itunes:author>extreme</itunes:author><slash:comments>0</slash:comments><wfw:commentRss>http://edge.technet.com/Media/Forefront-Stirling-Policies--Feature-of-the-Week/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/1675/Trackback.aspx</trackback:ping><category>Feature of the Week</category><category>forefront</category><category>Stirling</category></item><item><title>Feature of the Week: URLScan 3.0 for IIS 7.0</title><description>&lt;p&gt;Back in April, reports surfaced that web sites running on Internet Information Services (IIS) had been compromised by an automated attack that used vulnerabilities in web pages that did not follow security best practices.&amp;nbsp; These websites were taken advantage of via &lt;a href="http://msdn2.microsoft.com/en-us/library/ms161953.aspx"&gt;SQL injection attacks&lt;/a&gt;.&amp;nbsp; While the only way to completely prevent SQL injection attacks is by following &lt;a href="http://msdn2.microsoft.com/en-us/library/ms994921.aspx"&gt;proper development best practices&lt;/a&gt;, URL Scan 3.0 is an updated IIS feature that will allow server administrators to help mitigate SQL injection attacks until the web application can be updated to &lt;a href="http://msdn2.microsoft.com/en-us/library/ms998271.aspx"&gt;protect against SQL injection&lt;/a&gt;.&amp;nbsp; This post will provide more details on the latest version of this technology.&lt;/p&gt;
&lt;p&gt;URL Scan 3.0&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Who’s it for?&lt;/em&gt;&lt;/strong&gt; IT Professionals and Website Administrators.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;When does it ship?&lt;/em&gt;&lt;/strong&gt; URL Scan 3.0 was released to the Web on 8/21/08 and can be downloaded from the following locations:&lt;/p&gt;
&lt;p&gt;· 32 Bit: &lt;a href="http://www.iis.net/go/1697"&gt;http://www.iis.net/go/1697&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;· 64 Bit: &lt;a href="http://www.iis.net/go/1698"&gt;http://www.iis.net/go/1698&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;(Wow, looking at those nice clean URLs makes me want to post about another new IIS feature. I guess more on that later.)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;What does it do?&lt;/em&gt;&lt;/strong&gt; When installed and configured on a server running IIS 5.1 or higher, URLScan scans incoming HTTP requests and can reject any request that contains undesirable content (like a SQL injection attack). By filtering these requests, URLScan helps prevent unwanted requests from potentially damaging the web application or even the web server.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;How is URLScan different from the request filtering module that ships with IIS 7? &lt;/em&gt;&lt;/strong&gt;The request filtering module does not have the ability to filter based on query strings like URLScan 3.0 does. Also, with the request filtering module you cannot specify rules that apply to multiple parts of an HTTP request.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;So didn’t URLScan exist before?&lt;/em&gt;&lt;/strong&gt; Yes. URLScan 2.5 was originally released as part of the IIS Lockdown Tool, and if you are using URLScan 2.5, you can use your existing configuration file with URLScan 3.0 and everything will function fine. Plus you get the added URLScan 3.0 features!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;What are the new URLScan 3.0 features? &lt;/em&gt;&lt;/strong&gt;&lt;em&gt;While the configuration format of URLScan 3.0 is the same as its predecessor, there are a number of new sections in the configuration to support the following new features:&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;· Deny rules can be independently applied to a query string, all headers, a particular header, a URL or a combination of the above.&lt;/p&gt;
&lt;p&gt;· Configuration change notifications are propagated to the IIS worker processes so configuration changes don’t require worker process restarts.&lt;/p&gt;
&lt;p&gt;· The global DENYQUERYSTRING section of the configuration file allows you to add deny rules for query strings and includes an option to check the un-escaped version of the query string.&lt;/p&gt;
&lt;p&gt;· The global ALWAYSALLOWEDQUERYSTRINGS section allows for the specification of safe query strings that will bypass all query string checks. (This feature was not in the previously released URLScan 3.0 beta.)&lt;/p&gt;
&lt;p&gt;· Descriptive configuration errors are now available in W3C formatted logging. This feature was also not available in the beta.&lt;/p&gt;
&lt;p&gt;· Escape sequences like (%0A%0D) can now be used in deny rules, allowing you to deny CRLF and other sequences involving non-printable characters.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;How can URLScan be set up?&lt;/em&gt; &lt;/strong&gt;URLScan can be set up either as a global filter or a site-level filter. A global filter is triggered for every HTTP request sent to the server. Site-level filters are only invoked for HTTP requests sent to particular sites on an IIS server. Starting with URLScan 3.0, site filters can be used in conjunction with global filters.&lt;/p&gt;
&lt;h3&gt;Where can I get more information?&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://learn.iis.net/page.aspx/477/urlscan-faq/"&gt;URLScan 3.0 FAQ&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://learn.iis.net/page.aspx/473/using-urlscan/"&gt;Using URLScan&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://learn.iis.net/page.aspx/476/common-urlscan-scenarios/"&gt;Common URLScan Scenarios&lt;/a&gt;&lt;/p&gt;&lt;img src="http://edge.technet.com/1589/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/Feature-of-the-Week-URLScan-30-for-IIS-70/</comments><itunes:summary>Back in April, reports surfaced that web sites running on Internet Information Services (IIS) had been compromised by an automated attack that used vulnerabilities in web pages that did not follow security best practices. These websites were taken advantage of via SQL injection attacks. While the only way to completely prevent SQL injection attacks is by following proper development best practices, URL Scan 3.0 is an updated IIS feature that will allow server administrators to help mitigate SQL injection attacks until the web application can be updated to protect against SQL injection. This post will provide more details on the latest version of this technology.
URL Scan 3.0
Who’s it for? IT Professionals and Website Administrators.

When does it ship? URL Scan 3.0 was released to the Web on 8/21/08 and can be downloaded from the following locations:
· 32 Bit: http://www.iis.net/go/1697
· 64 Bit: http://www.iis.net/go/1698
(Wow, looking at those nice clean URLs makes me want to post about another new IIS feature. I guess more on that later.)

What does it do? When installed and configured on a server running IIS 5.1 or higher, URLScan scans incoming HTTP requests and can reject any request that contains undesirable content (like a SQL injection attack). By filtering these requests, URLScan helps prevent unwanted requests from potentially damaging the web application or even the web server.
How is URLScan different from the request filtering module that ships with IIS 7? The request filtering module does not have the ability to filter based on query strings like URLScan 3.0 does. Also, with the request filtering module you cannot specify rules that apply to multiple parts of an HTTP request.

So didn’t URLScan exist before? Yes. URLScan 2.5 was originally released as part of the IIS Lockdown Tool, and if you are using URLScan 2.5, you can use your existing configuration file with URLScan 3.0 and everything will function fine. Plus you get the added URLScan 3.0 features!
What are the new URLScan 3.0 features? While the configuration format of URLScan 3.0 is the same as its predecessor, there are a number of new sections in the configuration to support the following new features:
· Deny rules can be independently applied to a query string, all headers, a particular header, a URL or a combination of the above.
· Configuration change notifications are propagated to the IIS worker processes so configuration changes don’t require worker process restarts.
· The global DENYQUERYSTRING section of the configuration file allows you to add deny rules for query strings and includes an option to check the un-escaped version of the query string.
· The global ALWAYSALLOWEDQUERYSTRINGS section allows for the specification of safe query strings that will bypass all query string checks. (This feature was not in the previously released URLScan 3.0 beta.)
· Descriptive configuration errors are now available in W3C formatted logging. This feature was also not available in the beta.
· Escape sequences like (%0A%0D) can now be used in deny rules, allowing you to deny CRLF and other sequences involving non-printable characters.

How can URLScan be set up? URLScan can be set up either as a global filter or a site-level filter. A global filter is triggered for every HTTP request sent to the server. Site-level filters are only invoked for HTTP requests sent to particular sites on an IIS server. Starting with URLScan 3.0, site filters can be used in conjunction with global filters.
Where can I get more information?

URLScan 3.0 FAQ
Using URLScan
Common URLScan Scenarios</itunes:summary><link>http://edge.technet.com/Media/Feature-of-the-Week-URLScan-30-for-IIS-70/</link><pubDate>Thu, 28 Aug 2008 07:01:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/Feature-of-the-Week-URLScan-30-for-IIS-70/</guid><evnet:views>10460</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/1589/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>Back in April there were reports that surfaced stating that web sites running on Internet Information Services (IIS) had been compromised by an automated attack that used vulnerabilities in web pages that did not follow security for best practices. These websites were taken advantage of via SQL injection attacks. While the only way to completely prevent SQL injection attacks is by following proper development best practices, there is a newly updated IIS feature that will allow server administrators to help mitigate SQL injection attacks until the web application can be updated to protect…</evnet:previewtext><dc:creator>Joey</dc:creator><itunes:author>Joey</itunes:author><slash:comments>0</slash:comments><wfw:commentRss>http://edge.technet.com/Media/Feature-of-the-Week-URLScan-30-for-IIS-70/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/1589/Trackback.aspx</trackback:ping><category></category><category>Feature of the Week</category><category>IIS</category><category>IIS7</category><category>Security</category></item><item><title>IT Pro Feature of the Week:   MMS Announcements</title><description>&lt;p&gt;It’s Thursday, and that means one thing: Time for another Feature of the Week! Since I’m on location (along with Joey, who does in fact know &lt;i&gt;everyone) &lt;/i&gt;at MMS (Microsoft Management Summit) this week, I thought I’d just give you a roundup of the announcements Microsoft made at the event&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;MMS Announcements Roundup&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;Beta availability of Virtual Machine Manager 2008 &lt;/i&gt;&lt;/b&gt;Available immediately for download, VMM 2008 provides complete management of Virtual Server, Hyper-V and VMware virtual machines. Also includes PRO (Performance and Resource Optimization) tips that can dynamically move and provision VMs to best use the resources available across all your virtual machine hosts.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;Beta availability of Cross-Platform extensions for Operations Manager&lt;/i&gt;&lt;/b&gt; Utilizes industry standards and open source technologies like WS-Man and OpenPegasus to bring SCOM management to HP-UX, Solaris, and Red Hat and SUSE Linux. Partners are providing Oracle, MySQL and Apache management packs.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;Release of Microsoft Operations Framework (MOF) 4.0 &lt;/i&gt;&lt;/b&gt;The first major MOF release in 5 years, this release moves beyond just operations to include the whole IT lifecycle. It also includes guidance that you can start implementing in just 20 minutes, and strong community engagement and interaction.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;Configuration Manager SP1 &lt;/i&gt;&lt;/b&gt;Integration with Intel’s vPro technologies for deeper hardware layer integration. Asset Inventory Services – cloud based application catalog. Available in May.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;Configuration Manager R2&lt;/i&gt;&lt;/b&gt; Native integration of Application Virtualization distribution and streaming. SQL Reporting Services and Forefront integration. RC in June.&lt;/p&gt;
&lt;p&gt;Links&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.microsoft.com/systemcenter"&gt;The Newly redesigned System Center home page&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.microsoft.com/mof"&gt;The MOF homepage&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://edge.technet.com/Tags/MMS+2008/"&gt;MMS coverage on TechNet Edge&lt;/a&gt;&lt;/p&gt;&lt;img src="http://edge.technet.com/976/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/IT-Pro-Feature-of-the-Week-MMS-Announcements/</comments><itunes:summary>It’s Thursday, and that means one thing: Time for another Feature of the Week! Since I’m on location (along with Joey, who does in fact know everyone) at MMS (Microsoft Management Summit) this week, I thought I’d just give you a roundup of the announcements Microsoft made at the event
MMS Announcements Roundup
Beta availability of Virtual Machine Manager 2008 Available immediately for download, VMM 2008 provides complete management of Virtual Server, Hyper-V and VMware virtual machines. Also includes PRO (Performance and Resource Optimization) tips that can dynamically move and provision VMs to best use the resources available across all your virtual machine hosts.
Beta availability of Cross-Platform extensions for Operations Manager Utilizes industry standards and open source technologies like WS-Man and OpenPegasus to bring SCOM management to HP-UX, Solaris, and Red Hat and SUSE Linux. Partners are providing Oracle, MySQL and Apache management packs.
Release of Microsoft Operations Framework (MOF) 4.0 The first major MOF release in 5 years, this release moves beyond just operations to include the whole IT lifecycle. It also includes guidance that you can start implementing in just 20 minutes, and strong community engagement and interaction.
Configuration Manager SP1 Integration with Intel’s vPro technologies for deeper hardware layer integration. Asset Inventory Services – cloud based application catalog. Available in May.
Configuration Manager R2 Native integration of Application Virtualization distribution and streaming. SQL Reporting Services and Forefront integration. RC in June.

Links
The Newly redesigned System Center home page
The MOF homepage
MMS coverage on TechNet Edge</itunes:summary><link>http://edge.technet.com/Media/IT-Pro-Feature-of-the-Week-MMS-Announcements/</link><pubDate>Thu, 01 May 2008 22:48:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/IT-Pro-Feature-of-the-Week-MMS-Announcements/</guid><evnet:views>6233</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/976/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>It’s Thursday, and that means one thing: Time for another Feature of the Week! Since I’m on location (along with Joey, who does in fact know everyone) at MMS (Microsoft Management Summit) this week, I thought I’d just give you a roundup of the announcements Microsoft made at the event</evnet:previewtext><dc:creator>AdamBomb</dc:creator><itunes:author>AdamBomb</itunes:author><slash:comments>0</slash:comments><wfw:commentRss>http://edge.technet.com/Media/IT-Pro-Feature-of-the-Week-MMS-Announcements/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/976/Trackback.aspx</trackback:ping><category>Feature of the Week</category><category>MMS 2008</category></item><item><title>Windows Server 2008 - Unix Interoperability</title><description>&lt;p&gt;I used to bang the interoperability drum a lot – I still don’t think we do a good enough job as a company of telling the story of how well Windows plays nicely with others.  Case in point:  while perusing the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=173E6E9B-4D3E-4FD4-A2CF-73684FA46B60&amp;displaylang=en"&gt;Book of Longhorn&lt;/a&gt; looking for something to write about this week, I noticed just one or two brief mentions of Unix and our interoperability. &lt;/p&gt;
&lt;p&gt;The good news is we still have a strong Unix integration story in Windows Server 2008.  Read on for more details.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unix Support in Windows Server 2008&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;Why do Unix Support?  &lt;/i&gt;&lt;/b&gt;There are two main reasons:&lt;/p&gt;
&lt;p&gt;· Maximize previous investments – we have interoperability with platforms customers have already deployed, and administrators can leverage their existing knowledge and skills.&lt;/p&gt;
&lt;p&gt;· Lower costs – fewer management tools reduce the cost of administration, management and migration.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;What are we actually offering?&lt;/i&gt;&lt;/b&gt; Unix support is spread across a few different roles and features in Win2k8:&lt;/p&gt;
&lt;p&gt;· &lt;b&gt;Telnet&lt;/b&gt;, both a server and client, for command line administration&lt;/p&gt;
&lt;p&gt;· &lt;b&gt;Services for NFS&lt;/b&gt; allows transfer of files between Windows and Unix machines.  &lt;/p&gt;
&lt;p&gt;· &lt;b&gt;Subsystem for Unix-based Applications&lt;/b&gt; (SUA) allows you to compile and run Unix apps on Windows with minimal changes to the source code.  It also provides 300 Unix commands, utilities, and shell scripts.&lt;/p&gt;
&lt;p&gt;· &lt;b&gt;Identity Management for Unix (IDMU) – &lt;/b&gt;password sync between Windows domains and many Unix flavors, and a Server for NIS that allows AD to act as a master NIS server for NIS domains.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;Those all sound familiar – what’s actually new here?&lt;/i&gt;&lt;/b&gt; Windows Server 2008 is the first time we’re offering x64 versions of these tools – now with x64 SUA you can use it to port x64 or x32 bit Unix apps to x64 Windows.  Most scripts should run without changes at all.  This is the first time that we’re including &lt;i&gt;all&lt;/i&gt; this functionality as part of the OS – it was previously offered via web download or on the supplemental disc in Server 2003 R2.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Get started&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.microsoft.com/windowsserver2008/en/us/support-unix.aspx"&gt;Services for Unix on Server 2008 site&lt;/a&gt; (worst site ever)&lt;/p&gt;
&lt;p&gt;&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/0bd3aaf1-3475-4676-b85d-7fd5531a9cbc1033.mspx?mfr=true"&gt;Telnet Operations Guide&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/349a9501-d15e-47ed-bdf7-d5ebc6d0b09f1033.mspx?mfr=true"&gt;Server for NFS on TechNet&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://blogs.msdn.com/sfu/"&gt;SFU Team blog on MSDN&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/e789b078-f1e2-4af5-9516-736fe56b785f1033.mspx?mfr=true"&gt;IDMU on TechNet&lt;/a&gt;&lt;/p&gt;&lt;img src="http://edge.technet.com/649/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/649/</comments><itunes:summary>I used to bang the interoperability drum a lot – I still don’t think we do a good enough job as a company of telling the story of how well Windows plays nicely with others.  Case in point:  while perusing the Book of Longhorn looking for something to write about this week, I noticed just one or two brief mentions of Unix and our interoperability. 
The good news is we still have a strong Unix integration story in Windows Server 2008.  Read on for more details.
Unix Support in Windows Server 2008
Why do Unix Support?  There are two main reasons:
· Maximize previous investments – we have interoperability with platforms customers have already deployed, and administrators can leverage their existing knowledge and skills.
· Lower costs – fewer management tools reduce the cost of administration, management and migration.
What are we actually offering? Unix support is spread across a few different roles and features in Win2k8:
· Telnet, both a server and client, for command line administration
· Services for NFS allows transfer of files between Windows and Unix machines.  
· Subsystem for Unix-based Applications (SUA) allows you to compile and run Unix apps on Windows with minimal changes to the source code.  It also provides 300 Unix commands, utilities, and shell scripts.
· Identity Management for Unix (IDMU) – password sync between Windows domains and many Unix flavors, and a Server for NIS that allows AD to act as a master NIS server for NIS domains.

Those all sound familiar – what’s actually new here? Windows Server 2008 is the first time we’re offering x64 versions of these tools – now with x64 SUA you can use it to port x64 or x32 bit Unix apps to x64 Windows.  Most scripts should run without changes at all.  This is the first time that we’re including all this functionality as part of the OS – it was previously offered via web download or on the supplemental disc in Server 2003 R2.
Get started
Services for Unix on Server 2008 site (worst site ever)
Telnet Operations Guide
Server for NFS on TechNet
SFU Team blog on MSDN
IDMU on TechNet</itunes:summary><link>http://edge.technet.com/Media/649/</link><pubDate>Fri, 14 Mar 2008 07:01:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/649/</guid><evnet:views>4806</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/649/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>I used to bang the interoperability drum a lot – I still don’t think we do a good enough job as a company of telling the story of how well Windows plays nicely with others.  Case in point:  while perusing the Book of Longhorn looking for something to write about this week, I noticed just one or two brief mentions of Unix and our interoperability. The good news is we still have a strong Unix integration story in Windows Server 2008.  Read on for more details.</evnet:previewtext><dc:creator>AdamBomb</dc:creator><itunes:author>AdamBomb</itunes:author><slash:comments>0</slash:comments><wfw:commentRss>http://edge.technet.com/Media/649/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/649/Trackback.aspx</trackback:ping><category>Feature of the Week</category><category>Server 2008</category><category>SFU</category><category>UNIX</category></item><item><title>Windows Server 2008 - DNS enhancement nuggets</title><description>&lt;img src="http://edge.technet.com/Link/9a8eb613-76c8-417f-9405-5d5f2912c354/" border="0" /&gt;&lt;p&gt;
		&lt;/p&gt;
&lt;p&gt;There are a number of enhancements to DNS in Windows Server 2008. There are already some lengthy articles on the features, so in this post I hope to give a quick “why you care” on each of the features and some nuggets of wisdom / insight. Here we go…&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;DNS on Server Core&lt;/strong&gt;&lt;/span&gt;: I see this as a very useful scenario for most people who use DNS in conjunction with RODC in branch offices using the new primary read-only zone. You get all of the server core benefits such as improvements in performance, less patching, security, etc, and it can have all of the same core functionality as a regular DNS server. The easiest way to manage is remotely using the DNS MMC.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;Background Zone Loading&lt;/strong&gt;&lt;/span&gt;: Companies who have a large number of records in AD-integrated zones might have to wait 1+ hours to have DNS respond to queries after restarting. Now, DNS spawns off multiple threads to be able to respond to client queries right away. If the record in the zone hasn’t been loaded into memory yet and it is still in the process of loading the entire zone, it will query the node in AD, cache it in the zone, and return a response to the client.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;IPv6 Support&lt;/strong&gt;&lt;/span&gt;: Microsoft supported IPv6 in Server 2003, but it was a bit of a management pain and there were some other limitations. See &lt;a href="http://technet.microsoft.com/en-us/magazine/cc137727.aspx"&gt;Joseph Davies’ Cable Guy&lt;/a&gt; article for the management/integration improvements made in WS08. Also, some other improvements: &lt;br /&gt;
· DNS servers can now send recursive queries to IPv6-only servers &lt;br /&gt;
· The server forwarder list can contain both IPv4 and IPv6 addresses &lt;br /&gt;
· DHCP clients can also register IPv6 addresses in addition to (or instead of) IPv4 addresses. &lt;br /&gt;
· DNS servers now support the ip6.arpa domain namespace for reverse mapping.&lt;/p&gt;
&lt;p&gt;Make sure your critical apps are cool with receiving a response for an IPv4 address &lt;i&gt;and&lt;/i&gt; an IPv6 address. I haven’t personally seen any app problems, but nonetheless, worth mentioning.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;Primary read-only zone&lt;/strong&gt;&lt;/span&gt;: This new zone type is also referred to as a “branch office zone” which is available on RODCs running DNS. The zone will make a read-only copy of all of the AD-integrated zones locally from a full DC. The easiest way to think about it is as a read-only secondary zone, but better due to the benefits of AD-integration (i.e. security, management, and you can easily replicate multiple zones).&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;Global Names Zone&lt;/strong&gt;&lt;/span&gt;: This allows you to resolve single-label names in DNS as an aid to get rid of WINS. If you still need computer browsing, you have apps hard-coded to only use NetBIOS name resolution, or have really old clients &amp;amp; NT4 – sorry, you probably still need WINS. However, if you just need the single-label name support for things like custom-named internal websites or servers throughout your entire environment – this is the solution. There are quite a few things to consider with this, so I recommend reading the &lt;a href="http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc"&gt;whitepaper listed below&lt;/a&gt;. A couple quick key limitations are a) this functionality only works with WS08 DNS servers and b) it also doesn’t support dynamic updates.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;DNS Client changes&lt;/strong&gt;&lt;/span&gt;: For Vista clients or WS08 servers, the DNS client has a few good changes: &lt;br /&gt;
· Periodic check to make sure the client is authenticating with a local DC (configurable via group policy). Previously, a client would only fail back to the closer DC when forced. &lt;br /&gt;
· Locate the nearest domain controller using the defined Active Directory sitelink costs instead of searching randomly.  This is disabled by default, but good to enable when you have clients across slow site-links. &lt;br /&gt;
· Use link-local multicast name resolution (LLMNR), also known as multicast DNS or mDNS, to resolve names on a local network segment when a DNS server is not available.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Get Started&lt;br /&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;a href="http://trycatch.be/blogs/roggenk/archive/2007/10/17/windows-server-2008-amp-domain-name-service-what-s-new.aspx"&gt;Windows Server 2008 &amp;amp; Domain Name Service: What's New&lt;/a&gt; (WS08 Blog by Kurt Roggen) &lt;br /&gt;
&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/6f883d0d-3668-4e15-b7ad-4df0f6e6805d1033.mspx?mfr=true"&gt;Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008&lt;/a&gt; (http) (&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/6f883d0d-3668-4e15-b7ad-4df0f6e6805d1033.mspx?mfr=true"&gt;doc version&lt;/a&gt;) &lt;br /&gt;
&lt;a href="http://technet.microsoft.com/en-us/magazine/cc137727.aspx"&gt;The Cable Guy DNS Enhancements in Windows Server 2008&lt;/a&gt; (by Joseph Davies) &lt;br /&gt;
&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/0b0bf633-5732-4b39-80d3-a2a4330acb141033.mspx?mfr=true"&gt;What's New in DNS in Windows Server 2008&lt;/a&gt; (very short blurb on TechNet) &lt;br /&gt;
&lt;a href="http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc"&gt;DNS Server GlobalNames Zone Deployment Whitepaper&lt;/a&gt;&lt;/p&gt;&lt;img src="http://edge.technet.com/622/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/622/</comments><itunes:summary>
		
There are a number of enhancements to DNS in Windows Server 2008. There are already some lengthy articles on the features, so in this post I hope to give a quick “why you care” on each of the features and some nuggets of wisdom / insight. Here we go…
DNS on Server Core: I see this as a very useful scenario for most people who use DNS in conjunction with RODC in branch offices using the new primary read-only zone. You get all of the server core benefits such as improvements in performance, less patching, security, etc, and it can have all of the same core functionality as a regular DNS server. The easiest way to manage is remotely using the DNS MMC.
Background Zone Loading: Companies who have a large number of records in AD-integrated zones might have to wait 1+ hours to have DNS respond to queries after restarting. Now, DNS spawns off multiple threads to be able to respond to client queries right away. If the record in the zone hasn’t been loaded into memory yet and it is still in the process of loading the entire zone, it will query the node in AD, cache it in the zone, and return a response to the client.
IPv6 Support: Microsoft supported IPv6 in Server 2003, but it was a bit of a management pain and there were some other limitations. See Joseph Davies’ Cable Guy article for the management/integration improvements made in WS08. Also, some other improvements: 
· DNS servers can now send recursive queries to IPv6-only servers 
· The server forwarder list can contain both IPv4 and IPv6 addresses 
· DHCP clients can also register IPv6 addresses in addition to (or instead of) IPv4 addresses. 
· DNS servers now support the ip6.arpa domain namespace for reverse mapping.
Make sure your critical apps are cool with receiving a response for an IPv4 address and an IPv6 address. I haven’t personally seen any app problems, but nonetheless, worth mentioning.
Primary read-only zone: This new zone type is also referred to as a “branch office zone” which is available on RODCs running DNS. The zone will make a read-only copy of all of the AD-integrated zones locally from a full DC. The easiest way to think about it is as a read-only secondary zone, but better due to the benefits of AD-integration (i.e. security, management, and you can easily replicate multiple zones).
Global Names Zone: This allows you to resolve single-label names in DNS as an aid to get rid of WINS. If you still need computer browsing, you have apps hard-coded to only use NetBIOS name resolution, or have really old clients &amp; NT4 – sorry, you probably still need WINS. However, if you just need the single-label name support for things like custom-named internal websites or servers throughout your entire environment – this is the solution. There are quite a few things to consider with this, so I recommend reading the whitepaper listed below. A couple quick key limitations are a) this functionality only works with WS08 DNS servers and b) it also doesn’t support dynamic updates.
DNS Client changes: For Vista clients or WS08 servers, the DNS client has a few good changes: 
· Periodic check to make sure the client is authenticating with a local DC (configurable via group policy). Previously, a client would only fail back to the closer DC when forced. 
· Locate the nearest domain controller using the defined Active Directory sitelink costs instead of searching randomly.  This is disabled by default, but good to enable when you have clients across slow site-links. 
· Use link-local multicast name resolution (LLMNR), also known as multicast DNS or mDNS, to resolve names on a local network segment when a DNS server is not available.
Get Started
Windows Server 2008 &amp; Domain Name Service: What's New (WS08 Blog by Kurt Roggen) 
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 (http) (doc version) 
The Cable Guy DNS Enhancements in Windows Server 2008 (by Joseph Davies) 
What's New in DNS in Windows Server 2008 (very short blurb on TechNet) 
DNS Server GlobalNames Zone Deployment Whitepaper</itunes:summary><link>http://edge.technet.com/Media/622/</link><pubDate>Thu, 06 Mar 2008 07:59:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/622/</guid><evnet:views>4923</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/622/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>&lt;p&gt;
		&lt;/p&gt;
&lt;p&gt;There are a number of enhancements to DNS in Windows Server 2008. There are already some lengthy articles on the features, so in this post I hope to give a quick “why you care” on each of the features and some nuggets of wisdom / insight. Here we go…&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;DNS on Server Core&lt;/strong&gt;&lt;/span&gt;: I see this as a very useful scenario for most people who use DNS in conjunction with RODC in branch offices using the new primary read-only zone. You get all of the server core benefits such as improvements in performance, less patching, security, etc, and it can have all of the same core functionality as a regular DNS server. The easiest way to manage is remotely using the DNS MMC.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;Background Zone Loading&lt;/strong&gt;&lt;/span&gt;: Companies who have a large number of records in AD-integrated zones might have to wait 1+ hours to have DNS respond to queries after restarting. Now, DNS spawns off multiple threads to be able to respond to client queries right away. If the record in the zone hasn’t been loaded into memory yet and it is still in the process of loading the entire zone, it will query the node in AD, cache it in the zone, and return a response to the client.&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;strong&gt;IPv6 Support&lt;/strong&gt;&lt;/span&gt;: Microsoft supported IPv6 in Server 2003, but it was a bit of a management pain and there were some other limitations. See &lt;a href="http://technet.microsoft.com/en-us/magazine/cc137727.aspx"&gt;Joseph Davies’ Cable Guy&lt;/a&gt; article for the management/integration improvements made in WS08. Also, some other improvements: &lt;/p&gt;</evnet:previewtext><media:thumbnail url="http://edge.technet.com/Link/32b46df5-03d3-47ba-bdbd-59dcecd54372/" height="240" width="320" /><media:thumbnail url="http://edge.technet.com/Link/9a8eb613-76c8-417f-9405-5d5f2912c354/" height="64" width="85" /><dc:creator>extreme</dc:creator><itunes:author>extreme</itunes:author><slash:comments>0</slash:comments><wfw:commentRss>http://edge.technet.com/Media/622/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/622/Trackback.aspx</trackback:ping><category>DNS</category><category>Feature of the Week</category><category>Windows Server 2008</category></item></channel></rss>