Security

Rights Management

Microsoft's rights management solutions, be it WRM or AD-RMS, have in my opinion been a solution waiting for a problem for many years. Many organisations wanted to protect and control their documents and emails so that they could not be read or altered by recipients the content was not intended for, but the product lacked some important functionality, one piece of which was the ability to natively classify and label content (this was left to third parties). The solutions also required a somewhat niche skillset, and as a result adoption of Microsoft's rights management was slow.

Azure Information Protection (AIP) is a cloud-based solution that addresses the challenges the on-premises solution had. It still protects documents, but it now also natively enables an organisation to classify and label its documents and emails, with the benefit that the on-premises complexity is reduced by moving the operation of the rights management service to the Azure platform.

Protect, Classify and Label.

Protect

Protecting a document is how a content owner restricts who has access to the content and what they can do with the document or its contents.

This can include preventing the document from being edited, restricting who can print it or, in true "Mission Impossible" style, having it self-destruct (when the content expires).

Protection can be applied by the end user (ad hoc) or administratively on the portal (via classification and labelling).

Classification and Labels

Labelling a document is the means by which the document is classified.

By selecting "Internal", for example, the document is labelled and classified as internal, and additional settings can be applied (in addition to rights management), such as a watermark or a custom header or footer.

When I started this brief summary of AIP, I described the product as a solution waiting for a problem. Normally we have a problem and then find the solution to it, yet AIP was a solution that needed a problem to solve.

In my opinion GDPR is one problem that needs a solution and AIP can form part of it.

May 25th, 2018 is the date from which the General Data Protection Regulation (GDPR) is enforced, and this is where AIP can help in several areas, the main one being "Article 25: data protection by design and by default".

AIP has a built-in capability to automatically classify and protect documents that contain information in certain formats, such as passport numbers, government-issued identifiers and credit card numbers.

This, for me, is the kind of problem that Microsoft's rights management solutions were always intended to solve. The fact that AIP can also classify automatically is a failsafe for the many organisations that need to collect and store personal information, and when combined with content expiry it can be a very reassuring comfort blanket.
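To show what "automatically protect documents that contain information in certain formats" involves, here is an added example (my own illustration, not AIP's implementation and not code from the original post) of the kind of detection logic that sits behind an automatic credit card number condition: a digit-pattern match followed by a Luhn checksum, so that an order or PO number that merely looks like a card number is not labelled by mistake. The three documents, the label names and the protection settings it returns are constructed for the example.

```python
import re

# Constructed sample documents (fake content, not real card data).
DOCS = {
    "expenses.txt": "Card used for travel: 4111 1111 1111 1111, reimbursed in full.",
    "minutes.txt": "Order ref 4111-1111-1111-1112 shipped; PO number 1234567890123456.",
    "memo.txt": "Team lunch is on Friday.",
}

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that both match the shape of a card number and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> tuple:
    """Assign a (hypothetical) label and the settings an auto-classification rule would apply."""
    cards = find_card_numbers(text)
    if cards:
        return "Confidential", {"protect": True, "watermark": "Confidential", "matches": len(cards)}
    return "Internal", {"protect": False, "watermark": None, "matches": 0}


def classify_all(docs: dict) -> dict:
    return {name: classify(text)[0] for name, text in docs.items()}


if __name__ == "__main__":
    for name, text in DOCS.items():
        label, settings = classify(text)
        print(f"{name}: {label} {settings}")
```

The second document contains two 16-digit numbers that a naive regex would flag; both fail the Luhn check, so it stays "Internal". In practice a real policy also tunes the minimum match count and looks for supporting keywords ("card", "CVV") near the number, because pattern matching alone still produces false positives and negatives, and automatic labels should be reviewed before they drive protection that can lock users out of their own documents.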

General Data Protection Regulation (GDPR)

More AIP insights to follow…..


This summary stems from a brief conversation within a peer circle, and offers a different perspective on the issue of passwords.

Most IT organisations have an IT security policy which defines the required password parameters for the organisation. Active Directory provides a method to enforce those parameters, from complexity and length to the frequency with which passwords must be changed.

Once a company's password policy is understood and the required parameters are known, bad practice can set in internally, and this is not necessarily limited to end users: IT can equally be at fault. For example, the service desk may create all new user or service accounts with the same common password, such as Password1234$$ or Welcome2015!.

So what has this got to do with hacking your own Active Directory? 

Using one of the numerous Active Directory password cracking tools on the internet, you can analyse the password hashes stored in Active Directory (cracking the easy ones) and produce a list of the most common passwords.

These common passwords can then be cross-referenced with their owners, and with a little arithmetic it is possible to deduce that perhaps 10 passwords give access to 70% of all systems. Not only is this a rather frightening metric, it is reality, and it is one attack vector for anyone with access to a domain controller (or to a backup of its database).

This is not a simple problem to fix with the current architecture of Active Directory, but with small process changes and education around the use of common passwords the percentage of systems that could be accessed or compromised may be reduced. 


Microsoft have released a new document which contains best practice recommendations to assist organisations in enhancing the security of their Active Directory installations.

Microsoft state that “In implementing these recommendations, organisations will be able to identify and prioritise security activities, protect key segments of their organisation’s computing infrastructure and create controls that significantly decrease the likelihood of successful attacks against critical components of the IT environment“.

This document discusses the most common attacks against Active Directory, countermeasures to reduce the attack surface, and recommendations for recovery in the event of complete compromise.

Download


If you are looking to understand what the security policies in Windows 7 and 2008 R2 mean and how they can impact your environment, then this guide is a must read.

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

The document covers the following categories in some depth:

Account Policies

This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

Advanced Security Audit Policy

This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

User Rights

This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Security Options

This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behaviour, and logon prompts.

Event Log

This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

System Services

Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Software Restriction Policies

This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Application Control Policies

This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

External Storage Devices

This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Additional Resources

This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

Microsoft have today delivered the first release candidate (RC) of Service Pack 1 for Windows 7 and Windows Server 2008 R2. The Service Pack is slated for release in early 2011, but there is no confirmed date. The Service Pack can be downloaded here and the associated documentation can be downloaded here.

The document "Windows 7 and Windows Server 2008 R2 Service Pack 1 Release Candidate Notable Changes" has changed since the initial beta release and is now dated June instead of February 2010; the document "Windows Server 2008 R2 and Windows 7 Service Pack 1 Test Focus Guide" has moved to version 1.3 and is dated October 2010; and the final document, "Hotfixes and Security Updates included in Windows 7 and Windows 2008 R2 Service Pack 1 Release Candidate", is also dated October 2010.

The Service Pack now consists of 78 non-security GDR updates, 27 security updates and 520 hotfix updates.

The last security update included in the Release Candidate is MS10-061.

For a technical overview of the Windows Server 2008 R2 SP1 RC release, click here.

Microsoft have released a guide for configuring and applying Group Policy in Microsoft Office 2010.

The guide states that its audience is the IT administrator who plans to use Group Policy to configure and enforce settings for Microsoft Office 2010 applications. In addition to providing an insight into Group Policy for Office 2010, the guide also explains how Group Policy functions and is applied at the Windows level.

Group Policy for Office 2010

I have had a quick read through the guide and it makes interesting reading.

In the companies that I work with, Active Directory and firewalls are often mentioned in the same sentence. This KB article discusses the essential network ports, protocols and services that are used by Windows client and server operating systems, server-based programs and their subcomponents in the Windows server system.

I have found this document invaluable when it comes to making Active Directory and other Windows components (such as DFS-N and DFS-R) work through a firewall.

http://support.microsoft.com/kb/832017/en-US

One of the reasons I am adding this post is that this KB article is constantly evolving; in the past six weeks alone I have seen four versions:

30th March 2010: Version 42.0
9th April 2010: Version 43.0
23rd April 2010: Version 44.0