Azure Firewall and starting with Azure Firewall Manager step away from Classic #Azure #Firewall #classic #policy #security #AVD

In Azure there are multiple options to add a firewall to your Azure landing zone. The standard Azure Firewall comes with a choice between Classic rules and a Firewall Policy, and there is a good chance that you already have a classic Azure Firewall; in that case you can migrate to the Premium SKU. See this link for the migration process: https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011


Azure Firewall pricing

https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011

Azure Firewall Standard

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • Centralized network and application level connectivity policy
  • Threat intelligence-based filtering
  • Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways

Azure Firewall Premium (Public Preview)

  • Built-in TLS Inspection for customer’s selected encrypted applications
  • Ability to detect and block malicious traffic through advanced IDPS engine
  • Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
  • Web Categories provide enhanced content filtering capabilities
  • IDPS signatures and Web categories are fully managed and constantly updated

Initially I set up an Azure Firewall Premium.

Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some downtime.

As you can see, there is a choice between Standard and Premium, and between using a Firewall Policy or Classic rules. In Premium there is no Classic any more; the only option is Firewall Policy.

When choosing Premium, the Firewall management option is greyed out.

As I already have some firewall policies, I can attach them directly to my new firewall. This is one of the great options: in Firewall Manager you can create firewall policies without having an Azure Firewall running, so you can prepare the landing zone with all kinds of rules in advance.

Keep in mind that the firewall must be in the same resource group as your VNet.

Setting up an Azure Firewall with PowerShell is easy, but you need to have the resources (resource group, a VNet with an AzureFirewallSubnet, and a public IP) already in place.

# Names of the existing resource group, VNet and public IP (fill in your own)
$FirewallName = "azfw-premium01"
$rgNamevnet   = "<resource-group-of-the-vnet>"
$Location     = "westeurope"
$VnetName     = "<vnet-name>"
$pip01        = "<public-ip-name>"

# Create the firewall (Az.Network module). A Premium firewall uses a Firewall Policy,
# which you attach in Firewall Manager afterwards.
$Azfw = New-AzFirewall `
    -Name $FirewallName `
    -ResourceGroupName $rgNamevnet `
    -Location $Location `
    -VirtualNetworkName $VnetName `
    -PublicIpName $pip01 `
    -SkuTier Premium

Now that the firewall is created, we can see the attached policies in Firewall Manager.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

Secured virtual hub

An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

Hub virtual network

This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.

Azure Firewall Premium Preview in the Azure portal | Microsoft Docs

So now the firewall is in place and we already had a policy attached, but you can change that quickly.

Go to the Firewall blade; here you can see the policy and change it directly.

Or, if you go to Firewall Manager and select Virtual networks, you get a good overview of where and what is attached to the VNet.

Remember that the firewall needs to be in the same resource group as your network, and that is also the hard part if you want to switch policies.

Looking at the firewall policies from here, you can add them to a hub or a VNet.

Here you see an overview of the firewall policies.

When associating a policy to one or multiple VNets, you get a good overview of what is available and what is not.

Adding the policy to a network.

The Firewall Manager blade shows all the rules and options.

You can add rule collection groups and rule collections; a rule collection group can hold multiple rule collections. I would advise you to build these collections, as it is really handy if you later want to change an item, or want to export a collection and import it into a different collection group.

Also new are the application rules; here you can set web categories that are allowed or denied.

Using the application rules with the web categories is still in preview, but it is a great addition for Azure Virtual Desktop #AVD.

Setting up the web categories is easy: select Web categories as the destination type, and then select one or multiple categories.

Remember the naming if you want to find this later in your rules; keep it clean and neat.

Keep in mind that when you select multiple categories, the name field corresponds to that as well.
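The rule collection groups, rule collections and web-category application rules described above can be prepared as a policy before any firewall exists, which is the Firewall Manager workflow the post recommends. The following is an added PowerShell (Az.Network) example and not code from the post: the policy, group, collection and rule names, the AVD subnet range, the category choice and the firewall resource names are placeholders of my own; the cmdlets and their -WebCategory and -FirewallPolicyId parameters are the Az.Network ones.

```powershell
# Added example (not from the original post). Builds a Premium firewall policy with one
# rule collection group, a deny collection on web categories and an allow collection on
# FQDNs, then creates the firewall with that policy already attached.
# Placeholders: resource names, $avdSubnet and the category choice are mine.
$rgName    = "<resource-group-of-the-vnet>"   # policy and firewall kept in the VNet's RG, as the post notes
$location  = "westeurope"
$avdSubnet = "10.10.1.0/24"                   # placeholder: the AVD session host subnet

# 1. The policy can exist before any firewall does
$policy = New-AzFirewallPolicy -Name "fwpol-landingzone" -ResourceGroupName $rgName `
    -Location $location -SkuTier Premium

# 2. Application rules. Descriptive names make the rule easy to find again later.
$denyCategories = New-AzFirewallPolicyApplicationRule -Name "deny-gambling-games" `
    -SourceAddress $avdSubnet -Protocol "http:80","https:443" -WebCategory "Gambling","Games"
$allowMicrosoft = New-AzFirewallPolicyApplicationRule -Name "allow-ms-fqdns" `
    -SourceAddress $avdSubnet -Protocol "https:443" -TargetFqdn "*.microsoft.com","*.windows.net"

# 3. Collections: the deny collection gets the lower priority number so it is evaluated first
$denyCollection  = New-AzFirewallPolicyFilterRuleCollection -Name "rc-deny-webcategories" `
    -Priority 100 -Rule $denyCategories -ActionType Deny
$allowCollection = New-AzFirewallPolicyFilterRuleCollection -Name "rc-allow-fqdns" `
    -Priority 200 -Rule $allowMicrosoft -ActionType Allow

# 4. One group holds both collections, so exporting or editing them later stays in one place
New-AzFirewallPolicyRuleCollectionGroup -Name "rcg-avd-web" -Priority 300 `
    -RuleCollection $denyCollection, $allowCollection -FirewallPolicyObject $policy

# 5. Create the firewall with the policy attached (the VNet needs an AzureFirewallSubnet)
$azfw = New-AzFirewall -Name "azfw-premium01" -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkName "<vnet-name>" -PublicIpName "<public-ip-name>" `
    -SkuTier Premium -FirewallPolicyId $policy.Id

# Verify which policy the firewall now references
$azfw.FirewallPolicy.Id
```

Collections inside a group are processed by priority number, so keeping the deny collection on the lower number makes the intent explicit instead of relying on rule order in the portal.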

Removing the firewall does not mean that you lose the policies, and removing a policy does not remove the firewall, unless…

Keep in mind that when you remove a policy and tick the little checkbox, the firewall will be removed as well. If the policy is attached to multiple VNets you may get a failure on the firewall deletion, as there is still a policy attached.

Overall, Firewall Manager is a great step towards modern security management in Azure. There are multiple items I could wish for in Firewall Manager, like management of all the NSGs (how nice would that be) and traffic logging, but one thing is clear: Azure is getting better and better, and true, the more options we get, the more complex the things we build become. That's fine; it keeps me off the streets and my work never gets boring.

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

 

Altaro Webinar – Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them #Altaro #M365 #Webinar #security


Microsoft 365 is an incredibly powerful software suite for businesses, but it is becoming increasingly targeted by people trying to steal your data. The good news is that there are plenty of ways admins can fight back and safeguard their Microsoft 365 infrastructure against attack.

https://www.altaro.com/webinars/m365-vulnerabilities.php?LP=smit-sc-Article-webinar-m365-vulnerabilities-EN&Cat=SC&ALP=webinar-webinar-m365-vulnerabilities-smit-sc-article&utm_source=smit&utm_medium=sc&utm_campaign=webinar-m365-vulnerabilities&utm_content=Article

This free upcoming webinar, on June 23 and produced by Hornetsecurity/Altaro, features two enterprise security experts from the leading security consultancy Treusec – Security Team Leader Fabio Viggiani and Principal Cyber Security Advisor Hasain Alshakarti. They will explain the 5 most critical vulnerabilities in your M365 environment and what you can do to mitigate the risks they pose. To help attendees fully understand the situation, a series of live demonstrations will be performed to reveal the threats and their solutions covering:

· O365 Credential Phishing

· Insufficient or Incorrectly Configured MFA Settings

· Malicious Application Registrations

· External Forwarding and Business Email Compromise Attacks

· Insecure AD Synchronization in Hybrid Environments

This is truly an unmissable event for all Microsoft 365 admins!

The webinar will be presented live twice on June 23 to enable as many people as possible to join the event live and ask questions directly to the expert panel of presenters. It will be presented at 2pm CEST/8am EDT/5am PDT and 7pm CEST/1pm EDT/10am PDT.

Don’t miss out – Save your seat now!


Starting with FIDO2 security keys With Azure Active Directory #Trustkey #pointblank #fido #Azure #Security #AAD

I received a great FIDO2 test kit from the vendor PointBlank Security / TrustKey Solutions: https://www.trustkeysolutions.com/ and https://www.pointblank.de/en/

As FIDO2 is the new hot item in the security world, let's see if it is that easy to implement and to use. I'm not going into the in-depth specs of the keys, but will take more of a user's view: is this key easy to set up and use by anyone?

This is usable for all Azure AD logins where the Microsoft authentication challenge is presented, say for Windows Virtual Desktop (WVD).

I have a USB key and a USB-C type key.

I use my computer with a normal USB-A port for this, so the TrustKey G310 model.

Setting up the key and using it is simple: I configured Azure Active Directory, did some easy settings, added the key to my profile and was ready.

First we enable the FIDO2 security key in Azure AD; this is configured from the Azure portal, under Azure Active Directory > Security.

Next we go to Authentication methods.

Here we can enable the authentication type for all users or for a selected group of users.
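The tenant-level step above (Security > Authentication methods, enabled for all or selected users) can also be read back and set through Microsoft Graph, which is handy for checking a tenant you did not configure yourself. The following is an added example using the Microsoft.Graph PowerShell SDK and not code from the post: the function names are mine; the Graph endpoint, the property names and the all_users target are the documented ones; and it assumes the signed-in account holds Policy.Read.All (to read) or Policy.ReadWrite.AuthenticationMethod (to write).

```powershell
# Added example (not from the original post): read, and optionally enable, the tenant-wide
# FIDO2 authentication method policy through Microsoft Graph instead of the portal blade.
# Requires the Microsoft.Graph PowerShell SDK. Function names are mine.
$fido2Uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

function Get-Fido2PolicySummary {
    # Returns the settings a defender reviews: is it on, for whom, and are
    # attestation and key (AAGUID) restrictions enforced.
    $p = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
    [pscustomobject]@{
        State                   = $p.state
        Targets                 = ($p.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ","
        SelfServiceRegistration = $p.isSelfServiceRegistrationEnabled
        AttestationEnforced     = $p.isAttestationEnforced
        KeyRestrictionsEnforced = $p.keyRestrictions.isEnforced
        KeyRestrictionMode      = $p.keyRestrictions.enforcementType   # allow- or block-list of AAGUIDs
        AaGuids                 = ($p.keyRestrictions.aaGuids -join ",")
    }
}

function Enable-Fido2ForGroup {
    # "all_users" is the built-in target id for everyone; pass a group object id to pilot first
    param([string]$GroupId = "all_users")
    $body = @{
        "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
        state                            = "enabled"
        isSelfServiceRegistrationEnabled = $true
        isAttestationEnforced            = $true   # only keys with valid attestation may register
        includeTargets                   = @(@{ targetType = "group"; id = $GroupId; isRegistrationRequired = $false })
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri -Body $body
}

# Reading needs Policy.Read.All; writing needs Policy.ReadWrite.AuthenticationMethod
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.AuthenticationMethod"
Get-Fido2PolicySummary
# Enable-Fido2ForGroup -GroupId "<object-id-of-pilot-group>"   # pilot group first, then all_users
```

Run the summary before and after the change: the value to watch besides State is AttestationEnforced, which is what stops unverified keys from being registered against the tenant.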

When this is done you can set the FIDO option in your profile. If this is your own account, then at the top of the Azure portal you can go directly to your user account, or go to https://myaccount.microsoft.com/

Go to Security info.

Here you can add a method.

Add the security key; if you want to use the phone instead, the method is similar.

Now that we have chosen the FIDO2 security key we can configure it with a PIN.

Choose a proper PIN and touch the key. Now everything is set and ready to use.

Whenever you are challenged to log in with your Microsoft Azure AD account you can choose to use the USB key. You can also make this your dedicated method.

So as a sample, browse to https://myprofile.microsoft.com; use an InPrivate session or a different browser to make sure you test this correctly.

Select "Sign in with a security key".

After entering the PIN and touching the USB key you will be logged in; when it was successful you will see the page, otherwise it will prompt you again.

All this is perfectly usable to log in to your WVD portal:

https://rdweb.wvd.microsoft.com/webclient/index.html


Configure Azure Service Endpoints for Web Applications #Azure #ASE #Endpoints #AzureServiceEndpoints #webapp #AzureDevOps

Sometimes you are building things in Azure and thinking: if this were possible, it would be a cool feature. Then you build it and notice that it is already there in Azure. How cool is that.

Today I was building a demo website, but I did not want to expose it directly to the web; I wanted to play with it and still get the use of Azure over the internet. Reading about the Azure service endpoints, there is no Web App endpoint service listed. Use an NSG or enable the Azure Firewall? Well, it is just a test, so let's see what we can do with the basic building blocks. During the test I saw the option Microsoft.Web in the service endpoints.

More security is needed for everything you expose to the internet, and in Azure it all starts with a VNet.

Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network.

First we create a new VNet; while creating it we can enable and pick the right service endpoints. This can also be done afterwards.

Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.

In case you already have a VNet, just go to Service endpoints and add the selected service you want, or select them all.

At this point there is no configuration; it is just adding a service to the network or subnet.

Below is a list of the Azure services that are currently available, both generally available and in public preview.

The Web App is not listed, but the option is there and working. The Azure service endpoint is not a firewall; Azure Firewall is a totally different service.

For example, you have a web application that needs a connection to storage or SQL Server and to another web service. Without opening this up as Any to Any, you can restrict it with Azure service endpoints.

Creating the rules is a quick process; they are similar to those in an NSG.

  • Network security groups (NSGs) with service endpoints:

    • By default, NSGs allow outbound Internet traffic and so, also allow traffic from your VNet to Azure services. This continues to work as is, with service endpoints.
    • If you want to deny all outbound Internet traffic and allow only traffic to specific Azure services, you can do so using service tags in your NSGs. You can specify supported Azure services as destination in your NSG rules and the maintenance of IP addresses underlying each tag is provided by Azure.

First we go to the Web App service, then to Networking, and the non-readers will click VNet integration. #Wrong

In this case I don't want a premium network, so we go to Configure Access Restrictions.

Here we create an access rule that decides who gets access to this web application.

I created a deny rule for a specific IP.

And the page shows an error that the web app is stopped. Here you can also see the difference between a complete port block and no access to the application.

Changing this to Allow, the app is visible.

Also for the Kudu SCM site you can have different rules or apply the same rules, with the little checkbox.
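The portal steps above (Networking > Configure Access Restrictions, the allow/deny rule and the SCM checkbox) can be scripted. The following is an added example using Az.Websites cmdlets and not code from the post: the resource names are placeholders, the rule names are mine, and the client address is an RFC 5737 documentation address standing in for the IP the post denied.

```powershell
# Added example (not from the original post): the access restriction the post configures
# in the portal, done with Az.Websites. Resource names are placeholders, rule names mine.
$rgName = "<resource-group>"
$webApp = "<web-app-name>"
$vnet   = "<vnet-name>"      # the VNet where the Microsoft.Web service endpoint was enabled
$subnet = "<subnet-name>"    # the subnet that carries that endpoint

# Allow only traffic arriving through the service endpoint subnet. As soon as one Allow
# rule exists, App Service adds an implicit "Deny all" below it for everything else.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgName -WebAppName $webApp `
    -Name "allow-frontend-subnet" -Priority 100 -Action Allow `
    -VirtualNetworkName $vnet -SubnetName $subnet

# An explicit deny for one client, matching the post's test. 203.0.113.0/24 is the
# RFC 5737 documentation range used here as a placeholder for the real address.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgName -WebAppName $webApp `
    -Name "deny-test-client" -Priority 200 -Action Deny -IpAddress "203.0.113.10/32"

# The Kudu (SCM) site keeps its own list. This is the "same rules" checkbox from the post;
# for a separate, stricter SCM rule use Add-AzWebAppAccessRestrictionRule with -TargetScmSite.
Update-AzWebAppAccessRestrictionConfig -ResourceGroupName $rgName -WebAppName $webApp `
    -ScmSiteUseMainSiteRestrictionConfig

# Review what is now in force for the main site and for SCM
$config = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rgName -WebAppName $webApp
$config.MainSiteAccessRestrictions | Format-Table -AutoSize
$config.ScmSiteAccessRestrictions  | Format-Table -AutoSize
```

A quick check after applying the rules is to browse from a client outside the subnet: it should receive the same "stopped"/forbidden page the post shows, while a request routed through the VNet is served.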


With these options you can create a more secure environment; again, this is a great add-on.


Secure DevOps Kit for Azure (AzSK) With Security Monitoring #Devops #Azure #AzSK #Security #LogAnalytics #PowerShell

The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions and automations.

The kit is based on PowerShell and can be extended to Azure Log Analytics with some nice dashboarding. But if you have a large subscription the PowerShell query can take some time. With this toolkit, DevOps teams use extensive automation and smoothly integrate security into native DevOps workflows, helping to accomplish secure DevOps with these six focus areas:

  • Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
  • Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
  • Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
  • Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
  • Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
  • Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.

Keep in mind that the OMS portal is retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.

Even in the Azure portal you can still connect to OMS.

Complete feature set of Secure DevOps Kit for Azure

Feature area, with the Secure DevOps Kit features it covers:
Secure the subscription
  • Subscription Health Check
  • Subscription Provisioning
    • Alerts Configuration
    • ARM Policy Configuration
    • Azure Security Center Configuration
    • Access control (IAM) Hygiene
Enable secure development
  • Security Verification Tests (SVT)
  • Security IntelliSense- VS Extension
Integrate security into CICD
  • AzSK VS Extension-executes SVTs in a CICD pipeline
Continuous Assurance
  • Security scanning via Azure Automation Runbooks
Alerting & Monitoring
  • OMS Solution for AzSK containing:
    • Security dashboard views covering security state/actions
    • Alerts with pertinent search queries
Cloud Risk Governance
  • Control/usage telemetry through Insights

Setting up Secure DevOps Kit for Azure (AzSK)

First make sure you have the right Azure modules installed. I noticed the automation module failed, so I added it manually before running the scan:

Import-Module AzureRM.Automation

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <subscription-id>

Installing the Secure DevOps Kit for Azure (AzSK)

Install-Module AzSK -Scope CurrentUser

Now that the PowerShell modules are installed we can start the AzSK scan:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <subscription-id>

In this subscription there are 44 items that are being checked.

Items are checked for security issues.

A nice detailed overview is shown. Also a log folder is created with all the issues, per resource item.

As you can see I have some failed items, including one with severity High, so I need to take a good look at these and fix them.

This may be one of the best items here: an Excel sheet with all the issues listed, the solution mentioned, and whether it can be automated.

If needed there is a URL that points you to the right solution.
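Rather than opening the Excel sheet each time, the failed findings can be pulled straight out of the CSV report AzSK writes to its log folder. The following is an added example, not code from the post or from AzSK: it assumes the default log location under %LOCALAPPDATA%\Microsoft\AzSKLogs and report columns named ControlID, Status, ControlSeverity, FeatureName, ResourceName and Recommendation; check those names against the header of your own report before relying on them.

```powershell
# Added example (not from the original post): triage the latest AzSK SecurityReport CSV.
# Assumptions: default log location under %LOCALAPPDATA%\Microsoft\AzSKLogs, and the column
# names ControlID, Status, ControlSeverity, FeatureName, ResourceName, Recommendation.
function Get-LatestAzSKReport {
    $logRoot = Join-Path $env:LOCALAPPDATA "Microsoft\AzSKLogs"
    Get-ChildItem -Path $logRoot -Recurse -Filter "SecurityReport-*.csv" |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

function Get-AzSKFindings {
    # Failed controls only, filtered to the severities worth fixing first
    param([string]$Path, [string[]]$Severity = @("Critical", "High"))
    Import-Csv -Path $Path |
        Where-Object { $_.Status -eq "Failed" -and $Severity -contains $_.ControlSeverity } |
        Sort-Object ControlSeverity, FeatureName, ResourceName
}

$report = Get-LatestAzSKReport
if (-not $report) { throw "No AzSK report found; run Get-AzSKAzureServicesSecurityStatus first." }
"Using report: $($report.FullName)"

$findings = Get-AzSKFindings -Path $report.FullName

# Counts per severity show where to start
$findings | Group-Object ControlSeverity | Select-Object Name, Count

# Then the actionable list: which control, on which resource, and the fix AzSK recommends
$findings |
    Select-Object ControlID, ControlSeverity, FeatureName, ResourceName, Recommendation |
    Format-Table -Wrap
```

Re-run the scan after fixing, and diff the two finding lists by ControlID and ResourceName to confirm that the High items actually disappeared instead of being hidden by a changed resource name.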

Azure Log Analytics is great and it can be integrated with OMS (Azure monitoring dashboards).

The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal, so the current documentation needs some updating.

Pressing the OMS button in the Azure portal brings you to the OMS portal, but then nothing, as it is now all Azure portal.

Setting up the dashboards failed for me during the first installation, but when I ran it a second time the dashboard was there (timing).

To create the OMS default dashboard we need to run some PowerShell:

$omsSubId = "id"                  # subscription hosting the OMS workspace
$omsWSId = "OMS ID"
$omsRGName = "omsrsg"             # RG where the OMS workspace is hosted
$azSkViewName = "MVP_AzSK_view"   # This will identify the tile for AzSK view in OMS.

# This command will deploy the AzSK view in the OMS workspace.
Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `
    -OMSResourceGroup $omsRGName `
    -OMSWorkspaceId $omsWSId `
    -ViewName $azSkViewName

Note:

1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace. To understand how to send AzSK events to an OMS workspace see https://aka.ms/devopskit/oms.

2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the queries. We also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries.

Checking the OMS / Log Analytics workspace, it does not have many issues, as this is a test subscription; and if it were all perfect there would be no fun.

With longer logging and more items in Azure you will get a different overview.

There are lots of options you can set, and there is a detailed description on how to use them on GitHub.

Setting up ARM policies is also one of the options:

Set-AzSKARMPolicies -SubscriptionId <subscription-id>

So get started with the DevOpsKit: https://github.com/azsk/DevOpsKit-docs

https://github.com/azsk/DevOpsKit-docs/tree/master/05-Alerting-and-Monitoring

AzSK Security Controls Portal: https://aka.ms/azskosstcp

With this, it's a nice tool, and yes, a bit time-consuming, but I learned a lot and it made me see things differently in the Azure subscription.

And if you combine this directly during the build, and not afterwards, then this could be your time saver to fix all the security items.


Step by Step Azure network security groups NSG – Security Center #Azure #NSG #Network

Nowadays I see that people do not fully understand the security needs in Azure. There are a lot of options in Azure to improve security.

A great option is Security Center. This is a great dashboard to get a quick overview of the security status of your subscription.

But the other option is setting up a network security group (NSG).

A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).

When an NSG is associated to a subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also associating an NSG to a VM or NIC.

Associating NSGs

You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:

  • VM (classic only): Security rules are applied to all traffic to/from the VM.
  • NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.
  • Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources connected to the VNet.

You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:

  • Inbound traffic

    1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is dropped.

    2. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule that allows traffic.

  • Outbound traffic

    1. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped.

    2. NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM\NIC NSG has a matching rule that allows traffic.
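The two ordered lists above are the whole evaluation model, and it is easy to misjudge which layer wins. The following is an added PowerShell example and not code from the post: it models a subnet NSG and a NIC NSG as simple rule objects of my own shape (not Az objects), applies first-match-by-priority within each NSG and the layer order from the text, and checks two constructed inbound packets against them.

```powershell
# Added example (not from the original post): an offline model of NSG evaluation order.
# Rules and packets are plain objects of my own shape, not Az cmdlet objects.
function Test-InPrefix {
    # True when IPv4 address $Ip falls inside CIDR $Prefix ("*" matches everything)
    param([string]$Ip, [string]$Prefix)
    if ($Prefix -eq "*") { return $true }
    $net, $bits = $Prefix.Split("/")
    $toUInt = {
        param($addr)
        $b = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
        [Array]::Reverse($b)                       # network byte order -> host order (little-endian host)
        [System.BitConverter]::ToUInt32($b, 0)
    }
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((& $toUInt $Ip) -band $mask) -eq ((& $toUInt $net) -band $mask)
}

function Test-RuleMatch {
    param($Rule, $Packet)
    return (($Rule.Direction -eq $Packet.Direction) -and
            ($Rule.Protocol -eq "*" -or $Rule.Protocol -eq $Packet.Protocol) -and
            ($Rule.DestPort -eq "*" -or [int]$Rule.DestPort -eq [int]$Packet.DestPort) -and
            (Test-InPrefix -Ip $Packet.SourceIp -Prefix $Rule.SourcePrefix))
}

function Resolve-NsgDecision {
    # Lowest priority number that matches wins; nothing matching falls to the default deny
    param($Rules, $Packet)
    $match = $Rules | Sort-Object Priority | Where-Object { Test-RuleMatch $_ $Packet } | Select-Object -First 1
    if ($match) { return $match.Access } else { return "Deny" }
}

function Resolve-TrafficPath {
    # Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG.
    # A deny at either layer drops the packet; both layers must allow.
    param($SubnetRules, $NicRules, $Packet)
    $layers = if ($Packet.Direction -eq "Inbound") { @($SubnetRules, $NicRules) } else { @($NicRules, $SubnetRules) }
    foreach ($layer in $layers) {
        if ((Resolve-NsgDecision -Rules $layer -Packet $Packet) -eq "Deny") { return "Deny" }
    }
    return "Allow"
}

# Constructed sample: the subnet NSG opens RDP to everyone, the NIC NSG narrows it to one admin range
$subnetRules = @(
    [pscustomobject]@{ Priority = 100;  Direction = "Inbound"; Access = "Allow"; Protocol = "Tcp"; SourcePrefix = "*";               DestPort = "3389" }
)
$nicRules = @(
    [pscustomobject]@{ Priority = 100;  Direction = "Inbound"; Access = "Allow"; Protocol = "Tcp"; SourcePrefix = "198.51.100.0/24"; DestPort = "3389" },
    [pscustomobject]@{ Priority = 4096; Direction = "Inbound"; Access = "Deny";  Protocol = "*";   SourcePrefix = "*";               DestPort = "*" }
)
$fromAdmin = [pscustomobject]@{ Direction = "Inbound"; Protocol = "Tcp"; SourceIp = "198.51.100.7"; DestPort = 3389 }
$fromOther = [pscustomobject]@{ Direction = "Inbound"; Protocol = "Tcp"; SourceIp = "203.0.113.5";  DestPort = 3389 }

Resolve-TrafficPath $subnetRules $nicRules $fromAdmin   # Allow: subnet allows, NIC allows
Resolve-TrafficPath $subnetRules $nicRules $fromOther   # Deny:  subnet allows, NIC denies
```

Swap the two sample packets to Outbound and the NIC layer is consulted first, which is exactly the asymmetry the lists above describe; the address ranges are RFC 5737 documentation ranges.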

As with most items in Azure, there are limits to the number of NSGs you can have in a subscription and the number of rules per NSG. To learn more about the limits, read the Azure limits article.

Creating a network security group (NSG) is easy; you can do this in the portal or with PowerShell.

As I mentioned above, you can set the network security group (NSG) on a subnet or a VM, and you can add multiple rules to a network security group (NSG).

By default everything is set to Basic: just pick a service and open or close the port.

But when checking the Advanced option, the rule pane changes into a rich and flexible option menu.

Instead of selecting just a service, you can also add an IP range to exclude others from accessing this machine.

Setting this in the GUI is nice, but when you need to change or add a lot of these you will need PowerShell or ARM templates.

Below are just some examples on how to use them.

Login-AzureRmAccount
 
# Select a subscription
$subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title 'Select your Azure Subscription:' -PassThru)
Select-AzureRmSubscription -SubscriptionId $subscriptionId.Id
 
# Select a Resource Group
$rgName = (Get-AzureRmResourceGroup | Out-GridView -Title 'Select your Azure Resource Group:' -PassThru).ResourceGroupName
 
# Set the NSG name and Azure region
$nsgName = "Trusted-Nsg01"
$location = "West Europe"
$source1 = "8.8.8.8/32"
$source2 = "8.8.4.4/32"
$source3 = "*"
$dest1="3389"
$dest2="443"
$dest3="80"
$tag="blog"

#Below are Sample Rules
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
-SourceAddressPrefix $source1 -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange $dest1

$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule2 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
-SourceAddressPrefix $source2 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest2

$rule3 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule3 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 103 `
-SourceAddressPrefix $source3 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest3

$rule4 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule4 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 104 `
-SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 88

 

Now that the port rules are created we need to put them in a security group.

#applying the Rules
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name $nsgName -SecurityRules $rule1,$rule2,$rule3,$rule4


# Display default and security rules for NSG
 
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules | Select-Object * | Out-GridView
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).DefaultSecurityRules | Select-Object * | Out-GridView

#Remove NSG

Remove-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

 

Now that we have created a network security group (NSG) we can add it to a VM. This can also be done with PowerShell, but there is a BUT.

Let me show you: go to the VM and select the network card.

The NIC can be named something like nic245768323. I always use named NICs, so that is easy; but if not, the NSG could be applied to another VM, and maybe it will fail.

When selecting this manually you can see the NIC, and if you are sure about the other machines you can do this with PowerShell as well.
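The BUT above is that an auto-generated NIC name gives you nothing to check against, so a NIC picked by name can belong to a different VM. The following is an added example (AzureRM cmdlets, like the rest of the post; not code from the post): it resolves the NIC through the VM's own network profile and refuses to overwrite an NSG that is already attached. It reuses $rgName and $nsgName from the script above; $vmName is a placeholder.

```powershell
# Added example (not from the original post): attach the NSG to the NIC(s) of one VM
# without guessing the NIC name. The NIC is looked up through the VM's network profile,
# so an auto-generated name like nic245768323 cannot send the NSG to the wrong VM.
# Reuses $rgName and $nsgName from the script above; $vmName is a placeholder.
$vmName = "<vm-name>"

$vm  = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    # Resource id: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/<name>
    $idParts = $nicRef.Id.Split("/")
    $nicName = $idParts[-1]
    $nicRg   = $idParts[4]            # the NIC may live in a different resource group than the VM
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $nicRg -Name $nicName

    # Refuse to silently replace an NSG someone else attached on purpose
    if ($nic.NetworkSecurityGroup -and $nic.NetworkSecurityGroup.Id -ne $nsg.Id) {
        Write-Warning "$nicName already has NSG $($nic.NetworkSecurityGroup.Id.Split('/')[-1]); skipping"
        continue
    }

    $nic.NetworkSecurityGroup = $nsg
    Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
    "Attached $nsgName to $nicName (VM $vmName)"
}
```

Because the loop walks every NIC in the VM's profile, a multi-NIC VM gets the same NSG on each interface; drop the warning-and-skip branch only if replacing an existing NSG is really what you intend.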

 


Enhanced Mitigation Experience Toolkit #EMET #security

The Enhanced Mitigation Experience Toolkit (EMET) helps raise the bar against attackers gaining access to computer systems. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.

 

Enhanced Mitigation Experience Toolkit

Download The Enhanced Mitigation Experience Toolkit (EMET) : http://www.microsoft.com/en-us/download/details.aspx?id=41963

 

EMET 5.0 Technical preview introduces a mitigation that can be used to reduce the exposure of components at risk to remote attackers. ASR is a new feature that can be used to block the usage of specific modules or plugins within an application. For example, EMET can be configured to prevent Microsoft Word/Excel from loading the Flash plugin, or, with the support of security zones, can be used to prevent Internet Explorer from loading the Java plugin on an Internet Zone website while continuing to allow Java on Intranet Zone websites. The mechanism simply prevents DLL loading in a selective way per-process and it essentially adds the benefit of the “killbit” mechanism to any application without need of complicated CLSID.
NOTE: The list of blocked modules for ASR and the zones with exceptions (where the modules are allowed to be loaded) should be manually defined by the user in the following registry key per-application:

HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_modules = “…”
HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_zones = “…”
In EMET 5.0TP the feature is enabled only for the following combinations of processes and modules:


The list of security zones is the standard one used by Internet Explorer: Local (0), Intranet (1), Trusted (2), Internet (3), Untrusted (4).
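To review what ASR is configured to block on a machine, the per-application values under the registry path quoted above can be read back. The following is an added PowerShell example, not from the post or from EMET: it only reads the asr_modules and asr_zones values, and since the post does not show the format of the zone value, it extracts the zone digits with a regex and maps them with the Internet Explorer zone numbers listed above.

```powershell
# Added example (not from the original post): list the per-application ASR settings EMET
# stores under the registry path quoted in the text. Read-only. The zone number table is
# the standard Internet Explorer one; the format of asr_zones is not shown in the post,
# so the digits are extracted with a regex rather than assuming a delimiter.
$zoneNames = @{ 0 = "Local"; 1 = "Intranet"; 2 = "Trusted"; 3 = "Internet"; 4 = "Untrusted" }

function Get-EmetAsrSettings {
    $root = "HKLM:\SOFTWARE\Microsoft\EMET\_settings_"
    if (-not (Test-Path $root)) { Write-Warning "No EMET settings key found"; return }

    Get-ChildItem -Path $root | ForEach-Object {
        $app = Get-ItemProperty -Path $_.PSPath
        if (-not $app.asr_modules) { return }    # no ASR configured for this application key
        $zones = [regex]::Matches([string]$app.asr_zones, '\d') |
            ForEach-Object { $zoneNames[[int]$_.Value] }
        [pscustomobject]@{
            AppKey         = $_.PSChildName          # the {CLSID} key name from the text
            BlockedModules = $app.asr_modules
            ZonesStillAllowed = ($zones -join ",")   # zones where the modules may still load
        }
    }
}

Get-EmetAsrSettings | Format-Table -AutoSize
```

An empty ZonesStillAllowed column means the module is blocked everywhere for that application; a value such as "Intranet" reproduces the Java-on-intranet-only case the text describes.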


EMET offers the “Early Warning Program” reporting feature. When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack will be sent back to Microsoft through the standard Windows Error Reporting channel.

This information will help Microsoft obtain details about 0-day exploits and will facilitate remediation before the issue becomes a large-scale threat. If the vulnerability is in software from a third-party vendor, Microsoft will work with the affected vendor through the Microsoft Vulnerability Research program to remediate the issue.

The Early Warning Program reporting feature will also send back to Microsoft information about suspicious SSL certificates related to Microsoft online services. Please refer to the "Privacy Statement.rtf" file, also available through the "Help" ribbon in the EMET GUI and at http://aka.ms/emet41ps, for more information on the type of data that is sent to Microsoft.

Enhanced Mitigation Experience #Toolkit #EMET Version 4.0 #msteched #TEE13

 

image

http://www.microsoft.com/en-us/download/details.aspx?id=39273

 

The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.
Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.
Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits.

EMET installation screenshots:

image

Quick installation screenshots, trusted applications:

image

EMET is designed to work with any software, whether it is developed by Microsoft or by other vendors. However, you should be aware that some software may be incompatible with EMET. Some applications rely on exactly the behavior that the mitigations block. It is important to use test scenarios on all target computers before you deploy EMET in a production environment.

After you install EMET, you must configure EMET to provide protection for a piece of software. This requires you to provide the name and location of the executable file that you want to protect. To do this, use one of the following methods:

  • Work with the Application Configuration feature of the graphical application
  • Use the command-line utility (EMET_Conf.exe)

If you want to leverage the Certificate Trust feature, you have to provide the list of the websites that you want to protect and certificate pinning rules that apply to those websites. To do this, you have to work with the Certificate Trust Configuration feature of the graphical application.

Alternatively, you can use the new Configuration Wizard that allows you to automatically configure EMET with the recommended settings.
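The command-line route is the one you end up scripting for more than a handful of machines, and it is also where you handle the compatibility warning above: an application that breaks under one mitigation keeps the rest. The PowerShell below is an added example for this post, not code from the EMET download. It assumes EMET 4.0 is installed in its default "EMET 4.0" folder and that EMET_Conf.exe takes --set <exe> [-Mitigation ...], --list and --export <file> as described in the EMET user guide; confirm the switches with EMET_Conf --help on your version. The application paths are illustrative.

```powershell
# Added example for this post, not code from the EMET download. It does the
# "command-line utility" route: protect applications, then export the
# configuration so it can be tested and imported elsewhere.
# Assumptions: EMET 4.0 is installed in its default "EMET 4.0" folder, and
# EMET_Conf.exe takes --set <exe> [-Mitigation ...], --list and --export
# <file> as in the EMET user guide; confirm with EMET_Conf --help on your
# version. Application paths below are illustrative.
#Requires -RunAsAdministrator

$EmetConf = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path -Path $_ -ChildPath 'EMET 4.0\EMET_Conf.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $EmetConf) { throw 'EMET_Conf.exe not found; install EMET 4.0 first.' }

function Protect-WithEmet {
    # Adds one executable to EMET's protected applications. $Exclude names
    # mitigations to leave off for this app (passed to EMET_Conf as -Name),
    # which is the knob to turn when the post's compatibility warning bites.
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [string[]]$Exclude = @()
    )
    if (-not (Test-Path $ExePath)) { throw "Executable not found: $ExePath" }
    $cmdArgs = @('--set', $ExePath) + @($Exclude | ForEach-Object { "-$_" })
    & $EmetConf @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --set failed for $ExePath (exit code $LASTEXITCODE)" }
}

Protect-WithEmet -ExePath 'C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe'
# An application that misbehaves under one mitigation keeps all the others
# (the excluded mitigation here is illustrative, not a known Java issue):
Protect-WithEmet -ExePath 'C:\Program Files (x86)\Java\jre7\bin\javaw.exe' -Exclude 'EAF'

# Review what is protected and snapshot the configuration. The XML can be
# imported on other machines (EMET_Conf --import <file>) once you have
# tested it there, as the post advises.
& $EmetConf --list
& $EmetConf --export (Join-Path $env:ProgramData "EMET-config-$(Get-Date -Format yyyyMMdd).xml")
```

Keep the exported XML under version control next to your test notes; when an application starts crashing after an EMET update, the diff between two exports tells you which mitigation changed for which executable.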

Get the toolkit here : http://www.microsoft.com/en-us/download/details.aspx?id=39273

SCM 3.0 with Windows Server 2012, Windows 8, and IE 10 baselines Now in beta

SCM is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your computers, whether they are located on desks, in a traditional datacenter, or in a private cloud, using Group Policy and Microsoft® System Center Configuration Manager. To learn more about the current version of Security Compliance Manager, SCM 2.5, visit the TechNet Library. More information about SCM is available here.

 

Secure your environment with new product baselines for Windows Server 2012, Windows 8, and Windows Internet Explorer 10. The beta release of Security Compliance Manager (SCM) 3.0 provides all the same great features for these new baselines, as well as an enhanced setting library for these new Microsoft products. This beta release includes fixes that resolve many previously reported issues in the setting library. The updated setting library also gives you the ability to further customize baselines. SCM 3.0 provides a single location for you to create, manage, analyze, and customize baselines to secure your environment faster and more efficiently.

As part of a select group of our key customers, we invite you to participate in the Beta Review Program of these new product baselines that include security enhancements for the following server roles and features:

Windows Server 2012 Security Baselines:

  • Domain Controller Security Compliance
  • Domain Security Compliance
  • Hyper-V Security Compliance
  • Member Server Security Compliance
  • Web Server Security Compliance

Windows 8 Security Baselines:

  • BitLocker Security
  • Computer Security Compliance
  • Domain Security Compliance
  • User Security Compliance

Internet Explorer 10 Security Baselines:

  • Computer Security Compliance
  • User Security Compliance

What is not available in this beta release

The ability to export compliance data using formats that work with the DCM feature in Microsoft System Center Configuration Manager and the Security Content Automation Protocol (SCAP) is temporarily blocked in the new baselines for Windows Server 2012, Windows 8, and Internet Explorer 10. This functionality will be enabled in the next beta release update.

This beta release includes five baselines for Windows Server 2012. The following additional server role baselines will be included in the next beta release update:

  • Active Directory Certificate Services (AD CS)
  • DNS Server
  • DHCP Server
  • File Services
  • Network Policy and Access Servers
  • Print Services
  • Remote Access
  • Remote Desktop Services

If you perform a clean installation of SCM 3.0 Beta on a computer running either Windows 8 or Windows Server 2012 that does not also have Microsoft SQL Server software installed on it, you may receive the following compatibility warning message.

image

 

A setting named Configure Windows SmartScreen in the Windows 8 Computer Security baseline may not be set in the registry correctly after its Group Policy Object (GPO) is applied. This is a known issue in this beta release that will be fixed in the final commercial release of SCM. The workaround to resolve this issue is to disable or not configure this setting in the baseline before exporting the GPO.

If you export the Windows 8 Computer Security Compliance baseline into a GPO, import the GPO into SCM 3.0 Beta, and then export it to a computer running a Windows operating system earlier than Windows 8 and Windows Server 2012, an application exception message may appear. This is a known issue in this beta release that will be fixed in the final commercial release of SCM. The workaround to resolve this issue is to disable the setting named Configure Windows SmartScreen before clicking GPO Backup (folder) in the Export area of the Action pane in SCM 3.0 Beta.
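A GPO that reports as applied while the setting behind it is missing from the registry is the kind of failure you only notice when you check the endpoint, so verify rather than trust the export. The PowerShell below is an added example for this post; it is not part of SCM or the original article. It assumes the "Configure Windows SmartScreen" policy is backed by the DWORD EnableSmartScreen under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (1 = warn before running unrecognized software, 2 = require administrator approval, 0 = off); pick -Expected to match the value chosen in your own baseline.

```powershell
# Added example for this post; it is not part of SCM or the original article.
# After the GPO has been applied, this checks whether the registry value the
# policy should have written matches the value chosen in the baseline, so the
# known issue above is caught rather than assumed fixed.
# Assumption: "Configure Windows SmartScreen" is backed by the DWORD
# EnableSmartScreen under HKLM\SOFTWARE\Policies\Microsoft\Windows\System
# (1 = warn before running unrecognized software, 2 = require administrator
# approval, 0 = off). Pick -Expected to match your baseline.

function Test-SmartScreenPolicy {
    param([ValidateSet(0, 1, 2)][int]$Expected = 2)

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $policyPath -Name EnableSmartScreen -ErrorAction SilentlyContinue

    # $null means the policy value never landed, which is exactly the beta bug.
    $actual = if ($item) { [int]$item.EnableSmartScreen } else { $null }

    [pscustomobject]@{
        Setting  = 'Configure Windows SmartScreen'
        Expected = $Expected
        Actual   = $actual
        InSync   = ($null -ne $actual -and $actual -eq $Expected)
        Checked  = Get-Date
    }
}

# Refresh computer policy first so the check reflects the current GPO, then compare.
gpupdate /target:computer /force | Out-Null
$result = Test-SmartScreenPolicy -Expected 2
$result | Format-List

if (-not $result.InSync) {
    Write-Warning 'SmartScreen policy value is missing or wrong; apply the workaround from the post and set the value by other means.'
    exit 1
}
```

The same pattern (expected value from the baseline, actual value from the policy hive, a non-zero exit on mismatch) works for any setting you export from SCM, and it makes a cheap post-deployment check to run from your management tooling before you call a baseline rolled out.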

Security Compliance Manager 2.5 Beta

The Microsoft Security Compliance Manager (SCM) tool—version 2.5—is now available for beta download

NEW baselines include:
  • Exchange Server 2007 SP3 Security Baseline
  • Exchange Server 2010 SP2 Security Baseline

Updated client product baselines include:

  • Windows 7 SP1 Security Compliance Baseline
  • Windows Vista SP2 Security Compliance Baseline
  • Windows XP SP3 Security Compliance Baseline
  • Office 2010 SP1 Security Baseline
  • Internet Explorer 8 Security Compliance Baseline

SCM 2.5 enables you to quickly configure and manage your desktops and laptops, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager, with the new and updated baseline configurations available in the SCM 2.5 Beta. In addition to key features from the previous version, SCM 2.5 offers new Exchange Server 2010 and 2007 security baselines. Updated SCM 2 client product baselines are included in the Beta download as well: Windows 7 SP1, Windows Vista SP2, Windows XP SP3, Microsoft Office 2010 SP1, and Internet Explorer 8.

KeyFeatures in SCM 2.5 include:

  • Integration with the System Center 2012 IT GRC Process Pack for Service Manager Beta: Product baseline configurations are integrated into the IT GRC Process Pack to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

SCM 2 was released in September 2011 with a full complement of Microsoft product baselines, including Windows Internet Explorer 9, Windows Server 2008 R2 Service Pack 1 (SP1), Windows Server 2008 SP2, and Windows Server 2003 SP2, as well as new features such as GPO import, baseline setting customization, Local GPO functionality, an enhanced UI, and improved installation with SQL Server 2005 and later releases of SQL Server.

To learn more about the Security Compliance Manager tool, visit the TechNet Library page on Microsoft.com.

Next Steps

Microsoft Security Compliance Manager (SCM 2) tool

Secure Client Computers with updated SCM 2 Client Baselines—Beta now available for download

Available beta baselines are:

  • Windows 7 SP1 Security Compliance Baseline
  • Windows Vista SP2 Security Compliance Baseline
  • Windows XP SP3 Security Compliance Baseline
  • Office 2010 SP1 Security Baseline
  • Internet Explorer 8 Security Compliance Baseline

SCM 2 is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your desktops and laptops, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager.

Key features in SCM 2 include:

  • Integration with the System Center 2012 IT GRC Process Pack for Service Manager Beta: Product configurations are integrated into the IT GRC Process Pack to provide oversight and reporting of your compliance activities.

  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.

  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.

  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.

  • Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

image

SCM 2 was released with a full complement of Microsoft product baselines, including Windows Internet Explorer 9, Windows Server 2008 R2 Service Pack 1 (SP1), Windows Server 2008 SP2, and Windows Server 2003 SP2.

The security guides are also included in the download.

 

Get SCM2 from the Microsoft Download Center. Click here to download the latest version of the tool.

Security and Compliance Baselines

In addition to the previously released security baselines, the SCM 2 includes a new Windows Internet Explorer 9 Security Baseline, and updated versions of the security and compliance baselines for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2.

These new beta baselines provide:

  • Setting severity ratings, allowing you to quickly sort, prioritize, and apply Microsoft security recommendations.
  • Consolidated product baselines that eliminate EC and SSLF baseline components, and make viewing, customizing, and implementing your security baselines easier than ever!
  • New compliance-based settings groups allow quicker and easier compliance reporting and audit preparation, when used with the GRC management solution within System Center.

Security Compliance Manager 2

Microsoft Security Compliance Manager (SCM) 2 enables you to take better advantage of your organization’s existing knowledge and investments, and customize security settings with ease.

SCM main screen

New Features in SCM 2 Include:

  • GPO import: SCM 2 can now import Group Policy Object (GPO) backup files, allowing organizations to import and compare their existing knowledge against Microsoft baseline recommendations. This long-awaited feature effectively helps you to customize and manage your organization's existing knowledge stored in Active Directory.
  • Baseline setting customization: Modifying baselines just got easier. Adding, extending, or deleting settings from a baseline is an effortless process in this new version of the tool.
  • Local GPO functionality: Apply security baselines directly to client and server computers using the LocalGPO command-line tool, which enables you to secure stand-alone computers and test different baselines without using Active Directory to deploy them. Use this tool to create local policy snapshots that you can import into SCM 2, using the new GPO import capabilities, and then compare, customize, and export as needed.
  • Additional features: These include a new and enhanced UI that provides simpler navigation in the tool, and improved installation with SQL Server 2005 and later releases of SQL Server.

Version 2 of the SCM tool will release with a full complement of Microsoft product baselines, including Windows Internet Explorer 9, Windows Server 2008 R2 Service Pack 1 (SP1), Windows Server 2008 SP2, and Windows Server 2003 SP2.

Security and Compliance Baselines

In addition to the previously released security baselines, the SCM 2 beta download includes a new Windows Internet Explorer 9 Security Baseline, and updated versions of the security and compliance baselines for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2.

These new beta baselines provide:

  • Setting severity ratings, allowing you to quickly sort, prioritize, and apply Microsoft security recommendations.
  • Consolidated product baselines that eliminate EC and SSLF baseline components, and make viewing, customizing, and implementing your security baselines easier than ever!
  • New compliance-based settings groups allow quicker and easier compliance reporting and audit preparation, when used with the GRC management solution within System Center.

Looking Ahead

Additional product baselines are currently in development, including baselines for:

  • Windows 7 SP1
  • Microsoft Exchange Server 2007
  • Exchange Server 2010
  • SQL Server 2008 and SQL Server 2008 R2 (multiple roles)
  • Microsoft Office 2010
  • Windows Vista SP2
  • Windows XP SP3
  • Windows Internet Explorer 8

Previously released security baselines include: Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Internet Explorer 8, Microsoft Office 2010, and Office 2007.

 
You can use local GPO settings.

Some screenshots of the group view versus the simple view: in the old version all the information is on one screen.

Now it is much better, but you still have to know what you are doing, and not all IT pros are aware of this. With GPOs you can easily tear down your domain, so never test in the production environment. I see too often that GPOs are quickly set and cause problems afterwards.

Compliance Group View

(IT GRC compliance) Group View.

 

Great tool that can help you to secure your environment based on the templates.

Security Content

Teach Kids Mobile Safety brochure  (view content)

This brochure discusses how to work with kids to set clear limits for mobile device use, and responsible use as well as how to get help from technology and what to do if there are problems.

 

Security Alliance

 

Coordinated Vulnerability Disclosure (view content)

Video- Coordinated Vulnerability Disclosure (view content)

In July 2010, Microsoft announced a shift in philosophy on vulnerability disclosure, reframing its practice of Responsible Disclosure and moving to adopt Coordinated Vulnerability Disclosure as its new approach. The purpose of this shift was to move away from the endless and often unproductive debate between responsible and full disclosure proponents, and focus instead on the heightened role that coordination plays in minimizing risk to customers.  Microsoft believes that the process of vulnerability disclosure is a shared responsibility best practiced in strong coordination between finders, vendors, and protection providers working together to protect customers, businesses, and critical infrastructure.

 

 

Adding Usable Security to the SDL (view content)

Security Alliance

Adam Shostack blogs about adding usable security to the SDL- “Lately, I’ve been focused on how we bring the engineering of usable security into the SDL. When I say usable security, I mean that for those times when we need to ask a user for input on something only they know. (For example, are you connecting to a coffee shop network or your work network? Are you trying to print to a printer you’ve never used before?) We want to ensure that those questions enable users to make security decisions in accordance with their preferences and goals”.

 

National Cyber Security Alliance (NCSA) Partnership (view content)

Security Alliance

Microsoft has partnered with the National Cyber Security Alliance (NCSA) since its inception nearly a decade ago. Founded by the Department of Homeland Security (DHS), NCSA’s mission is to help increase awareness of Internet safety and security, and to educate people about how to best protect themselves and their devices. Microsoft works with the NCSA on many issues and activities, including strategic programs and projects, market research and industry and public outreach.

 

Beware of bin Laden malware on the web and in email (view content)

Security Alliance

Cybercriminals are quick to put up fraudulent websites that people will find when they're searching for popular news topics. These sites often contain fake security software that tries to trick you into downloading malware by making you think that your security is at risk.

Security Compliance Manager Updated Templates

We’re pleased to announce the release of new resources that can be used in combination with the Security Compliance Manager tool: the Office 2010 Security Baseline and setting packs for Windows 7 and Internet Explorer 8. Together with the SCM tool, these resources are designed to help organizations efficiently manage the security and compliance process for some of the most widely used Microsoft products.

  • The security baseline for Microsoft® Office 2010 provides you with free Microsoft-recommended solutions to meet today’s security challenges. In combination with best-practice guidance and the Security Compliance Manager tool, the baseline is designed to help you plan, deploy, and monitor the security of Office 2010 applications. This release also includes a setting pack for Office 2010, enabling you to define baselines that include settings outside the scope of the security baselines from Microsoft.
  • The Windows® 7 and Windows® Internet Explorer® 8 setting packs, in combination with the Security Compliance Manager tool, will enable you to define baselines that include settings outside the scope of the security baselines from Microsoft. Use these new resources to define custom baselines, meet business-critical needs, and elevate the security of Windows 7 and Internet Explorer 8.

To learn more, visit the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=113940.
New users can access these releases by visiting the Microsoft Download Center to download the Security Compliance Manager tool: http://go.microsoft.com/fwlink/?LinkId=113939. Existing users can access these releases by clicking the Tools menu, and then clicking Check for Baselines.

 

#teched #tee10

Windows Server 2008 R2 Security Baseline

The Windows Server® 2008 R2 Security Baseline is a new addition to the security baselines released earlier this year that can be used in combination with the Security Compliance Manager tool. The security baseline for Windows Server 2008 R2 provides you with free Microsoft-recommended solutions to meet today’s security challenges. In combination with best-practice guidance and the Security Compliance Manager tool, the baseline is designed to help you plan, deploy, and monitor the security of Windows Server 2008 R2. This release also includes a settings pack for Windows Server 2008 R2, enabling you to define baselines that include settings outside the scope of the security baselines from Microsoft.

To learn more, visit the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=200483
New users can access this baseline by visiting the Microsoft Download Center to download the Security Compliance Manager tool: http://go.microsoft.com/fwlink/?LinkId=113939
Existing Security Compliance Manager tool users can access this baseline by clicking the Tools menu, and then clicking Check for Baselines.

Security Compliance Manager Baseline Beta Review Program

The Security Solution Accelerators team is developing new baselines and settings, all of which are designed to help your organization plan and deploy security baselines with ease and confidence. These new baselines and supporting best-practice guidance are available as part of the Security Compliance Manager Baseline Beta Review Program. The scope of this program includes security baselines for Microsoft Exchange Server 2007, Office 2010, SQL Server® 2008, SQL Server® 2008 R2, and Windows Server 2008 R2; and settings packs for Windows 7 and Internet Explorer 8.

The beta releases in this program are formatted to be imported for use in the Security Compliance Manager tool, which released in early 2010. This powerful tool provides guidance to work with other tools and features of Microsoft products to help you plan, deploy, and monitor your security baselines. The tool enables you to access and automate all of your organization’s baselines in one centralized location, balancing your needs for security and functionality.
To learn more about the Security Compliance Manager tool, visit the TechNet Library: http://go.microsoft.com/fwlink/?LinkId=113940
To download the tool, click here: http://go.microsoft.com/fwlink/?LinkId=182512
