Microsoft – Insinuator.net

February 12, 2015 by Friedwart Kuhn

How to go ahead with future end of life Windows (2003) Servers

Server operating systems with an OS, for which vendor support has ended, come with many risks that have to be considered and addressed. The primary goal should be always to decommission or migrate the majority of end-of-life (EoL) servers to OS versions, supported by the vendor. Here it should be noted that a migration to an up-to-date OS should be preferably done before your organization enters the end of life of that software 😉

However, it must be considered that a number of servers cannot be migrated or shut down (easily) and must remain operational and accessible. Based on a customer project in 2014 we developed a high-level security concept for the secure operation of end-of-life Windows servers. We published this concept in our latest newsletter. You will find it here (https://www.ernw.de/download/newsletter/ERNW_Newsletter_47_Security_Concept_for_End-of-Life_Windows_Servers_signed.pdf)

Continue reading “How to go ahead with future end of life Windows (2003) Servers”

Building

May 21, 2014 by Christopher Werny

Microsoft Windows Update over IPv6 (or not?)

Hello everyone,

I recently stumbled over a document from Microsoft which lists all services/applications that support IPv6. Most of the content wasn’t new for me, but one item caught my attention. Windows Update. I haven’t heard before that Windows Update can be done over IPv6 (but this could just be me not looking hard enough ;)), so I was eager to test it out seeing if this is really the case. I was also curious why Microsoft referenced this document in the respective column. Continue reading “Microsoft Windows Update over IPv6 (or not?)”

Building

July 1, 2013 by Friedwart Kuhn

EMET v4.0 with New Certificate Trust Feature Released

Microsoft released EMET v4.0 with a new (security) feature that enables protection against fraudulent websites or compromised root certification authorities (do you remember Comodo, DigiNotar, DigiCert, Turktrust et al. ;-)?)

EMET defines via “certificate trust“ a trust chain between the domain name of a website (and its associated website certificate) and a root CA certificate. This is done through so called “pinning rules”. Here is one of the default pinning rules of EMET 4.0 for the domain name login.live.com:

Continue reading “EMET v4.0 with New Certificate Trust Feature Released”

Building

June 5, 2013 by Enno Rey

Microsoft Doc “Best Practices for Securing Active Directory”

Hi,

MS just released a new guide on securing Active Directory. At the first glance seems a fairly comprehensive document to me.

At this occasion I may furthermore draw your attention to our (German language) newsletter no. 40 covering hardening MS Windows Server 2008 + AD.

have a good one,

Enno

Breaking

September 20, 2012 by Michael Thumann

Update: Microsoft Advisory 2757760 Windows Internet Explorer Vulnerability

Microsoft takes this vulnerability quite serious and was acting fast. The Microsoft Security Response Center announced the availability of a fix last night in the MSRC Blog.

The fix will be available via Windows Update on friday, the 21st of september. So it’s time to get ready for this update ;-).

Have a nice day
Michael

Breaking

September 15, 2010 by Enno Rey

MS10-063, Prevention

One of the four vulnerabilities rated “critical” from yesterday’s MS patchday, that is MS10-063, has an interesting “Workarounds” section as for MS Internet Explorer. There it’s stated:

“Disabling the support for the parsing of embedded fonts in Internet Explorer prevents this application from being used as an attack vector.”

which, according to the advisory, should/can be done by setting the “Font Downloading” parameter to “Disable”.

Which is exactly what this document suggests. So taking a preventive approach, once more, might have saved some concerns (“Will we be targeted by this one”) and patch/testing time…

Have a great day,

Enno

Breaking

August 24, 2010 by Enno Rey

Just a Quick Note on the Library Loading / Binary Planting Stuff

For those of you who missed it: Microsoft released the associated advisory yesterday, together with a hotfix introducing a new registry key that allows users to control the DLL search path algorithm. For a detailed explanation of the problem we refer to the excellent article on Ars Technica.

For the record: no, AV (anti-virus software) will – in most cases – not protect you from security problems related to this one. And, no, there is no easy patch for this one either.

Carefully reading the “Mitigating Factors” and “Workarounds” section in the MS advisory or this entry from our blog might provide ideas how to address this or similar stuff (in the future).

Wishing you all some sunny summer days,

Enno

Update: this article gives some more technical details and this one describes some real attack paths against popular applications. Sorry, guys, good luck with fighting this one with traditional AV…