WindowsNetworking.com - Monthly Newsletter - February 2015
Hi Security World,
Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder <http://www.windowsnetworking.com/Deb_Shinder/>, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: dshinder@windowsnetworking.com
1. Beyond Passwords: Authentication Options for Better Security
---------------------------------------------------------
It has been more than a decade since Bill Gates first declared that passwords are obsolete:
http://www.paymentsnews.com/2004/11/bill_gates_pass.html
Despite his and many other experts’ predictions, most software and services still rely on the user name and password as the sole or primary means of authentication. In the same speech, Bill commented that Microsoft’s leading customers were moving to smart cards and biometric authentication for better security, and many large enterprises and high security government agencies do indeed use these methods, but they haven’t penetrated the general market nearly as quickly as expected.
There are obvious security advantages to smart cards, tokens and biometrics but there are also some significant drawbacks. One of the obstacles to adoption in an era of tight budgets is that these methods incur additional cost. Cards require reader hardware and software as well as the cards themselves. Cards are also easy to lose or forget, negating their value as an authentication factor. USB tokens can also be lost or forgotten but are usable in most devices that have a standard USB port, without the purchase of reader hardware.
Biometric authentication has the advantage of not requiring the user to remember to carry something with him/her, since it’s based on physical characteristics or behaviors. Fingerprint or retinal recognition requires hardware scanners, though, and voice pattern recognition requires a microphone (now standard on most computers) and software to process the input. Bottom line: biometric and smart card/token authentication is more expensive than simple passwords.
The four basic types of authentication are those that utilize something you know (such as a password, passphrase or PIN), something you have (such as a smart card or token), something you do (such as your speech or typing pattern) or something you are (physical characteristics such as your fingerprint or retinal patterns).
Something you know can be forgotten, or you could be tricked into or forced into revealing it. Something you have can be lost or stolen. Something you do can be changed through learning (with great effort). Something you are generally can’t be changed, although it can in some cases be emulated (for instance, making a copy of a fingerprint with rubber cement or silicone gel, or even making a photocopy):
http://www.networkworld.com/article/2293129/data-center/120606-10-ways-to-beat-fingerprint-biometrics.html
Because even the most costly authentication solutions are not perfect and can be defeated, many organizations have stuck with password authentication. This has led to efforts to make passwords more secure by setting criteria for strong password creation and/or forcing users to change their passwords frequently via regular expiration. Both of these can increase the security of passwords but these password policies can also backfire and result in security compromises when taken too far.
If passwords are required to be too complex, or if they must be changed too often, users get frustrated at their inability to remember their passwords and do what comes naturally (and what can’t be enforced technologically): they start writing the passwords down. And because they need to refer to the record of the password on a daily basis, they tend to “hide” the notation in a place that’s convenient and thus easy for someone else to find. This can make it easy for a hacker or attacker who has physical access to the area to obtain legitimate credentials for logging onto a computer, network or service.
The best form of multi-factor authentication combines different authentication types (for instance, something you know in the form of a PIN combined with something you have in the form of a smart card), but you might have noticed that many sites are now taking a lower cost approach by requiring multiple forms of knowledge-based authentication.
This is most often manifested in the form of the “secret question” that is especially popular for logging onto banking and financial services web sites. When you set up an account, in addition to creating a user name and password, you’ll also be asked to provide the answer to a question that is easily remembered but is specific to you and not widely known, and which has only one correct answer that another person couldn’t easily find out or guess.
In many cases, you will be able to choose between a number of standardized questions, and in some more sophisticated systems, you can create your own question. Some favorite questions include “What was the name of your first pet?” or “What is your favorite song?” These might or might not be good questions from a security standpoint, depending on whether you have that information about yourself prominently shared on social networks. The more obscure the question (as long as it’s something that you can remember), the better.
Some knowledge based authentication schemes use questions that the user doesn’t choose, and some of these may be so obscure that the user doesn’t know the answer him/herself. For instance, a government agency might ask questions regarding information that is on file with that agency, such as information about vehicles formerly registered to you or data from old tax return filings.
This “poor man’s multi-factor authentication” can add a layer of protection to a password-only authentication scheme when it’s not practical to incorporate more costly methods. We can only hope that in the future, there will be an inexpensive, foolproof way to authenticate identity on local networks and on the Internet. In the meantime, as with much of life, it’s all about making trade-offs.
‘Til next time,
Deb
dshinder@windowsnetworking.com
=======================
Quote of the Month - To know what you know and what you do not know, that is true knowledge. - Confucius
=======================
2. Windows Server 2012 Security from End to Edge and Beyond - Order Today!
---------------------------------------------------------
Windows Server 2012 Security from End to Edge and Beyond
By Thomas Shinder, Debra Littlejohn Shinder and Yuri Diogenes
From architecture to deployment, this book takes you through the steps for securing a Windows Server 2012-based enterprise network in today’s highly mobile, BYOD, cloud-centric computing world. Includes test lab guides for trying out solutions in a non-production environment.
Order your copy of Windows Server 2012 Security from End to Edge and Beyond. You'll be glad you did.
<http://www.amazon.com/Windows-Server-2012-Security-Beyond-ebook/dp/B00CMQK0OG/ref=sr_1_1?ie=UTF8&qid=1387293428&sr=8-1&keywords=windows+server+2012+end+to+edge+and+beyond>
3. WindowsNetworking.com Articles of Interest
---------------------------------------------------------
Working with the Desired State Configuration Feature (Part 6)
If you’ve been following Brien Posey’s ongoing series about how to use the Desired State Configuration (DSC) platform management feature in Windows Server 2012 R2 and Windows 8.1, you’ll want to be sure to catch this final installment as Brien wraps up the discussion with instructions on performing a DSC scan on an automated basis using the Windows Task Scheduler.
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/working-desired-state-configuration-feature-part6.html
Active Directory Migration Considerations (Part 8)
Another comprehensive series comes to an end this month, with the final part to Mitch Tulloch’s eight part article that touches on just about everything you need to know before undertaking an AD migration. This last piece will examine some alternatives to using ADMT for performing a forest or domain migration or consolidation.
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/active-directory-migration-considerations-part8.html
Windows Server 2012 R2 Essentials: A Better Solution Than You Thought
This is the final part in my series of articles on the benefits and limitations of Windows Server 2012 R2 Essentials and how it can be used to best advantage in some common small business scenarios. Part 3 delves into Storage Spaces and then discusses how to deploy WS 2012 R2 Essentials in a new AD environment, in an existing AD environment, or as part of a hybrid IT environment.
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/windows-server-2012-r2-essentials-better-solution-you-thought-part3.html
How to Successfully Create a Hyper-V Cluster Using Virtual Machine Manager (Part 3)
In Part 3 of a 4-part article, Nirmal Sharma continues the process of teaching you how to create Hyper-V clusters between two Hyper-V hosts with VMM, after laying the framework by explaining the requirements for using the Create Cluster Wizard in Parts 1 and 2.
http://www.windowsnetworking.com/articles-tutorials/netgeneral/how-successfully-create-hyper-v-cluster-using-virtual-machine-manager-part3.html
PowerShell Essentials (Part 6)
This is another multi-part article by Brien Posey, which provides a good overview for IT professionals who are just beginning to dip their fingers into the world of Windows PowerShell. This last article in the series deals with PowerShell scripts and functions.
http://www.windowsnetworking.com/articles-tutorials/windows-server-2012/powershell-essentials-part6.html
4. Administrator KB Tip of the Month
---------------------------------------------------------
Test your knowledge of server imaging
Here is a tip from Mitch Tulloch that tests your understanding of customizing Windows images for server deployment:
Quick Check:
Why are per-user customizations not usually performed when building a reference image for server deployment?
Quick Check Answer:
Administrators generally don’t bother customizing the desktop environment of servers because they usually manage them remotely using administrative tools and scripts.
The above tip was excerpted from Mitch Tulloch's book Training Guide: Installing and Configuring Windows Server 2012 <http://www.amazon.com/exec/obidos/ASIN/0735673101/mtitenterprises> from Microsoft Press.
5. Windows Networking Links of the Month
---------------------------------------------------------
Microsoft targets June for Windows 10 completion
http://www.networkworld.com/article/2885117/microsoft-subnet/microsoft-targets-june-for-windows-10-completion.html
Browser fingerprints and why they are so hard to erase
http://www.networkworld.com/article/2884026/security0/browser-fingerprints-and-why-they-are-so-hard-to-erase.html
Google changes security disclosure policy, offers 14 day grace period to patch vulnerabilities
http://www.geekwire.com/2015/google-changes-security-disclosure-policy-offers-14-day-grace-period-patch-vulnerabilities/
How network admins can survive Software Defined Networking (SDN)
http://www.computerworld.com/article/2883753/how-network-admins-can-survive-sdn.html
5 Tips to improve poor TCP performance
http://www.itworld.com/article/2884389/5-tricks-to-improve-poor-tcp-performance.html
Guide to Virtualization Hypervisors
http://www.networkcomputing.com/data-centers/guide-to-virtualization-hypervisors/d/d-id/1318945?
6. Ask Sgt. Deb
---------------------------------------------------------
QUESTION:
I’ve been reading about this thing where somebody, maybe the NSA, has infected hard drives with some kind of malware that can’t be erased. Is this true and if so, what can we do to protect our company’s stored data from this? - Randy L.
ANSWER:
According to Kaspersky Lab, a Russian security research company, an unidentified group of cyber attackers that they call the Equation Group has developed some highly sophisticated forms of malicious software, including malware that can infect and reprogram the firmware of a hard drive. The firmware is hard-coded into the drive and acts as the drive’s operating system. Part of it is stored on the printed circuit board (PCB) of the drive and part is on a special “service area” of the disk.
Formatting the hard drive does not affect the firmware; thus code that is embedded there can’t be erased by the usual means. Reportedly, two pieces of malware used by the Equation Group, called EquationDrug and GrayFish, can reprogram hard drive firmware. The complexity of the malware and the sophistication of the methods lead many to believe that the NSA is behind the Equation Group. You can read more in Kaspersky’s Q&A here:
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
WindowsNetworking.com Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.windowsnetworking.com/articles-tutorials/)
- KBase Tips (http://www.windowsnetworking.com/kbase/WindowsTips/)
- Products (http://www.windowsnetworking.com/software/)
- Reviews (http://www.windowsnetworking.com/articles-tutorials/product-reviews/)
- Free Tools (http://www.windowsnetworking.com/software/Free-Tools/)
- Blogs (http://www.windowsnetworking.com/blogs/)
- Forums (http://forums.windowsnetworking.com/)
- White Papers (http://www.windowsnetworking.com/white-papers/)
- Contact Us (http://www.windowsnetworking.com/pages/contact-us.html)
Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowSecurity.com (http://www.windowsecurity.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- ISAserver.org (http://www.isaserver.org/)
- CloudComputingAdmin.com (http://www.cloudcomputingadmin.com/)
- InsideAWS.com (http://www.insideaws.com/)
- WServerNews.com (http://www.wservernews.com/)
WindowsNetworking.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@WindowsNetworking.com
TechGenix Ltd. Mriehel Bypass, Mriehel BKR 3000, Malta
Copyright WindowsNetworking.com 2015. All rights reserved.