Wednesday, October 27, 2010

WindowsNetworking.com - October 2010 Newsletter

-----------------------------------------
WindowsNetworking.com Monthly Newsletter of October 2010
Sponsored by: Symprex <http://www.symprex.com>
-----------------------------------------

Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder <http://www.windowsnetworking.com/Deb_Shinder/>, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: dshinder@windowsnetworking.com


1. Hyperconnectedness: What Will It Mean to IT?
---------------------------------------------------------

In August, the analysts at Gartner released a report that says that the business world can expect to experience ten dramatic changes over the next decade. Many of these predicted changes will affect IT workers, whether employed on the premises of individual companies or with cloud providers. You can read a press release that summarizes those changes here <http://www.gartner.com/it/page.jsp?id=1416513>.

One of the changes that caught my eye was "hyperconnectedness." Hyperconnectivity is a term that is credited to a pair of Canadian social scientists, referring to the use of multiple means of communication. Certainly we've already seen that, with people in the work world today accustomed to using telephony (including IP telephony and wireless telephony), email, instant messaging, web forums, video conferencing, and other means of communication.

Gartner's definition of "hyperconnectedness" goes further, referring to "networks of networks, with the organization unable to control any of them."

This is likely to increase in the future. We're currently seeing a huge invasion of mobile devices in the workplace, with the corresponding burden on IT staff to integrate these smart phones, tablets, netbooks, laptops and other portable devices into the corporate network. Unlike in the past, not all of these devices are issued or owned by the company, either. The consumerization of IT has resulted in users bringing their own devices to work, or using their own devices – from handhelds to desktop computers – to connect to the company network remotely.

This creates at least two major problems for IT:

* How to make the devices work; that is, how to configure them and the network so the devices can access the resources that users need, and
* How to ensure that these devices don't create a security nightmare and allow malware, viruses and attacks into the network.

The first issue presents a problem because there are such a large number of different devices, running different operating systems and applications on different types of hardware. Allowing employees to purchase their own devices can save companies money, but it creates a diversity that never existed when companies purchased one or possibly a handful of device models to issue to employees. Now you may have users who want to connect with Windows Mobile phones, the new Windows Phone 7 devices, Android phones, Symbian phones, iPhones, iPads, and soon, Android, Windows 7 and WebOS tablets, along with Windows, Mac and Linux laptops and desktops. How can IT departments possibly support so many different devices?

The second issue is even more serious. A security breach can cost a company millions of dollars, not to mention lost productivity and damage to the organization's reputation. If customer data or other sensitive information is exposed, consequences could even include legal repercussions.

What can companies and their IT departments do to address these issues, while giving employees the hyperconnectivity they need? Policies are imperative – and they must be well-thought-out ones that take into account the needs of today's young workers, who grew up with technology and are less likely to bow to the control of IT without question, as less tech-savvy workers may have done in the past.

Ultimately, it will take a combination of human and technological solutions to deal with hyperconnected workers and to manage the networks within networks to which they are connected within your organization. It's time to start planning for that eventuality now. One possible solution to the security dilemma is to move toward a model based on the public health model, as was proposed by Microsoft corporate vice president Scott Charney in a recent whitepaper, which I wrote about in my blog <http://blogs.windowsecurity.com/shinder/2010/10/09/microsoft-vp-proposes-application-of-public-health-models-to-the-internet/> over on WindowSecurity.com.

By Debra Littlejohn Shinder, MVP
dshinder@windowsnetworking.com


=======================
Quote of the Month - I hate television. I hate it as much as peanuts. But I can't stop eating peanuts. - Orson Welles
=======================


2. ISA Server 2006 Migration Guide - Order Today!
---------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.

3. WindowsNetworking.com Articles of Interest
---------------------------------------------------------


* What's New in Windows Firewall with Advanced Security in Windows Server 2008 R2 and Windows 7
<http://www.windowsnetworking.com/articles_tutorials/Whats-NewpWindows-Firewall-Advanced-Security-Windows-Server-2008-R2-Windows-7.html>

* Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1)
<http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html>

* Troubleshooting Windows 7 Wireless Networking Problems (Part 4)
<http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Windows-7-Wireless-Networking-Problems-Part4.html>

* Intel's Hyper-Threading Technology
<http://www.windowsnetworking.com/articles_tutorials/Intels-Hyper-Threading-Technology.html>

* Understanding Windows Logon Options
<http://www.windowsnetworking.com/articles_tutorials/Understanding-Windows-Logon-Options.html>

* Acronis True Image Echo Server for Windows - Voted WindowsNetworking.com Readers' Choice Award Winner - Backup
<http://www.windowsnetworking.com/news/WindowsNetworking-Readers-Choice-Award-Backup-Acronis-True-Image-Echo-Server-for-Windows-Aug10.html>

* Four Reasons to Upgrade Your DNS Server to Windows Server 2008 R2
<http://www.windowsnetworking.com/articles_tutorials/Four-Reasons-to-Upgrade-Your-DNS-Server-Windows-Server-2008-R2.html>

* Windows User State Virtualization - Part 4: Mixed Environments
<http://www.windowsnetworking.com/articles_tutorials/Windows-User-State-Virtualization-Part4.html>


4. Administrator KB Tip of the Month
---------------------------------------------------------

Disable In-Private Browsing in Internet Explorer 8

The InPrivate Browsing feature, new in Internet Explorer 8, can be helpful in protecting your privacy. However, there are times you might not want users to be able to freely browse. Fortunately, you can disable this feature with the Group Policy settings in the Windows XP, Vista, and 7 professional editions:

1. Open the Group Policy editor by running gpedit.msc from the XP Run dialog or the Windows 7 or Vista search field on the Start Menu.
2. Navigate to Computer or User Configuration / Administrative Templates / Windows Components / Internet Explorer / InPrivate.
3. Change the Turn off InPrivate Browsing status to Enabled.

For more administrator tips, go to WindowsNetworking.com/WindowsTips
<http://www.windowsnetworking.com/kbase/WindowsTips/>


5. Windows Networking Tip of the Month
---------------------------------------------------------

Run 16-bit applications in Windows 7

There are still a bunch of us who need to run old applications on our shiny new Windows 7 computers. You can do this by taking advantage of a virtual machine process that makes these applications think they are running in 386 Enhanced Mode in Windows 3.x. However, by default this runs as a single virtual machine, which means that all the legacy applications share the same process. If one of the applications goes haywire, it can take down the rest of them – just like we remember from the Win 3.x days.

The good news is that you can help stop a rogue 16-bit or MS-DOS-based application from whacking the others by running that application in a separate memory space. Here's how:

1. Right-click the application's shortcut and click Properties. (You will need to create your own shortcut if there isn't one already.)
2. In the Properties dialog box, on the Shortcut tab, click the Advanced button.
3. In the Advanced dialog box, put a checkmark in the "Run In Separate Memory Space" check box.
4. Click OK and then click OK again to save the changes.

There you go! Note that this will take a bit more memory, but modern computers come with plenty of memory so this shouldn't pose a problem for you. Also, using this method, you can run multiple instances of the application – just make sure each instance is configured to use its own memory space.


6. WindowsNetworking Links of the Month
---------------------------------------------------------

* Are your client machines getting errors such as "Network Path Not Found" or "The Specified Network Name Is No Longer Available" when connecting to a Windows 2008 Server share?
<http://blogs.technet.com/b/networking/archive/2010/09/24/are-your-client-machines-getting-errors-such-as-network-path-not-found-or-the-specified-network-name-is-no-longer-available-when-connecting-to-a-windows-2008-server-share.aspx>

* Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles
<http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx>

* Using the Remote Desktop Services BPA to analyze a Remote Desktop Gateway implementation
<http://blogs.technet.com/b/networking/archive/2010/08/18/using-the-remote-desktop-services-bpa-to-analyze-a-remote-desktop-gateway-implementation.aspx>

* How TCP TIME-WAIT Assassination works
<http://blogs.technet.com/b/networking/archive/2010/08/11/how-tcp-time-wait-assassination-works.aspx>

* The July, 2010 Cable Guy article: Connecting to Wireless Networks with Windows 7
<http://blogs.technet.com/b/networking/archive/2010/07/29/the-july-2010-cable-guy-article-connecting-to-wireless-networks-with-windows-7.aspx>


7. Ask Sgt. Deb
---------------------------------------------------------

* QUESTION:

Hey Deb,

We would like to allow our remote users to access Exchange Server with Outlook using RPC/HTTPS (Outlook Anywhere). However, we need something more than password authentication. While two factor authentication would be nice, it's not strictly required. What we need is some way to prove that the computer that the user is connecting from is a corporate computer. Any ideas?

Thank you –Ted E.


* ANSWER:

Hi Ted!

You have several options when it comes to enhancing the default authentication mechanism used by the Outlook RPC/HTTPS client. As you know, out of the box, you only have the option to enable Windows Integrated authentication (Kerberos/NTLM) or basic authentication. Since the authentication process takes place after the SSL connection is established, in general you're best off using basic authentication. This is especially important for non-domain member machines, where you have to use basic authentication.

The Outlook client, for some reason, wasn't built to support two factor authentication at the application level. That means you have to get creative. You mention that you want to make sure that users are using corporate computers. If these corporate computers are using Windows 7, then your best bet is to use DirectAccess. When you use DirectAccess, your Windows 7 domain computers can always be managed, and they also require that the computer present a computer certificate and that the computer and user accounts can be authenticated and authorized. This is a very secure solution, but it does require that you deploy UAG DirectAccess to get full value out of the solution.

If you aren't using Windows 7, UAG is still a great solution for you. What you can do is have users log into the portal using a two-factor authentication method of your choice (RSA, RADIUS OTP, etc.) and then, after the user completes the two-factor authentication process, the Outlook client is able to connect to the Exchange server through the portal. This allows both domain member and non-domain member computers to use strong authentication, since they have to successfully authenticate at the UAG SSL VPN portal before they are allowed access to the Exchange Server.

Another method you can use is to require an IPsec connection to the Exchange Server. In most cases, when you publish the CAS, you want to have a strong application layer inspection firewall like the TMG firewall in front of the CAS server (at least when you're not using UAG as a gateway to the Exchange Server). If you choose to use TMG instead of UAG, you can configure the client systems to require an IPsec tunnel to the external interface of the TMG firewall. The IPsec tunnel will require a computer certificate from the corporate computers running Outlook to establish the IPsec tunnel. After the IPsec tunnel is established using the computer certificate on the client system, then the user will be able to establish the Outlook connection to the CAS. In this scenario, you have a one-and-a-half factor authentication, since the "half factor" is the computer certificate on the client system.

As you can see, you have several options for enhancing the authentication security for your Outlook Anywhere client. There are other options too, but these are the ones that we've used most to provide secure access for our Outlook clients.

Hope this helps! – Deb.
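One concrete way to set up the client side of the third option above (the IPsec requirement to the TMG external interface) is a Windows Firewall with Advanced Security connection security rule created with netsh; this is an added example, not from the newsletter or Deb's answer. The TMG address, CA name and rule name are placeholders, and it assumes the TMG side has a matching IPsec policy and that the client already holds a computer certificate issued by the corporate CA.

```batch
@echo off
rem Added example (not the newsletter's own). Run from an elevated prompt on
rem the corporate Windows 7 client. All values below are placeholders.
set TMG_EXTERNAL=203.0.113.10
set CA_NAME=CN=Corp Issuing CA

rem Weak form, for contrast only: the same rule with action=requestinrequestout
rem merely asks for IPsec. A peer with no usable certificate still gets a
rem plaintext TCP session, so it proves nothing about which computer connected.

rem Hardened form: IPsec is required in both directions and is authenticated
rem with the machine certificate chained to the corporate CA. Without that
rem certificate no packet to TCP/443 on the TMG external address is sent, so
rem the "half factor" Deb describes is enforced before Outlook ever talks HTTPS.
netsh advfirewall consec add rule name="Outlook Anywhere (require IPsec)" ^
    endpoint1=any endpoint2=%TMG_EXTERNAL% protocol=tcp port2=443 ^
    action=requireinrequireout auth1=computercert auth1ca="%CA_NAME%" ^
    profile=any

rem Verify the rule, then confirm a main-mode SA appears once Outlook connects.
netsh advfirewall consec show rule name="Outlook Anywhere (require IPsec)"
netsh advfirewall monitor show mmsa
```

If the client lacks a certificate from the named CA, the main-mode SA never forms and the Outlook connection fails before reaching the CAS, which is the intended outcome for non-corporate machines.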

TechGenix Sites
---------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
ISAserver.org <http://www.isaserver.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
WindowsNetworking.com is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@windowsnetworking.com
Copyright © WindowsNetworking.com 2010. All rights reserved.
