Server and Domain Isolation Information on TechNet

I noticed today on Jesper's blog that Microsoft has a dedicated web site for the discussion of Server and Domain Isolation solutions.

As quotes on the website:

A Server and Domain Isolation solution based on Microsoft Windows IPsec (Internet Protocol security) and Active Directory enables administrators to dynamically segment their Windows environment into more secure and isolated logical networks based on policy and without costly changes to their network infrastructure or applications. This creates an additional layer of policy-driven protection, and helps better protect against costly network attacks, helps prevent unauthorized access to trusted networked resources, achieve regulatory compliance, and reduce operational costs.

I haven't looked much into this, but I like the premise. I really like the ability of segmenting the environment into more secure zones. You might remember that I talked about zone separation when discussing The "Higher Security Mindset" - Seven Best Practices to Keep you Safe.

There are some great whitepapers on the site discussing how to implement IPSec and Group Policy to do this. I highly recommend that you take some time to check it out.

Thanks for the pointer Jesper!

Blog Maintenance: Server swapping out tomorrow

Just to let you know, Alan is swapping out the server tomorrow and my blog will be down for a good part of the day.

The good news is that it is being moved to some new hardware with thanks to Fred and his crew. The new server is what I consider to be hardware porn for a Linux server:

• Dual hyperthreaded 3.4Ghz cpus
  
• 6G ram
  
• 5x72Gb SCSI drives in a RAID5
  

That should take care of some of the load issues for a while :)

Anyways, good luck to Alan on a clean migration to the new hardware. And thanks to both him and Fred for the great hardware porn for the blog and the rest of ufies.

Ever wonder why Windows File Protection doesn't use ACLs to protect files?

Over the years I have cringed at the thought that rogue elements could overwrite system binaries, bypassing Windows File Protection with use of tools like SysInternal's handle.exe. I always wondered WHY they didn't have tighter ACLs on the files, and today Raymond explains why.

Apparently they tried that. And it didn't work well. Software installers had a nasty problem in which they didn't like being told they can't overwrite a file, and would fail miserably. Microsoft's solution? Let the copy happen, and then overwrite the installer's changes with the original trusted file later.

Raymond says that in Vista this is going to change abit.

"Now that Windows File Protection has been around for some time, software installers have learned that it's not okay to overwrite system files (and trying to do it won't work anyway), so starting in Windows Vista, the Windows File Protection folks have started taking stronger steps to protect system files, and this includes using ACLs to make the files harder to replace. Presumably, they will have compatibility plans in place to accomodate programs whose setup really wants to overwrite a file."

That's great news! I like to see the tighter ACL integration, now that 3rd party vendors have learned to live with constraints of not overwriting system binaries they have no right to be touching in the first place.

So how ARE you supposed to submit samples of malicious software or spyware to Microsoft?

Microsoft has recently streamlined their process for receiving samples of malicious software or spyware, and I asked if it was ok to let everyone know about it. It's actually rather easy:

Samples sent to the following addresses will be automatically processed into the Microsoft Antimalware Team analysis queue:

• avsubmit@submit.microsoft.com (virus/worm/trojan/etc samples)
  
• windefend@submit.microsoft.com (spyware samples)

Note that these use @submit.microsoft.com now, rather than @microsoft.com.

One reason for the change is to move the mail server they use for sample submissions outside of their corporate SPAM and virus filters. In the past they have had issues with sample submission e-mails getting filtered, particularly on the SPAM side.

These addresses replace the old submission addresses:

• avsubmit@microsoft.com (deprecated)
  
• malware@microsoft.com (deprecated)
  
• windefend@microsoft.com (deprecated)

As before, please use "False Positive" or "False Negative" in the mail subject line if possible to indicate the type of submission, and use password of 'infected' on the submitted .zip or .rar file.

If you have any questions about this process let me know, and I will take it to the program manager in the Microsoft Antimalware Team.

Have fun. Keep the samples coming. Microsoft loves them.

Links for Sites of Interest about Regulatory Compliance

As a final post to those who attended my presentation, the following are some links to resources that may assist you in learning more about some of the regulatory compliance standards, and how it may affect you. It is in no way complete, but resources I have bookmarked that I have used in the past.

• SOX Compliance for the Security Practitioner - A collection of resources which offers tips and strategies for keeping your organizations compliant with the ongoing demands of the Sarbanes-Oxley Act.
  
• SOX Security School - Free, multi-media Security School which shows you exactly what you need to do to meet SOX's ongoing demands and arms you with actionable items to ensure your business remains continuously compliant.
  
• HIPAA Learning Guide - s A collection of news articles, analysis reports, expert advice, white papers and case studies that will help keep you on track with HIPAA.
  
• HIPAA Covered Entity Determination Questionnaire - IOWA statewide HIPAA Impact Assessment Criteria document. Nicely laid out
  
• HIPAA Security and Electronic Signature Standards - A bullet item list of some HIPAA security related requirements.
  
• 
  
• UCSB SB1386 Guidelines - University of California in Santa Barbara SB1386 guidelines. Excellent interpretation and guidance of the bill.
  
• How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act - A Guide to GLBA for Small Business from the Federal Trade Commission
  
• Payment Card Industry (PCI) Self-Assessment Questionairre
  
• Meeting the PCI Data Security Standard requirements mitigates threats
  
• Symantec Compliance Assessment Tool - Free software tool (requires registration) that can run a compliance check for any two of these regulations simultaneously: Sarbanes-Oxley, FISMA, HIPAA, GLBA, Basel II, Payment Card Industry - Data Security Standard.
  

Security Guides for Small Business

Last year at SMBNation Susan and I put together a bunch of links that would help small businesses get information on dealing with security. I thought I would provide some of that information here:

• Consensus Benchmark Technical Controls
  
• Security Guide for Small Businesses
  
• Microsoft’s Security Center for Small Businesses
  
• US Chamber of Commerce Small Business Security Center
  
• e-Security Guide for Small Business (Association of Small Business Development Centers, and Microsoft)
  
• Small Business Best Practices (draft) (Internet Security Alliance and Small Business Working Group)
  
• FTC Consumer and Business Education on Online Security
  
• Cybersecurity and Consumer Data: What’s at Risk for the Consumer? – Prepared statement of the Federal Trade Commission (FTC) before the Commerce, Trade, & Consumer Protection Subcommittee, Committee on Energy & Commerce, U.S. House of Representatives, Nov. 19, 2003
  
• NIST 800-26 Security Self-Assessment Guide for Information Technology Systems
  
• NIST 800-50 Building an Information Technology Security Awareness and Training Program
  

I will follow up with links more dedicated to regulatory compliance shortly.

Follow up to my Small Business Summit presentation on the 5 Rules of the Regulatory Process

In what had to be my worst presentation in YEARS I just finished presenting on the 5 Rules of the Regulatory Process for Microsoft at the Small Business Summit.

I swear I was rambling incoherently at times as I tried to keep LiveMeeting going. *sigh* Sorry about that. I really should have practiced using LiveMeeting before I went and did this in front of an audience of over 300 people.

Not as much a technical problem as trying to keep a Level 100 presentation on track without diving into detail while keeping the slides in sync. I found myself spending more time refraining from using infosec terms in an effort to keep it focused on the BDM (business decision makers) of small business rather than IT professionals who have experience in infosec. And stupid me should have used my own slides instead of worrying about LiveMeeting.

Anyways, I promised I would provide the Q and A on my blog, and to not disappoint... that is what this post is about. Susan was AWESOME in answering much of this as I presented... so you will find her common theme as the SBS diva throughout :) In some places where we didn't get to respond to the question, I hope I am able to do that now. If I missed anything... feel free to leave a comment.

I also promised to provide some more info on some of the standards, and I will do that in a follow up post.

I would have posted the raw QA logs, but a LOT of the questions were really about technical difficulties that attendees were having at the Small Business Summit. Apparently some people were getting HUNDREDS of survey questions via email from previous presentations and felt that my presentation was the time to vent their frustration. Luckily Maryamie (Robert Scoble's wife) was the moderator and took care of all those questions for me! Thanks Maryamie! I'll make sure I bring down a bottle of Gwertztraminer and some applewood smoked cheese when I come down to see you and Robert next time. :)

As promised here are the highlights from the QA session:

Questions >>>

Q: How many have joined the seminar ? I don's see the listing
A: we have about 300 people

Q: Can you cover a little bit about PCI (Payment Card Industry) Compliance and how it affects small businesses?
A: Dana won't be talking quite that specific..but right now Visa and Mastercard have yet to apply PCI down to the small businesses....look for changes in this going forward though.
Dana's Followup: You can check out Martin McKeay's view on how these 5 Rules CAN apply to the PCI Data Security standards.

Q: Would you elaborate on steps to establish a full GLBA compliance program for bank?
A: This web cast won't be going that deep dive inot GLBA compliance steps. Rather this is more of an overview of the regulatory process. I'd recommend that you contact a compliance auditor to assist you in setting up a program.

Q: Is there a site to go to to find out want the rules are for a web business.
A: This webcast is an overview of the kinds of regulations that affect many businesses, not just web sites.

Q: With todays hackers why not have more security than need is more better?
A: There's a balance between security and business that has to take place. You just need to be "secure enough" (answered by a fellow small business person and not Microsoft) Too much security and it gets in the way of business (like Dana just said)
Dana's Followup: Remember that security is about risk mitigation, and not risk avoidance. The goal is to reduce risk to acceptable levels for YOUR business. To make it "secure enough" against the risks you believe exist to your business.

Q: Is Sharepoint a program that works with Microsoft Office? I am trying to set up a document control system in accordance with an aerospace quality standard
A: Sharepoint (which is included in SBS 2003) works the best with Office 2003 but can work with other Office versions.
Dana's Followup: Depending on the regulatory requirements for that industry, Sharepoint may not be enough. You may want to look into Microsoft's Rights Management Services. Note that RMS != DRM, as many people believe. Its worth looking into if you want information protection technology that supports individual rights management.

Q: What medium works best with Shadow Copy? HD? USB-HD? Tape?
A: Volume Shadow copy works best with harddrive but it can also be used on an external USB harddrive. It does not work with tape as it's a live "snap" of the data.

Q: Where could I go to get more info on how to audit using GPO's?
A: Inside the Small Business Server 2003 console is the GPMC, you can export from that the server's group policy settings and review that. I would also recommend checking out MS's scripting site
Dana's Followup: You can check out this TechNet article on how to apply or modify auditing policy settings for an object using Group Policy.

Q: What products should we use for authentication?
A: The basic products of desktop and servers give you NTLM authentication whiich works great for small businesses
Dana's Followup: Authentication comes in many means. On top of the native authentication mechanisms available in Windows, I would consider two-factor authentication systems if you are requiring users to access sensitive information remotely. EVEN if you can trust the remote host (which I argue you cannot always do at this point in time), the one time passwords (OTP) will help assure that malware that may obtain passwords is rendered useless. Companies like CryptoCard have products that fit well in the small business space and are much more affordable than their enterprise counterparts.

Q: I use Office Professional, not SBS 2003. Can I still get it?
A: With Sharepoint you need a server. (I'm a small business owner answering this question.. I'd recommend SBS if you want Sharepoint)

Q: Will Office Live provide something like Remote Web Workplace as a way to have secure Information Availability?
A: Office Live gives similar funtions... but there's nothing like Remote Web Workplace to provide secure remote access to data on your desktop and server

Q: What size HD best with Shadow Copy? 200GB+?
A: Whatever size you can afford. Here at my office I have a 160 gig LACIE harddrive for my volume shadow copies ... I snap every hour on the hour

Q: What is Remote Web Workplace?
A: It's a secure web based portal to get back to your server and your desktop that's only in the Small Business Server 2003. Google on Remote Web Workplace and check it out.
Dana's Followup: In my opinion (and many SBSers out there), that this is THE killer app from Microsoft... and is only available in SBS 2003.

Q: Could I operate with SBS 2003 as my only server in a SOHO LAN? Would that be the place to add Active Directory?
A: SBS 2003 is designed to be the perfect first server.. it MUST run active directory...so YES. (a SBS owner here)

Q: Where would I find the risk assessment tool he just mentioned?
A: MSAT and MBSA are available on the web ...google it or see the link in the PDF
Dana's Follow Up: MSAT link=https://www.securityguidance.com/, MBSA link=http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

Q: When is SBS R2 available?
A: "Sometime this summer" is the word from yesterday's webcasts

Q: How can I request to BETA or Community Test the R2?
A: I beleive there will be a notice posted on the SBS R2 site... but I'll post a follow up on my SBS blog (see www.sbsdiva.com)

Q: Is there a site I can go to that will tell me what regulatory practices or laws I should be checking my system against?
A: What industry are you in? There's unfortunately not a 'standard' out there. You have to find what regulations cover you.
Dana's Followup: The attendee was part of a tax firm in California. As such standards like GLBA and SB1386 would come into play here.

Q: Are there overviews of how to be hippa and sox compliant?
A: Again, that's a huge question... Hipaa and sox are 'by design' vague
Dana's Followup: In a followup post, I will link to some good resources you can read that can help you down this path

Q: Does SBS have auto backup capabilities?
A: Yes it does... RUN THE BACKUP WIZARD (sorry yes I'm shouting) and you can backup to tape, harddrive and there's a daily email that confirms the backup

Q: Can you discuss what you know about Law Firm compliance ?
A: Look at the confidentiality of the data. Think in terms of what's the best to keep that data safe.

Q: What kind firewall and anti-virus is the best to use
A: Pick one. And then keep them updated and monitored.
Dana's Followup: Great answer Susan. It's not as important as to WHICH software you use as most of them perform well these days. It's making sure that signatures are up to date and that systems properly use them.

Q: Does Microsoft have a testing site to actively test whether or not encryption/sercuity meets certain standards?
A: Normally software indicates what encryption it is... DES, Triple DES, etc...what does your regulations specify?

Q: Can you back up to other things besides tape?
A: Absolutely. I use USB harddrive here. I don't use tape
Dana's Followup: These days, I recommend AGAINST tape and prefer other data sources like USB harddrives and offsite backup services. Tapes fail WAY to much (some people say over 70% of the time) and are just not managed well for small business.

Q: Is there anyplace to get any good risk assessment templates?
A: MSAT and MBSA are excellent resources.

Q: Is there one list that can be used to find out what regulations apply to an organization or industry?
A: Unfortunately not..when you find it...can you let me know?
Dana's Followup: Me too!

Q: Our company recently had to become PCI compliant to be able to continue to process transactions online, it required a total overhaul of our server to keep up to date and the standards are changing every couple of months. I thought maybe the audience would like a heads up that this does affect the way small business do ecommerce. Yes I mentioned this earlier, I just think that it really can be a surprise for those considering going online with their business.
A: Currently it's my personal opinion (not MS) that the Visa/mastercard PCI standards are too granular and not aware of risk management
Dana's Followup: I tend to agree with Susan on this, but must admit that the PCI standard atleast IS a standard helping to ensure CC transactions are completed safely. There are a LOT of shopping carts on the Net which are not following PCI and will eventually get weeded out over time.

Q: What can you tell us about the new Visa/Mastercard/Discover certification initiative? I understand it would require data incription. What is the MS solution for small businesses?
A: At the present time, Visa and Mastercard do not have PCI standards that have come down to what I consider "small business" ...yet... but it's coming. I personally (again not MS opinion here) think that the current PCI standards are too restrictive and not Small Business aware. As small businesses, we need to try to impact these regulations as best as we can.
Dana's Followup: I understand Susan's point here, and she is right. However, with that said I believe that PCI offers guidance to help ensure that things like strong crypto are used and that servers are locked down. I know when I was having to put my business through PCI so we could host online transactions we went through a security audit for our own online server which requires some changes that I didn't expect... such as ensuring only strong crypto (we used to allow a fall back if the client request it, that we no longer support). I do know this... because we follow the 5 Rules of the regulatory process, we passed quite quickly once we addressed that one crypto issue in the SSL stream.

Q: What products work over a VPN?
A: Can you be more specific? Honestly with SBS, I use RWW and don't use VPN these days.
Dana's Followup: Me too. Actually, by using RWW we never have to worry about configuring VPN clients or letting in IPSec/PPTP tunnels when they are not needed. This also gives us the benefit of a passive connection to the data which doesn't allow for a layer3 connection. In this way, we don't have to deal with network bound attacks, since packets are simply not allowed through... even if the remote host is full of hostile malware.

Q: What type of anti virus do you use on sbs 2003 norton dose not work
A: (Non MS here) I use Trend, but there's CA, Symantec, and Sophos for just some that install and work on SBS boxes

Q: RWW requires a server which I do not have
A: (SBS owner here) buy SBS..you'll get RWW :-)

Q: Does using encryption on your business server mean that all files are encrypted? ..or are only certain folders encrytable with encoders only on your LAN or WLAN?
A: Depends on how you set it up. I personally have it just on folders.

Q: Sounds like multiplicity is the watch-word to data protection? I use USB-HD plus copy to backup HD on desktop, plus use NTI Shadow Backup to backup to other desktop on network. What else would you add (on-site)?
A: I use VSS and hourly 'snaps', I backup to harddrive... the more paranoia the better :-)

Q: How does the BizTalk Server for HIPAA transactions help an organization meet both HIPAA and SOX compliance?
A: Honestly I personally have not used BiZtalk so I can't answer this (I don't see a lot of Biztalks and SBS boxes)
Dana's Followup: Like Susan, I have no experience with BizTalk. However, Microsoft does have some guidance, which you can find here.

Q: I heard that there is a flash-drive based encryption product that basically encrypts your whole hard drive. Have you heard of it? Seems this might be useful to laptops on the road. If you have heard of it, what's your (personal) take?
A: In Vista there is a "bitlocker" that will be available in the Software Assurance version of Vista.. is that what you mean?

Q: Windows Storage Server. Where can I go for the communities and newsgroups?
A: http://www.microsoft.com/communities/newsgroups/default.mspx

Q: Is current version of RMS forward compatible with SBS R2?
A: I know the old RMS works on current SBS... come out to the SBS community for follow up

<<< End Questions

As I went through the question log, I noticed a lot of praise. I do appreciate that. And I apologize it wasn't smoother. Thanks for coming out and listening to my rambling!

Using SBS 2003 to Meet Objectives in the 5 Rules of the Regulatory Process

Striving to meet the objectives of the 5 Rules of the Regulatory Process does not have to be a huge burden to small businesses. You don’t have to outlay tens of thousands of dollars in document management systems and security safeguards to protect information that can be handled with technologies you may already have at your disposal. As a fan of Microsoft’s Small Business Server 2003, I can attest to the fact that a small investment of a few thousand dollars can offer my small business many of the technical safeguards at no extra cost, and allow me to meet the objectives of the 5 Rules of the Regulatory Process. Here are just a few examples:

• The usage of Active Directory allows me to apply fine grained access control to information assets to my business. (Rule of Information Protection)
  
• The usage of Microsoft's Encrypted File System (EFS) provides key encryption to sensitive information on both desktops and laptop computers. (Rule of Information Protection)
  
• I have fine grained network access control through the usage of ISA 2004. (Rule of Information Protection)
  
• I have detailed auditing controls with Group Policy on both the SBS server and workstations. (Rule of Information Integrity)
  
• SBS 2003 Backup offers me great backup and easy restoration (Rule of Information Integrity and the Rule of Information Retention)
  
• I have data modification auditing with Windows Shadow Copy (Rule of Information Integrity)
  
• I have document version control directly in Sharepoint (Rule of Information Integrity)
  
• I have the ability to offer all employees easy information restoration with the use of the shadow copy client. Accidental (or malicious) deletion of information can easily be restored. (Rule of Information Availability)
  
• I have the ability to offer employees easy remote access through VPN, and more importantly, Remote Web Workplace… the killer app for SBS 2003. (Rule of Information Availability)
  
• I have multi-edit document history with Volume Shadow Copy (Rule of Information Retention)
  
• I have email retention and archiving with Exchange (Rule of Information Retention)
  
• I have easy access to free risk assessment tools such as the Microsoft Security Assessment Tool and the Microsoft Baseline Security Analyzer (Rule of Risk Management)
  
• In the upcoming release of SBS R2, I get the benefits of Windows Server Update Services (WSUS) (Rule of Risk Management)
  
• I have complete access to the Microsoft Small Business Security Guidance Center. (Rule of Risk Management)
  

These are just a few of the assets I get FOR FREE with Small Business Server. I do not have to outlay any more financial investment in new tools to gain many of the benefits to my small business that the 5 rules offer.

The 5 Rules of the Regulatory Process

If you work in enterprise IT security, regulatory compliance is probably nothing new to you. There is a good chance you hate the thought of it, but you are intimately aware of the challenges and expensive nature your business has had to go through to meet compliance objectives.

But if you are a small business, I’ll bet it’s a fearful phrase you typically try to avoid. Or worse yet, a phrase that you don’t believe applies to you! Don’t worry. You are not alone. But I’d like to challenge your thinking and belief system as it relates to regulatory compliance and small business. I believe that if anything, small businesses should realize that the process of creating an environment for regulatory compliance is not that difficult and can be used as an ASSET to the business; an advantage over many competitors that offers real business benefits to your company.

Look, when it comes to this topic, the biggest challenge businesses of all sizes face is in ensuring that regulatory compliance objectives are observed and that compliance can be demonstrated and accurately monitored and reported. What’s interesting is that, against what many security vendors are trying to sell you, this can be done with a lot of what you already have by stepping back and using a ‘higher security mind-set’. In other words, you don’t HAVE to outlay huge investments in unnecessary security safeguards if you think more clearly about the objectives you need to reach. By applying appropriate technical safeguards for enforcing compliance to meet required corporate security and audit policies, small businesses can greatly facilitate the demonstration of controls that enhance the integrity and auditability of their IT systems.

Quite frankly, the process of regulatory compliance is a business problem, not a technical one. Or more to the point, regulatory compliance is a process… not a product.

A few years ago, I started talking about and introduced to my readers the 8 Rules of Information Security that greatly increases the effectiveness of security controls. I wish I could take credit for the original thinking of those rules, but it was something I really learned from Kevin Day. Today though, I would like to introduce similar thinking to how small business can approach regulatory compliance. Borrowing from how Kevin approached information security, I would like to approach regulatory compliance in a similar manner. What it comes down to is 5 Rules of the Regulatory Process.

1. Rule of Information Protection - Limit access to information to only those people and resources that absolutely need it. When possible limit access to the information resource to trusted sources only. Use the Rule of Least Privilege from the 8 Rules of Information Security along side of the Rule of Trust to ensure that this rule can be respected. Some examples of technical safeguards that can assist in meeting this rule’s objectives include using the operating system’s access control system (ACLs, perms etc), file/folder/disk encryption and network access control (firewalls, authentication, etc).
   
2. Rule of Information Integrity - The ability to ensure information is accurate and an unchanged representation of the original secured information is critical to regulatory compliance. Once you have applied safeguards to ensure information resources are only accessible to those people that absolutely need it, it is critical that you can demonstrate who DOES access those resources, and what changes they may cause to the information. Without it, there is no way to ensure the integrity of the original information, and any acceptable changes that may occur. Some examples of technical safeguards that can assist in meeting this rule’s objectives include backups, document version control and audit logging (ie: Auditing controls in Group Policy).
   
3. Rule of Information Availability - It is important to ensure that information resources are readily accessible to authorized personnel at all times. With the growing needs of remote mobile users to access this information, this has to be done so in a responsible manner that can ensure that it can be done so safely and securely. At the same time, while offering availability it is crucial that the rules of Information Protection and Information Integrity be respected. By following these rules, businesses do not sacrifice security to gain access to information assets. Some examples of technical safeguards that can assist in meeting this rule’s objectives include Virtual Private Networking (VPN) and both online and offline document rights management.
   
4. Rule of Information Retention - One of the key aspects of many of the regulatory compliance standards is that information must be retained for a given period of time, and guaranteed to be able to be reproduced in its original form as required. Small businesses need to retain certain information, like contracts and financial records, in order to operate their business and to ensure that they are operating in conformity with provincial, state and federal laws. When the Rule of Information Integrity is applied, this rule helps protect the business against allegations that information was destroyed in an effort to avoid liability. A good information retention policy also allows businesses to benefit from being able to easily retrieve older and archived information that is not readily accessible in day to day operations. Some examples of technical safeguards that can assist in meeting this rule’s objectives include backups, email retention and archiving and document version control.
   
5. Rule of Risk Management - Without information assets, there are no threats to which risk can be applied. In other words, if an adversary has no interest or objective to go after, there may be very little risk. As an example, an attacker probably doesn’t care much about your company’s MP3 share. But they might care about your shared Contract library. Without cataloging information assets to understand what needs to be protected, there is no way to evaluate what is at risk. Risk management does not have to be overly complex or require significant change to business processes to understand and evaluate. It comes down to looking constructively at what information is important to the business, and assessing what risks may be exposed to those assets. And this assessment process is always ongoing and regularly evaluated. As they say, to be forewarned is to be forearmed. Some examples of technical safeguards that can assist in meeting this rule’s objectives include the usage of risk assessment tools such as MSAT and MBSA, following a regular patch management process and receiving relevant guidance and expertise from responsible vendors.
   

Now I know these rules may seem over-simplistic. If we focus on what the expected outcomes are though, we actually begin to see this come together. Some outcomes would include:

• Accountability
  
• Auditability
  
• Privacy
  
• Data integrity
  

Interesting. Now lets look at some of the existing regulatory compliance standards:

• Financial Governance – Sarbanes Oxley (SOX)
  
• Health services – HIPAA
  
• Banking – Gramm-Leach-Bliley (GLBA)
  
• Privacy – SB1386/AB1950
  

You know what? What is interesting about those standards is that their compliance objectives echo the outcomes we can achieve with those 5 rules. In other words, we can meet the original challenge of ensuring that regulatory compliance objectives are observed and that compliance can be demonstrated and accurately monitored and reported. By applying these 5 rules, small businesses can greatly facilitate the demonstration of controls that enhance the integrity and auditability of their IT systems. And that is the goal we are after.

Now you might be asking how this can directly benefit your small business as an asset and not a liability. Well, look at some of the business benefits that can be reached if you apply some of the technical safeguards to meet the objectives of the 5 Rules of the Regulatory Process:

• You can have a more effective backup strategy that can help in disaster recovery and business contingency planning.
  
• You can have a more effective information retention strategy to recover information and offer auditability and accountability to those agencies that may need it.
  
• You can have a more effective and secure remote access strategy that can help extend and enhance user productivity through better information access.
  
• You can reduce business risk to information assets while understanding the real impact of technical safeguards against those risks. This will allow you to make more intelligent business decisions and reduce total expenditures on unnecessary security safeguards that will do little but interrupt your business workflow.
  

These have a direct impact to your business and your IT infrastructure. For many small businesses, these strategies will offer unprecedented protection to information assets and offer your business ways to get more out of your IT investment while saving money and reducing risk. What more can you ask for?

Technology will fail. People will fail. If you apply these 5 rules you will be able to recover from those failures and significantly reduce the impact those failures may have on your business. And in my book, that is more important than fretting that you can’t afford to put such policies and procedures into play in your IT infrastructure. Or worse yet, that you don’t think such safeguards are good for your business. They absolutely are… and are within reach.

Update: If you would like to see how I apply these rules in my own small business you can read about how I do it here with the use of SBS 2003.

Microsoft Threat Analysis & Modeling v2.0

Microsoft has released a new beta of their Threat Analysis & Modeling tool which allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

• Data access control matrix
  
• Component access control matrix
  
• Subject-object matrix
  
• Data Flow
  
• Call Flow
  
• Trust Flow
  
• Attack Surface
  
• Focused reports

If you have spent any time working in Frank's previous threat modeling tool, you may want to check this out. You will be pleasantly surprised.

Happy threat modeling!

Origami - How a great idea needs Apple designers

So this morning I had an opportunity to watch Robert's interview with the architect of Origami. As a regular user of a TabletPC, I really like this idea, especially the idea of moving to a touchscreen.

This takes the form factor that I like out of my mobile PC (aka my smartphone) and putting in a FULL XP Tablet Edition operating system. Neat stuff. Not sure how well this thing will work outside in direct sunlight. I will hold my judgement on that part. Same with battery life. I would use my Tablet A LOT more... except I can only get 3 hours at a time with it. I hope this "ultra-mobile" machine will have atleast 8 hours.

One BIG issue that I have personally. Hardware designers who build stuff to run Windows quite simply have NO sense of design. The pre-production units I have seen are UGLY. Take the Origami out on a 'date' with the iPod. Let it procreate and make something sexy. Come on. You are targeting consumers... MAKE IT AN EXPERIENCE THEY WANT. That I want. That YOU want.

Look, there are TONNES of cheaper MP3 players than the iPod. So why do people buy it? The brand? Nope. Because of the experience.! Have you seen the difference in how they look and act? Gimme an iPod nano over a plain jane MP3 player any day.

I am hoping Robert does pick one up. Then the next time I am in Seattle he can show me how it works in direct sunlight.

Good 'working' bits. Hope the hardware vendors make it sexy.

My production desktop Vista Install - How my experience bombed big time

Ok, I lost faith that I will run Vista on a daily basis around here any time soon. Last weekend I thought I would cannibalize a terminal server not being used in the office, and make it one of my production desktops. I thought it met the Vista requirements, being that it had:

• Hyperthreaded Pentium4 running at 3 Ghz
  
• 2 GB ram
  
• 2 x 120GB SATA drives with a hardware RAID1 controller
  
• I expected to put my ATI Radeon 9550 video card in there, which would give me enough 'umf' the run Aero glass in Vista.
  

Lets just say it wasn't meant to be. The Feb CTP just didn't want to play nice.

First off, Vista wouldn't find the hardware RAID controller. I was thinking of going to a software RAID config anyways, and pulled it and put the SATA drives right on the motherboard. Since I cracked the case open, I thought it was time to put the video card in. One problem.. no AGP slots. Apparently this motherboard uses the newer PCI Express, which meant I was out of luck for using my ATI video card. My bad for not looking beforehard.

So I thought I would just do the install and get it going. I figured I could run out and pick up a half decent video card later.

Install went somewhat smoothly, although when it rebooted I had to hard start it. That appeared to be a bios issue on my part, but I don't recall the TS ever having to be powered on manually before. Oh well.

When Vista finally came up for the first time, I quickly realized I wasn't going to have a good night. Apparently Vista doesn't like my hardware. Plain and simple. It was SO SLOW. To be fair though, the CTP apparently is full of debug info and has a lot of monitoring stuff. It is a beta afterall. And I am sure hardware support will be more forthcoming as release date comes near. But thats less than a year away. And this hardware is like a year old. And Vista had a hard time figuring out how to use it. HAL... WAKE UP!

My motherboard is a Gigabyte 8I915G-MF. It's one of those boards that has integrated LAN/Audio/Video. Well, Vista doesn't recognize the audio or the LAN. Kind of a useless machine for me if I can't get network access or listen to tunes. I scoured Google and Gigabyte's website looking for some beta Vista drivers, to no avail. I tried the Windows Server 2003 drivers. Nope. I tried the XP drivers. Nope. I went to report in the Windows beta newsgroup, only to realize I never activated my account to allow posting. So I activated it and was promptly told I have to wait till the next day before posting. I decided to call it a night.

I haven't had a chance yet to post to the private newsgroup, which I will have to do one of these nights. But as it stands now, I have a large brick of Vista bits sitting in the corner. I was so looking forward to trying to run Vista on a daily basis, but its just not in the cards. Not sure if I should fight through getting it running, or repave it and put something else on it. Who knows. Maybe some DDK god will poke the Gigabyte devs and get them to throw out some beta drivers. *sigh*

Input Validation Bug in ASP.NET

So I found an interesting condition today in ASP.NET while doing some code in VS.NET 2003. If you use a RegularExpressionValidator on a web form it will NOT be called if the field is left blank. In other words, even though you apply regular expression input validation on a control, it won't actually be executed if the field is blank.

To me, this is a bug. If I add a regex of "^\d{1,2}$" (which means the field must have a MINIMUM of 1 digit and a MAXIMUM of 2 digits), it should be honored. In ASP.NET, that is apparently not the case. The fix is to add a second validator BEFORE it, using the RequiredFieldValidator. The fix looks something like:

<asp:RequiredFieldValidator id="ControlBlankValidator" runat="server" 

   ErrorMessage="Must enter a number between 0 and 99." InitialValue="" Display="Dynamic" 

   ControlToValidate="SomeControl">Must enter a number.</asp:RequiredFieldValidator>

<asp:RegularExpressionValidator id="ControlInputValidator" runat="server" 

   ErrorMessage="Invalid number. Must be between 0 and 99." 

   InitialValue="" Display="Dynamic" ControlToValidate="SomeControl" 

   ValidationExpression="^\d{1,2}$">Invalid number</asp:RegularExpressionValidator>

So if you are trying to be a good net-izen and are trying to validate your input with regular expressions, you need to test this edge case. There is a good chance you may not actually be catching this.

I contacted a dev security evangelist at Microsoft about this, and he confirms that this condition exists. He also tested it against VS.NET 2005, and apparently the same behaviour exists there as well. But Microsoft doesn't consider this a bug. Apparently the RegularExpressionValidator is not supposed to be tested against a null like its sister System.Text.RegularExpression. And that kind of makes sense since in a postback if there is no data it simply won't exist in the query string. After further discussion, it was brought up that if it didn't work this way, optional fields couldn't otherwise use a RegularExpressionValidator if it worked as I would expect it.

I think this needs to be documented better. If someone new to validating controls ASSUMES regex is honored in testing against a blank string, they will be sadly mistaken. You MUST validate against a NULL first with a RequiredFieldValidator.

Interesting find. Hope that's useful to someone out there.

Default ACLs on Windows Event Logs

Note to self: Eric has a good post about the default ACLs on the Windows event log, as taken directly from the source code.

Included is the Windows Server 2003 defaults, including the equivalent SDDL. Useful information to compare to my hardening code for SBS.