Posts Tagged ‘Security’

EF stands for “Education First”. Founded in 1965 by entrepreneur Bertil Hult, EF is a privately-held company with 16 divisions that offer a range of educational programs from language training, educational travel, and academic degrees to cultural exchanges. With a mission to break down barriers in language, culture and geography, EF has helped people of all ages and nationalities become citizens of the world.

From Berlin to Beijing, Moscow to Mexico City, Dubai to Denver, EF operates 400 schools and offices in over 50 countries. EF’s global network includes 9,000 staff and 25,000 teachers and guides. To date, EF has helped over 15 million people to learn a new language, discover the world, or earn an academic degree.

“Education First” is more than our company name. It is our corporate passion.

EF’s mission is to break down the barriers of language, culture and geography that divide us.

The Official Website

 

About EF Bangalore

It all started with the idea that rather than outsourcing our systems development and maintenance, we could do it smarter and better ourselves – with our own people!

Just over a year and a half ago, a team of people therefore came to Bangalore, the Santa Barbara of India, interviewing hundreds and hundreds of people to find the most remarkable talent the market could offer. We started small, hiring only the best of the best, and began the journey from a very tiny temporary office.

 

As the number of highly skilled people grew, we also initiated the hunt for a bigger and more suitable workplace. After months of negotiations with landlords and architects, innumerous approval stamps, vanished construction workers and delayed furniture, we finally got everything in place and moved in to our new EF office on Cambridge Road on February 1st.

The office was built on the notion that you should feel at home, even when you are in the office; it should be a place where creativity and ideas spire, where you can feel the energy and power to achieve the impossible, and where your friends and colleagues inspire you to walk the extra mile.

We in Bangalore are very proud of our new office and would love for you to come and visit, maybe have a chai in our coffee lounge or enjoy the views from our roof terrace. And, we would of course take the opportunity to show you what we can and will achieve with technology!

Get IT right! Own IT!

Advertisements


If you have evaluated EFS in Windows 2000 and found critical features missing, it’s worth taking a second look at EFS in Windows Server 2003 and XP. The changes include the following:

  • New and more cryptographically robust encryption methods. You can now choose between DESX encryption (used by Windows 2000) and 3DES (Triple-DES), an algorithm that complies with government standards for handling of non-classified documents.
  • Offline file encryption. This feature is one of the most significant improvements in Windows Server 2003 and XP. It enables users to use a highly convenient feature, offline file storage, while retaining the ability to protect their files with encryption.
  • Encrypted file transfer over WebDAV. The Web-based Distributed Authorizing and Versioning redirector uses HTTP rather than SMB. Encrypted files are transferred in their encrypted state rather than being decrypted prior to transport as happens with SMB. Also, servers can store encrypted files using WebDAV without compromising security with Kerberos delegations.
  • More flexible group policy control. EFS can now be disabled throughout a domain with a single click of the mouse in a group policy. This contrasts with Windows 2000, which requires removing and re-importing X.509 certificates to control encryption.
  • Shared encrypted files. Users with encrypted files can assign access to other users. This enhances the use of EFS in a workgroup. Only individual users can be given access, not groups. Additional users can only be selected by users who already have access.
  • Copy warnings. Explorer now warns users when they attempt to copy or move encrypted files to an unprotected location such as a Zip drive, floppy drive, or FAT partition. New switches in COPY and XCOPY permit overriding these protections, if necessary.
  • Visual cues. The Explorer shell now shows the names of encrypted files and folders in a different color, similar to the way compressed files are displayed in Windows 2000.
  • Improved command-line administration. The CIPHER command-line utility has been updated with several new features, including the ability to generate file recovery certificates, the ability to search for encrypted files on a volume, the ability to refresh certificates for all encrypted files on a volume, and the ability to wipe all unused disk space to remove temporary files. (The wipe feature was released in Windows 2000 SP3.)
  • Security improvements. Although not strictly an EFS improvement, the handling of the crypto Master key has been changed so that it is not updated when a local user password is changed by anyone other than the user. This eliminates a serious deficiency for standalone laptops and desktops. Now a hacker cannot use utilities to change a user’s password (or the Administrator password) on a standalone machine to gain access to encrypted files.

Not every change is a welcome one, however. In Windows 2000, files cannot be encrypted without the certificate of a Data Recovery Agent (DRA). This ensures that a user cannot encrypt files and then quit the company and leave you without a means of recovering the files. In Windows Server 2003 and XP, it is possible to encrypt files without a DRA. This “feature” has potentially serious consequences because users could encrypt their files and then lose the private key, thereby losing access to the files permanently.

Problem

You want to ensure that users can only authenticate to Active Directory using strong authentication protocols.

Solution

Using a graphical user interface
  1. Open the Group Policy Management Console snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain you want to administer, and expand the Group Policy Objects container.

  3. Right-click on the GPO that controls the configuration of your domain controllers and select Edit. (By default, this is the Default Domain Controller Policy, but it may be a different GPO in your environment.) This will bring up the Group Policy Object Editor.

  4. Browse to Computer Configuration Windows Settings Security Settings Local Policies Security Options.

  5. Double-click on “Network security: LAN Manager Authentication Level.” Place a check mark next to “Define this policy setting.”

  6. Select “Send NTLMv2 responses only/refuse LM & NTLM.” Click OK.

  7. Wait for Group Policy to refresh, or type gpupdate /force from the command prompt of a Windows Server 2003 domain controller. On a Windows 2000 DC, use the secedit command with the /refreshpolicy switch.

Discussion

Microsoft operating systems have supported different flavors of LAN Manager (LM) and NT LAN Manager (NTLM) authentication since the earliest days of Windows. LM authentication is an extremely old and weak authentication protocol that should no longer be used in production environments unless absolutely necessary. By default, Windows 2000 Active Directory supported client authentication attempts using LM, NTLM, or NTLMv2; Windows Server 2003 supports only NTLM and NTLMv2 out of the box.

The strongest NTLM authentication scheme you can select is to refuse LM and NTLM authentication from any client, and to only respond to clients using NTLMv2. Depending on your client configuration, though, enabling this option may require changes on the client side as well. You can apply the same setting to a GPO linked to your Active Directory domain to ensure that all of your clients will use NTLMv2 instead of older, weaker protocols.


Problem

You want to enable or disable anonymous access to the information stored in the Active Directory database.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. Navigate to the Builtin container. Double-click on the Pre-Windows 2000 Compatible Access group.
  4. Click the Members tab.
  5. Select the Everyone group and click the Remove button. Click Yes and then OK to confirm.
  6. Select the Anonymous Logon user and click the Remove button. Click Yes and then OK to confirm.
  7. If the Authenticated Users group is not present in the group membership list, click Add to include it and then click OK.

Using a command-line interface

You have three command-line choices to modify the Pre-Windows 2000 Access security group: net localgroup, DSMod, or AdMod. net localgroup takes the following syntax:

> net localgroup ”

Pre-Windows 2000 Compatible Access” Everyone /delete

> net localgroup “Pre-Windows 2000 Compatible Access” “Anonymous Logon” /delete

> net localgroup “Pre-Windows 2000 Compatible Access” “Authenticated Users” /add

To update the group membership using DSMod so that it only includes Authenticated Users, enter the following:

> dsmod group “cn=Pre-Windows 2000 Compatible Access,cn=Builtin,

<DomainDN>” -chmbr “cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>”

To use AdMod, use the following syntax:

> admod b “cn=Pre-Windows 2000 Compatible Access,cn=Builtin,

<DomainDN>” member::”cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>”

Discussion

Anonymous access to Active Directory is controlled by membership in the Pre-Windows 2000 Compatible Access security group, located in the cn=Builtin container. This group is named like that because some legacy applications and operating systems, most notably Windows NT 4.0 RAS servers, required anonymous access to the information stored in AD in order to function properly. The default membership of this group depends on whether you selected “Permissions compatible with pre-Windows 2000 operating systems” or “Permissions compatible with only Windows 2000 and Windows 2003” when you ran dcpromo. If you selected the former, the Everyone group and the Anonymous Logon SID were added to Pre-Windows 2000 Compatible Access; if the latter, only Authenticated Users was added.

In the DSMod, AdMod, and VBScript solutions, the Authenticated Users group was specified using an SID and it resides in the ForeignSecurityPrincipals container. This is because Well-Known SIDs such as Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) are not maintained within Active Directory itself and are therefore stored in the FSP container.


Problem

You want domain controllers to reject LDAP queries from certain IP addresses. This can be useful if you want to prohibit domain controllers from responding to LDAP queries for certain applications or hosts.

Solution

Using a command-line interface

The following adds network 10.0.0.0 with mask 255.255.255.0 to the IP deny list:

> ntdsutil “ipdeny list” conn “co t s <DomainControllerName>” q

IP Deny List: Add 10.0.0.0 255.255.255.0

*[1] 10.0.0.0 GROUP MASK      255.255.255.0

NOTE: * | D – uncommitted addition | deletion

IP Deny List: Commit

[1] 10.10.10.0 GROUP MASK 255.255.255.0

NOTE: * | D – uncommitted addition | deletion

Discussion

The IP deny list is stored as an octet string in the lDAPIPDenyList attribute of a query policy.

When the IP deny list is set, domain controllers that are using the default query policy will not respond to LDAP queries from any IP address specified in the deny list address range. To test whether a certain IP address would be denied, run Test x.x.x.x (where x.x.x.x is an IP address) from the IP Deny List subcommand in ntdsutil.

By setting the IP deny list on the default query policy, you would effectively restrict the IP address range from querying any domain controller in the forest. If you need to restrict queries only for a specific domain controller, you’ll need to create a new LDAP query policy and apply it to only the domain controller in question.

Problem

You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although they were restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled by default except for querying the RootDSE.

Solution

Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services cn=Windows NT cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value 0000002.

  6. If the attribute has an existing value, make sure the seventh digit is set to 2.

  7. Click OK twice.

Problem

You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.

Solution

Using a graphical user interface
  1. Open the Control Panel on a domain controller.

  2. Open the “Add or Remove Programs” applet.

  3. Click on Add/Remove Windows Components.

  4. Check the box beside Certificate Services and click Yes to verify.

  5. Click Next.

  6. Select the type of authority you want the domain controller to be (select “Enterprise root CA” if you are unsure) and click Next.

  7. Type the common name for the CA, select a validity period, and click Next.

  8. Enter the location for certificate database and logs, and click Next.

  9. After the installation completes, click Finish.

  10. Now open the Domain Controller Security Policy GPO.

  11. Navigate to Computer Configuration Windows Settings Security Settings Public Key Policies.

  12. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  13. Click Next.

  14. Under Certificate Templates, click on Domain Controller and click Next.

  15. Click Finish.

  16. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  17. Click Next.

  18. Under Certificate Templates, click on Computer and click Next.

  19. Click Finish.

While Windows Vista may be Microsoft Corp’s most secure operating system ever, it’s far from completely secure. In its fresh-from-the-box configuration, Vista still leaves a chance for your personal data to leak out to the Web through Windows Firewall or for some wicked bot to tweak your browser settings without your knowledge.

But by making a few judicious changes using the security tools within Windows Vista — and in some cases by adding a few pieces of free software –you can lock down your operating system like a pro.

1. Use Windows Security Centre as a starting point

For a quick overview of your security settings, the Windows Security Center is where you’ll find the status of your system firewall, auto update, malware protection and other security settings. Click Start, Control Panel, SecurityCenter, or you can simply click the shield icon in the task tray. If you see any red or yellow, you are not fully protected.

For example, if you have not yet installed an antivirus product on your machine, or if your current antivirus product is out of date, the malware section of the Security Center should be yellow. Windows does not offer a built-in antivirus utility, so you’ll want to install your own. For free antivirus,

I recommend Avast 4.8 Home Edition.

2. Use Windows Defender as a diagnostic tool

The malware section of Windows Vista also protects against spyware using Windows Defender. The antispyware protection in your antivirus program usually trumps the protection Microsoft provides, but there are several good reasons to keep Windows Defender enabled. One is that every antispyware program uses a different definition of what is and is not spyware, so redundant protection can actually offer some benefit.

Another reason to keep Windows Defender enabled: diagnostics. Click Tools, and choose Software Explorer from the resulting pane. You can display lists of applications from several categories such as Currently Running Programs, Network Connected Programs and Winsock Service Providers, but Start-u

p Programs is perhaps the most useful. Click on any name in the left window, and full details will appear in the right pane. By highlighting, you can remove, disable or enable any of the programs listed.

3. Disable the start-up menu

Windows Vista keeps track of all the documents and programs you launch in the start-up menu. This can be convenient for some users, but it can also compromise your privacy if you share a computer within an office or household. Fortunately, Windows Vista provides an easy way to tweak this setting

. To protect your privacy, follow these steps:

* Right-click on the task bar and select “Properties.”

* Click on the Start Menu tab.

* Uncheck “Store and display a list of recently opened files.”

* Uncheck “Store and display a list of recently opened programs.”

* Click “OK.”

4. Get two-way firewall protection

No desktop should be without a personal firewall, but even if the Security Center says you’re protected, you may not be. The Windows Firewall within Vista blocks all incoming traffic that might be malicious or suspicious — and that’s good. But outbound protection is not enabled by default. That’s a dangerous situation if some new malicious software finds its way onto your PC.

Microsoft did include the tools for Windows Vista to have a true two-way firewall, but finding the setting is a little complicated. (Hint: Don’t go looking the Windows Firewall settings dialog box.

To get two-way firewall protection in Windows Vista, do the following:

* Click on the Start button; in the search space, type “wf.msc” and press Enter.

* Click on the Windows Firewall with Advanced Security icon. This management interface displays the inbound and outbound rules.

* Click on Windows Firewalls Properties. You should now see a dialog box with several tabs.

* For each profile — Domain, Private and Public — change the setting to

Block, and then click OK.

Even if you do this tweak, I recommend adding a more robust third-party firewall. I suggest either Comodo Firewall Pro or ZoneAlarm, both of which are free and fare very well in independent firewall testing.

5. Lock out unwanted guests

If you share your computer with others — and even if you don’t – Windows Vista includes a neat way to keep unwanted guests from guessing your systems administrator password. When you set up users and declare one user as administrator with full privileges, Windows Vista allows an outsider unlimited guesses at the password you chose. Here’s how to limit the guesses.

* Click Start, then type “Local Security Policy.”

* Click Account Lockout Policy.

* Choose Account Lockout Threshold.

* At the prompt, enter the number of invalid log-ins you’ll accept (say, three).

* Click OK and close.

6. Now audit your attackers

With the Account Lockout policy in place, you can now enable auditing to see any account attacks. To turn on auditing for failed log-on events, do the following:

* Click the Start button, type “secpol.msc,” and click the secpol icon.

* Click on Local Policies and then Audit Policy.

* Right-click on “Audit account log-on events policy,” and select Properties.

* Check the Failure box, and click OK.

* Right-click on “Audit log-on events policy” and select Properties.

* Check the Failure box and click OK.

* Close the Local Security Policy window.

You can then use the Event Viewer (by running eventvwr.msc) to view the logs under Windows Logs and Security.

7. Secure your Internet Explorer settings

The Windows Security Center will also report whether your Internet Explorer 7(or IE 8) security settings are at their recommended levels. If the screen shows this section as red, you can adjust the settings within the browser itself.

* Within Internet Explorer, click Tools in the menu bar.

* From the drop-down menu, click Internet Options.

* Choose the Security tab.

* Within the Security tab, click Custom Level.

Here you’ll see a window with all the security options for the browser. If any are below the recommended level (if, say, some malware reconfigured your browser settings), these options will be highlighted in red.

To change an individual setting, click the appropriate radio button. To reset them all, use the button near the bottom of the tab. You can also change the overall security setting for Internet Explorer from the default Medium-High setting to the recommended High or Medium, if you wish. Click OK to save and close.

8. Use OpenDNS Domain Name System (DNS) servers act as a phone book. When you type “pcworld.com” in the address bar, for instance, your browser sends that common

-name request to your Internet service provider’s DNS servers to be converted into a series of numbers, or an IP address.

Lately, DNS servers have come under attack, with criminals seeking to redirect common DNS preferences to servers that they control. One way to stop such abuse is to use OpenDNS.

Go to Start, Control Panel, Network and Internet, and then click Network and Sharing Center. Under the tasks listed on the left, click Manage Network Connections. In the Manage Network Connections window, do the following:

* Right-click on the icon representing your network card.

* Click Properties.

* Click Internet Protocol Version 4.

* Click the Properties button.

* Select the Use the following DNS server addresses radio button.

* Type in a primary address of 208.67.222.222.

* Type in a secondary address of 208.67.220.220.

* Click OK.

9. Live with User Account Control

One area where some people might want to see the Windows Security Center turn red is User Account Control (UAC), perhaps the most controversial security feature within Windows Vista. Designed to keep rogue remote software from automatically installing (among other things), UAC has a tendency to thwart legitimate software installations by interrupting the process several times with useless messages.

In Windows 7, you’ll be able to set UAC to the level you want. Until then, you do have some options. One is to disable UAC. I would caution against that, since UAC is meant to warn you of potential danger.

Instead, install TweakUAC, a free utility that enables you to turn UAC on or off as well as provides an intermediate “quiet” mode that keeps UAC on but suppresses administration-elevation prompts. With TweakUAC in quiet mode, UAC will appear to be off to those running as administrator accounts, while people with standard user accounts will still be prompted.

10. Check your work

Now that you’ve tweaked Windows Vista, you can keep tabs on your system’s security with the System Health Report. This diagnostic tool takes input from the Performance and Reliability Monitor and turns it into an information-packed report that can spotlight potential security problems.

* Open Control Panel.

* Click System.

* In the Tasks list, click Performance (near the bottom).

* In the resulting Tasks list, click Advanced tools (near the top).

* Click the last item on the resulting list — “Generate a system health report.”

The report will list any missing drivers that might be causing error codes, tell you whether your antivirus protection is installed and declare whether UAC is turned on. You may want to run this report once a month just to make sure everything is still good.

Bootvis Application

*******************

The program was designed by Microsoft to enable Windows XP to cold boot in 30 seconds, return from hibernation in 20 seconds, and return from standby in 10 seconds. Bootvis has two extremely useful features. First, it can be used to optimize the boot process on your computer automatically. Second, it can be used to analyze the boot process for specific subsystems that are having difficulty loading. The first process specifically targets the prefetching subsystem, as well as the layout of boot files on the disk. When both of these systems are optimized, it can result in a significant reduction in the time it takes for the computer to boot.

Before attempting to use Bootvis to analyze or optimize the boot performance of your system, make sure that the task scheduler service has been enabled – the program requires the service to run properly. Also, close all open programs as well – using the software requires a reboot.

To use the software to optimize your system startup, first start with a full analysis of a fresh boot. Start Bootvis, go to the Tools menu, and select next boot. Set the Trace Repetition Settings to 2 repetitions, Start at 1, and Reboot automatically. Then set the trace into motion. The system will fully reboot twice, and then reopen bootvis and open the second trace file (should have _2 in the name). Analyze the graphs and make any changes that you think are necessary (this is a great tool for determining which startup programs you want to kill using msconfig). Once you have made your optimizations go to the Trace menu, and select the Optimize System item. This will cause the system to reboot and will then make some changes to the file structure on the hard drive (this includes a defragmentation of boot files and a shifting of their location to the fastest portion of the hard disk, as well as some other optimizations). After this is done, once again run a Trace analysis as above, except change the starting number to 3. Once the system has rebooted both times, compare the charts from the second trace to the charts for the fourth trace to show you the time improvement of the system’s boot up.

The standard defragmenter included with Windows XP will not undo the boot optimizations performed by this application.

Optimizing Startup Programs [msconfig]

**************************************

MSConfig, similar to the application included in Win9x of the same name, allows the user to fine tune the applications that are launched at startup without forcing the user to delve deep into the registry. To disable some of the applications launched, load msconfig.exe from the run command line, and go to the Startup tab. From there, un-ticking the checkbox next to a startup item will stop it from launching. There are a few application that you will never want to disable (ctfmon comes to mind), but for the most part the best settings vary greatly from system to system.

As a good rule of thumb, though, it is unlikely that you will want to disable anything in the Windows directory (unless it’s a third-party program that was incorrectly installed into the Windows directory), nor will you want to disable anything directly relating to your system hardware. The only exception to this is when you are dealing with software, which does not give you any added benefits (some OEM dealers load your system up with software you do not need). The nice part of msconfig is that it does not delete any of the settings, it simply disables them, and so you can go back and restart a startup application if you find that you need it. This optimization won’t take effect until after a reboot.