Archive

Archive for November, 2009

How Certificates Are Created

November 9th, 2009 Comments off

The following text is a simple copy/paste from the TechNet article How Certificates Work (section How Certificates are Created). Why am I posting this information to the blog? Quite simple: I recognize that it is often overlooked that the key pair generation is always the very first step of a certificate creation.

Certificates are issued by a CA, which can be any trusted service or entity willing to verify and validate the identities of those to whom it issues certificates and their association with specific keys. Companies might issue certificates to employees, schools might issue certificates to students, and so on. Of course, a CA’s public key must be trustworthy or the certificates it issues will not be trusted. Because anyone can become a CA, certificates are only as trustworthy as the authority that issues the underlying keys.

The following six steps describe the process of requesting and issuing a certificate.

  1. Generate a key pair – The applicant generates a public and private key pair or is assigned a key pair by some authority in his or her organization. (at a command-line, this part is covered by any certreq –new command)
  2. Collect required information – The applicant collects whatever information the CA requires to issue a certificate. The information could include the applicant’s e-mail address, birth certificate, fingerprints, notarized documents — whatever the CA needs to be certain that the applicant is who he or she claims to be. CAs with stringent identification requirements produce certificates with high assurance — that is, their certificates generate a high level of confidence. CAs themselves are said to be of high, medium, or low assurance (at a command-line, this part is covered by any certreq –new command).
  3. Request the certificate – The applicant sends a certificate request, consisting of his or her public key and the additional required information, to the CA. The certificate request, which is signed with the client’s public key, can also be encrypted by using the CA’s public key. Many requests are made by using e-mail, but requests can also be sent by postal or courier service — for example, when the certificate request itself must be notarized. (at a command-line, this is done with certreq –submit)
  4. Verify the information – The CA applies whatever policy rules it requires to verify that the applicant should receive a certificate. As with identification requirements, a CA’s verification policy and procedures influence the amount of confidence generated by the certificates it issues.
  5. Create the certificate – The CA creates and signs a digital document containing the applicant’s public key and other appropriate information. The signature of the CA authenticates the binding of the subject’s name to the subject’s public key. The signed document is the certificate.
  6. Send or post the certificate – The CA sends the certificate to the applicant or posts the certificate in a directory, as appropriate (at a command-line, this is done with certreq –accept)

Categories: Uncategorized Tags:

Certificate Revocation Checking Whitepaper

November 7th, 2009 Comments off

A whitepaper on Certificate Revocation Checking in Windows Vista and Windows Server 2008 has been publshed on Technet here – http://technet.microsoft.com/en-us/library/ee619730(WS.10).aspx


Topics in this whitepaper include:


·         What’s new in Windows Vista and Windows Server 2008 revocation checking


·         How revocation checking works


·         How pre-fetching revocation information improves performance


·         Support for independent OCSP signer and custom OCSP URLs


·         Recommendations for optimizing the revocation experience


·         Managing OCSP Settings with Group Policy


 


You can also download a copy of the paper here – http://go.microsoft.com/fwlink/?LinkId=145008 


The content also applies to Windows 7 and Windows Server 2008 R2.


 


Please let me know if you have questions/feedback: ymehta@microsoft.com


 

Categories: certificates, CRL, OCSP, revocation, whitepaper Tags:

Windows 7 Vulnerability Claims

November 7th, 2009 No comments

Now that Windows 7 is available, a recent blog by Chester Wisnieski (who works at security vendor Sophos), entitled Windows 7 vulnerable to 8 out of 10 viruses, which has stirred some interest.

Here’s a quick summary for those who missed Chester’s blog. During a test SophosLabs conducted, they subjected Windows 7 to “10 unique [malware] samples that arrived in the SophosLabs feed.” They utilized a clean install of Windows 7, using default settings (including the UAC defaults), but did not install any anti-virus software. The end result was 8 of the 10 malware samples successfully ran and the blog proclaims that “Windows 7 disappointed just like earlier versions of Windows.” Chester’s final conclusion? “You still need to run anti-virus on Windows 7.” Well, we agree: users of any computer, on any platform, should run anti-virus software, including those running Windows 7.

Clearly, the findings of this unofficial test are by no means conclusive, and several members of the press have picked apart the findings, so I don’t need to do that. I’m a firm believer that if you run unknown code on your machine, bad things can happen. This test shows just that; however, most people don’t knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, there are other defenses as well.

Let me recap some of the Windows 7 security basics. Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware. This includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP) to name just a few. The result, Windows 7 retains and refines the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released.

Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user’s PCs in the first place. One of my favorite new features is the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter was built upon the phishing protection in Internet Explorer 7 and (among other new benefits) adds protection from malware. The SmartScreen Filter will notify you when you attempt to download software that is unsafe – which the SophosLabs methodology totally bypassed in doing their test.

So while I’m not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run anti-virus software on Windows 7.  This is why we’ve made our Microsoft Security Essentials offering available for free to customers. But it’s also equally important to keep all of your software up to date through automatic updates, such as through the Windows Update service. By configuring your computers to download and install updates automatically you will help ensure that you have the highest level of protection against malware and other vulnerabilities.

Windows 7 Vulnerability Claims

November 7th, 2009 Comments off

Now that Windows 7 is available, a recent blog by Chester Wisnieski (who works at security vendor Sophos), entitled Windows 7 vulnerable to 8 out of 10 viruses, which has stirred some interest.

Here’s a quick summary for those who missed Chester’s blog. During a test SophosLabs conducted, they subjected Windows 7 to “10 unique [malware] samples that arrived in the SophosLabs feed.” They utilized a clean install of Windows 7, using default settings (including the UAC defaults), but did not install any anti-virus software. The end result was 8 of the 10 malware samples successfully ran and the blog proclaims that “Windows 7 disappointed just like earlier versions of Windows.” Chester’s final conclusion? “You still need to run anti-virus on Windows 7.” Well, we agree: users of any computer, on any platform, should run anti-virus software, including those running Windows 7.

Clearly, the findings of this unofficial test are by no means conclusive, and several members of the press have picked apart the findings, so I don’t need to do that. I’m a firm believer that if you run unknown code on your machine, bad things can happen. This test shows just that; however, most people don’t knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, there are other defenses as well.

Let me recap some of the Windows 7 security basics. Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware. This includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP) to name just a few. The result, Windows 7 retains and refines the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released.

Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user’s PCs in the first place. One of my favorite new features is the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter was built upon the phishing protection in Internet Explorer 7 and (among other new benefits) adds protection from malware. The SmartScreen Filter will notify you when you attempt to download software that is unsafe – which the SophosLabs methodology totally bypassed in doing their test.

So while I’m not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run anti-virus software on Windows 7.  This is why we’ve made our Microsoft Security Essentials offering available for free to customers. But it’s also equally important to keep all of your software up to date through automatic updates, such as through the Windows Update service. By configuring your computers to download and install updates automatically you will help ensure that you have the highest level of protection against malware and other vulnerabilities.

New Microsoft Security Intelligence Report Released

November 2nd, 2009 No comments

Volume seven of the Microsoft Security Intelligence Report (SIRv7) – part of Microsoft’s  commitment to providing an unparalleled level of security intelligence to help keep individuals and organizations better informed and to maximize security investments – was released today and there are a couple of tidbits in the report that caught my attention that I thought I would pass on. As a reminder, the SIR is published by Microsoft twice per year and looks at the data and trends observed in the first and second halves of each calendar year.

The first thing that struck me while reading through the report is that for the first time, the SIR shares some high-level security best practices from countries that have consistently exhibited low malware infection. For example, Japan, Austria and Germany’s infection rates remained relatively low during the first half of this year.

So how do these regions keep their customers and resources safe from cyber threats?  Japan’s infection rates remain relatively low is due in large part to collaborations like the Cyber Clean Center. The Cyber Clean Center is a cooperative project between ISPs, major security vendors and Japanese government agencies aimed at educating users on how to keep their PCs infection free. Austria has implemented strict IT enforcement guidelines to lower piracy rates and this, along with strong ISP relationships and fast Internet lines, has helped ensure the ecosystem is kept up to date with security patches. Germany has also leveraged collaboration efforts with its CERT and ISP communities to help identify and raise awareness of botnet infections and, in some cases, quarantine infected computers.

The other thing that stood out to me was the graph below. This graph shows the effectiveness of automatic updating and shows what happened to the trojan downloader family Win32/Renos once Microsoft released a signature update for Windows Defender via Windows Update and Microsoft Update. Within three days, enough computers had received the new signature update to reduce the error reports from 1.2 million per day to less than 100,000 per day worldwide! To me this shows how important it is for users and organizations to utilize automatic updates to help prevent the spread of malware! 

The report also underscores some of the trends that we have seen from previous versions of the report: for example, the infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP. It also tells me that the higher the service pack levels of an OS, the lower the infection rate. Once again, these items help point out that you need to keep your software up-to-date. With Windows 7 now available it might be a good time to look at upgrading your OS!

Take a look at the full report at http://www.microsoft.com/sir and use the information to help protect yourself, your networks, and your users.

New Microsoft Security Intelligence Report Released

November 2nd, 2009 Comments off

Volume seven of the Microsoft Security Intelligence Report (SIRv7) – part of Microsoft’s  commitment to providing an unparalleled level of security intelligence to help keep individuals and organizations better informed and to maximize security investments – was released today and there are a couple of tidbits in the report that caught my attention that I thought I would pass on. As a reminder, the SIR is published by Microsoft twice per year and looks at the data and trends observed in the first and second halves of each calendar year.

The first thing that struck me while reading through the report is that for the first time, the SIR shares some high-level security best practices from countries that have consistently exhibited low malware infection. For example, Japan, Austria and Germany’s infection rates remained relatively low during the first half of this year.

So how do these regions keep their customers and resources safe from cyber threats?  Japan’s infection rates remain relatively low is due in large part to collaborations like the Cyber Clean Center. The Cyber Clean Center is a cooperative project between ISPs, major security vendors and Japanese government agencies aimed at educating users on how to keep their PCs infection free. Austria has implemented strict IT enforcement guidelines to lower piracy rates and this, along with strong ISP relationships and fast Internet lines, has helped ensure the ecosystem is kept up to date with security patches. Germany has also leveraged collaboration efforts with its CERT and ISP communities to help identify and raise awareness of botnet infections and, in some cases, quarantine infected computers.

The other thing that stood out to me was the graph below. This graph shows the effectiveness of automatic updating and shows what happened to the trojan downloader family Win32/Renos once Microsoft released a signature update for Windows Defender via Windows Update and Microsoft Update. Within three days, enough computers had received the new signature update to reduce the error reports from 1.2 million per day to less than 100,000 per day worldwide! To me this shows how important it is for users and organizations to utilize automatic updates to help prevent the spread of malware! 

The report also underscores some of the trends that we have seen from previous versions of the report: for example, the infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP. It also tells me that the higher the service pack levels of an OS, the lower the infection rate. Once again, these items help point out that you need to keep your software up-to-date. With Windows 7 now available it might be a good time to look at upgrading your OS!

Take a look at the full report at http://www.microsoft.com/sir and use the information to help protect yourself, your networks, and your users.