Archive for April, 2015

MS15-032 – Critical: Cumulative Security Update for Internet Explorer (3038314) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (April 30, 2015): Updated bulletin to inform customers running Internet Explorer on Windows Server 2003 Service Pack 2 that the 3038314 update on the Microsoft Download Center was updated on April 22, 2015. Microsoft recommends that customers who installed the 3038314 update prior to April 22 should reinstall the update to be fully protected from the vulnerabilities discussed in this bulletin.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


MS15-035 – Critical: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (3046306) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (April 29, 2015): Bulletin revised to correct update replacement entries for all affected software. This is an informational change only.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.


Entity Framework and Visual Studio 2015 RC

April 29th, 2015

Today Soma announced the Release Candidate of Visual Studio 2015. Our team is concurrently working on EF6.x and EF7 versions of our product and both of them make an appearance in this release.

 


Entity Framework 6.1.3

EF6.1.3 is the latest stable version of Entity Framework and is the recommended version for production applications. EF6.1.3 is a patch release containing fixes for high priority issues that were reported on EF6.1.2.

Visual Studio 2015 RC includes the RTM version of Entity Framework 6.1.3 runtime and tooling.

  • The runtime will be installed if you create a new model using the Entity Framework Tools in a project that does not already have the EF runtime installed.
  • The runtime is pre-installed in new ASP.NET projects, depending on the project template you select.
  • The EF6.1.3 Tools for Visual Studio 2015 are included to make sure you get the latest bug fixes and improvements.

You can read more about the specific fixes included in EF6.1.3 in our recent announcement post.

 


Entity Framework 7 Beta 4

EF7 will be the next major release of Entity Framework and it is currently in pre-release.

 

Still very much a preview

EF7 introduces some significant changes and improvements over EF6.x and therefore the pre-release phase of EF7 is much longer than other recent releases. We’ve made significant progress since our last pre-release, but if you decide to try out EF7 then please bear in mind that this preview is designed to give you an idea of what the experience will be like and there are still a number of limitations and missing features that will be addressed before RTM.

If you aren’t comfortable working with a prerelease that is still very much in-flux then don’t worry… there will be plenty of opportunity to try out pre-release EF7 once it is much more stable.

 

Where can I use Beta 4?

Beta 4 can be used in the following types of applications

  • ASP.NET 5 applications that target either full .NET or the new .NET Core. EF7 is included in new ASP.NET 5 applications that are created using the “Web Site” project template. The following resources will help you get started using EF7 in ASP.NET 5:
  • WPF, WinForms, Console and ASP.NET 4 applications that target .NET 4.5.1 or later. We only recommend this for trying out EF7 in sample applications. If you are writing a production application then you should continue to use EF6.x. We do not recommend attempting to upgrade an EF6.x application to EF7 at this stage as there are still key features yet to be implemented on EF7 (such as inheritance support which is currently being implemented).
  • Mac and Linux applications targeting Mono 3.12.1 or later can make use of EF7. We have not done extensive testing of this scenario, but basic query and save functionality works.

 

What databases can I target with Beta 4?

Currently you can target SQL Server or our in-memory store (designed to help with testing). These providers are available in the EntityFramework.SqlServer and EntityFramework.InMemory NuGet packages.

We are working on other providers that will be available for the next prerelease (more on that below).

 

What’s implemented in Beta 4?

Here is a rough guide to what currently works in Beta 4. Most of these features are a work-in-progress and still have limitations.

  • Basic modeling including built-in conventions, table/column mapping, and relationships
  • Change tracking
  • LINQ queries
  • Table based Insert/Update/Delete (including batching)
  • Migrations and database creation/deletion
  • Transactions (including automatic transactions during SaveChanges and explicit transaction APIs)
  • Identity and Sequence patterns for database generated key values
  • Raw SQL commands
  • An early preview of reverse engineering a model from a database
  • Logging
  • Unique constraints including the ability to use them as keys in a relationship

 

What’s Next

Here are some of the areas we are currently working on (or working with other development teams to deliver). You can see many of these features already underway in our working code base.

Providers

There is work underway to enable the following database providers. We’ve also had contact with many other providers who are planning to provide EF7 support.

  • SQLite (being developed by the EF team)
  • PostgreSql (being developed by the npgsql team)
  • MySql (being developed by the MySql team)

Platforms

We are working to enable EF7 use on the following platforms:

  • Windows 10 Universal Application Platform
  • Cross-platform .NET for Mac and Linux
  • Android and iOS Mono frameworks

Features

Here are a number of the cross-cutting features we are currently working on. This isn’t all we will be doing for RTM, just what’s currently underway.

  • Inheritance
  • Cascade delete
  • Template-based reverse engineering from a database

Categories: Announcement, Entity Framework

Cleaning up misleading advertisements

April 29th, 2015

The Microsoft Malware Protection Center is committed to protecting our customers and their Windows experience. We use our evaluation criteria to determine whether a program should be detected by our security products. As the software ecosystem evolves, so do our evaluation criteria.

We are currently updating our evaluation criteria to address new technology changes, industry trends, customer feedback, and our desire to help better protect our customers. We are working with the industry and our partners to understand and implement these changes.

One of these changes will enable our systems to better detect misleading advertising. There has been a recent increase in the number of online advertisements that are intentionally misleading in nature. We’ve found that these types of advertisements often try to convince a user to do something, the consequences of which they may not fully understand, such as visiting an infected website or downloading a program that can negatively impact their browsing experience.

We will enforce our updated evaluation criteria from June 1, 2015.

Changes to our unwanted software evaluation criteria

We are including the following updates to our objective criteria:

Advertisements: The advertisement should not mislead you into visiting another site or downloading files.

Advertisements shown to a user:

  • Must not mislead or deceive, or confuse with the intent to mislead or deceive
  • Must be distinguishable from website content
  • Must not contain malicious code
  • Must not invoke a file download

Misleading advertisements

Misleading content

The following examples show some of the advertising types that are considered misleading according to our updated evaluation criteria:

Figure 1: Examples of misleading advertising

Misleading downloads

Another example of a misleading advertisement is one that prompts a download as soon as it is clicked. This takes control of the browsing experience away from the user. The expected behavior is that a program is downloaded from a product landing page, not directly from an advertisement.

Indistinguishable content

Advertisements that make it difficult to tell whether a user is looking at website or advertisement content will also be detected as misleading. In many cases these ads are created so that a user doesn’t realize that they are looking at an advertisement.

Malicious code

Advertisements that include malicious or exploit code are already detected; our updated evaluation criteria now state this explicitly. Such behavior is not tolerated.

Enforcing our criteria

When SmartScreen Filter is turned on, Internet Explorer will notify you about sites that contain an advertisement that is detected under our evaluation criteria. The warning will look like the following example:

Figure 2: SmartScreen Filter warning for a webpage with misleading advertising

For more information about how this technology works, see the SmartScreen Filter page.

Michael Johnson and Barak Shein

Addendum:

April 30, 2015: Yesterday, Microsoft announced that Microsoft Edge will be available when Windows 10 is released later this year.

Microsoft Edge will also notify you about sites that contain an advertisement that is detected within our evaluation criteria. The warning will look like the following example:

Microsoft Edge warning 


Transparency & Trust in the Cloud Series: Mountain View, California

April 28th, 2015

I was in Silicon Valley recently speaking at another Transparency & Trust in the Cloud event. Thank you very much to all the customers who made time to join us at the Microsoft campus in Mountain View, California! This was another very well attended event, with numerous large enterprise customers from the vicinity in attendance.

Like all the Transparency and Trust events prior to this one, I learned from the attendees what their expectations are for a Cloud Service Provider when it comes to security, privacy and compliance. We had several lively discussions on a range of topics. These are some of the themes that emerged during our discussions:

  • How do customers move data from existing on-premises applications into new applications in the Cloud?
  • What compliance artifacts does Microsoft provide to its Cloud customers?
  • Does Microsoft provide architectural diagrams of what its cloud services look like to its customers?
  • What process does Microsoft use for incident response in the Cloud?

My next stop on this tour is San Diego on April 14th and there are still a few other opportunities to learn more about Microsoft’s approach to building the industry’s most trustworthy Cloud. Please refer to the Transparency & Trust Series event schedule. As always, your Microsoft account team is available if you have any questions about these events.

Tim Rains
Chief Security Advisor
WW Cybersecurity & Data Protection, Microsoft

Social engineering tricks open the door to macro-malware attacks – how can we close it?

April 28th, 2015

The macro-malware-laden documents that target email users through spam are intentionally crafted to pique anyone's curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can easily be tricked into reading the email and opening the attachment without thinking twice.

The user opens the document and enables the macro, thinking that the document needs it to function properly, and so unknowingly lets the macro malware run.

Just when you think macro malware is a thing of the past, over the past few months we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen the majority of macro-malware attacks in the United States and the United Kingdom.

Figure 2: Macro downloaders’ prevalence in affected countries

 

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog post, macro downloaders serve as the gateway for other nasty malware. The following diagram shows how a typical macro downloader gets onto a system and delivers its payload.

Figure 4: Macro downloader infection chain

The macro malware arrives on the PC as a spam email attachment. The recipient falls for the social engineering lure, opens the attachment, and enables the macro inside the document.

We have identified the following macro downloader threats, among others:

When the malicious macro code runs, it either downloads its final payload directly or downloads another payload courier in the form of a binary downloader.

We have observed the following final payloads, among others:

We have also observed the following binary downloaders being related to these macros, among others:

Once the macro malware has downloaded its payload, its job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, among others:

 

Prevention: How do you close that door?

If social engineering tricks delivered through spam email open the door to macro malware attacks, what can you do to close that door and help protect your enterprise's software security infrastructure?

Be careful on enabling macros

Macro threats, as payload couriers, are gaining popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of them, see Before you enable those macros for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all, of the macro malware we have received is in the legacy binary .doc format: an OLE compound file, recognizable by the D0 CF 11 E0 signature in its first bytes, which was the default format up to Word 2003 and which Office 2007 and later versions still open.
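Because the format, not the extension, determines whether a document can carry a VBA project, a mail gateway or incident responder should classify attachments by their leading bytes. The following PowerShell script is an added example and not code from the original MMPC post: it reads the first eight bytes of each file, recognizes the OLE compound-file signature (D0 CF 11 E0 A1 B1 1A E1) and the ZIP signature that Office Open XML packages start with, looks inside ZIP packages for a vbaProject.bin entry, and flags files whose "macro-free" extension (.docx, .xlsx, .pptx) does not match their content. All sample files (invoice.doc, invoice.docx, report.docx, resume.docm) are constructed in a temporary folder by the script itself.

```powershell
# Added example (not code from the original MMPC post): triage attachments by their
# leading bytes instead of their extension, and flag the ones that can carry VBA macros.
# Every file below is constructed on the spot so the script runs offline.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeAttachmentClass {
    param([Parameter(Mandatory = $true)][string]$Path)

    # The first 8 bytes are enough for both signatures we care about.
    $header = New-Object byte[] 8
    $stream = [System.IO.File]::OpenRead($Path)
    try { $read = $stream.Read($header, 0, 8) } finally { $stream.Close() }
    $hex = (($header | Select-Object -First $read) | ForEach-Object { $_.ToString('X2') }) -join ' '

    $result = [ordered]@{ Path = $Path; Header = $hex; Format = 'unknown'; MacroCapable = $false; Note = '' }

    if ($hex -eq 'D0 CF 11 E0 A1 B1 1A E1') {
        # OLE2 compound file: the legacy binary .doc/.xls/.ppt container. A VBA project can
        # live inside it, and the header alone cannot tell you whether one does.
        $result.Format       = 'OLE compound file (legacy binary Office)'
        $result.MacroCapable = $true
        $result.Note         = 'legacy binary format, may contain VBA'
    }
    elseif ($hex.StartsWith('50 4B 03 04')) {
        # ZIP local-file header: Office Open XML (.docx/.docm/...) is a ZIP package, and a
        # macro-enabled one carries its VBA project as a separate entry.
        $result.Format = 'ZIP container (Office Open XML or other archive)'
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try { $names = @($zip.Entries | ForEach-Object { $_.FullName }) } finally { $zip.Dispose() }
        if ($names -match 'vbaProject\.bin$') {
            $result.MacroCapable = $true
            $result.Note         = 'OOXML package with vbaProject.bin (macro-enabled)'
        }
        elseif ($names -contains '[Content_Types].xml') {
            $result.Note = 'OOXML package without a VBA project'
        }
    }

    # A "macro-free" extension proves nothing: Word decides by content, so an OLE file
    # renamed to .docx still opens, and its macros still run once the user enables them.
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if (($ext -in '.docx', '.xlsx', '.pptx') -and $result.MacroCapable) {
        $result.Note += '; extension does not match content'
    }
    [pscustomobject]$result
}

# ---- constructed samples: a temp folder stands in for the gateway's quarantine ----
$sample = Join-Path ([System.IO.Path]::GetTempPath()) ('macro-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null

# Legacy binary document: OLE signature followed by zero padding (header only, for the demo).
$ole = New-Object byte[] 512
[Array]::Copy([byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1), $ole, 8)
[System.IO.File]::WriteAllBytes((Join-Path $sample 'invoice.doc'), $ole)
[System.IO.File]::WriteAllBytes((Join-Path $sample 'invoice.docx'), $ole)   # same bytes, misleading name

# Minimal OOXML-shaped packages, with and without a VBA project entry.
function New-DemoPackage([string]$Path, [bool]$WithVba) {
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $entries = @('[Content_Types].xml', 'word/document.xml')
        if ($WithVba) { $entries += 'word/vbaProject.bin' }
        foreach ($name in $entries) {
            $s = $zip.CreateEntry($name).Open()
            $bytes = [System.Text.Encoding]::ASCII.GetBytes("placeholder content for $name")
            $s.Write($bytes, 0, $bytes.Length)
            $s.Close()
        }
    } finally { $zip.Dispose() }
}
New-DemoPackage (Join-Path $sample 'report.docx') $false
New-DemoPackage (Join-Path $sample 'resume.docm') $true

Get-ChildItem -Path $sample -File | ForEach-Object { Get-OfficeAttachmentClass -Path $_.FullName } |
    Format-Table Path, Header, MacroCapable, Note -AutoSize
```

Run on the four samples, invoice.doc and invoice.docx are both reported as macro-capable OLE files (the second with the mismatch note), resume.docm is reported as a macro-enabled OOXML package, and report.docx as an OOXML package without a VBA project. The script only says whether a VBA project can be or is present; it does not decide whether the macro is malicious, which is what the security software and MAPS are for.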

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to open files saved in older Office formats:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

      Trust Center settings

                                                                  

    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block. 

Trust Center file block settings

Doing so blocks files in the selected legacy formats from opening.

You can check whether the MAPS (Microsoft Active Protection Service) feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.

System Center Endpoint Protection MAPS settings

MMPC

Setting up NDES using a Group Managed Service Account (gMSA)

April 27th, 2015

Hello everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account).

When creating a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012 R2, we decided to go for gMSA to be more secure and to get rid of monolithic service accounts that could be misused. Unfortunately it turned out that it was not as straight forward as we expected and we decided to write down the steps and publish them.

Why all the effort? NDES works like a charm when installed with default settings… The answer is short and simple: Security. NDES acts as a registration authority for a CA thereby leveraging the Simple Certificate Enrollment Protocol (SCEP). Because of the way this protocol was designed, the CA has to fully trust the NDES regarding the verification of incoming certificate requests. The result of this design is that the NDES owns an extremely powerful type of certificate (Exchange Enrollment Agent (Offline request) by default) which allows NDES to request certificates with almost any subject from the CA. Therefore, putting as much effort as possible into securing NDES absolutely makes sense.

Be aware that the whole process of securing NDES comprises a number of measures (e.g. enrolling the NDES certificates on an HSM) and that using a gMSA to run it is only one of the recommended hardening steps. Please refer to this whitepaper focusing on NDES security: http://www.microsoft.com/en-us/download/details.aspx?id=46406&WT.mc_id=Blog_Intune_General_PCIT

 

Group Managed Service Accounts

(Standalone) Managed Service Accounts were introduced in Windows Server 2008 R2. They are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators, but each of them can be used on only one server. Group Managed Service Accounts were introduced with Windows Server 2012 and provide the same functionality within the domain, but extend it to multiple servers.

From both the security and the manageability perspective, gMSAs are the preferred way to configure services wherever they are supported. For more details regarding gMSAs, please refer to https://technet.microsoft.com/en-us/library/hh831782.aspx

 

NDES Accounts

When setting up NDES you have to decide in which security context the NDES application pool should run. From the NDES wiki (see http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Permissions_Required_for_the_Network_Device_Enrollment_Service for more details) we learn that the NDES app pool account needs to fulfill the following requirements:

  • Must be a member of the local IIS_IUSRS group.
  • Must have request permission on the configured CA.
  • Must be a domain user account and have Read and Enroll permissions on the configured templates.
  • Must have SPN set in Active Directory.

All these requirements can be fulfilled by a gMSA: we simply need to configure the SCEP app pool to run in the security context of the gMSA, perform a few additional steps, and that's it. But oooops, it wasn't that simple...

 

Configuration Steps

Many of the steps below are described in more detail in the NDES wiki. We are repeating them here in a summarized way in order to provide a complete guide of all steps required. Wherever gMSA specific steps are required, we describe them in detail.

Let’s assume the following parameters for our lab environment:

  • NDES service account: NDESgMSA
  • NDES server: ADCSWeb02.fabrikam.com
  • Certification authority: CA02
  • Web Server certificate (with proper subject and/or SANs set) enrolled to the NDES server

 

Prerequisites

  • Forest prepared for gMSA usage (KDS Root Key created – https://technet.microsoft.com/en-us/library/jj128430.aspx)
  • NDES Administrator account (out of scope of this post, see NDES wiki for details)
  • NDES Device Administrator account (out of scope of this post, see NDES wiki for details)

 

Create and configure gMSA

1. Type the following command to create a new gMSA:

New-ADServiceAccount -name NDESgMSA -DNSHostName NDESgMSA.fabrikam.com -PrincipalsAllowedToRetrieveManagedPassword ADCSWEB02$

2. Then configure the gMSA on the NDES host machine:
a. To load the AD PowerShell RSAT feature, type: Add-WindowsFeature RSAT-AD-PowerShell
b. To install the gMSA on ADCSWEB02 type: Install-ADServiceAccount NDESgMSA
c. To verify if the gMSA has been configured properly, type: Test-ADServiceAccount NDESgMSA

Note: The answer has to be True; otherwise it makes no sense to continue.

3. Next, add the NDESgMSA account to the IIS_IUSRS group on the NDES host machine.
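Steps 1 to 3 above, as one script with the checks we would want before moving on. This is an added example and not code from the original PFE post. Lab assumptions: the domain is fabrikam.com (its NetBIOS name is looked up from AD), the gMSA is NDESgMSA, the NDES host is ADCSWEB02 reached as ADCSWeb02.fabrikam.com, and the SPN registered on the gMSA is HTTP/ADCSWeb02.fabrikam.com (the post only says the account must have an SPN; which one is our assumption). Part A runs on any machine with the AD RSAT and rights to create the account; part B runs locally, elevated, on the NDES host, with the same variable block at the top.

```powershell
# Added example (not code from the original PFE post): steps 1 to 3 above as one script,
# with the checks a practitioner would want before moving on. Lab assumptions: domain
# fabrikam.com (NetBIOS name looked up from AD), gMSA NDESgMSA, NDES host ADCSWEB02
# reached as ADCSWeb02.fabrikam.com, and HTTP/ADCSWeb02.fabrikam.com as the SPN to
# register on the gMSA (the post only says the account must have an SPN).
Import-Module ActiveDirectory

$Domain   = 'fabrikam.com'
$GmsaName = 'NDESgMSA'
$NdesHost = 'ADCSWEB02'
$NdesFqdn = "ADCSWeb02.$Domain"
$NetBios  = (Get-ADDomain -Identity $Domain).NetBIOSName
$SamName  = "$GmsaName`$"          # a gMSA's SAM account name ends in $, like a computer's

# --- part A: run on a machine with AD RSAT and rights to create the account -----------

# Without a KDS root key New-ADServiceAccount fails with an unhelpful error; fail fast instead.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key in the forest: run Add-KdsRootKey and let it replicate first.'
}

# 1. Create the gMSA. Only the NDES host's computer account may retrieve its password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword "$NdesHost`$" `
        -ServicePrincipalNames "HTTP/$NdesFqdn"
}

# An SPN that exists on two accounts breaks Kerberos for NDES without any obvious error,
# so verify that the gMSA is its only owner (the computer account holds HOST/, not HTTP/).
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq 'HTTP/$NdesFqdn'")
if ($owners.Count -ne 1 -or $owners[0].Name -ne $GmsaName) {
    throw "HTTP/$NdesFqdn is registered on $($owners.Count) account(s): $($owners.Name -join ', ')"
}

# --- part B: run locally on the NDES host (ADCSWEB02), elevated -----------------------

# 2. Install the account on this host and prove the host can actually fetch its password.
Add-WindowsFeature RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Test-ADServiceAccount returned False for $GmsaName on $env:COMPUTERNAME; " +
          'check PrincipalsAllowedToRetrieveManagedPassword and KDS key replication'
}

# 3. Make the gMSA a member of the local IIS_IUSRS group. 'net localgroup' is used because
#    Add-LocalGroupMember does not exist on Windows Server 2012 R2.
$member  = "$NetBios\$SamName"
$pattern = '^' + [regex]::Escape($member) + '\s*$'
if (-not ((net localgroup IIS_IUSRS) -match $pattern)) {
    net localgroup IIS_IUSRS $member /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $member to IIS_IUSRS" }
}
if (-not ((net localgroup IIS_IUSRS) -match $pattern)) { throw "$member is still not in IIS_IUSRS" }
"$member is installed on $env:COMPUTERNAME and is a member of IIS_IUSRS"
```

The two extra checks are the ones that save time in practice: a missing KDS root key and a duplicate SPN both surface much later, as Kerberos or app pool failures, rather than at the point where the mistake was made.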

 

Configure CA Security Settings and Templates

Note: we are assuming for easiness that you are going to use the default templates. We recommend using custom (version 2) templates in production as stated at http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Setting_Up_New_Templates_for_the_Service_Certificates.

1. Grant Read and Enroll permissions on Exchange Enrollment Agent (Offline Request) template to NDESAdmin.
2. Grant Read and Enroll permissions on CEP Encryption template to NDESAdmin.
3. Grant Read and Enroll permissions on IPSec (Offline Request) template to NDESgMSA and DeviceAdmin.
4. Publish all three templates on the Certification Authority.
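Steps 1 to 4 above on the command line, so the template ACLs and the published template list are repeatable and can be re-checked later. This is an added example and not code from the original PFE post. Assumptions: the three default templates' object names in AD are EnrollmentAgentOffline, CEPEncryption and IPSECIntermediateOffline (the list above uses their display names); the principals are FABRIKAM\NDESAdmin, FABRIKAM\DeviceAdmin and the gMSA FABRIKAM\NDESgMSA$; and the CA is CA02.fabrikam.com\FabrikamIssuingCA.

```powershell
# Added example (not code from the original PFE post): steps 1 to 4 above as a script.
# Assumptions: template object names EnrollmentAgentOffline, CEPEncryption and
# IPSECIntermediateOffline (display names are used in the list above), principals
# FABRIKAM\NDESAdmin, FABRIKAM\DeviceAdmin and FABRIKAM\NDESgMSA$, and the CA
# CA02.fabrikam.com\FabrikamIssuingCA.
Import-Module ActiveDirectory

$CAConfig = 'CA02.fabrikam.com\FabrikamIssuingCA'
$Grants   = @{
    # template object name     = principals that need Read and Enroll
    'EnrollmentAgentOffline'   = @('FABRIKAM\NDESAdmin')
    'CEPEncryption'            = @('FABRIKAM\NDESAdmin')
    'IPSECIntermediateOffline' = @('FABRIKAM\NDESgMSA$', 'FABRIKAM\DeviceAdmin')
}
$container = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
             (Get-ADRootDSE).configurationNamingContext

# 1-3. Read and Enroll per template. GR is generic read; CA;Enroll is the
#      Certificate-Enrollment control access right that the CA checks at request time.
foreach ($template in $Grants.Keys) {
    $dn = "CN=$template,$container"
    $null = Get-ADObject -Identity $dn         # throws if the template does not exist
    foreach ($principal in $Grants[$template]) {
        dsacls $dn /G ('{0}:GR' -f $principal) ('{0}:CA;Enroll' -f $principal) | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting $principal on $template" }
    }
}

# 4. Publish the templates on the CA, then read the list back rather than trusting the exit code.
foreach ($template in $Grants.Keys) {
    certutil -config $CAConfig -SetCATemplates "+$template" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil could not publish $template on $CAConfig" }
}
$published = certutil -config $CAConfig -CATemplates
foreach ($template in $Grants.Keys) {
    if (-not ($published -match ('^' + [regex]::Escape($template) + ':'))) {
        throw "$template is not in the CA's published template list"
    }
}
'Published on {0}: {1}' -f $CAConfig, ($Grants.Keys -join ', ')
```

Granting the gMSA Read and Enroll only on the template that SCEP clients actually get certificates from (IPSec (Offline Request) here) keeps the principle from the introduction intact: the powerful Exchange Enrollment Agent (Offline request) template is enrolled once by NDESAdmin during setup and never becomes enrollable by the service account itself.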

 

Install NDES

Unfortunately, the setup wizard does not support running the NDES application pool in the security context of a gMSA. That’s why we perform the installation with more or less the default settings and switch the identity afterwards.

  1. On the NDES host machine, add the Network Device Enrollment Service as a role service for the Certification Authority role.
  2. Once the installation has completed, click Configure Active Directory Certificate Services to continue with the configuration of NDES.
  3. On the Credentials screen, ensure that the NDES Admin account (which was created as part of the prerequisites) is selected.
  4. On the Role Service page, select Network Device Enrollment Service and click Next.
  5. On the Specify the service account page, select Use the built-in application pool identity. Click Next.
  6. On the Specify CA for Network Device Enrollment Service page, click Select. On Select Certification Authority, select the CA you are going to use with this NDES installation and click OK > Next.
  7. On the Type the requested information to enroll for an RA certificate page, click Next.
  8. On the Configure CSPs for the RA page, click Next.
  9. Finally, click Configure.

Alternatively, using the famous PowerShell:

Add-WindowsFeature Adcs-Device-Enrollment -includeManagementTools

Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -CAConfig "CA02.fabrikam.com\FabrikamIssuingCA" -RAName "Fabrikam NDES RA" -RACountry "DE" -RACompany "Fabrikam" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 2048 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 2048

 

Post-Installation IIS Configuration

  1. Open Internet Information Service (IIS) Manager.
  2. Configure a binding for https using the host name and Server Name Indication (SNI)
    Note: On Windows Server 2012, IIS supports Server Name Indication (SNI), a TLS extension that includes the virtual domain name as part of the SSL negotiation. In practice this means that the virtual domain name, or host name, can be used to identify the network end point, which allows IIS to share IP addresses among SSL websites. However, if this feature is enabled, clients that are not ready for SNI (in this case the mobile device itself or the MDM (Mobile Device Management) tool) will not be able to contact NDES. Find more details about SNI at http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
  3. Change SCEP application pool identity to the gMSA

    Note that the NDES application pool is named “SCEP application pool” in IIS.

  4. Change ISAPI Handler order:
    Note: The following steps are described in https://support.microsoft.com/en-us/kb/2800975
    If you do not configure IIS as described in the knowledge base article mentioned above, your NDES installation will work during initial testing. Later, however, you will find that the device administrator role is unable to request a challenge password at the mscep_admin site (unless it is added to the Enterprise Administrators group).

    a. Still in IIS MMC, select the Default Web Site.
    b. Click View Applications on the Actions pane on the right side.
    c. Double-click Handler Mappings on the middle pane.
    d. On the Actions pane, click View Ordered List…
    e. On the Details pane in the middle, select ExtensionlessUrlHandler-ISAPI-4.0_64bit and click Move Down. Click Yes to move it below the StaticFile item.

    f. Repeat steps a to e for the /Certsrv/mscep_admin application.
    g. Restart IIS by typing iisreset on an elevated command prompt.

  5. Configure permissions on private keys
    Note: again, for simplicity we assume that you are going to use the default templates. If you followed our recommendation and prepared custom templates instead, you can skip this step.
    During the initial configuration of NDES, two certificates were requested in the security context of the NDES Admin (account used to install NDES role service) and permissions on the corresponding keys were configured for the built-in app pool identity. However, we need to configure permissions to the keys for the gMSA:

    a. Open local computer certificate store (certlm.msc) on the NDES machine
    b. Right-click the CEP Encryption certificate, select All Tasks > Manage Private Keys
    c. Add the NDESgMSA account and add the Read permission.
    d. Repeat the steps a – c for the Exchange Enrollment Agent (Offline) certificate.
    e. Restart IIS by typing iisreset on an elevated command prompt.
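Steps 3 to 5 of the post-installation configuration as one script, as an added example that is not part of the original post. It is run from an elevated PowerShell prompt on the NDES host after the role is installed. Assumptions of this example: the NetBIOS domain is FABRIKAM, the application pool is named SCEP (IIS Manager labels it “SCEP application pool”), and the RA keys were created with a CSP (the install above used the Microsoft Strong Cryptographic Provider), so the key files live under MachineKeys.

```powershell
# Added example (not from the original post): switch the SCEP pool to the gMSA, verify the
# KB2800975 handler order and grant the gMSA Read on the RA private keys.
# Assumptions: NetBIOS domain FABRIKAM, pool name 'SCEP', CSP-held keys in MachineKeys.
Import-Module WebAdministration

$gmsa     = 'FABRIKAM\NDESgMSA$'   # gMSA principals are always referenced with a trailing $
$poolName = 'SCEP'

# Step 3: run the pool as the gMSA. SpecificUser with an empty password makes IIS obtain the
# managed password from AD, so nothing secret is written to applicationHost.config.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.userName     -Value $gmsa
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.password     -Value ''

# Step 4 check: ExtensionlessUrlHandler-ISAPI-4.0_64bit must be ordered after StaticFile in
# both NDES applications, otherwise mscep_admin cannot hand out challenge passwords to the
# device administrator. The function returns $true when the order is already correct.
function Test-NdesHandlerOrder {
    param([string]$AppPath)
    $names  = @(Get-WebConfiguration -Filter 'system.webServer/handlers/add' -PSPath $AppPath |
                ForEach-Object { $_.name })
    $ext    = [array]::IndexOf($names, 'ExtensionlessUrlHandler-ISAPI-4.0_64bit')
    $static = [array]::IndexOf($names, 'StaticFile')
    return ($ext -ge 0 -and $static -ge 0 -and $ext -gt $static)
}
foreach ($app in 'IIS:\Sites\Default Web Site\CertSrv\mscep',
                 'IIS:\Sites\Default Web Site\CertSrv\mscep_admin') {
    if (-not (Test-NdesHandlerOrder -AppPath $app)) {
        Write-Warning "Handler order in $app still needs the KB2800975 fix (Move Down in IIS Manager)."
    }
}

# Step 5: Read on the private keys of the two RA certificates. Both the CEP Encryption and
# the Exchange Enrollment Agent (Offline) certificates carry the Certificate Request Agent
# EKU (1.3.6.1.4.1.311.20.2.1); the Web Server certificate does not, so it is left alone.
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$raCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.20.2.1' })
}
foreach ($cert in $raCerts) {
    # CSP keys are plain files named after the key container; only Read is needed by the pool.
    $keyFile = Join-Path $keyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $acl     = Get-Acl -Path $keyFile
    $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule($gmsa, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the key of '$($cert.Subject)' to $gmsa"
}

# Recycle IIS so the pool picks up the new identity and key permissions.
iisreset
```

If the RA keys were enrolled to an HSM or a KSP instead of a CSP, the MachineKeys part does not apply; in that case the key permissions are set in the provider’s own tooling, while the pool identity and handler order checks stay the same.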

    Additional Comments

    Starting with Windows Server 2012 R2, NDES supports policy module integration, which can provide additional security for SCEP. This enhancement lets an organization or mobile device management solution address the issue described in CERT Vulnerability Note VU#971035 “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests.” See http://www.kb.cert.org/vuls/id/971035 for more details on this vulnerability.

    Find more details about the NDES Policy Module support at https://technet.microsoft.com/en-us/library/dn473016.aspx

     

     

     

Categories: Uncategorized Tags:

Setting up NDES using a Group Managed Service Account (gMSA)

April 27th, 2015 No comments

Setting up NDES using a Group Managed Service Account (gMSA)

Hello everybody, this is Andy and Dagmar from Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account).

When creating a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012 R2, we decided to go for a gMSA to be more secure and to get rid of monolithic service accounts that could be misused. Unfortunately, it turned out not to be as straightforward as we expected, so we decided to write down the steps and publish them.

Why all the effort? NDES works like a charm when installed with default settings… The answer is short and simple: Security. NDES acts as a registration authority for a CA thereby leveraging the Simple Certificate Enrollment Protocol (SCEP). Because of the way this protocol was designed, the CA has to fully trust the NDES regarding the verification of incoming certificate requests. The result of this design is that the NDES owns an extremely powerful type of certificate (Exchange Enrollment Agent (Offline request) by default) which allows NDES to request certificates with almost any subject from the CA. Therefore, putting as much effort as possible into securing NDES absolutely makes sense.

Be aware that the whole process of securing NDES should comprise several measures (e.g. enrolling the NDES certificates to an HSM) and that using a gMSA to run it is only one of the recommended hardening steps.

 

Group Managed Service Accounts

(Standalone) Managed Service Accounts were introduced in Windows Server 2008 R2 and are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators but limited to only one server. Group Managed Service accounts were introduced with Windows Server 2012 and provide the same functionality within the domain but also extend their availability to multiple servers.

From the security as well as from the manageability perspective, gMSA are the preferred way to configure services wherever it is supported to use them. For more details regarding gMSA, please refer to https://technet.microsoft.com/en-us/library/hh831782.aspx

 

NDES Accounts

When setting up NDES you have to decide in which security context the NDES application pool should run. From the NDES wiki (see http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Permissions_Required_for_the_Network_Device_Enrollment_Service for more details) we learn that the NDES app pool account needs to fulfill the following requirements:

  • Must be a member of the local IIS_IUSRS group.
  • Must have request permission on the configured CA.
  • Must be a domain user account and have Read and Enroll permissions on the configured templates.
  • Must have SPN set in Active Directory.

All these requirements can be fulfilled by a gMSA: we simply need to configure the SCEP app pool to run in the security context of the gMSA, perform some additional steps, and that’s it. But oops, it wasn’t that simple…

 

Configuration Steps

Many of the steps below are described in more detail in the NDES wiki. We are repeating them here in a summarized way in order to provide a complete guide of all steps required. Wherever gMSA specific steps are required, we describe them in detail.

Let’s assume the following parameters for our lab environment:

  • NDES service account: NDESgMSA
  • NDES server: ADCSWeb02.fabrikam.com
  • Certification authority: CA02
  • Web Server certificate (with proper subject and/or SANs set) enrolled to the NDES server

 

Prerequisites

  • Forest prepared for gMSA usage (KDS Root Key created – https://technet.microsoft.com/en-us/library/jj128430.aspx)
  • NDES Administrator account (out of scope of this post, see NDES wiki for details)
  • NDES Device Administrator account (out of scope of this post, see NDES wiki for details)

 

Create and configure gMSA

1. Type the following command to create a new gMSA:

New-ADServiceAccount -name NDESgMSA -DNSHostName NDESgMSA.fabrikam.com -PrincipalsAllowedToRetrieveManagedPassword ADCSWEB02$

2. Then configure the gMSA on the NDES host machine:
a. To load the AD PowerShell RSAT feature, type: Add-WindowsFeature RSAT-AD-PowerShell
b. To install the gMSA on ADCSWEB02 type: Install-ADServiceAccount NDESgMSA
c. To verify if the gMSA has been configured properly, type: Test-ADServiceAccount NDESgMSA

Note: The command must return True; otherwise it makes no sense to continue.

3. Next, add the NDESgMSA account to the IIS_IUSRS group on the NDES host machine.

 

Configure CA Security Settings and Templates

Note: for simplicity we assume that you are going to use the default templates. We recommend using custom (version 2) templates in production as stated at http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Setting_Up_New_Templates_for_the_Service_Certificates.

1. Grant Read and Enroll permissions on Exchange Enrollment Agent (Offline Request) template to NDESAdmin.
2. Grant Read and Enroll permissions on CEP Encryption template to NDESAdmin.
3. Grant Read and Enroll permissions on IPSec (Offline Request) template to NDESgMSA and DeviceAdmin.
4. Publish all three templates on the Certification Authority.

 

Install NDES

Unfortunately, the setup wizard does not support running the NDES application pool in the security context of a gMSA. That’s why we perform the installation with more or less the default settings and switch the identity afterwards.

  1. On the NDES host machine, add the Network Device Enrollment Service as a role service for the Certification Authority role.
  2. Once the installation has completed, click Configure Active Directory Certificate Services to continue with the configuration of NDES.
  3. On the Credentials screen, ensure that the NDES Admin account (which was created as part of the prerequisites) is selected.
  4. On the Role Service page, select Network Device Enrollment Service and click Next.
  5. On the Specify the service account page, select Use the built-in application pool identity. Click Next.
  6. On the Specify CA for Network Device Enrollment Service page, click Select. On Select Certification Authority, select the CA you are going to use with this NDES installation and click OK > Next.
  7. On the Type the requested information to enroll for an RA certificate page, click Next.
  8. On the Configure CSPs for the RA page, click Next.
  9. Finally, click Configure.

Alternatively, using the famous PowerShell:

Add-WindowsFeature Adcs-Device-Enrollment -includeManagementTools

Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -CAConfig "CA02.fabrikam.com\FabrikamIssuingCA" -RAName "Fabrikam NDES RA" -RACountry "DE" -RACompany "Fabrikam" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 2048 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 2048

 

Post-Installation IIS Configuration

  1. Open Internet Information Service (IIS) Manager.
  2. Configure a binding for https using the host name and Server Name Indication (SNI)
    Note: On Windows Server 2012, IIS supports Server Name Indication (SNI), a TLS extension that includes the virtual domain name as part of the SSL negotiation. In practice this means that the virtual domain name, or host name, can be used to identify the network end point, which allows IIS to share IP addresses among SSL websites. However, if this feature is enabled, clients that are not ready for SNI (in this case the mobile device itself or the MDM (Mobile Device Management) tool) will not be able to contact NDES. Find more details about SNI at http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
  3. Change SCEP application pool identity to the gMSA

    Note that the NDES application pool is named “SCEP application pool” in IIS.

  4. Change ISAPI Handler order:
    Note: The following steps are described in https://support.microsoft.com/en-us/kb/2800975
    If you do not configure IIS as described in the knowledge base article mentioned above, your NDES installation will work during initial testing. Later, however, you will find that the device administrator role is unable to request a challenge password at the mscep_admin site (unless it is added to the Enterprise Administrators group).

    a. Still in IIS MMC, select the Default Web Site.
    b. Click View Applications on the Actions pane on the right side.
    c. Double-click Handler Mappings on the middle pane.
    d. On the Actions pane, click View Ordered List…
    e. On the Details pane in the middle, select ExtensionlessUrlHandler-ISAPI-4.0_64bit and click Move Down. Click Yes to move it below the StaticFile item.

    f. Repeat steps a to e for the /Certsrv/mscep_admin application.
    g. Restart IIS by typing iisreset on an elevated command prompt.

  5. Configure permissions on private keys
    Note: again, for simplicity we assume that you are going to use the default templates. If you followed our recommendation and prepared custom templates instead, you can skip this step.
    During the initial configuration of NDES, two certificates were requested in the security context of the NDES Admin (account used to install NDES role service) and permissions on the corresponding keys were configured for the built-in app pool identity. However, we need to configure permissions to the keys for the gMSA:

    a. Open local computer certificate store (certlm.msc) on the NDES machine
    b. Right-click the CEP Encryption certificate, select All Tasks > Manage Private Keys
    c. Add the NDESgMSA account and add the Read permission.
    d. Repeat the steps a – c for the Exchange Enrollment Agent (Offline) certificate.
    e. Restart IIS by typing iisreset on an elevated command prompt.

    Additional Comments

    Starting with Windows Server 2012 R2, NDES supports policy module integration, which can provide additional security for SCEP. This enhancement lets an organization or mobile device management solution address the issue described in CERT Vulnerability Note VU#971035 “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests.” See http://www.kb.cert.org/vuls/id/971035 for more details on this vulnerability.

    Find more details about the NDES Policy Module support at https://technet.microsoft.com/en-us/library/dn473016.aspx

     

     

     

Categories: Uncategorized Tags:

Setting up NDES using a Group Managed Service Account (gMSA)

April 26th, 2015 No comments

Setting up NDES using a Group Managed Service Account (gMSA)

Hello everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account).

When creating a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012 R2, we decided to go for a gMSA to be more secure and to get rid of monolithic service accounts that could be misused. Unfortunately, it turned out not to be as straightforward as we expected, so we decided to write down the steps and publish them.

Why all the effort? NDES works like a charm when installed with default settings… The answer is short and simple: Security. NDES acts as a registration authority for a CA thereby leveraging the Simple Certificate Enrollment Protocol (SCEP). Because of the way this protocol was designed, the CA has to fully trust the NDES regarding the verification of incoming certificate requests. The result of this design is that the NDES owns an extremely powerful type of certificate (Exchange Enrollment Agent (Offline request) by default) which allows NDES to request certificates with almost any subject from the CA. Therefore, putting as much effort as possible into securing NDES absolutely makes sense.

Be aware that the whole process of securing NDES should comprise several measures (e.g. enrolling the NDES certificates to an HSM) and that using a gMSA to run it is only one of the recommended hardening steps. Please refer to this whitepaper focusing on NDES security: http://www.microsoft.com/en-us/download/details.aspx?id=46406&WT.mc_id=Blog_Intune_General_PCIT

 

Group Managed Service Accounts

(Standalone) Managed Service Accounts were introduced in Windows Server 2008 R2 and are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators but limited to only one server. Group Managed Service accounts were introduced with Windows Server 2012 and provide the same functionality within the domain but also extend their availability to multiple servers.

From the security as well as from the manageability perspective, gMSA are the preferred way to configure services wherever it is supported to use them. For more details regarding gMSA, please refer to https://technet.microsoft.com/en-us/library/hh831782.aspx

 

NDES Accounts

When setting up NDES you have to decide in which security context the NDES application pool should run. From the NDES wiki (see http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Permissions_Required_for_the_Network_Device_Enrollment_Service for more details) we learn that the NDES app pool account needs to fulfill the following requirements:

  • Must be a member of the local IIS_IUSRS group.
  • Must have request permission on the configured CA.
  • Must be a domain user account and have Read and Enroll permissions on the configured templates.
  • Must have SPN set in Active Directory.

All these requirements can be fulfilled by a gMSA: we simply need to configure the SCEP app pool to run in the security context of the gMSA, perform some additional steps, and that’s it. But oops, it wasn’t that simple…

 

Configuration Steps

Many of the steps below are described in more detail in the NDES wiki. We are repeating them here in a summarized way in order to provide a complete guide of all steps required. Wherever gMSA specific steps are required, we describe them in detail.

Let’s assume the following parameters for our lab environment:

  • NDES service account: NDESgMSA
  • NDES server: ADCSWeb02.fabrikam.com
  • Certification authority: CA02
  • Web Server certificate (with proper subject and/or SANs set) enrolled to the NDES server

 

Prerequisites

  • Forest prepared for gMSA usage (KDS Root Key created – https://technet.microsoft.com/en-us/library/jj128430.aspx)
  • NDES Administrator account (out of scope of this post, see NDES wiki for details)
  • NDES Device Administrator account (out of scope of this post, see NDES wiki for details)

 

Create and configure gMSA

1. Type the following command to create a new gMSA:

New-ADServiceAccount -name NDESgMSA -DNSHostName NDESgMSA.fabrikam.com -PrincipalsAllowedToRetrieveManagedPassword ADCSWEB02$

2. Then configure the gMSA on the NDES host machine:
a. To load the AD PowerShell RSAT feature, type: Add-WindowsFeature RSAT-AD-PowerShell
b. To install the gMSA on ADCSWEB02 type: Install-ADServiceAccount NDESgMSA
c. To verify if the gMSA has been configured properly, type: Test-ADServiceAccount NDESgMSA

Note: The command must return True; otherwise it makes no sense to continue.

3. Next, add the NDESgMSA account to the IIS_IUSRS group on the NDES host machine.

 

Configure CA Security Settings and Templates

Note: for simplicity we assume that you are going to use the default templates. We recommend using custom (version 2) templates in production as stated at http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Setting_Up_New_Templates_for_the_Service_Certificates.

1. Grant Read and Enroll permissions on Exchange Enrollment Agent (Offline Request) template to NDESAdmin.
2. Grant Read and Enroll permissions on CEP Encryption template to NDESAdmin.
3. Grant Read and Enroll permissions on IPSec (Offline Request) template to NDESgMSA and DeviceAdmin.
4. Publish all three templates on the Certification Authority.

 

Install NDES

Unfortunately, the setup wizard does not support running the NDES application pool in the security context of a gMSA. That’s why we perform the installation with more or less the default settings and switch the identity afterwards.

  1. On the NDES host machine, add the Network Device Enrollment Service as a role service for the Certification Authority role.
  2. Once the installation has completed, click Configure Active Directory Certificate Services to continue with the configuration of NDES.
  3. On the Credentials screen, ensure that the NDES Admin account (which was created as part of the prerequisites) is selected.
  4. On the Role Service page, select Network Device Enrollment Service and click Next.
  5. On the Specify the service account page, select Use the built-in application pool identity. Click Next.
  6. On the Specify CA for Network Device Enrollment Service page, click Select. On Select Certification Authority, select the CA you are going to use with this NDES installation and click OK > Next.
  7. On the Type the requested information to enroll for an RA certificate page, click Next.
  8. On the Configure CSPs for the RA page, click Next.
  9. Finally, click Configure.

Alternatively, using the famous PowerShell:

Add-WindowsFeature Adcs-Device-Enrollment -includeManagementTools

Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -CAConfig "CA02.fabrikam.com\FabrikamIssuingCA" -RAName "Fabrikam NDES RA" -RACountry "DE" -RACompany "Fabrikam" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 2048 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 2048

 

Post-Installation IIS Configuration

  1. Open Internet Information Service (IIS) Manager.
  2. Configure a binding for https using the host name and Server Name Indication (SNI)
    Note: On Windows Server 2012, IIS supports Server Name Indication (SNI), a TLS extension that includes the virtual domain name as part of the SSL negotiation. In practice this means that the virtual domain name, or host name, can be used to identify the network end point, which allows IIS to share IP addresses among SSL websites. However, if this feature is enabled, clients that are not ready for SNI (in this case the mobile device itself or the MDM (Mobile Device Management) tool) will not be able to contact NDES. Find more details about SNI at http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
  3. Change SCEP application pool identity to the gMSA

    Note that the NDES application pool is named “SCEP application pool” in IIS.

  4. Change ISAPI Handler order:
    Note: The following steps are described in https://support.microsoft.com/en-us/kb/2800975
    If you do not configure IIS as described in the knowledge base article mentioned above, your NDES installation will work during initial testing. Later, however, you will find that the device administrator role is unable to request a challenge password at the mscep_admin site (unless it is added to the Enterprise Administrators group).

    a. Still in IIS MMC, select the Default Web Site.
    b. Click View Applications on the Actions pane on the right side.
    c. Double-click Handler Mappings on the middle pane.
    d. On the Actions pane, click View Ordered List…
    e. On the Details pane in the middle, select ExtensionlessUrlHandler-ISAPI-4.0_64bit and click Move Down. Click Yes to move it below the StaticFile item.

    f. Repeat steps a to e for the /Certsrv/mscep_admin application.
    g. Restart IIS by typing iisreset on an elevated command prompt.

  5. Configure permissions on private keys
    Note: again, for simplicity we assume that you are going to use the default templates. If you followed our recommendation and prepared custom templates instead, you can skip this step.
    During the initial configuration of NDES, two certificates were requested in the security context of the NDES Admin (account used to install NDES role service) and permissions on the corresponding keys were configured for the built-in app pool identity. However, we need to configure permissions to the keys for the gMSA:

    a. Open local computer certificate store (certlm.msc) on the NDES machine
    b. Right-click the CEP Encryption certificate, select All Tasks > Manage Private Keys
    c. Add the NDESgMSA account and add the Read permission.
    d. Repeat the steps a – c for the Exchange Enrollment Agent (Offline) certificate.
    e. Restart IIS by typing iisreset on an elevated command prompt.

    Additional Comments

    Starting with Windows Server 2012 R2, NDES supports policy module integration, which can provide additional security for SCEP. This enhancement lets an organization or mobile device management solution address the issue described in CERT Vulnerability Note VU#971035 “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests.” See http://www.kb.cert.org/vuls/id/971035 for more details on this vulnerability.

    Find more details about the NDES Policy Module support at https://technet.microsoft.com/en-us/library/dn473016.aspx

     

     

     

Categories: Uncategorized Tags:

Microsoft Bounty Programs Expansion – Azure and Project Spartan

April 22nd, 2015 No comments

I am excited to announce significant expansions to the Microsoft Bounty Programs.  We are evolving the Online Services Bug Bounty, launching a new bounty for Project Spartan, and updating the Mitigation Bypass Bounty.

This continued evolution includes additions to the Online Services Bug Bounty Program:

  • Azure
    • Azure is Microsoft’s cloud platform and the backbone of Microsoft cloud services.
    • This program will include a number of Azure services, such as: Azure virtual machines, Azure Cloud Services, Azure Storage, Azure Active Directory and much more
  • Sway.com
    • Sway.com is a web application that lets users express ideas in an entirely new way across many devices and platforms
  • Raising the maximum payout for the Online Services Bounty Program
    • We will pay up to $15,000 USD for critical bugs, as always, more for more impactful and better documented bugs.

We’re also launching a new bounty related to the Windows 10 Technical Preview:

  • Project Spartan Bug Bounty
    • Microsoft’s new browser will be the onramp to the internet for millions of users when Windows 10 launches later this year.  Securing this platform is a top priority for the browser team.
    • This bounty includes Remote Code Execution and Sandbox Escapes, as well as design-level security bugs.
      • Always be sure to use the latest version released in the Windows 10 Technical Preview
    • Microsoft will pay up to $15,000 USD for security vulnerabilities reported in Project Spartan; you can see the specifics in the program terms. Don’t hesitate, as the Project Spartan Bug Bounty will run from April 22, 2015 to June 22, 2015
      • The bounties for Spartan are tiered by the criticality of the issue reported, as well as the quality of the documentation and how reproducible the issue is.

The Mitigation Bypass bounty and the Bonus bounty for Defense are both very active, paying up to $100,000 USD for novel methods to bypass active mitigations (e.g. ASLR and DEP) in our latest released version of operating system (currently Windows 8.1 and Server 2012 R2) and a bonus of up to $50,000 USD for actionable defense techniques to the reported bypass.  We have one addition to the Mitigation bypass bounty:

  • Hyper-V escape
    • Guest-to-Host
    • Guest-to-Guest
    • Guest-to-Host DoS (non-distributed, from a single guest)

These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud.  The additions to the bounty program will be part of the rigorous security programs at Microsoft.  They will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services and Security and Compliance Accreditations by third party audits.

Microsoft has a long history of working closely with security researchers.  Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work.  I can say that we truly value these contributions.  Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time.  We will be regularly managing the Microsoft Bounty Programs to help us best protect our many users.

Mark Russinovich will be sharing some information in his “Assume Breach: An Inside Look at Cloud Service Provider Security” talk.  You can also come by the Microsoft Booth at RSA on April 23, 2PM for a Bounty Program Q&A or you can always find the most up to date information about our bounty programs at https://aka.ms/BugBounty and in the associated terms and FAQs. 

I’m looking forward to seeing some great submissions!

Jason Shirk

Categories: Uncategorized Tags:

Microsoft Bounty Programs Expansion – Azure and Project Spartan

April 22nd, 2015 No comments

I am excited to announce significant expansions to the Microsoft Bounty Programs.  We are evolving the 'Online Services Bug Bounty, launching a new bounty for Project Spartan, and updating the Mitigation Bypass Bounty.

This continued evolution includes the following additions to the Online Services Bug Bounty Program:

  • Azure
    • Azure is Microsoft’s cloud platform and the backbone of Microsoft cloud services.
    • This program will include a number of Azure services, such as Azure Virtual Machines, Azure Cloud Services, Azure Storage, Azure Active Directory and much more.
  • Sway.com
    • Sway.com is a web application that lets users express ideas in an entirely new way across many devices and platforms.
  • Raising the maximum payout for the Online Services Bounty Program
    • We will pay up to $15,000 USD for critical bugs and, as always, more for more impactful and better-documented bugs.

We’re also launching a new bounty related to the Windows 10 Technical Preview:

  • Project Spartan Bug Bounty
    • Microsoft’s new browser will be the onramp to the internet for millions of users when Windows 10 launches later this year.  Securing this platform is a top priority for the browser team.
    • This bounty includes Remote Code Execution and Sandbox Escapes, as well as design-level security bugs.
      • Always be sure to use the latest version released in the Windows 10 Technical Preview
    • Microsoft will pay up to $15,000 USD for security vulnerabilities reported in Project Spartan; you can see the specifics in the program terms. Don’t hesitate, as the Project Spartan Bug Bounty will run only from April 22, 2015 to June 22, 2015.
      • The bounties for Spartan are tiered by the criticality of the issue reported, as well as the quality of the documentation and how reproducible the issue is.

The Mitigation Bypass Bounty and the Bonus Bounty for Defense are both very active, paying up to $100,000 USD for novel methods to bypass active mitigations (e.g. ASLR and DEP) in our latest released version of the operating system (currently Windows 8.1 and Server 2012 R2) and a bonus of up to $50,000 USD for actionable defense techniques for the reported bypass.  We have one addition to the Mitigation Bypass Bounty:

  • Hyper-V escape
    • Guest-to-Host
    • Guest-to-Guest
    • Guest-to-Host DoS (non-distributed, from a single guest)

These important additions to the Bounty Programs reflect the continued shift and evolution of technology towards the cloud.  The additions to the bounty program will be part of the rigorous security programs at Microsoft.  They will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services and Security and Compliance Accreditations by third party audits.

Microsoft has a long history of working closely with security researchers.  Having personally done penetration testing and exploit mitigation, I understand that this is intense and difficult work.  I can say that we truly value these contributions.  Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem and will continue to evolve over time.  We will be regularly managing the Microsoft Bounty Programs to help us best protect our many users.

Mark Russinovich will be sharing some information in his “Assume Breach: An Inside Look at Cloud Service Provider Security” talk.  You can also come by the Microsoft Booth at RSA on April 23 at 2 PM for a Bounty Program Q&A, or you can always find the most up-to-date information about our bounty programs at https://aka.ms/BugBounty and in the associated terms and FAQs.

I’m looking forward to seeing some great submissions!

Jason Shirk

Categories: Uncategorized Tags:

MS15-034 – Critical: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (April 22, 2015): Bulletin revised to correct the update replacement entries for Windows 8 and Windows Server 2012 in the Affected Software table. This is an informational change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.

Categories: Uncategorized Tags:

MS15-033 – Critical: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (April 21, 2015): Revised bulletin to announce a detection change for the 2553428 update for supported editions of Microsoft Word 2010. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 39.0

Revision Note: V39.0 (April 15, 2015): Added the 3049508 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.

Categories: Uncategorized Tags: