Modernizing Microsoft Application Access with Web Application Proxy and Azure Active Directory Application Proxy

June 30th, 2015

As bring-your-own-device (BYOD) and Internet Protocol version 6 (IPv6) adoption increase, Microsoft regards remote and mobile access as a strategic area and continues to invest heavily in it. Cloud and server solutions are an integral part of the Microsoft portfolio, and security remains central to how Microsoft designs its management tools.

On September 12, 2012, Microsoft announced that there would be no further releases of certain Forefront-branded solutions. Forefront Threat Management Gateway 2010 (TMG) was one of them. Mainstream support for Forefront TMG ended on April 14, 2015, and extended support will cease on April 14, 2020. Mainstream support for another Forefront-branded remote access solution, Forefront Unified Access Gateway (UAG), also expired on April 14, 2015, with extended support ending on April 14, 2020. Both products were widely deployed, and a large number of organizations still run TMG or UAG as the security solution protecting their internet-facing applications.

After end of life and end of support, organizations have other Microsoft solutions for their reverse proxy needs. Microsoft Azure Active Directory (AD) Application Proxy and Microsoft Web Application Proxy can fill this role while adding integration with modern authentication and cloud-based technologies. Table 1 lists the replacement options for the roles and features offered by TMG and UAG.

Comparing TMG/UAG Functionalities with Web Application Proxy and Azure AD Application Proxy Capabilities

TABLE 1. Microsoft Solution Evolution

TMG/UAG Functionality                                  | Web Application Proxy (WAP)                      | Azure AD Application Proxy (AADAP)
-------------------------------------------------------|--------------------------------------------------|-----------------------------------------------------
Selective HTTP publishing for browser apps             | Available in WAP in Windows Server 2012 R2       | Available in AADAP today
AD FS integration                                      | Available in WAP in Windows Server 2012 R2       |
Rich protocol publishing (e.g., Citrix, Lync, RDG)     | Available in WAP in Windows Server 2012 R2       | Partially available in AADAP today; will be enhanced
Preauthentication for ActiveSync (HTTP Basic) and RDG  | Will be available in WAP in Windows Server vNext | Will be coming to AADAP
Portal                                                 | Use Intune / System Center                       | Use the AAD Access Panel or the Office 365 App Launcher
Endpoint health detection                              | Use Intune / System Center                       | Use Intune / System Center
SSL tunneling                                          | Use Windows SSL-VPN capability                   | Use Windows SSL-VPN capability
Layer 2/3 firewall                                     | Use Windows Server capabilities                  | Use Windows Server capabilities
Web application firewall                               | No current solution from Microsoft               | No current solution from Microsoft
Secure web gateway (forward proxy)                     | No current solution from Microsoft               | No current solution from Microsoft

Secure Access, Simple Administration: Azure AD Application Proxy and Web Application Proxy

For organizations using Azure services or planning to, Azure AD Application Proxy gives remote or cloud users a simple and secure way to access on-premises web applications. Azure AD Application Proxy offers the following:

  • Pre-authentication can now be accomplished using Azure AD before passing user requests across the proxy.
  • Administrators can use Azure AD users and groups to grant access to on-premises web applications, such as SharePoint, Outlook Web Access, and IIS-based apps, with the ability to publish applications inside an organization’s private network.
  • Deployment is simple, with no demilitarized zone (DMZ) required: the on-premises connector opens only outbound connections to the Azure service, so no inbound port has to be exposed on the corporate firewall.
  • Users can easily access published web applications, on-premises and in the cloud, from a remote location using either home or mobile devices.
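The publishing and access-grant steps in the list above, as an added example that is not part of the original whitepaper. It uses the AzureAD PowerShell module, which was released after this paper was written (in 2015 the same steps were performed in the Azure portal), and assumes an Application Proxy connector is already installed. The application name, group name and host names are placeholders.

```powershell
# Added example, not from the original whitepaper. Publishes an on-premises web
# application through Azure AD Application Proxy with Azure AD preauthentication
# and restricts it to one Azure AD group. Requires the AzureAD PowerShell module
# and an installed connector; all names and URLs below are placeholders.

Import-Module AzureAD
Connect-AzureAD   # interactive sign-in with an account allowed to manage applications

$displayName = 'Contoso Timesheets'

# 1. Publish the app. AadPreAuthentication means the proxy service only forwards
#    requests that already carry a valid Azure AD token; Passthru would expose
#    the back end's own login page directly to the Internet.
New-AzureADApplicationProxyApplication `
    -DisplayName $displayName `
    -InternalUrl 'https://timesheets.corp.contoso.com/' `
    -ExternalUrl 'https://timesheets-contoso.msappproxy.net/' `
    -ExternalAuthenticationType AadPreAuthentication | Out-Null

# 2. Require assignment, so that an Azure AD account that is not explicitly
#    assigned to the app cannot obtain a token for it at all.
$app = Get-AzureADApplication -Filter "displayName eq '$displayName'"
$sp  = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# 3. Grant one group the app's default access role (the empty GUID).
$group = Get-AzureADGroup -Filter "displayName eq 'Timesheet Users'"
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# 4. Check the result: preauthentication must not be Passthru and assignment
#    must be required; anything else leaves the back end reachable by any account.
Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
Get-AzureADServicePrincipal -ObjectId $sp.ObjectId |
    Select-Object DisplayName, AppRoleAssignmentRequired
```

The two checks at the end are the ones worth repeating in an audit script: a published application whose ExternalAuthenticationType is Passthru, or whose service principal does not require assignment, is reachable from the Internet by anyone who can find its msappproxy.net address, which is exactly the exposure the preauthentication feature exists to remove.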

Web Application Proxy is a role service of the Remote Access server role in Windows Server 2012 R2 that provides reverse proxy functionality. It offers the following:

  • Reverse proxy functionality for web applications inside the corporate network allows users on any device to access on-premises applications from outside the corporate network.
  • Pre-authentication for access to web applications using Active Directory Federation Services (AD FS), and AD FS proxy functionality.

In addition, Microsoft Web Application Proxy in Windows Server vNext will offer the following capabilities:

  • Ability to publish a specific domain name as well as an entire sub-domain, for organizations that want to publish sites in bulk rather than one at a time. This matters for SharePoint deployments that place every application under a dedicated sub-domain. Plain HTTP publishing is also supported for pass-through applications that do not use preauthentication; because that traffic is unencrypted, it should be reserved for content that carries no credentials or other sensitive information.
  • HTTP to HTTPS redirection option: a user who types the plain HTTP address is sent to the HTTPS endpoint instead of failing, which keeps the session on an encrypted, server-authenticated connection and improves the user experience.
  • Propagation of the client IP address to the back-end application by adding an “X-Forwarded-For” header with the address to every request. Because any client can send this header itself, the back-end application should trust its value only on requests that arrive from the proxy’s own addresses.
  • Simplified Remote Desktop Gateway (RDG) publishing. AD FS can perform preauthentication for Remote Desktop access using capabilities such as Multi-Factor Authentication and smart cards, so users get the same experience as they do with their web applications. Administrators get a single entry point into the system and a single authentication and authorization mechanism across all applications.
  • Improved logging for better auditing and easier troubleshooting.
  • Administrator UI enhancements, including the ability to edit published applications in the UI.
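The AD FS preauthenticated publishing described in the two lists above, as an added example that is not part of the original whitepaper. It assumes the Web Application Proxy role service is already installed, that the AD FS farm is fs.contoso.com, that a relying party trust named "Contoso SharePoint" already exists on it, and that the external certificate for sharepoint.contoso.com is in the proxy's certificate store; host names, names and the thumbprint are placeholders. The -EnableHTTPRedirect parameter belongs to the "vNext" release, which shipped as Windows Server 2016, and is not accepted by Windows Server 2012 R2.

```powershell
# Added example, not from the original whitepaper. Registers a Web Application
# Proxy with an AD FS farm and publishes an internal application with AD FS
# preauthentication. All host names, names and the thumbprint are placeholders.

$thumbprint = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'   # placeholder certificate thumbprint

# 1. Register this server as a proxy for the AD FS farm (once per proxy server).
$cred = Get-Credential -Message 'Account allowed to register a proxy with AD FS'
Install-WebApplicationProxy `
    -FederationServiceName 'fs.contoso.com' `
    -CertificateThumbprint $thumbprint `
    -FederationServiceTrustCredential $cred

# 2. Publish the application with AD FS preauthentication. Unauthenticated
#    requests never reach the back end: the proxy sends the browser to AD FS and
#    forwards only requests that carry a valid token for the named relying party.
#    (Windows Server 2016 also accepts a wildcard host such as
#    https://*.sp.contoso.com/ in -ExternalUrl to publish a whole sub-domain.)
Add-WebApplicationProxyApplication `
    -Name 'Contoso SharePoint' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Contoso SharePoint' `
    -ExternalUrl 'https://sharepoint.contoso.com/' `
    -BackendServerUrl 'https://sharepoint.corp.contoso.com/' `
    -ExternalCertificateThumbprint $thumbprint `
    -EnableHTTPRedirect:$true      # Windows Server 2016: redirect plain HTTP to HTTPS

# 3. Audit: list every published application and flag the ones with no
#    preauthentication, since those expose the back end's own login page.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication |
    Format-Table -AutoSize

Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -eq 'PassThrough' } |
    ForEach-Object { Write-Warning "No preauthentication on '$($_.Name)' ($($_.ExternalUrl))" }
```

The audit step is worth running after every publishing change: a rule created with -ExternalPreauthentication PassThrough makes the proxy a plain reverse proxy for that URL, and the application behind it must then defend itself against anything the Internet sends.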

Benefits of Microsoft Web Application Proxy

Microsoft Web Application Proxy affords organizations all of the benefits of a secure network with a lower total cost of ownership (TCO) than hardware-based solutions for a number of reasons:

A software-based solution that is simple to deploy, maintain, and scale: Unlike most vendors that offer hardware-based solutions, Microsoft Web Application Proxy is software-based. With no additional appliances required, it is much easier to deploy, maintain, and scale than most hardware-based solutions.

Favorable economics as part of Windows Server 2012 R2: Because Web Application Proxy is software-based and included with the operating system, startup and operating expenses are lower than those of a hardware-based system, which keeps the TCO low.

Consistent management with Windows workloads: There is no need to retrain existing staff or hire specialists to publish applications; administrators manage Web Application Proxy as they would any other Windows workload. For publishing Microsoft Office servers (SharePoint, Lync, Exchange), Web Application Proxy provides the necessary capabilities. Web Application Proxy vNext will ship with the next version of Windows Server.

Designed and built on modern security standards: Many other vendors’ products are built on legacy protocol stacks using older security standards. Built from a fresh code base, Web Application Proxy does not store user passwords in memory, which limits what an attacker who compromises the proxy host can recover.

The Hybrid Cloud and Microsoft Azure AD Application Proxy

Over the last decade, keeping pace with new applications, supporting new kinds of endpoint devices, and maintaining security across a variety of networks has been a challenge for businesses. Organizations need to be agile to innovate and get to market quickly to stay ahead of the competition, while investing in long-term strategies that can adapt to change. This means being able to scale securely, reduce (if not eliminate) downtime, and consume minimal resources.

So how are organizations accomplishing this?

Many businesses are turning to the hybrid cloud, a combination of the public cloud and private cloud, to deliver the scalability, reliability, and protection they need to do business anytime, from any place.

The hybrid cloud provides organizations with:

Easy scalability. As needs change, organizations can move workloads between public and private clouds, deploying each where it makes the most sense.

24/7 security. The hybrid cloud provides organizations with a secure means of doing business, ensuring the security of web applications both inside and outside the corporate network—publishing, deploying, and managing applications without compromising security.

Simple and efficient system administration. Organizations can use a single pane of glass to see the entire hybrid infrastructure, giving IT central and comprehensive visibility into the corporate network and its data, applications, and files.

Reliability and performance. Businesses enjoy the same reliability and performance as they had with their previous system, using the same processes, tools, and resources.

Cost containment and savings. With the hybrid cloud, businesses can contain costs since they don’t require additional staff, retraining of existing staff, or purchasing, installing, and learning new management tools.

The hybrid cloud is a viable option that enables businesses to scale effortlessly, contain costs, and eliminate the burden of a substantial TCO. It also provides the reliability, performance, and level of security needed to ensure the protection of web applications, both inside and outside the corporate network.

Enterprise Mobility Is Key to Staying Competitive

Businesses today need a convenient and secure means for their workforces to access information anywhere, at any time, and from any place. While this may be second nature for the non-corporate user, there’s a great deal that the business must deal with—it’s about how organizations enable employees, customers, and partners to easily access the corporate cloud. And when you add BYOD to the mix—with the workforce using laptops, tablets, smartphones, thin clients, and other mobile devices—organizations need to get serious about how they’re going to protect the network, while giving those connected to it simple and intuitive access, and a seamless experience. Additionally, it’s essential that those devices and services used by the workforce are developed with a focus on ease of use and an improved and productive experience.

Microsoft believes that businesses must embrace mobile productivity to stay ahead of the competition. The Microsoft mobility platform provides office and collaborative solutions with mobile applications available for current lines of business, as well as custom-built applications that provide an enhanced user experience for any mobile device, corporate or personal, with a high level of security.

Looking Forward

Microsoft solutions let IT adopt a simplified, software-based approach with a set of consistent management tools that administrators already know. The same software-based approach lets businesses federate identity and access management while protecting their data, without the cost of dedicated appliances.

Although Web Application Proxy and Azure Active Directory Application Proxy are not direct replacements for Forefront Threat Management Gateway, Microsoft offers them as solutions built from the ground up to ensure security, enhance the user experience, simplify administration, and lower the total cost of ownership. In particular, Table 1 shows no Microsoft replacement for the web application firewall and forward proxy roles, so those need a separate plan. Although both TMG and UAG have nearly five more years of extended support, Microsoft recommends that customers begin evaluating replacement strategies now.

Microsoft is committed to the on-going development of Azure AD Application Proxy and Web Application Proxy. As such, we will be bringing out new features and functionality to support our vision, and deliver continued value to our customers so that organizations can continue their expansion into the cloud without compromising security.

References

Using Application Proxy to publish applications for secure remote access: https://msdn.microsoft.com/en-us/library/azure/dn768219.aspx

Introducing the next version of Web Application Proxy: http://blogs.technet.com/b/applicationproxyblog/archive/2014/10/01/introducing-the-next-version-of-web-application-proxy.aspx

Web Application Proxy: https://msdn.microsoft.com/en-us/library/windows/desktop/dn323740(v=vs.85).aspx

Web Application Proxy in Windows Server 2012 R2: https://technet.microsoft.com/en-us/library/dn584107.aspx

Enable Your On-Premises Apps for the Cloud with Microsoft Azure Active Directory Application Proxy: http://channel9.msdn.com/events/Ignite/2015/BRK3864

This whitepaper is also available here.

Categories: Uncategorized Tags:

Modernizing Microsoft Application Access with Web Application Proxy and Azure Active Directory Application Proxy

June 30th, 2015 No comments

NEW

As the trends toward bring-your-own-device (BYOD) and Internet Protocol version 6 (IPv6) security increase, Microsoft understands that remote/mobile access is a strategic area and continues to heavily invest in it. Our solutions for cloud and server technologies are an integral part of the Microsoft portfolio, with security continuing to play an important role in Microsoft’s overall management tool mindset.

On September 12, 2012, Microsoft announced the discontinuation of any further releases of certain Forefront branded solutions. Forefront Threat Management Gateway 2010 was one of those solutions. Mainstream support for Forefront TMG ended on April 14, 2015 and extended support will cease on April 14, 2020. In addition, mainstream support for another Forefront branded remote access solution, Forefront United Access Gateway (UAG), also expired on April 14, 2015, with extended support ending in on April 14, 2020. Widely deployed, there are a large number of organizations with active deployments of TMG or UAG as a security solution to protect internet-facing applications.

That said, for post end of life and end of support, organizations have other Microsoft solutions to address their reverse proxy needs. Microsoft Azure Active Directory (AD) Application Proxy and Microsoft Web Application Proxy can fill this role, while providing enhanced capabilities for integration with modern authentication and cloud-based technologies. Please see Table 1 for details on replacement options for the various roles and features offered by TMG and UAG.

Comparing TMG/UAG Functionalities with Web Application Proxy and Azure AD Application Proxy Capabilities

TABLE 1. Microsoft Solution Evolution

TMG/UAG Functionality

Web Application Proxy (WAP)/Azure AD Application Proxy (AADAP)

Selective HTTP Publishing for Browser Apps

Available in WAP in Windows Server 2012 R2

Available in AADAP today

ADFS Integration

Available in WAP in Windows Server 2012 R2

Rich Protocols Publishing (e.g., Citrix, Lync, RDG)

Available in WAP in Windows Server 2012 R2

Partially available in AADAP today – will be enhanced

Preauthentication for ActiveSync (HTTP Basic) and RDG

Will be available in WAP in Windows Server vNext

Will be coming to AADAP

Portal

Use Intune / System Center for WAP

Use AAD Access Panel or Office 365 App Launcher available for AADAP

Endpoint Health Detection

Use Intune / System Center

SSL Tunneling

Use Windows SSL-VPN capability

Layer 2/3 Firewall

Use Windows Server capabilities

Web Application Firewall

No current solution from Microsoft

Secure Web Gateway (Forward Proxy)

No current solution from Microsoft

Secure Access, Simple Administration: Azure AD Application Proxy and Web Application Proxy

For organizations using Azure services or planning to, Azure AD Application Proxy gives remote or cloud users a simple and secure way to access on-premises web applications. Azure AD Application Proxy offers the following:

  • Pre-authentication can now be accomplished using Azure AD before passing user requests across the proxy.
  • Administrators can use Azure AD users and groups to grant access to on-premises web applications, such as SharePoint, Outlook Web Access, and IIS-based apps, with the ability to publish applications inside an organization’s private network.
  • Deployment is simple and uncomplicated, with no demilitarized zone (DMZ) required.
  • Users can easily access published web applications, on-premises and in the cloud, from a remote location using either home or mobile devices.

Microsoft Web Application Proxy for reverse proxy functionality is a remote access role service in Windows Server 2012 R2. Microsoft Web Application Proxy offers the following:

  • Reverse proxy functionality for web applications inside the corporate network allows users on any device to access on-premises applications from outside the corporate network.
  • Pre-authentication for access to web applications using Active Directory Federation Services (AD FS), and AD FS proxy functionality.

In addition, Microsoft Web Application Proxy in Windows Server vNext will offer the following capabilities:

  • Ability to publish a specific domain name as well as an entire sub-domain for organizations that want to publish sites in bulk rather than one at a time. This is important when there is a need to publish SharePoint applications that use a special sub-domain for all applications. HTTP publishing for applications not using preauthentication ensures there is no leakage of sensitive information.
  • HTTP to HTTPS redirection option reduces the risk of server spoofing and offers an improved user experience.
  • Propagate client IP address to back-end application, adding to every request, “X-Forwarded-For” header that includes the address.
  • Simplified Remote Desktop Gateway (RDG) publishing. AD FS can be used to perform preauthentication for Remote Desktop access using capabilities such as Multi-Factor Authentication and smartcards. Users receive the same experience as they do with their web applications. Admins have a convenient, single entry point to the system and a single authentication and authorization mechanism across all applications.
  • Improved logging for better auditing and easier troubleshooting.
  • Administrator UI enhancements include the ability to edit applications in the UI.

Benefits of Microsoft Web Application Proxy

Microsoft Web Application Proxy affords organizations all of the benefits of a secure network with a lower total cost of ownership (TCO) than hardware-based solutions for a number of reasons:

A software-based solution that is simple to deploy, maintain, and scale: Unlike most vendors that offer hardware-based solutions, Microsoft Web Application Proxy is software-based. With no additional appliances required, it is much easier to deploy, maintain, and scale than most hardware-based solutions.

Favorable economics as part of Microsoft Windows 2012 R2: Since Microsoft Web Application Proxy is software-based, startup and OpEx expenses are lower than those of a hardware-based system. This, in turn, provides organizations with a very low TCO.

Consistent management with Windows workloads: It’s not necessary to retrain existing workforce, or hire experts to publish applications. Users can manage them just as they would any other Windows workload. When it comes to publishing Microsoft Office servers (SharePoint, Lync, Exchange), Web Application Proxy provides all of the necessary capabilities. Web Application Proxy vNext will be available with the next version of Windows Server.

Designed and built on modern security standards: Most other vendors’ products are built on legacy protocol stacks using old security standards. Built from a fresh code base, the Web Application Proxy does not store passwords in memory, adding yet another secure layer to systems.

The Hybrid Cloud and Microsoft Azure AD Application Proxy

Over the last decade, keeping pace with new applications, supporting alternative endpoint devices, and maintaining security across a variety of networks has been challenging for businesses to successfully adapt. Organizations need to be agile to innovate and get to market quickly to stay ahead of the competition, while investing in long-term strategies that can easily adapt to change. This means being able to scale effortlessly and securely, reduce (if not eliminate) downtime, and consume minimal resources.

So how are organizations accomplishing this?

Many businesses are turning to the hybrid cloud, a combination of the public cloud and private cloud, to deliver the scalability, reliability, and protection they need to do business anytime, from any place.

The hybrid cloud provides organizations with:

Easy scalability.As needs change, organizations can quickly and seamlessly move data centers between public and private clouds, easily deploying workloads where it makes the most sense, and at no additional expense.

24/7 security. The hybrid cloud provides organizations with a secure means of doing business, ensuring the security of web applications both inside and outside the corporate network—publishing, deploying, and managing applications without compromising security.

Simple and efficient system administration.Organizations can use a single pane of glass to see the entire hybrid infrastructure, offering IT central and comprehensive visibility into the corporate network and its data, applications, and files.

Reliability and performance.Businesses enjoy the same reliability and performance as they had with their previous system, using the same processes, tools, and resources.

Cost containment and savings. With the hybrid cloud, businesses can contain costs since they don’t require additional staff, retraining of existing staff, or purchasing, installing, and learning new management tools.

The hybrid cloud is a viable option that enables businesses to scale effortlessly, contain costs, and eliminate the burden of a substantial TCO. It also provides the reliability, performance, and level of security needed to ensure the protection of web applications, both inside and outside the corporate network.

Enterprise Mobility Is Key to Staying Competitive

Businesses today need a convenient and secure means for their workforces to access information anywhere, at any time, and from any place. While this may be second nature for the non-corporate user, there’s a great deal that the business must deal with—it’s about how organizations enable employees, customers, and partners to easily access the corporate cloud. And when you add BYOD to the mix—with the workforce using laptops, tablets, smartphones, thin clients, and other mobile devices—organizations need to get serious about how they’re going to protect the network, while giving those connected to it simple and intuitive access, and a seamless experience. Additionally, it’s essential that those devices and services used by the workforce are developed with a focus on ease of use and an improved and productive experience.

Microsoft believes that businesses must embrace mobile productivity to stay ahead of the competition. The Microsoft mobility platform provides office and collaborative solutions with mobile applications available for current lines of business, as well as custom-built applications that provide an enhanced user experience for any mobile device, corporate or personal, with a high level of security.

Looking Forward

Microsoft solutions enable IT to embrace a simplified software-based solution with a set of consistent management tools that IT administrators are familiar with. In addition, the economic efficiencies in Microsoft’s software-based approach enable businesses to federate user identity and access management, while at the same time protecting the data.

Though not direct replacements for the Microsoft Threat Management Gateway, Microsoft is offering its new solutions, Microsoft Web Application Proxy and Azure Active Directory Application Proxy, as those built from the ground up to ensure security, enhance the user experience, simplify system administration, and lower the total cost of ownership. Although both TMG and UAG have five more years of extended support, Microsoft recommends that its customers begin evaluating replacement strategies.

Microsoft is committed to the on-going development of Azure AD Application Proxy and Web Application Proxy. As such, we will be bringing out new features and functionality to support our vision, and deliver continued value to our customers so that organizations can continue their expansion into the cloud without compromising security.

References

Using Application Proxy to publish applications for secure remote access: https://msdn.microsoft.com/en-us/library/azure/dn768219.aspx

Introducing the next version of Web Application Proxy: http://blogs.technet.com/b/applicationproxyblog/archive/2014/10/01/introducing-the-next-version-of-web-application-proxy.aspx

Web Application Proxy: https://msdn.microsoft.com/en-us/library/windows/desktop/dn323740(v=vs.85).aspx

Web Application Proxy in Windows Server 2012: https://technet.microsoft.com/en-us/library/dn584107.aspx

Enable Your On-Premises Apps for the Cloud with Microsoft Azure Active Directory Application Proxy: http://channel9.msdn.com/events/Ignite/2015/BRK3864

This whitepaper is also available here.

Categories: Uncategorized Tags:

Modernizing Microsoft Application Access with Web Application Proxy and Azure Active Directory Application Proxy

June 30th, 2015 No comments

NEW

As the trends toward bring-your-own-device (BYOD) and Internet Protocol version 6 (IPv6) security increase, Microsoft understands that remote/mobile access is a strategic area and continues to heavily invest in it. Our solutions for cloud and server technologies are an integral part of the Microsoft portfolio, with security continuing to play an important role in Microsoft’s overall management tool mindset.

On September 12, 2012, Microsoft announced the discontinuation of any further releases of certain Forefront branded solutions. Forefront Threat Management Gateway 2010 was one of those solutions. Mainstream support for Forefront TMG ended on April 14, 2015 and extended support will cease on April 14, 2020. In addition, mainstream support for another Forefront branded remote access solution, Forefront United Access Gateway (UAG), also expired on April 14, 2015, with extended support ending in on April 14, 2020. Widely deployed, there are a large number of organizations with active deployments of TMG or UAG as a security solution to protect internet-facing applications.

That said, for post end of life and end of support, organizations have other Microsoft solutions to address their reverse proxy needs. Microsoft Azure Active Directory (AD) Application Proxy and Microsoft Web Application Proxy can fill this role, while providing enhanced capabilities for integration with modern authentication and cloud-based technologies. Please see Table 1 for details on replacement options for the various roles and features offered by TMG and UAG.

Comparing TMG/UAG Functionalities with Web Application Proxy and Azure AD Application Proxy Capabilities

TABLE 1. Microsoft Solution Evolution

TMG/UAG Functionality

Web Application Proxy (WAP)/Azure AD Application Proxy (AADAP)

Selective HTTP Publishing for Browser Apps

Available in WAP in Windows Server 2012 R2

Available in AADAP today

ADFS Integration

Available in WAP in Windows Server 2012 R2

Rich Protocols Publishing (e.g., Citrix, Lync, RDG)

Available in WAP in Windows Server 2012 R2

Partially available in AADAP today – will be enhanced

Preauthentication for ActiveSync (HTTP Basic) and RDG

Will be available in WAP in Windows Server vNext

Will be coming to AADAP

Portal

Use Intune / System Center for WAP

Use AAD Access Panel or Office 365 App Launcher available for AADAP

Endpoint Health Detection

Use Intune / System Center

SSL Tunneling

Use Windows SSL-VPN capability

Layer 2/3 Firewall

Use Windows Server capabilities

Web Application Firewall

No current solution from Microsoft

Secure Web Gateway (Forward Proxy)

No current solution from Microsoft

Secure Access, Simple Administration: Azure AD Application Proxy and Web Application Proxy

For organizations using Azure services or planning to, Azure AD Application Proxy gives remote or cloud users a simple and secure way to access on-premises web applications. Azure AD Application Proxy offers the following:

  • Pre-authentication can now be accomplished using Azure AD before passing user requests across the proxy.
  • Administrators can use Azure AD users and groups to grant access to on-premises web applications, such as SharePoint, Outlook Web Access, and IIS-based apps, with the ability to publish applications inside an organization’s private network.
  • Deployment is simple and uncomplicated, with no demilitarized zone (DMZ) required.
  • Users can easily access published web applications, on-premises and in the cloud, from a remote location using either home or mobile devices.

Microsoft Web Application Proxy for reverse proxy functionality is a remote access role service in Windows Server 2012 R2. Microsoft Web Application Proxy offers the following:

  • Reverse proxy functionality for web applications inside the corporate network allows users on any device to access on-premises applications from outside the corporate network.
  • Pre-authentication for access to web applications using Active Directory Federation Services (AD FS), and AD FS proxy functionality.

In addition, Microsoft Web Application Proxy in Windows Server vNext will offer the following capabilities:

  • Ability to publish a specific domain name as well as an entire sub-domain for organizations that want to publish sites in bulk rather than one at a time. This is important when there is a need to publish SharePoint applications that use a special sub-domain for all applications. HTTP publishing for applications not using preauthentication ensures there is no leakage of sensitive information.
  • HTTP to HTTPS redirection option reduces the risk of server spoofing and offers an improved user experience.
  • Propagate client IP address to back-end application, adding to every request, “X-Forwarded-For” header that includes the address.
  • Simplified Remote Desktop Gateway (RDG) publishing. AD FS can be used to perform preauthentication for Remote Desktop access using capabilities such as Multi-Factor Authentication and smartcards. Users receive the same experience as they do with their web applications. Admins have a convenient, single entry point to the system and a single authentication and authorization mechanism across all applications.
  • Improved logging for better auditing and easier troubleshooting.
  • Administrator UI enhancements include the ability to edit applications in the UI.

Benefits of Microsoft Web Application Proxy

Microsoft Web Application Proxy affords organizations all of the benefits of a secure network with a lower total cost of ownership (TCO) than hardware-based solutions for a number of reasons:

A software-based solution that is simple to deploy, maintain, and scale: Unlike most vendors that offer hardware-based solutions, Microsoft Web Application Proxy is software-based. With no additional appliances required, it is much easier to deploy, maintain, and scale than most hardware-based solutions.

Favorable economics as part of Microsoft Windows 2012 R2: Since Microsoft Web Application Proxy is software-based, startup and OpEx expenses are lower than those of a hardware-based system. This, in turn, provides organizations with a very low TCO.

Consistent management with Windows workloads: It’s not necessary to retrain existing workforce, or hire experts to publish applications. Users can manage them just as they would any other Windows workload. When it comes to publishing Microsoft Office servers (SharePoint, Lync, Exchange), Web Application Proxy provides all of the necessary capabilities. Web Application Proxy vNext will be available with the next version of Windows Server.

Designed and built on modern security standards: Many competing products are built on legacy protocol stacks and older security standards. Web Application Proxy was built from a fresh code base and does not store user passwords in memory, which removes one avenue for credential theft on the proxy itself.

The Hybrid Cloud and Microsoft Azure AD Application Proxy

Over the last decade, keeping pace with new applications, supporting alternative endpoint devices, and maintaining security across a variety of networks has been a challenge for businesses. Organizations need to be agile to innovate and get to market quickly to stay ahead of the competition, while investing in long-term strategies that can easily adapt to change. This means being able to scale effortlessly and securely, reduce (if not eliminate) downtime, and consume minimal resources.

So how are organizations accomplishing this?

Many businesses are turning to the hybrid cloud, a combination of the public cloud and private cloud, to deliver the scalability, reliability, and protection they need to do business anytime, from any place.

The hybrid cloud provides organizations with:

Easy scalability. As needs change, organizations can move workloads between public and private clouds, deploying them where it makes the most sense.

24/7 security. The hybrid cloud gives organizations a secure means of doing business, protecting web applications both inside and outside the corporate network, so that applications can be published, deployed, and managed without compromising security.

Simple and efficient system administration. Organizations can use a single pane of glass to see the entire hybrid infrastructure, giving IT central and comprehensive visibility into the corporate network and its data, applications, and files.

Reliability and performance. Businesses enjoy the same reliability and performance as they had with their previous system, using the same processes, tools, and resources.

Cost containment and savings. With the hybrid cloud, businesses can contain costs, since they don’t require additional staff, retraining of existing staff, or purchasing, installing, and learning new management tools.

The hybrid cloud is a viable option that enables businesses to scale effortlessly, contain costs, and eliminate the burden of a substantial TCO. It also provides the reliability, performance, and level of security needed to ensure the protection of web applications, both inside and outside the corporate network.

Enterprise Mobility Is Key to Staying Competitive

Businesses today need a convenient and secure means for their workforces to access information anywhere, at any time, from any device. While this may seem simple from the user’s point of view, the business has a great deal to deal with: how to let employees, customers, and partners easily access corporate resources in the cloud. And when you add BYOD to the mix, with the workforce using laptops, tablets, smartphones, thin clients, and other mobile devices, organizations need to get serious about how they’re going to protect the network, while giving those connected to it simple, intuitive access and a seamless experience. The devices and services the workforce uses must also be designed with a focus on ease of use and a productive experience.

Microsoft believes that businesses must embrace mobile productivity to stay ahead of the competition. The Microsoft mobility platform provides office and collaborative solutions with mobile applications available for current lines of business, as well as custom-built applications that provide an enhanced user experience for any mobile device, corporate or personal, with a high level of security.

Looking Forward

Microsoft solutions enable IT to adopt a simplified, software-based solution with a consistent set of management tools that IT administrators already know. Microsoft’s software-based approach also lets businesses federate user identity and access management while protecting their data.

Though not direct feature-for-feature replacements for Forefront Threat Management Gateway and Unified Access Gateway, Web Application Proxy and Azure Active Directory Application Proxy were built from the ground up to ensure security, enhance the user experience, simplify system administration, and lower the total cost of ownership. Although both TMG and UAG have five more years of extended support, Microsoft recommends that customers begin evaluating replacement strategies now.

Microsoft is committed to the on-going development of Azure AD Application Proxy and Web Application Proxy. As such, we will be bringing out new features and functionality to support our vision, and deliver continued value to our customers so that organizations can continue their expansion into the cloud without compromising security.

References

Using Application Proxy to publish applications for secure remote access: https://msdn.microsoft.com/en-us/library/azure/dn768219.aspx

Introducing the next version of Web Application Proxy: http://blogs.technet.com/b/applicationproxyblog/archive/2014/10/01/introducing-the-next-version-of-web-application-proxy.aspx

Web Application Proxy: https://msdn.microsoft.com/en-us/library/windows/desktop/dn323740(v=vs.85).aspx

Web Application Proxy in Windows Server 2012: https://technet.microsoft.com/en-us/library/dn584107.aspx

Enable Your On-Premises Apps for the Cloud with Microsoft Azure Active Directory Application Proxy: http://channel9.msdn.com/events/Ignite/2015/BRK3864



The Latest Picture of the Threat Landscape in the European Union – part 2

June 29th, 2015 No comments

In part 1 of this series on the threat landscape in the European Union (EU) I examined the encounter and infection rates among EU member countries/regions, focusing on a couple of the locations with highest malware encounter rates (ER) and infection rates (CCM).

In part 2 of the series I’ll focus on the locations in the EU with the lowest ERs and CCMs, and I’ll also examine the top threats found in the region in the last half of 2014.

Figure 1 illustrates the locations in the EU that have the lowest ERs. Finland, Denmark, Sweden, Ireland, Germany, and Austria had the lowest ERs in the EU in the last quarter of 2014. These locations have consistently had lower ERs than the worldwide average.

Figure 1: Locations with the lowest encounter rates in the EU in the third (3Q14) and fourth (4Q14) quarters of 2014

Taking a closer look at Finland in Figure 2, the location with the lowest ER in the EU, we can see every category of threat is encountered significantly less frequently by systems in Finland than the worldwide average.

Figure 2: (left) malware categories encountered in Finland in the fourth quarter of 2014 compared to the worldwide averages; (right); unwanted software categories encountered in Finland and worldwide during the last quarter of 2014

Although Norway is not a member of the EU, my coworkers and many of the customers I have met in Norway would want me to mention that Norway is another location in the region with one of the healthiest ecosystems in the world, as is Japan.

Figure 3: (left) Encounter and infection rates for Norway during each quarter of 2014; (right) Encounter and infection rates for Japan during each quarter of 2014

Looking at the locations in the EU with the lowest malware infection rates we can see some of the locations with the lowest ERs in the region also have low infection rates, including Finland, Denmark, Sweden, Ireland, and Austria. Estonia had a consistently low infection rate through all four quarters of 2014. We didn’t have enough data to publish an ER for Luxembourg, but its infection rate was consistent with other low infection rate locations in the region during 2014. The Netherlands also has consistently low infection rates.

Figure 4: Locations in the EU with the lowest malware infection rates (CCM) in the last quarter of 2014

Although there are locations in the EU with consistently low infection rates, this doesn’t mean those locations don’t experience temporary dramatic infection rate increases. For example, Figure 5 illustrates some dramatic infection rate increases that took place in Austria and the Netherlands in 2011 when the Win32/EyeStye Trojan (also known as SpyEye) was detected and cleaned from a relatively large number of systems in Austria, the Netherlands, Germany and Italy. I visited numerous enterprise customers in the region during that time period to discuss this threat with them.

Figure 5: (left) The infection rate trend for Austria between the third quarter of 2011 and the second quarter of 2013; (right) the infection rate trend for the Netherlands between the third quarter of 2011 and the fourth quarter of 2012

Some locations in the EU saw great infection rate improvements in 2014. Figure 6 illustrates some of the biggest infection rate improvements in the region. France, Italy, Portugal, and Spain all ended 2014 with infection rates lower than the worldwide average after starting the year with significantly higher CCMs. Interestingly, over the years I have noticed elevated levels of Adware among these locations relative to the worldwide average, and the fourth quarter of 2014 was no different. With the exception of Portugal, these locations also all had elevated levels of Trojan Downloaders & Droppers during the last quarter of the year.

Figure 6: The largest CCM improvements in the EU in the second half of 2014

The most prevalent threat families found in the EU during the second half of 2014 are listed in Figure 7. Having only one commercial exploit kit (JS/Axpergle, also known as Angler) in the top ten threats in the region is good news, as exploit kits are typically used by attackers to spread ransomware and other malware to unpatched systems. The top three threats in the EU in the fourth quarter of 2014 were all families of worms that typically spread via unsecured file shares and removable media such as USB drives.

Figure 7: The top 10 threat families in the EU in the second half of 2014

The good news is that many of these threats can be mitigated by keeping systems up-to-date with security updates and running up-to-date antimalware software. Could it be that locations in the EU that have relatively high malware infection rates also have relatively low antimalware software adoption/usage?

In part 3 of this series on the threat landscape in the EU I’m going to look at which locations in the EU have the highest and lowest usage of real-time antimalware software in the region – a key protection technology. I’m also going to examine which locations in the region host the most drive-by download attacks – a favorite malware distribution method for attackers.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Governments recognize the importance of TPM 2.0 through ISO adoption

Earlier today, the Trusted Computing Group (TCG) announced in a press release the Trusted Platform Module (TPM) 2.0 Library Specification was approved by the ISO/IEC Joint Technical Committee (JTC) 1 and will be available later in the year as ISO/IEC 11889:2015. This landmark accomplishment is set to encourage worldwide adoption of the TPM 2.0, which is critical for improving trust in information technology products and services.

TPM 2.0 builds on the achievements of its predecessor ISO/IEC 11889:2009, playing an important role in enhancing security by combining hardware and software features. It provides improvements in the secure generation of cryptographic keys and in controlling their use. It includes a privacy-protected mechanism that enables remote trust-verification of the software used to boot a particular system. Most importantly, TPM 2.0 supports cryptographic agility, allowing for effective management of cryptographic algorithms, including easier migration when a major weakness is found in an algorithm. Under the same technical framework, it also expands the use of additional publicly available algorithms based on market requirements for TPM applications.
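The remote trust-verification described above rests on the PCR extend operation and on a verifier replaying the boot event log against the PCR values the TPM reports. The following is an added example, not TCG or Microsoft code, that simulates that replay in Python with two hash banks to show why algorithm agility matters: the verifier can require the SHA-256 bank and reject a quote that offers only SHA-1. The boot components, event log and “golden” reference values are constructed for the example, and the signature a real TPM puts on a quote (and the privacy-preserving attestation key behind it) is omitted.

```python
import hashlib
from typing import Dict, Sequence, Tuple

# Hash banks: TPM 2.0 keeps a PCR set per algorithm, so a verifier can require
# the bank it considers strong and ignore a weaker one. (Constructed example.)
BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def extend(pcr: bytes, digest: bytes, alg: str) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || digest). Order-sensitive, not reversible."""
    return BANKS[alg](pcr + digest).digest()


def replay(event_log: Sequence[bytes], alg: str) -> bytes:
    """Recompute a bank's final PCR from the measured blobs, in boot order."""
    h = BANKS[alg]
    pcr = b"\x00" * h().digest_size  # PCRs start at zero at power-on
    for blob in event_log:
        pcr = extend(pcr, h(blob).digest(), alg)
    return pcr


def make_quote(event_log: Sequence[bytes], algs: Sequence[str]) -> Dict[str, bytes]:
    """Stand-in for the PCR values a TPM reports in a quote (signature omitted)."""
    return {alg: replay(event_log, alg) for alg in algs}


def verify(event_log: Sequence[bytes], quoted: Dict[str, bytes],
           golden: Dict[str, bytes], required: Sequence[str]) -> Tuple[bool, str]:
    """Verifier policy: for every required bank the event log must reproduce
    the quoted PCR (the log is honest) and that PCR must equal the known-good
    value (the software that booted is the software we expect)."""
    for alg in required:
        if alg not in quoted:
            return False, f"quote lacks the {alg} bank"
        replayed = replay(event_log, alg)
        if replayed != quoted[alg]:
            return False, f"{alg}: event log does not reproduce the quoted PCR"
        if replayed != golden.get(alg):
            return False, f"{alg}: PCR differs from the known-good value"
    return True, "ok"


# Constructed boot chain and its known-good PCR values, as a verifier would
# record them from a reference machine.
GOOD_BOOT = [b"firmware 1.2", b"bootloader 3.0", b"kernel 10.0.10240"]
GOLDEN = make_quote(GOOD_BOOT, ["sha1", "sha256"])


if __name__ == "__main__":
    tampered = [b"firmware 1.2", b"bootloader 3.0 (patched)", b"kernel 10.0.10240"]
    print(verify(GOOD_BOOT, make_quote(GOOD_BOOT, ["sha256"]), GOLDEN, ["sha256"]))  # (True, 'ok')
    print(verify(tampered, make_quote(tampered, ["sha256"]), GOLDEN, ["sha256"]))    # golden mismatch
    print(verify(GOOD_BOOT, make_quote(tampered, ["sha256"]), GOLDEN, ["sha256"]))   # log does not match quote
    print(verify(GOOD_BOOT, make_quote(GOOD_BOOT, ["sha1"]), GOLDEN, ["sha256"]))    # weaker bank only
```

The three failure cases are the three things an attestation check actually catches: software that differs from the reference (PCR differs from the golden value), an event log edited after the fact (the log no longer reproduces the quoted PCR), and a client steering the verifier toward a weaker hash bank. Because extend is order-sensitive and cannot be undone, a compromised component cannot restore the expected value by extending further.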

The fact that the standard was supported by a large number of countries, including Australia, Belgium, Canada, China, Czech Republic, Denmark, Finland, France, Ghana, Ireland, Italy, Japan, the Republic of Korea, Lebanon, Malaysia, Netherlands, Nigeria, Norway, the Russian Federation, South Africa, the United Arab Emirates, the United Kingdom and the United States, underlines the growing level of concern around cybersecurity, among both developed and emerging economies. It also stems from the inclusive and collaborative development process led by the TCG, which reflects its commitment to finding open and vendor-neutral technology solutions that address industry, consumer and government security requirements.

Microsoft, along with other technology companies, is an active participant in the TCG and over the years has invested in the innovation and promotion of the commercial adoption of trusted computing standards, including in developing TPM features as a part of Windows Vista, Windows 7, 8, 8.1, and most recently Windows 10. These actions and our customers’ feedback significantly advanced our understanding of the trusted computing technology, which in turn helped us deliver timely, market-driven solutions.

However, we recognize that we have to go further to address the security challenges posed by the explosive growth of mobile devices, society’s increasing reliance on wireless networks and the Internet of Things. To this end, Microsoft is providing more TPM functions in Windows 10 and enabling easier deployment of the TPM to achieve “secure by default” objectives for devices, such as mobile devices, servers, etc. TPM 2.0 implementations will include more algorithms and processes such as key generators, as well as onboard storage for cryptographic system measurements for validation and digital certificates. Moreover, Windows 10 hardware requirements enable tailored TPM 2.0 deployments for organizations, ensuring greater flexibility if so needed.

In our view TPM 2.0 represents a significant step forward as it effectively combines best practices from leading industry providers while also ensuring complete transparency of the specification through an open public review and consultation process. However, there is more to be done. The approval of TPM 2.0 offers a rare opportunity for countries to embrace and promote wider commercial adoption of this trusted computing technology in the near term. As technology evolves quickly new standards will be needed. The TPM 2.0 standard development, implemented through the PAS Transposition Process in ISO/IEC JTC 1, provides a template for a future collaborative security standards adoption. It provides ample opportunity for security experts to collaborate and reach an international consensus – one which will ensure user security and privacy and maintain trust in the Internet as a foundational platform of commerce and well-being in the long run.

About the Author:

Jing de Jong-Chen is a Senior Director, Global Security Strategy and Diplomacy in the Cloud and Enterprise Division at Microsoft Corp. She also serves as vice president of the Trusted Computing Group and board advisor of the Executive Women’s Forum. Jing has 20 years of experience in the technology industry with domain expertise in global cybersecurity policy and strategy. She also has an extensive background in developing strategic partnerships with public sector, academic and industry groups. Jing received the “Women of Influence Award” from the Executive Women’s Forum in 2014 for her professional contributions to cybersecurity. She holds a Master’s Degree in Business Administration (M.B.A.) and a Bachelor of Science Degree (B.S.) in Computer Science.

The Latest Picture of the Threat Landscape in the European Union – part 1

June 25th, 2015 No comments

I had the opportunity to visit with some European based customers when I spoke at the RSA Unplugged conference in London just a few weeks ago. Many of the customers I met with were very interested in a deep dive into the types of threats we see in the region. I have written about the threat landscape in Europe and European Union (EU) extensively over the years, including the articles below:

Ransomware is on the Rise, Especially in Europe
The Threat Landscape in the European Union at RSA Conference Europe 2013
European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them
European Union Check-Up: Malicious Websites Hosted in the EU
European Union check-up: Romania still tops the list of most infected in the EU
Cyber-Threats in the European Union: First Half 2012
Cyber-Threats in the European Union
The Threat Landscape Shifts Significantly in the European Union – Part 1
The Threat Landscape Shifts Significantly in the European Union – Part 2
The Threat Landscape Shifts Significantly in the European Union – Part 3

I thought it was time to provide an updated view of the threat landscape in the region based on the latest data just released in the newest volume of the Microsoft Security Intelligence Report published just a few weeks ago.

Figure 1: Encounter rates in the region in the fourth quarter (4Q14) of 2014

First, let’s look at the encounter rate (ER) among locations in Europe where we have sufficient data. ER is the percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software during a given period of time. The worldwide average ER in the fourth quarter of 2014 was 15.9%. The average ER for the countries/regions that we have statistically significant data on in the EU was 20.8% during the same period.

As Figure 2 illustrates, in the third quarter of 2014 Bulgaria, Italy, Romania, and France had the highest ERs in the region. In the fourth quarter Bulgaria, Romania, Croatia and Latvia had the highest ERs in the EU. Bulgaria topped the list in both quarters as the location in the EU that encounters threats most often, with an ER of 26% in the third quarter and 23% in the final quarter of 2014.

Figure 2: Encounter rates in the region in the third (3Q14) and fourth (4Q14) quarters of 2014

Taking a closer look at what types of threats are being encountered most often in Bulgaria reveals higher than average levels of Trojans, Obfuscators & Injectors, Exploits, Backdoors and Browser Modifiers – as seen in Figure 3. Figure 4 shows the top threat families encountered in Bulgaria in the fourth quarter of 2014.

Figure 3: (left) malware categories encountered in Bulgaria in the last quarter of 2014 compared to the worldwide averages; (right); unwanted software categories encountered in Bulgaria and worldwide during the last quarter of 2014

Figure 4: Top threat families encountered in the last quarter of 2014 in Bulgaria

Some of the locations with relatively high ERs, like Romania and Bulgaria, are also among the locations with the highest malware infection rates (CCM[1]) in the EU, as Figure 5 illustrates; these are systems that encountered malware and were successfully infected. The worldwide average infection rate in the fourth quarter of 2014 was 5.9 systems infected with malware for every 1,000 scanned by the Malicious Software Removal Tool (MSRT), or 0.59% of the 600 to 700 million systems the MSRT executes on each month. The average infection rate for the 28 countries/regions in the EU during the same period was a CCM of 5.65, or 0.57%.

Figure 5: Locations in the EU with the highest malware infection rates (CCM) in the fourth quarter of 2014

Taking a closer look at Romania during this time period reveals some interesting insights. The infection rate there has consistently been significantly higher than the worldwide average and the vast majority of the 28 locations in the EU.

Figure 6: Encounter and infection rates for Romania during each quarter of 2014

The top threat found infecting systems in Romania in the last quarter of 2014 was Win32/Sality. What makes this interesting is that Sality is a virus (an old fashioned file infector) – I have written about why this seems remarkable before: Are Viruses Making a Comeback?

Figure 7: Threat families that infected systems in Romania most often in the last quarter of 2014

Another noteworthy data point is that the share of systems in Romania consistently running up-to-date antimalware software (67.4% of systems) is lower than the worldwide average (74.3%). Additionally, the share of systems in Romania consistently not running real-time antivirus software (26% of systems) is higher than the worldwide average (19.1%).

Figure 8: Security software use in Romania in the last quarter of 2014

In the second part of this series on the threat landscape in the EU, I’ll examine the locations that have low encounter rates and low malware infection rates. Is there something we can learn from these countries/regions?

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

[1] Short for computers cleaned per mille (thousand). The number of computers cleaned for every 1,000 unique computers that run the MSRT. For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).

MS15-049 – Important: Vulnerability in Silverlight Could Allow Elevation of Privilege (3058985) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (June 23, 2015): Bulletin published.
Summary: Bulletin revised to announce a detection change in the 3056819 update for Microsoft Silverlight 5. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.


MS15-044 – Critical: Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (3057110) – Version: 2.1

Severity Rating: Critical
Revision Note: V2.1 (June 23, 2015): Bulletin revised to announce a detection change in the 3056819 update for Microsoft Silverlight 5. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.


2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 42.0

Revision Note: V42.0 (June 23, 2015): Added the 3074219 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.


Rollup 2 for Forefront Unified Access Gateway 2010 Service Pack 4 is available for download

We have recently released Rollup 2 for Forefront UAG 2010 Service Pack 4.

UAG 2010 Service Pack 4 Rollup 2 is available as a hotfix download from Microsoft Support as an update to UAG 2010 Service Pack 4.

This update contains 4 new changes for UAG 2010 Service Pack 4. For details, please visit KB 3060650: Description of Rollup 2 for Forefront Unified Access Gateway 2010 Service Pack 4

Please download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 4 Rollup package and learn more about UAG 2010 SP4 by visiting our TechNet Library.

Thank you,

The Forefront UAG Product Team

Get the latest System Center news on Facebook and Twitter:

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Risk of Leaked Credentials and How Microsoft’s Cloud Helps Protect Your Organization

June 18th, 2015

This week the Microsoft Identity and Security Services Division announced another new security report feature is now in preview that helps protect Azure Active Directory Premium customers from the risk associated with leaked credentials.

The Risk of Leaked Account Credentials
One scenario that has unfortunately become all too common is where account credentials are stolen in bulk by criminals through website breaches. Credentials are also unwittingly provided directly by the victims themselves through phishing attacks, or harvested from systems that are infected with malware. As we reported in the Microsoft Security Intelligence Report volume 17, account credentials that are stolen in bulk directly from organizations’ websites contribute a significant amount to the trade in stolen credentials. As part of its customer account protection operations during the period from November 2013 to June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a small fraction of the credentials that are traded in forums and specialized websites on less publicly accessible spaces on the Internet that cater to the illicit trade in stolen credentials.

Figure 1: Number of publicly posted website credential thefts, per month, from November 2013 to June 2014


Figure 2: Number of stolen credentials from publicly posted credential thefts, per month, from November 2013 to June 2014. The spike in February includes the public posting of 1 million hashed credentials that had been stolen from Forbes[1]


In addition to attacks on websites, a substantial share of the illicit trade in account credentials is supplied by devices infected with malware.

Figure 3: Trends for the most commonly encountered password stealers in the 1st half of 2014


Security Mitigations in Microsoft’s Cloud Services that can Help
Last November I wrote about a unique capability built into Azure Active Directory Premium that allows customers to identify devices that have been compromised by some of the worst professionally managed threats on the Internet and are attempting to sign in to Azure-based applications. This information allows customers to identify and remediate infected systems in their environments quickly.

Figure 4: An example report illustrating “sign ins from possibly infected devices” available to Microsoft Azure Active Directory Premium customers


This week the Microsoft Identity and Security Services Division announced yet another new security report feature is now in preview that helps protect Azure Active Directory Premium customers from the risk associated with leaked credentials.

Figure 5: The new “Users with leaked credentials” report in the Azure management portal surfaces any matches between the leaked credential lists that Microsoft discovers posted publicly and the accounts in your tenant


You can get more details here: Azure Active Directory Premium reporting now detects leaked credentials.

Another mitigation that helps reduce the risk of leaked credentials is multi-factor authentication. Typically, a user presents something they know, such as a secret password, as proof of identity. The basic idea behind multi-factor authentication is for the user to present one or more additional proofs based on something they have, such as a device, or something they are, such as a fingerprint or retinal scan.

Microsoft Azure and Office 365 already have multi-factor authentication support to help you manage this risk. You can get more details here: Azure Multi-Factor Authentication.

Many of the customers I talk to that manage on-premise environments have implemented some form of multi-factor authentication that helps protect their user accounts. But only a few customers I have talked to look for lists of leaked credentials and test them against their on-premise directory services. I suspect that the new “users with leaked credentials” report will be of high interest to many customers in a world where credential leakage and theft have become so commonplace.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

[1] A. Greenberg, “How The Syrian Electronic Army Hacked Us: A Detailed Timeline,” Forbes.com, 20.Feb.2014. [Online]. http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/. [Accessed: 17-Jul-2014].

Understanding type confusion vulnerabilities: CVE-2015-0336

June 18th, 2015

In March 2014, we observed a patched Adobe Flash vulnerability (CVE-2015-0336) being exploited in the wild. Adobe released the patch on March 12, 2014, and exploit code using this vulnerability first appeared about a week later.

To help stay protected:

  • Keep your Microsoft security software, such as Windows Defender for Windows 8.1 up-to-date.
  • Keep your third-party software, such as Adobe Flash Player, up-to-date.
  • Be cautious when browsing potentially malicious or compromised websites.

This blog digs deeper into the technique and tactics the attacker used to exploit this vulnerability. Understanding these techniques can help you better defend your enterprise software security infrastructure against similar exploits.

First things first, let’s talk about the vulnerability itself. The vulnerability is a “type confusion”, a common bug class in the ActionScript Virtual Machine. Usually, when a piece of code doesn’t verify the type of the object that is passed to it, and uses it blindly without type-checking, it leads to type confusion. Type confusion can be very dangerous because a type is expressed as a memory layout in the lower-level implementation of Flash Player. With type confusion, the wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.

Figure 1 shows the CVE-2015-0336 exploit code that triggers the vulnerability. This piece of code resembles the proof of concept code detailed by the finder; however, the details are somewhat different.

The first difference is the use of an ASnative(2100,200) call instead of a NetConnection class instantiation. Also, the code that triggers the confusion is different. The exploit utilizes method 8 (line 9) and calls the apply method of the NetConnection function object to trigger the type confusion. The original Google Project Zero code used method 1 and the call method on this object.


Figure 1: Exploit code that triggers type confusion

The object that is passed to the ASnative(2100,8) function is the _loc2_ object. The _loc2_ object is an ASnative function object that doesn’t exist; it’s just a placeholder for a function object. However, this ASnative object from line number 5 is very important in the exploitation technique, as discussed below.

The _loc2_ object is not a NetConnection object at all – its __proto__ property is set to an Object type object (_loc3_). ASnative(2100,200) is a constructor for the NetConnection object, and this _loc3_ object is initialized to the NetConnection type at line 8. This makes the line 9 code use the non-NetConnection object as a NetConnection object and treat the object’s memory layout as if it were a NetConnection object. Figure 2 shows the actual code that checks the __proto__ property. In the updated binary, this part is fixed with additional sanity checks that prevent unwanted objects from being passed further down into the code below.


Figure 2: The proto object check routine
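To make the defect concrete, here is an added example (not Flash Player's code and not from the original post) with a constructed object model: each object carries a script-controlled prototype pointer, standing in for __proto__, and an allocation-time kind tag. The weak check trusts the prototype chain, so a plain object whose prototype was reassigned is accepted and its memory is read through the NetConnection layout; the strict check relies only on the tag, which is the kind of sanity check the fix adds. The NetConnection layout, the `member` field and the check names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed object model for this example (not Flash Player's real one):
 * every script object has a prototype pointer that script code may reassign,
 * like ActionScript's __proto__, plus a kind tag fixed when it is allocated. */
typedef enum { KIND_PLAIN = 1, KIND_NETCONNECTION = 2 } ObjKind;

typedef struct Object {
    const struct Object *proto;   /* script-controlled */
    ObjKind kind;                 /* allocator-controlled, never script-visible */
} Object;

/* Hypothetical native layout that extends the common header; 'member' stands
 * in for the field the dispatcher reads after the type check passes. */
typedef struct {
    Object hdr;
    char   uri[32];
    int    member;
} NetConnection;

static const Object netconnection_proto = { NULL, KIND_NETCONNECTION };
static const Object plain_proto         = { NULL, KIND_PLAIN };

/* Vulnerable check: walks the script-controlled prototype chain. */
bool weak_is_netconnection(const Object *o) {
    for (const Object *p = o->proto; p != NULL; p = p->proto)
        if (p == &netconnection_proto)
            return true;
    return false;
}

/* Fixed check: only the allocation-time tag decides which layout applies. */
bool strict_is_netconnection(const Object *o) {
    return o->kind == KIND_NETCONNECTION;
}

/* Dispatcher for a hypothetical native method: reads a NetConnection field
 * once the check passes; returns -1 when the object is rejected. With the
 * weak check the cast would reinterpret whatever memory a plain object
 * occupies, which is the type confusion described above. */
int read_member(const Object *o, bool (*is_netconnection)(const Object *)) {
    if (!is_netconnection(o))
        return -1;
    return ((const NetConnection *)o)->member;
}

/* Builds one genuine NetConnection and one plain object whose prototype was
 * reassigned by script, and counts how many of the two the check accepts. */
int count_accepted(bool (*is_netconnection)(const Object *)) {
    NetConnection real = { { &netconnection_proto, KIND_NETCONNECTION }, "rtmp://example", 42 };
    Object plain = { &plain_proto, KIND_PLAIN };
    plain.proto = &netconnection_proto;   /* script: obj.__proto__ = NetConnection.prototype */

    int accepted = 0;
    accepted += is_netconnection(&real.hdr);
    accepted += is_netconnection(&plain);
    return accepted;
}

int main(void) {
    printf("weak check accepts %d of 2 objects\n", count_accepted(weak_is_netconnection));
    printf("strict check accepts %d of 2 objects\n", count_accepted(strict_is_netconnection));
    return 0;
}
```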

The function that checks the proto object is actually the function that processes the ASnative(200,x) commands. It has a jump table that dispatches each function case, as shown in Figure 3.


Figure 3: Jump table for function dispatch

Function number 8 falls through the jump table to the code shown in Figure 4. If all the payload and vector spray code is removed from the exploit, it crashes there.


Figure 4: Crash point

The actual crash point looks like this:

7061f9b2 8b4f7c          mov     ecx,dword ptr [edi+7Ch] ds:002b:1a1e207c=????????

It tries to access invalid memory pointed to by the non-NetConnection object.

At this point, edi designates the start of the object, 0x1a1e2000. This value is directly controlled by the attacker. In the code below, 438181888 is simply the decimal form of 0x1a1e2000. This is an unexpected feature of ASnative and the ActionScript engine: you can control exactly what the ASnative object (edi) designates here:

var _loc2_ = _global.ASnative(2100,438181888);

The exploit author then needed an instruction that writes a field inside the fake object. First, the exploit sprays a large number of vector objects in memory. The specific exploit that we analyzed creates more than 120,000 Vector.<uint> objects with a length of 0x3FE, as shown in Figure 5. After spraying these objects, it shrinks each vector to a length of 0x1E to leave free space between them.


Figure 5: Vector object creation

We know that the fake ASnative object points to 0x1a1e2000 and that this address is allocated by the exploit code with a Vector.<uint> object from the heap spray, as shown in Figure 6.

From our testing, the allocation behavior of the ActionScript virtual machine was predictable, and we saw this memory area allocated 100% of the time. The attacker thereby acquires full control over the contents of the fake NetConnection object: whatever values the exploit fills into the Vector.<uint> array will be interpreted as the fields of a NetConnection object.


Figure 6: Vector.<uint> with a size of 0x1e is used as a fake NetConnection object

This fake NetConnection object is passed to various functions and treated as a real NetConnection object. The attacker figured out that function 8 can be used to achieve vector corruption. Function 8 has a subroutine that passes along one of the NetConnection member objects located at offset 0x7C, as shown in Figure 6. That object’s variable at offset 0xBD8 is later overwritten by an instruction.

Figure 7 shows the data flow and how a specific memory location can be written with a value from the new function call. The overwritten location is 0x1a1e2001 – right inside the vector.length field. Now the exploit has control over a much larger memory area than the vector legitimately owns. With this extra power, it can perform additional vector corruption to gain full-range memory control.


Figure 7: How vector corruption occurs

After the vector corruption, the exploit builds a ROP chain and shellcode by reading process memory and collecting the required gadget locations. The exploit creates a FileReference object in memory and overwrites its cancel method with a pointer to attacker-controlled code.

After that, it calls the FileReference.cancel method to pass control to malicious code.


Figure 8: Calling the FileReference.cancel method

In conclusion, this vulnerability resides in the old ActionScript 2 engine, an area that malicious attackers ignored for some time. However, now that a vulnerability in this legacy code has been revealed, we might see more exploits targeting it.

When the vulnerability is a type confusion, exploiting it is relatively easy for an attacker using the well-known method of corrupting vector objects. The predictable allocation behavior and layout of vectors in Adobe Flash Player have been exploited for some time. Using the vector corruption method, an attacker can gain a reliable entry point for exploiting vulnerabilities that are otherwise not so simple to exploit.

Understanding how this exploit works helps us to be better prepared to detect and patch future exploits. Exploits such as this are usually delivered through exploit kits. 

Jeong Wook Oh
MMPC



MS15-048 – Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (June 17, 2015): Corrected bulletin replacement for the 3035488 update for .NET Framework 2.0 on all affected editions of Windows Server 2003 Service Pack 2.
Summary: This security update resolves vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities could allow elevation of privilege if an attacker sends specially crafted data to a WinForms application running in partial trust.


MS14-051 – Critical: Cumulative Security Update for Internet Explorer (2976627) – Version: 1.4

Severity Rating: Critical
Revision Note: V1.4 (June 17, 2015): Replaced CVE number CVE-2014-4078 with CVE number CVE-2014-8985. This is an informational change only. The CVE description was not changed. Customers who have already successfully installed the update do not need to take any action.
Summary: This security update resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
