Archive

Archive for January, 2016

Have a suggestion for the Microsoft Endpoint Protection team? Here’s how to make your voice heard

January 28th, 2016 No comments

Do you have a suggestion or idea on how to improve Microsoft System Center Endpoint Protection? If so, the Endpoint Protection team would love to hear it through their User Voice site at https://configurationmanager.uservoice.com/forums/300492-ideas/category/115737-endpoint-protection. Please take a few minutes to submit your idea or vote up an idea submitted by another SCEP customer. All of the feedback you share in these forums is regularly monitored and reviewed by the Microsoft engineering teams responsible for building SCEP. They have already acted on some of the feedback they received, so please don’t hesitate to let them know what you think.

J.C. Hornbeck | Solution Asset PM | Microsoft

Categories: Uncategorized Tags:

The Emerging Era of Cyber Defense and Cybercrime

January 27th, 2016 No comments

Cyber threats are everywhere, from hackers causing mischief to show off their skills to organized crime syndicates employing sophisticated financial ruses against governmental organizations, businesses, social channels and individuals. Seventy-one percent of companies admit they fell victim to a successful cyberattack in 2014, leading them to increase their security investments. This in turn created a $170 billion security market in 2015, according to Gartner. Hackers aren’t just targeting companies—an estimated 556 million people fall victim to cybercrime annually, or 12 people every second. The World Economic Forum estimates the economic cost of cybercrime to be $3 trillion worldwide.

Today’s cyber criminals have substantial resources at their disposal. The increased sophistication and targeted nature of security threats, coupled with their increasing frequency, has made security breaches the top issue affecting all users and organizations today. As we look to the future, the explosion of connected devices and data flows is making it even more challenging to protect against advanced targeted attacks. By 2020, we estimate that:

  • Four billion people will be online—double today’s number
  • Fifty billion devices will be connected to the Internet
  • Data volumes online will be 50 times greater than today

These increased numbers add up to a higher level of complexity—and greater risk of malicious attacks and security exposure. Plus, an estimated 75 percent of infrastructure will be under third-party control (i.e., cloud providers or Internet Service Providers). It is critical to ensure that the provider you choose has the right people, processes, and technology available to accurately identify security breaches before they can cause damage, and to respond to events rapidly and effectively.

In the upcoming webinar, “The Emerging Era of Cyber Defense and Cybercrime,” we’ll discuss some of the emerging trends in cybersecurity and cybercrime. We’ll also tell you how Microsoft is working to help protect you and your data. Topics will include:

  • Common attacks and exploits
  • Microsoft’s layered approach to security (across more than 200 online services)
  • How Microsoft helps protect your data in the cloud

Join us to learn more about cybersecurity threats and how you can help protect your data and your organization.

The webinar, “The Emerging Era of Cyber Defense and Cybercrime,” will be held on February 9, 2016. Register here: http://aka.ms/e04t9e

Pete Boden
General Manager of Cloud and Enterprise Security

Categories: cybersecurity Tags:

MS15-OCT – Microsoft Security Bulletin Summary for October 2015 – Version: 2.1

Revision Note: V2.1 (January 27, 2016): For MS15-106, Bulletin Summary revised to add CVE-2015-6184. This is an informational change only.
Summary: This bulletin summary lists security bulletins released for October 2015.

Categories: Uncategorized Tags:

MS16-007 – Important: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (January 27, 2016): 1) Added an Update FAQ to explain that only certain versions of aepic.dll are affected by CVE-2016-0018; therefore, some customers will not be offered update 3121461. 2) Added an Update FAQ to explain why some customers are not being offered update 3109560. These are informational changes only. Customers who have already successfully installed the updates do not need to take any further action.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

Categories: Uncategorized Tags:

MS15-106 – Critical: Cumulative Security Update for Internet Explorer (3096441) – Version: 2.1

Severity Rating: Critical
Revision Note: V2.1 (January 27, 2016): Bulletin revised to add CVE-2015-6184. This is an informational change only.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

What’s Next for EU Cybersecurity after the NIS Agreement?

January 25th, 2016 No comments

After three years of intense negotiations, the EU finally reached agreement on the Network and Information Security (NIS) Directive this past December. Politically, all that remains to be done is for the text to be formally approved by the European Parliament and the Council of the EU in the coming months. Then Member States will have 21 months to implement this landmark legislation. At a technical level, however, there’s still work to be done. But more on that later.

Firstly, I would like to commend governments on finalizing what I am sure at times seemed like an arduous and thankless process. The final text of the Directive is much more likely to increase cybersecurity readiness across the EU, given its tighter focus on outcomes and the effectiveness of the obligations introduced. It is also positive to see that all Member States are adopting a national cybersecurity strategy and establishing new national authorities dedicated to cybersecurity, as well as Computer Security Incident Response Teams (CSIRTs). The commitment to greater international and intra-European coordination is equally encouraging.

The risk-based approach laid out in the Directive rightly concentrates government resources on protecting critical infrastructure (“operators of essential services”), making an important distinction between digital service providers overall and those that support the aforementioned essential services, by assigning them different sets of obligations. It is particularly important that the transnational nature of the online environment has been recognized and that governments are committed to greater harmonization of security and reporting requirements for digital services.

However, the extent to which EU Member States are able to harmonize the requirements will set the standard for judging the success of the Directive in years to come. The potential for this law to be replicated internationally hinges on the ability of Member States not only to develop new, complementary requirements, but also to align existing ones. Countries such as Germany, France and the Czech Republic have already adopted their own national implementations ahead of the Directive’s formal adoption.

An additional layer of complexity comes from the different sectoral requirements that could be developed for the different elements of essential services (e.g. the transport vs. healthcare sectors), and from how these will play out within a particular country and across the EU.

Designing a framework to address some of those concerns will be done through a combination of guidelines to be developed by the European Network and Information Security Agency (ENISA) and a set of implementing acts by the European Commission. ENISA’s ability to coordinate with both governments and the private sector will be critical in order for this process to yield effective and workable results in a relatively short timeframe. This is particularly true with regards to developing an incident reporting scheme – the first of its kind for the technology sector – and effective security baselines.

However, this will not be the only area the EU will focus on. In late December, the European Commission launched a new consultation on how to establish a public private partnership (PPP) on cybersecurity, which is part of the EU’s Digital Single Market Strategy. The PPP is expected to become operational this year, which is an ambitious timeline. The consultation also includes issues vital to increasing the level of network and information security across Europe: certification, standardization and labelling.

All of this could make 2016 the year that shifts cybersecurity in Europe from a topic of conceptual debate to the concrete foundation that is so urgently needed. It is time to roll up our sleeves.

Jan Neutze, Director of Cybersecurity Policy, EMEA

Categories: cybersecurity, Cybersecurity Policy Tags:

Security baseline for Windows 10 (v1511, “Threshold 2”) — FINAL

January 22nd, 2016 No comments

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1511, also known as “November Update,” “Build 10586,” “Threshold 2,” or “TH2.” The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will also be publishing SCM .CAB files for this Windows 10 baseline shortly, and will announce their availability on the Security Guidance blog. (Note that we will not be providing updated SCM .CAB files for the IE11 guidance. For that content, see the attachment on this blog post.)

These are the updates we have made since the draft release in November, following continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers:

  • Enabled “Turn off Microsoft consumer experiences,” which is a new setting as of version 1511.
  • Removed configuration of “Allow unicast response” from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide “Interactive logon: Machine inactivity limit” setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for “Recovery console: Allow automatic administrative logon.” This setting has been obsolete since Windows XP and its removal just got missed until now.

Windows 10 TH2 Security Baseline.zip

Categories: Uncategorized Tags:

Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) — UPDATE

January 22nd, 2016 No comments

Based on continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers, we are publishing a few changes to the security configuration baseline recommendations for Windows 10, version 1507. Version 1507 was the original RTM release of Windows 10, and is also known as “Build 10240,” “Threshold 1,” or “TH1.” Version 1507 is also the current Long Term Servicing Branch (LTSB) build, which is the primary reason for continuing to update the baseline for this version. Those who are not relying on the LTSB track should have already updated to version 1511. Note that we are simultaneously releasing final guidance for version 1511, also known as “November Update,” “Build 10586,” “Threshold 2,” or “TH2.”

These are the updates we have made:

  • Removed configuration of “Allow unicast response” from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide “Interactive logon: Machine inactivity limit” setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for “Recovery console: Allow automatic administrative logon.” This setting has been obsolete since Windows XP and its removal just got missed until now.

This specific baseline will be delivered only through the downloadable attachment to this blog post. The attachment includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will not be publishing SCM .CAB files for this baseline, as we are focusing our SCM resources on the “Threshold 2” release.

Windows 10 Security Baseline.zip

Categories: Uncategorized Tags:

New tool: Policy Analyzer

January 22nd, 2016 No comments

Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.

For example, the US Government Configuration Baseline (USGCB) for Windows 7 includes seven different GPOs. Policy Analyzer can treat them as a single set, and show all the differences between them and the Microsoft recommended baselines for Windows 10 and Internet Explorer 11 with a single comparison. You can also use it to verify changes that were made to your production GPOs.
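The set-level analysis described above (treating several GPOs as one unit, flagging redundant and conflicting settings, and diffing a captured baseline against a later snapshot), as an added Python example that is not Policy Analyzer’s own code. The GPO sets are constructed for this example from setting names that appear in this post and in the two baseline posts above; the policy paths and the “Legacy Hardening” GPO are illustrative labels, not Microsoft’s.

```python
"""Set-level GPO analysis in the spirit of Policy Analyzer (added example, not the tool's code)."""
from collections import defaultdict

# A GPO is modelled as a mapping (policy path, setting name) -> value, and a "set" is a
# dict of GPO name -> GPO. The sets below are constructed for this example: the setting
# names come from the baseline posts, the paths and the "Legacy Hardening" GPO are illustrative.
UNICAST_DOMAIN = ("Windows Firewall\\Domain Profile", "Allow unicast response")
UNICAST_PRIVATE = ("Windows Firewall\\Private Profile", "Allow unicast response")
CACHED_LOGONS = ("Local Policies\\Security Options",
                 "Interactive logon: Number of previous logons to cache")
INACTIVITY = ("Local Policies\\Security Options", "Interactive logon: Machine inactivity limit")
SCREEN_SAVER = ("Control Panel\\Personalization", "Screen saver timeout")
CONSUMER_EXP = ("Cloud Content", "Turn off Microsoft consumer experiences")

DRAFT_TH2 = {  # resembles the November draft: still carries the later-removed settings
    "Computer Security Baseline": {UNICAST_DOMAIN: "Disabled", UNICAST_PRIVATE: "Disabled",
                                   CACHED_LOGONS: "4", INACTIVITY: "900"},
    "User Security Baseline": {SCREEN_SAVER: "900"},
    "Legacy Hardening": {UNICAST_DOMAIN: "Disabled", CACHED_LOGONS: "10"},
}
FINAL_TH2 = {  # resembles the final release: removals applied, consumer experiences turned off
    "Computer Security Baseline": {INACTIVITY: "900", CONSUMER_EXP: "Enabled"},
    "User Security Baseline": {},
}


def merge_set(gpo_set):
    """Treat the whole set as one unit: setting -> [(gpo name, value), ...]."""
    merged = defaultdict(list)
    for gpo, settings in gpo_set.items():
        for key, value in settings.items():
            merged[key].append((gpo, value))
    return merged


def find_redundant_and_conflicting(gpo_set):
    """Settings defined by two or more GPOs: redundant if all values agree, conflicting otherwise."""
    redundant, conflicting = [], []
    for key, defs in merge_set(gpo_set).items():
        if len(defs) < 2:
            continue
        (redundant if len({v for _, v in defs}) == 1 else conflicting).append(key)
    return sorted(redundant), sorted(conflicting)


def effective_values(gpo_set):
    """Collapse a set to one view: setting -> sorted tuple of the distinct values it is given."""
    return {key: tuple(sorted({v for _, v in defs})) for key, defs in merge_set(gpo_set).items()}


def diff_sets(baseline, snapshot):
    """Compare two sets as units, e.g. a captured baseline against a later snapshot."""
    before, after = effective_values(baseline), effective_values(snapshot)
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]}
    return removed, added, changed


if __name__ == "__main__":
    redundant, conflicting = find_redundant_and_conflicting(DRAFT_TH2)
    print("redundant:", redundant)      # unicast response on the Domain profile, Disabled twice
    print("conflicting:", conflicting)  # cached logons: 4 in one GPO, 10 in another
    removed, added, changed = diff_sets(DRAFT_TH2, FINAL_TH2)
    print("removed:", removed)          # both unicast entries, cached logons, screen saver timeout
    print("added:", added)              # consumer experiences
    print("changed:", changed)          # {} : inactivity limit kept at 900 in both
```

Pointing the same functions at a dump of a system's current registry-backed policy values gives the "compare against local settings" view; the conflict report is the part worth checking before a set of GPOs is linked in production.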

The following screenshot shows two baselines compared with each other and to corresponding registry values on the local system. The lower pane displays the Group Policy setting, location, and other information associated with the selected row. Conflicting settings are highlighted in yellow; absent settings are shown as a grey cell. Policy Analyzer also offers options to display only rows containing conflicts or other differences.

The following screenshot shows Policy Analyzer’s Excel output. Policy Analyzer sorts results primarily by the Group Policy path and setting name columns, which are the leftmost columns.

Policy Analyzer is a lightweight standalone application that doesn’t require installation, and doesn’t require administrative rights (except for the “local policy” feature).

The downloadable attachment to this blog post contains Policy Analyzer, its full documentation and sample GPO sets taken from the Microsoft security configuration baselines.

[Updated 3 February 2016: download now includes representations of all Windows, IE, and Office GPOs published in the Security Compliance Manager.]

PolicyAnalyzer+Samples.zip

Categories: Uncategorized Tags: