What does it mean to implement DLP?? So far as I have seen; each vendor has his own view on how to enforce DLP within the organization and how to manage it.
The reason of what brought DLP to the surface is that I had a discussion with one of my customers on DLP enforcement and how to manage it within his infrastructure. While reviewing Email encryption solutions by Sophos and Symantec last week; I found that each vendor has his own concept “if we may call it like that” on DLP and how to manage and enforce it.
First, let me state my own view of DLP; DLP is a technology that helps the organization to own the information/data and prevent leaking those information/data out.
Modern information/data is stored in different locations now, some examples:
- ERP/CRM data.
- Email, Office files, PDF documents.
- SharePoint and similar portals.
- Laptops, USB memory sticks, and portable hard disks.
Helping any organization to control data on the above sources is not easy and could be done in several manners and ways, based on my findings; I will share some thoughts with people thinking about rolling out DLP in their infrastructure:
- DLP is not controlling physical ports (USB, serial, firewire ports..Etc).
- DLP is not DRM nor Encryption.
- Permissions help in controlling the data access, but when the data is accessed; a malicious consumer of the data could share them with 3rd parties or leak them out either intentionally or unintentionally.
- Internal users do most of the hacks/leaks.
- Encrypting the data might help in DLP, but will not help in controlling what happens if a malicious user decrypted them or encryption algorithm is broken, Also encrypting the data might not help when the organization need to share All/some data with authorized 3rd party.
- If the IT department secured physical ports/access, what about leaking the data out using corporate emails or worst, personal emails.
- How you will classify data as corporate and how you will classify data as none-corporate.
- Data classification is suitable for data stored in shared folders, but what about data in SQL/Oracle databases or data copied from documents and sent as emails.
- How data will be shared with 3rd party and secured outside the organization’s control circle.
- Monitoring, logging and alerting, and feeding other 3rd party security applications that are used by the security team.
- What about endusers experience, do we need any input from users?
- What about data in the cloud?!
As you can read from the above, DLP will never be a single solution/technology, DLP is a mix of solutions, technologies and processes that govern the data inside the corporate.
Hope that the above thoughts will shed some light and ring some bells in your head when thinking about DLP.
Part1: The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz
In Part 2 of this blog series, We will continue our exploration of the new File Server functionality, In order to complete our journey we will stop by one of my favourite but less fortunate features, Active Directory Rights Management Server.
Active Directory Rights Management Server or AD RMS has been around for several years, and for hidden and secret reasons it wasn’t adopted by a lot of customers, although I believe it is one of the most important features of Windows Server.
What is Active Directory Rights Management Services?
An AD RMS system includes a Windows Server® 2008-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista® operating system. The deployment of an AD RMS system provides the following benefits to an organization:
- Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as “confidential – read only” that can be applied directly to the information.
- Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
- Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.
More Information: http://technet.microsoft.com/en-us/library/cc771627(v=ws.10).aspx
In this blog we will install AD RMS on a new Windows Server 2012 machine, this machine will be used later in my next blog post for Data Classification and policy enforcement.
Installing Active Directory Rights Management Server in Windows Server 2012:
The AD RMS setup has been dramatically improved, in the old days it was hard, and even the improved setup experience in Windows 2008 is no match for the improved setup in Windows Server 2012, and as you can expect everything is controlled by the server manager so to install AD RMS, open the Sever manager and Select Add Roles and Features, from there select AD RMS, Once installed, the Server Manager will tell you that there is pending configuration
In the following screen, select the perform additional configuration:
and in the welcome screen click next:
In the AD RMS Cluster, and since this is the first server, we will create a new cluster:
In the Configuration Database, I will use internal Database, this is a lab environment but make sure to have the proper SQL installation in place if you are using the ADRMS setup in production:
In the Service Account, type in a designated service account, this is a normal account with special permissions (if you are installing the AD RMS on a DC”for testing”, this account must be a member of the Builtin “Administrators” group:
In the Cryptographic mode, Select mode-2 it is much more secure:
In the Key Storage, I will choose to use AD RMS to store the Key:
In the key password, supply a password to protect the key:
In the AD RMS Website, Select the Web Site that will host the AD RMS web services:
In the Cluster Address, Specify the FQDN that will be used my the clients to communicate with the AD RMS Server and the transport protocol, I will keep it simple and choose the HTTP, however you might want to use HTTPS since it is more secure:
In the Server Licensor Certificate name, specify a name for the certificate, and click next:
In the AD RMS service registration, register the AD RMS SCP unless for mysterious reasons you want to do it later:
In the installation summary, review the installation and click install:
Congrats, once finished you then you completed the AD RMS installation, you can configure templates and additional configuration.
In the next blog post, we will see how we can use the AD RMS and Data classification infrastructure to protect valuable and confidential data, on file shares.
Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz
I am so excited about the new Windows Server 2012, a lot of nice features and a lot of enhancement but one particular enhancement I am so interested in was around file servers.
for years, File Servers have been the same, a normal share that resides on the server and accessed by users, that is what they are and what they do, nothing new to introduce.
But with the recent increase of security demand, and huge need for DLP (Data leak prevention) and with the believe that most of leaks happens from employees not from hackers or intruders, companies kept looking to enhance their file servers.
The question now days is not about who is accessing the files, but it is about auditing that access, continuously enforcing that access, controlling the access and additionally knowing what is on that share and what sort of data inside and from where it is accessed.
let us take a normal example, a file share is located on corporate network, in the old days the control was only enforced by the File share and NTFS permissions, but there are some catches:
- if the user has permissions to access the file share, he can access it from everywhere, he can access it from a kiosk on the hotel, from his IPAD or tablet device without any control, as long as he has access to data using permissions he can do access it from anywhere (provided that there is a remote access).
- if he got access to the share, does that mean that he is allowed to access the data within the share, for example a share that is created for the R&D team contains all the R&D files, but not all R&D team members ]have the same level of access, now if a confidential file has been mistakenly placed on the share, all of the users who have access to the share can see the confidential data. although users should be aware about data confidentiality, but the company must be able to continuously control the data access on the data files themselves without warring about human mistakes which happens, and this is a big portion of the DLP controls.
- Controlling Access properties using groups are really tricky, and more often groups are created to reflect access criteria, so we have a group for Egypt’s Accountants, and another group for Qatar’s Accountants, and a third groups for Egypt’s Accountants with confidential data…etc and group counts can grow and grow to thousands and thousands of groups to reflect the needed level of access.
Windows Server 2012 comes with a lot of handy features that we will explore in this blog series, talking about Access Conditions, Data Classification, Dynamic Access Controls and Rights Management enforcement.
In Part1, we will explore the new security permissions wizard and the new device permissions in Windows Server 2012.
(My lab setup contains only 1 Domain Controller and 1 file Server both running Windows Server 2012 ENT Edition).
NTFS permissions and the new Device Rules:
I have now a normal file share that is shared with the finance admin group:
This is a normal group that has been created in AD and contains one user account (Finance User) who is a finance admin, he has read only access permissions, this is what we have been doing for the past 20 years.
Now, the company wants him to access the share only from specific group of computers (for the sake of this blog we will use normal blog, in part 3 we will talk about claims based authentication where we will explore claims authentication and we will be able to query the device claims on the fly for more properties and control and access dynamically).
Now I created a Group and Placed Finance User1 computer in it (in this case the File Server), this means that if he logs from the DC on that file share he will not be able to access it. let us see how:
If we go to the Security properties and the advanced share permissions, we can see the FinanceAdmin read and execute permissions, if we click Edit:
We Will see the new security permission wizard:
The above wizard has been enhanced to reflect more usability and control over the process, and also a new section called conditions, let us explore this condition section.
now we can place some conditions on the user how is accessing, the resource he is trying to access or the device he is accessing from, now let us create a condition to give the user access from a specific device, the device can only be queried about its group membership in later blog post we will see how to query for more properties using claims, now we can select if it is a member of any or each or not member of specific groups, I will control using any and specific my group:
My rule will control the access based on the AllowedFinancePCs which contains the computers from where the financeadmin group can use to access the files, they can login to any device in the corporate by only access the files if they use specific devices to access it “Sweeeeeeeet” :
Now, The final Security permissions will be like:
Now let us try it:
I logged on locally to the Fileserver, when I try to access the file I can’t although I have the permission and login locally but I am not using the authorized machine to do that:
if we examine the permissions using the effective permissions. if the user tries to login from the 2008DC machine he will have no permissions:
But if he tries from another machine from the allowedFinancePC group, he will have read permissions:
Note: During my lab I have tried the above setup and didn’t work, although conditions worked correctly for users, it looks like something that needs to be enabled or configured in specific way, I am pinging Microsoft folks and when I reach a solution I will update this blog.
In this lab we have explored the new options for setting access permissions, this is very powerful controlling who and from where can access the data.
In the next blog we will see the power of data classification in Windows Server 2012, Stay Tuned.
got this handy email from TrenMicro, would like to share it with you:
Disttrack/Shamoon Malware Overwrites Files
Last week reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A via pattern file 9.328.04.
Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.
How it works:
Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It drops two primary components:
TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected in the computer. It then overwrites disks with a small portion of a JPEG image found on the Internet. Once overwritten, these files can no longer be restored or opened.
On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer. It also uses what appears to be a legitimate system driver to gain low-level access to a hard drive so it can wipe the master boot record Windows machines rely on to boot up. The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number.
How to identify an infection:
Unlike most malware, which rarely destroy files or wipe the Master Boot Record, Shamoon cripples the victims computer once it has stolen the data and is rendered unusable. However PC virus logs will still be able to indicate whether an infection has occurred.
we have been working with the OCS PG last week in preparing a detailed table for ports requirements and firewall configuration for restricted OCS deployments.
the difference in this table that we have detailed as much as we can the different communication ports and firewall requirements for all of the segmented including internet, internal and enterprise voice communications.
we also detailed the ports and communication paths so it can be reader-friendly for the Security/Firewall engineers.
the wiki assumes that servers are deployed in the same VLAN and separated by a very restricted firewall configuration, Edge is deployed in the DMZ and again restricted firewall configuration is required.
currently the document still being reviewed, but if you are interested in following it you will find it on the wiki, here http://social.technet.microsoft.com/wiki/contents/articles/ocs-2007-r2-firewall-port-settings.aspx, we will be publishing another one for Lync as well linked to the wiki.
we will validate the wiki this week at a customer location and we will publish the updates later.
Thanks to Tom, Rick and Rui for their support during creating this wiki.
well done ya kimooooooooooo
زي ما قولت في مواقع كتيييييييييير للاسف مليئة بالثغرات الامنية
اول موقع ننوه عنه النهاردة هو www.thejobmasters.com الموقع فيه ثغرات SQL injection و الكود البرمجي يتيح استخدام Cross site scripting مما يكشف البيانات الموجودة في قاعدة البيانات ، و هذا شئ خطير نظرا لانه يتيح الحصول على معلومات سرية غير متاحة الا للمشتركين حيث هذا الموقع يقوم بالتوظيف و قاعدة بياناته مليئة ، الثغرات تتيح الدخول بدون استخدام كلمة سر و الدخول بأي حساب سواء موظف او شركة
احب ان اقول انه الثغرة تم اكتشافها بوساطتي و سيتم طلب تأكيدها من اصدقاء مستقلين في الفريق العربي للبرمجة
المعلومات و التحذير جاء بغية التحذير لا اكثر و لا اقل و تنبيه مستخدمي الموقع و اخذ حذرهم بعدم وضع معلومات سرية او شخصية ، و ليس لي اي مصلحة مالية او مادية و انا لا انتمي لاي شركة تمارس نشاطا مضادا للموقع
اتمنى من مبرمجي الموقع ان يقوموا بتحسين كود الموقع عبر ال Variable sanitation و ال User input validation
برضوا الكورسات نفعت لانه زي ما انتوا عارفين فانه اتجاهي في الشبكات هو امن المعلومات رغم عملي في ال infrastrucutre و ال messaging
و نظرا لانه انا بقيت مسئول عن امن المعلومات في كل المشاريع التي اتولاها بشك اساسي و عملي ك security auditor و مؤخرا ك penteration tester فقد وجدت الكثير من المواقع العربية التي تحوي ثغرات برمجية قاتلة تسمح باختراقها
لذا فسيكون جزء من البلوج خاص بالتبليغ عن مثل هذه المواقع لانه للاسف راسلت بعضها و لم يستجيبوا لذا لم يتبقى لنا الا ان نحذر المستخدمين العرب لكي يتجنبوها
المعلومات التي تنشر في هذا القسم للتنويه العلمي و انا غير مسئول عن اي شخص يسئ استخدام هذه المعلومات
و غرضي هو تنبيه المستخدمين لعدم استخدامهم هذه المواقع نظرا لحساسية ما تحتوية من معلومات
و نراكم في اول موقع باذن الله
للاسف مايكروسوفت خيبت ظني مش عارف للمرة الكام بعد الكام
بم اني بدرس كورس ال certified Ethical hacker اليومين دول عقبال عندكم فالواحد وجد الكثير و الكثير من الافكار التي يستطيع ان يجربها في المعمل
و عجبتني فكرة ال MITM اوي و قررت تجربتها
استعملت اول اداة مشروحة في اول سطر الا و هي ال Smbrelay
اداة بسيطة جدا جدا جدا مجرد مشتغلعا تقف زي الزنهار على بورت 139 اللي بيتم عمل ال authentication عليه
اما بتحاول تدخل على اي سيرفر في الكومبيوتر تلقائيا يقوم بارسال اليوسر نيم و الباسوورد زي الاهبل كده علشان تدخل عليه
الاداة دي بتقف بقا و تقدر تحتفظ باللوجين ده لنفسها لكي يمكنك استعماله لاحقا
تاني يا ميكو
طب اعمل فيكي ايه
ال NAT هو تكنولوجي واسعة النطاق يتم من خلالها اتاحة الاتصال بالانترنت لعدة اجهزة من خلال اي بي واحد فقط
او يتم استخدامها بعمل ستاتيك NAT يتم فيه عمل ترجمة ثابتة لكل الترافيك الصادر و الوارد لجهاز معين على الشبكة الداخلية من على الراوتر او الفايروول لاتاحة خدمة على هذا السيرفر للانترنت مثل ويب او ميل سيرفر
ظهرت مشكلة عويصة في ال NAT مع استخدام ال IPSEC و هي ان ال NAT يقوم بتغيير الاي بي و البورت الموجودان في هيدر الباكت و نظرا لانه ال IPSEC يقوم بوضع الاي بي في الPAYLOAD الخاص به و الذي لا يوافق الاي بي الموجود في ال IKE الذي هو اي بي ال NAT DEVICE فانه الجهاز على الطرف الاخر يقوم بعمل DROP للباكت
المشكلة الاخرى هي ال TCP CHECKSUM و التي تقوم بالتأكد من صحة الباكت المرسلة
في العادي يتم وضع الاي بي و البورت في هيدر ال TCP و في الوضع العادي تقوم ال NAT DEVICE بتغيير الاي بي و البورت اما في حالة استخدام IPSEC فانه يتم تشفير هذا الهيرد باستخدام ال ESP و بم انه الهيدر مشفر لا تستطيع ال NAT DEVICE تغيير الهيدر و بالتالي يكون ال CHECKSUM غير مظبوط و يتم عم DROP للباكت
كيف تم حل المشكلة؟
تم عمل ال NAT-T و التي تقوم بعمل UDP HEADER يحتوي ال ESP HEADER و بالتالي تستطيع ال NAT DEVICE ترجمته
ايضا يتم وضع الاي بي للجهاز المرسل في خانة ال ORIGINAL IP و تركها كما هي و بالتالي يمكن التأكد من ال CHECKSUM
Symantec Backup Exec BExpert No. 20
Follow me on Twitter
- 232,964 Visits
- Active Directory
- bla bla bla
- Book Reviewes
- Career Development
- Deep in Active Directory
- Exchange 2010
- Exchange 2010 AKA E14
- Exchange and UC
- Exchange Server 2013
- IPility Training Offerings
- IT Events
- Lync 2010
- OCS 2007 R2/CS14
- OCS2007 R2
- Office 365
- Security related
- Social Media
- Storage and Networking
- System Center
- Unified Communications
- كلام في السياسة
- Windows Server 2012
- Wirless related
- حقائق غير تاريخية
- Thoughts on DLP in modern business…
- Dude, What are the 5 elements I must consider in my virtual machine backups?
- Boosting your career and knowledge in Active Directory
- Announcement: Exchange 2013 sp1 will support running from removable media such as “flash drives”
- Using Redirect with OWA breaks RSA SecureID authentication
- May 2013 (1)
- April 2013 (3)
- March 2013 (4)
- February 2013 (1)
- January 2013 (3)
- December 2012 (4)
- November 2012 (1)
- October 2012 (5)
- September 2012 (19)
- August 2012 (4)
- July 2012 (5)
- June 2012 (9)
- March 2012 (6)
- February 2012 (1)
- January 2012 (1)
- December 2011 (4)
- November 2011 (1)
- October 2011 (3)
- September 2011 (4)
- August 2011 (1)
- June 2011 (1)
- April 2011 (7)
- February 2011 (5)
- January 2011 (6)
- December 2010 (4)
- November 2010 (5)
- October 2010 (14)
- September 2010 (4)
- August 2010 (9)
- July 2010 (17)
- June 2010 (23)
- May 2010 (23)
- April 2010 (7)
- March 2010 (9)
- February 2010 (5)
- January 2010 (1)
- December 2009 (7)
- November 2009 (4)
- September 2009 (5)
- August 2009 (13)
- May 2009 (2)
- April 2009 (3)
- January 2009 (2)
- December 2008 (5)
- November 2008 (4)
- October 2008 (7)
- July 2008 (2)
- June 2008 (2)
- May 2008 (2)
- April 2008 (30)
- March 2008 (60)
- February 2008 (1)
- @seksek @mimi_mokka الحشيش بيديلوا قدرات خارقة 20 minutes ago
- RT @ankoenigSYMC: What are the 5 elements I must consider in my virtual machine backups? | @_busbar ow.ly/kxqsf #HyperV 5 hours ago
- How to talk like a CIO bit.ly/12lIPYV 19 hours ago
- @3abkarin0: @_busbar do u know someone willing to work in UAE as pre sale for share point with wipro. looping @AymanElHattab @marwantarek 1 day ago
- #VMware launches dual persona feature for Verizon smartphones - bit.ly/15Ya9De 1 day ago