Archive for the ‘Security related’ Category

Installing Symantec Encryption Server & Exchange 2010 Configuration Part3–Sending Encrypted Emails

June 2, 2013

In part 1 and part 2 we explored the basics of installing the SES and of configuring and managing encryption keys; in this part we will glue parts 1 and 2 together and send encrypted emails.

Understanding Email Policies:

Email policies are the building blocks for handling email: they determine how messages from specific senders, sent to specific recipients with specific content, will be handled.

A set of default policies is created out of the box:


They determine how outbound and inbound emails are handled; the default policy has the following settings:


The outbound client policy has the following settings:


which tells the SES, when the source client is SMTP/MAPI, to send the email to the outbound chain, which performs the encryption actions:


If we explore the outbound chain, we will find the following settings:


which instructs the SES how to handle emails that match specific conditions. I edited this rule and added the “confidential rule”, which encrypts emails sent internally or externally with the word “confidential” in the subject line. You can add your own set of rules to meet your business needs and enforce certain delivery types such as web or protected PDF:


Once the rules are set, you can send encrypted emails; let us see how:

From the Outlook client, I will send a normal email to (which is a fictional domain); the client will detect the policy set on the server and will send the email out of the message stream to the SES:


Because we can’t find a key for, the email is sent to the SES server, and the SES sends the recipient an email notifying him that there is a message waiting for him:


In the above email, I am opening the EML file in Notepad (I only have an SMTP server on the recipient side); the message contains the link to open the email. Take a look at how the email flowed from the client to keys (“the SES Server”) to Exchange to the recipient server.

When opening the link, the recipient is prompted to register in the SES portal with a passphrase; then the user can log in:


Once the user logs in, he can see the email through the portal; the user can reply and interact securely with the internal user or ask for email delivery via secure PDF:
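The outbound flow described above, as an added example rather than Symantec’s code: a rule chain is evaluated against a message, the “confidential rule” asks for encryption, and the message is encrypted to the recipient’s key if one exists in the key directory or, if not, held on the SES with a pickup notification for the web portal. The domain names, the portal URL and the key directory contents are placeholders constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable

INTERNAL_DOMAIN = "corp.example"           # assumed internal mail domain (placeholder)
SES_PORTAL = "https://ses-host.example/b"  # placeholder for the SES web messenger URL

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    source: str = "MAPI"   # client type; the outbound client policy hands SMTP/MAPI mail to the chain

@dataclass
class Rule:
    name: str
    matches: Callable[[Message], bool]
    action: str            # "encrypt" or "deliver"

# Stands in for the PGP LDAP key directory: only one recipient has a public key (constructed)
KEY_DIRECTORY = {"bob@corp.example": "PGP-KEY-BOB"}

def confidential_rule(msg: Message) -> bool:
    """The 'confidential rule' added to the outbound chain: subject contains 'confidential'."""
    return "confidential" in msg.subject.lower()

OUTBOUND_CHAIN = [
    Rule("confidential rule", confidential_rule, "encrypt"),
    Rule("default", lambda m: True, "deliver"),   # catch-all: anything else goes out in the clear
]

def is_internal(address: str) -> bool:
    return address.lower().rsplit("@", 1)[-1] == INTERNAL_DOMAIN

def apply_action(rule: Rule, msg: Message) -> dict:
    scope = "internal" if is_internal(msg.recipient) else "external"
    if rule.action == "deliver":
        return {"rule": rule.name, "scope": scope, "disposition": "clear"}
    key_id = KEY_DIRECTORY.get(msg.recipient.lower())
    if key_id is not None:
        # Recipient key found: encrypt to it and release the message to Exchange
        return {"rule": rule.name, "scope": scope, "disposition": "pgp-encrypted", "key": key_id}
    # No key: hold the message on the SES and notify the recipient with a pickup link
    return {"rule": rule.name, "scope": scope, "disposition": "web-messenger",
            "notification": f"To {msg.recipient}: a message from {msg.sender} is waiting at {SES_PORTAL}"}

def outbound_client(msg: Message) -> dict:
    """Evaluate a message the way the outbound client policy and the outbound chain would."""
    if msg.source not in ("SMTP", "MAPI"):
        return {"rule": None, "scope": None, "disposition": "not-handled"}
    for rule in OUTBOUND_CHAIN:
        if rule.matches(msg):
            return apply_action(rule, msg)
    raise RuntimeError("chain must end with a catch-all rule")

if __name__ == "__main__":
    for m in (Message("alice@corp.example", "bob@corp.example", "Confidential: Q3 numbers"),
              Message("alice@corp.example", "carol@partner.example", "confidential budget"),
              Message("alice@corp.example", "carol@partner.example", "lunch?")):
        print(m.recipient, "|", m.subject, "->", outbound_client(m)["disposition"])
```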



We have reached the end of this series; we can now send and exchange emails securely with Symantec Encryption Server. I hope that you liked this series.


Installing Symantec Encryption Server & Exchange 2010 Configuration Part2–Understand key Management

May 22, 2013

In part 1 we explored the basic steps to install the Symantec Encryption Server.

In this post, we will explore a very important aspect of any encryption solution: key management.


To understand what public/private keys are, check these links:

If you read the above articles, you will realize that we will be using public and private keys. While Microsoft uses X.509 certificates issued by a Microsoft CA, with S/MIME to encrypt the messages, Symantec Encryption Server uses PGP keys, which have a different structure; the keys are stored in the PGP LDAP server (we will see how to import an X.509 certificate into Symantec Encryption Server later).

Key Provisioning:

In order to obtain PGP keys, the user must register with the server; let us see the steps to do that.

To configure email enrolment, first you need to define a mail route; this tells the encryption server where to send the registration emails and any emails sent to your domain. From the control panel, go to mail > mail route and add a mail route to your server:


When you download the Encryption Desktop install package and install it on the machine, the client will automatically detect the encryption server and try to contact it. Since I don’t have a valid certificate on my server, it warns me; click on “always trust this site”.


Enter the email address:


The user will receive an encrypted email:


Once the user opens the encrypted email, he/she can continue the registration:



Verify the username and email address:


Create a passphrase to protect your key (remember this step, as we will talk about it in detail later when discussing the key storage types):


The key will be generated for the user:


Now when you open Encryption Desktop, you will see the keys and policies that the encryption server created and assigned to the user:


In the console, you can see the list of managed keys as well:


If you click on the key mode button (in the Encryption Desktop window), you will see that the key is operating in SKM mode; so what is that?


Keys in Symantec Encryption Server operate in one of several modes:

  • Server Key Mode (SKM): the private keys are stored on the server and users can’t manage their keys.
  • Client Key Mode: the private keys are not stored on the server; users must manage their own private key and protect it.
  • Guarded Key Mode: a passphrase-protected private key is stored on the server and clients manage their key.
  • Server Client Key Mode: a subkey of the private key is stored on the server; the private key itself is still stored on the client.

You must be very careful when selecting the key mode in your environment; depending on the key mode, you will have or lose some features, as per the table below:


At first glance, SKM might seem the ultimate answer, but you have to be aware that administrators have control over the private keys, which might be a security concern.

To change the mode of the key being used, click on the reset key button and you will be taken through a page that helps you select the appropriate key mode.

You can also restrict the modes available in your organization; to do so, edit the consumer policy and change the available modes:


Installing Symantec Encryption Management Server and Exchange 2010 Configuration Part1

May 21, 2013

In this blog series, we will install Symantec Encryption Server (previously known as PGP Universal Server) together and configure it to work with Exchange 2010. Additionally, we will explore some cool features around virtual disks, disk encryption and secure email delivery.

The Symantec Encryption Server binaries are certified for installation as a virtual machine; this is the deployment Symantec recommends, and it is the method we will use in our environment.

Symantec Encryption Server can manage several different encryption products and solutions including:

  • Symantec encryption email gateway.
  • Symantec Encryption Desktop.
  • Symantec File share encryption.
  • Symantec Encryption portable.
  • Symantec Drive encryption.

In this blog, we will install Symantec Encryption Server v3.3, the latest version of the product at the time of writing. There are several design and architectural decisions that must be taken into consideration for certain features to work; we will explore them later.

To install Symantec Encryption Server, download the ISO image and create a virtual machine; the documentation and install guide mandate that the VM be created with the Kernel 2.6 x86 guest type, with 4 GB of memory for a single instance and 8 GB for HA instances.

Once you start the VM with the ISO attached, follow the simple install wizard that will take you through the installation steps:




In the IP address field, specify the IP address for the appliance:


Specify the Gateway and DNS servers:


Specify the host name; one important point to note is that your appliance MUST be named (, this is mandatory if you want to interoperate with other PGP key servers. PGP key servers contact the recipient’s key server, “if available”, on (when the server can’t locate a public key for the recipients); thus, if you want to exchange secure emails with external parties, you must name the server’s FQDN accordingly and this name must be reachable from outside.


Once you finish the wizard, the setup starts automatically; when it finishes, the appliance reboots and the post-installation setup is launched:


Accept the license agreement:


For the installation type, choose the installation mode; since this is the first server, we will choose new installation.


Set the time/date:


Confirm the IP settings:


Confirm the setup summary:




Enter the license information:


Enter the administrator information and password:


Enter the primary domain that you use to send/receive emails:


To protect the server in case it is physically attacked, you must configure the ignition keys. I will use a passphrase as my ignition key; enter it and continue:



Review the setup summary:


Once setup completes, you can log in to the admin console on


This completes the Symantec Encryption Server installation. In part 2 we will continue with the initial setup and key management; parts 2 and 3 will be fun, so stay tuned.

Thoughts on DLP in modern business…

May 17, 2013

What does it mean to implement DLP? As far as I have seen, each vendor has its own view on how to enforce DLP within the organization and how to manage it.

What brought DLP to the surface is a discussion I had with one of my customers on DLP enforcement and how to manage it within his infrastructure. While reviewing email encryption solutions by Sophos and Symantec last week, I found that each vendor has its own concept (if we may call it that) of DLP and how to manage and enforce it.

First, let me state my own view of DLP: DLP is a technology that helps the organization own its information/data and prevent that information/data from leaking out.

Modern information/data is now stored in many different locations, for example:

– ERP/CRM data.

– Email, Office files, PDF documents.

– SharePoint and similar portals.

– Laptops, USB memory sticks, and portable hard disks.

Helping any organization control data in the above sources is not easy and can be done in several ways. Based on my findings, I will share some thoughts with people thinking about rolling out DLP in their infrastructure:

– DLP is not about controlling physical ports (USB, serial, FireWire, etc.).

– DLP is not DRM, nor is it encryption.

– Permissions help control data access, but once the data is accessed, a malicious consumer of the data could share it with third parties or leak it out, intentionally or unintentionally.

– Internal users do most of the hacks/leaks.

– Encrypting the data might help with DLP, but it will not help control what happens if a malicious user decrypts it or the encryption algorithm is broken. Also, encrypting the data might not help when the organization needs to share all or some of the data with an authorized third party.

– If the IT department has secured physical ports/access, what about leaking the data out using corporate email or, worse, personal email?

– How will you classify data as corporate, and how will you classify data as non-corporate?

– Data classification is suitable for data stored in shared folders, but what about data in SQL/Oracle databases or data copied from documents and sent as emails?

– How will data be shared with third parties and secured outside the organization’s circle of control?

– Monitoring, logging and alerting, and feeding other third-party security applications used by the security team.

– What about the end-user experience; do we need any input from users?

– What about data in the cloud?

As you can see from the above, DLP will never be a single solution or technology; DLP is a mix of solutions, technologies and processes that govern the data inside the corporation.

I hope the above thoughts shed some light and ring some bells when you think about DLP.

The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz

September 10, 2012

Part1: The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz


In part 2 of this blog series, we will continue our exploration of the new file server functionality. In order to complete our journey, we will stop by one of my favourite but less fortunate features, Active Directory Rights Management Server.

Active Directory Rights Management Server, or AD RMS, has been around for several years, and for hidden and secret reasons it hasn’t been adopted by many customers, although I believe it is one of the most important features of Windows Server.

What is Active Directory Rights Management Services?

An AD RMS system includes a Windows Server® 2008-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista® operating system. The deployment of an AD RMS system provides the following benefits to an organization:

  • Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as “confidential – read only” that can be applied directly to the information.
  • Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
  • Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

More Information:

In this blog we will install AD RMS on a new Windows Server 2012 machine; this machine will be used in my next blog post for data classification and policy enforcement.

Installing Active Directory Rights Management Server in Windows Server 2012:

The AD RMS setup has been dramatically improved. In the old days it was hard, and even the improved setup experience in Windows Server 2008 is no match for the setup in Windows Server 2012. As you would expect, everything is controlled by Server Manager, so to install AD RMS, open Server Manager and select Add Roles and Features, then select AD RMS. Once installed, Server Manager will tell you that there is pending configuration:


In the following screen, select Perform additional configuration:


In the welcome screen, click Next:


In the AD RMS Cluster step, since this is the first server, we will create a new cluster:


In the Configuration Database step, I will use the internal database. This is a lab environment; make sure to have a proper SQL Server installation in place if you are deploying AD RMS in production:


In the Service Account step, type in a designated service account. This is a normal account with special permissions (if you are installing AD RMS on a DC “for testing”, this account must be a member of the built-in “Administrators” group):


In the Cryptographic Mode step, select mode 2, which is much more secure:


In the Key Storage step, I will choose to use AD RMS to store the key:


In the Key Password step, supply a password to protect the key:


In the AD RMS Website step, select the website that will host the AD RMS web services:


In the Cluster Address step, specify the FQDN that clients will use to communicate with the AD RMS server, and the transport protocol. I will keep it simple and choose HTTP; however, you might want to use HTTPS since it is more secure:


In the Server Licensor Certificate name step, specify a name for the certificate and click Next:


In the AD RMS Service Registration step, register the AD RMS SCP, unless for mysterious reasons you want to do it later:


In the installation summary, review the settings and click Install:


Congratulations: once it finishes, you have completed the AD RMS installation, and you can now configure templates and additional settings.

In the next blog post, we will see how we can use AD RMS and the data classification infrastructure to protect valuable and confidential data on file shares.

The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz

September 9, 2012

Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz

I am so excited about the new Windows Server 2012: a lot of nice features and a lot of enhancements, but one particular enhancement I am very interested in is around file servers.

For years, file servers have been the same: a normal share that resides on the server and is accessed by users. That is what they are and what they do, with nothing new to introduce.

But with the recent increase in security demands, the huge need for DLP (data leak prevention), and the belief that most leaks come from employees rather than from hackers or intruders, companies kept looking to enhance their file servers.

The question nowadays is not about who is accessing the files, but about auditing that access, continuously enforcing and controlling it, and additionally knowing what is on that share, what sort of data is inside, and from where it is accessed.

Let us take a normal example: a file share located on the corporate network. In the old days, control was only enforced by the file share and NTFS permissions, but there are some catches:

  • If the user has permission to access the file share, he can access it from anywhere: from a kiosk in a hotel, from his iPad or tablet device, without any control. As long as he has access to the data through permissions, he can access it from anywhere (provided that there is remote access).
  • If he has access to the share, does that mean he is allowed to access all the data within it? For example, a share created for the R&D team contains all the R&D files, but not all R&D team members have the same level of access. Now if a confidential file is mistakenly placed on the share, all of the users who have access to the share can see the confidential data. Although users should be aware of data confidentiality, the company must be able to continuously control access on the data files themselves without worrying about human mistakes, which do happen; this is a big portion of the DLP controls.
  • Controlling access properties using groups is really tricky, and more often than not groups are created to reflect access criteria, so we have a group for Egypt’s accountants, another group for Qatar’s accountants, a third group for Egypt’s accountants with confidential data, etc., and group counts can grow and grow to thousands and thousands of groups to reflect the needed level of access.

Windows Server 2012 comes with a lot of handy features that we will explore in this blog series: access conditions, data classification, Dynamic Access Control and Rights Management enforcement.

In part 1, we will explore the new security permissions wizard and the new device permissions in Windows Server 2012.

(My lab setup contains only one domain controller and one file server, both running Windows Server 2012 ENT Edition.)

NTFS permissions and the new Device Rules:

I now have a normal file share that is shared with the finance admin group:


This is a normal group created in AD; it contains one user account (Finance User), who is a finance admin with read-only access permissions. This is what we have been doing for the past 20 years.

Now, the company wants him to access the share only from a specific group of computers (for the sake of this blog we will use a normal group; in part 3 we will talk about claims-based authentication, where we will be able to query the device claims on the fly for more properties and control access dynamically).

Now I created a group and placed Finance User1’s computer in it (in this case the file server); this means that if he logs on from the DC, he will not be able to access that file share. Let us see how:

If we go to the Security properties and the advanced share permissions, we can see the FinanceAdmin read and execute permissions; if we click Edit:


We will see the new security permission wizard:


The above wizard has been enhanced for more usability and control over the process, and it also has a new section called Conditions; let us explore this section.

If you click Add a Condition, you will get a new condition line to control the access:

Now we can place conditions on the user who is accessing, the resource he is trying to access, or the device he is accessing from. Let us create a condition that gives the user access from a specific device. For now the device can only be queried about its group membership (in a later blog post we will see how to query for more properties using claims); we can select whether it is a member of any, a member of each, or not a member of specific groups. I will use “member of any” and specify my group:


My rule will control access based on the AllowedFinancePCs group, which contains the computers from which the financeadmin group can access the files. They can log on to any device in the corporation but can only access the files if they use specific devices to do so. “Sweeeeeeeet”:


Now, the final security permissions will look like this:


Now let us try it:

I logged on locally to the file server; when I try to access the file I can’t, although I have the permission and logged on locally, because I am not using the authorized machine to do that:


If we examine the permissions using the effective permissions: if the user tries to log on from the 2008DC machine, he will have no permissions:


But if he tries from another machine in the allowedFinancePC group, he will have read permissions:
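The access evaluation this post builds, as an added example that models the intended behaviour rather than any Microsoft code: an allow entry for FinanceAdmin carries a device condition, and the three condition operators the wizard offers (member of any, member of each, not member of) are evaluated against the device’s group membership. The machine names, group memberships and the Deny handling are constructed for this example, and the Deny-wins rule is a simplification of Windows’ ordered ACL evaluation.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Condition:
    """Device group-membership condition with the three operators the wizard offers."""
    operator: str               # "member_of_any" | "member_of_each" | "not_member_of"
    groups: FrozenSet[str]

    def holds(self, device_groups: FrozenSet[str]) -> bool:
        if self.operator == "member_of_any":
            return bool(self.groups & device_groups)
        if self.operator == "member_of_each":
            return self.groups <= device_groups
        if self.operator == "not_member_of":
            return not (self.groups & device_groups)
        raise ValueError(f"unknown operator {self.operator}")

@dataclass(frozen=True)
class Ace:
    principal: str                       # user or group the entry applies to
    rights: FrozenSet[str]
    allow: bool = True                   # False models a Deny entry
    condition: Optional[Condition] = None

# Constructed lab data standing in for AD group lookups
USER_GROUPS = {"FinanceUser": frozenset({"FinanceAdmin", "Domain Users"})}
DEVICE_GROUPS = {
    "FILESERVER": frozenset({"AllowedFinancePCs", "Domain Computers"}),
    "2008DC": frozenset({"Domain Controllers"}),
}

# The ACL built in the post: FinanceAdmin gets Read and Execute only from AllowedFinancePCs
FINANCE_SHARE_ACL = [
    Ace("FinanceAdmin", frozenset({"Read", "Execute"}),
        condition=Condition("member_of_any", frozenset({"AllowedFinancePCs"}))),
]

def applies(ace: Ace, user: str, device_groups: FrozenSet[str]) -> bool:
    """An entry applies when the principal matches the user (or a group he is in) and its condition holds."""
    if ace.principal != user and ace.principal not in USER_GROUPS.get(user, frozenset()):
        return False
    return ace.condition is None or ace.condition.holds(device_groups)

def effective_access(user: str, device: str, acl=FINANCE_SHARE_ACL) -> FrozenSet[str]:
    """Rights the user ends up with when connecting from the given device (the Effective Access view)."""
    device_groups = DEVICE_GROUPS.get(device, frozenset())
    granted, denied = set(), set()
    for ace in acl:
        if not applies(ace, user, device_groups):
            continue
        (granted if ace.allow else denied).update(ace.rights)
    return frozenset(granted - denied)   # simplification: an applicable Deny removes the right

if __name__ == "__main__":
    for device in ("2008DC", "FILESERVER"):
        print(device, "->", sorted(effective_access("FinanceUser", device)) or "no access")
```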


Note: During my lab I tried the above setup and it didn’t work, although conditions worked correctly for users; it looks like something needs to be enabled or configured in a specific way. I am pinging Microsoft folks and when I reach a solution I will update this blog.


In this lab we have explored the new options for setting access permissions; this is very powerful for controlling who can access the data and from where.

In the next blog we will see the power of data classification in Windows Server 2012. Stay tuned.

Alarm about the Disttrack/Shamoon Malware

August 29, 2012

I got this handy email from Trend Micro and would like to share it with you:

Disttrack/Shamoon Malware Overwrites Files

Last week reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A via pattern file 9.328.04.

Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.

How it works:

Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected in the computer. It then overwrites disks with a small portion of a JPEG image found on the Internet. Once overwritten, these files can no longer be restored or opened.

On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer. It also uses what appears to be a legitimate system driver to gain low-level access to a hard drive so it can wipe the master boot record Windows machines rely on to boot up. The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number.

How to identify an infection:

Unlike most malware, which rarely destroy files or wipe the Master Boot Record, Shamoon cripples the victim’s computer once it has stolen the data, and the computer is rendered unusable. However, PC virus logs will still be able to indicate whether an infection has occurred.
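A triage helper for the indicators named in the advisory above, added here as an example and not Trend Micro’s tooling: it scans antivirus detection lines for the three detection names and share audit lines for the dropped file names written to administrative shares, then orders affected hosts for response, with the MBR wiper component first. The key=value log formats, host names and timestamps are constructed for this example.

```python
import re
from collections import defaultdict

# Indicator names quoted in the advisory
DETECTION_NAMES = {"WORM_DISTTRACK.A", "TROJ_WIPMBR.A", "TROJ_DISTTRACK.A"}
DROPPED_FILE_NAMES = {"clean.exe", "dvdquery.exe"}
ADMIN_SHARES = {"admin$", "c$"}          # standard Windows administrative shares

# Assumed key=value line formats for this example, not any vendor's real log format
AV_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) threat=(?P<threat>\S+)$")
SHARE_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) share=(?P<share>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$")

def find_indicators(av_lines, share_lines):
    """Map host -> list of (kind, indicator, detail) for hosts matching the advisory's indicators."""
    hits = defaultdict(list)
    for line in av_lines:
        m = AV_LINE.match(line)
        if m and m["threat"].upper() in DETECTION_NAMES:
            hits[m["host"]].append(("av", m["threat"].upper(), m["action"]))
    for line in share_lines:
        m = SHARE_LINE.match(line)
        if not m or m["op"] != "write":
            continue                      # only new copies written to a share matter here
        basename = m["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if m["share"].lower() in ADMIN_SHARES and basename in DROPPED_FILE_NAMES:
            hits[m["host"]].append(("share-drop", basename, m["share"]))
    return dict(hits)

def priority(host_hits):
    """Triage order: the MBR wiper first (data loss), then any other detection, then dropped copies."""
    indicators = {hit[1] for hit in host_hits}
    if "TROJ_WIPMBR.A" in indicators:
        return "critical"
    if indicators & DETECTION_NAMES:
        return "high"
    return "medium"

# Constructed sample input: two AV detections, one unrelated detection, two copies dropped
# on an admin share, one copy on a non-admin share, one read (not write) of a suspicious name
SAMPLE_AV = [
    "2012-08-28T10:01:02Z host=WS-017 action=quarantined threat=WORM_DISTTRACK.A",
    "2012-08-28T10:03:40Z host=WS-022 action=detected threat=TROJ_WIPMBR.A",
    "2012-08-28T10:04:11Z host=WS-031 action=cleaned threat=OTHER_SAMPLE.A",
]
SAMPLE_SHARE = [
    r"2012-08-28T10:02:15Z host=WS-040 share=ADMIN$ op=write path=C:\Windows\clean.exe",
    r"2012-08-28T10:02:16Z host=WS-040 share=ADMIN$ op=write path=C:\Windows\dvdquery.exe",
    r"2012-08-28T10:05:00Z host=WS-051 share=Public op=write path=D:\Public\clean.exe",
    r"2012-08-28T10:06:00Z host=WS-017 share=C$ op=read path=C:\Windows\clean.exe",
]

def triage(av_lines=SAMPLE_AV, share_lines=SAMPLE_SHARE):
    """Return (priority, host, hits) rows ordered for response."""
    order = {"critical": 0, "high": 1, "medium": 2}
    hits = find_indicators(av_lines, share_lines)
    return sorted(((priority(h), host, h) for host, h in hits.items()),
                  key=lambda row: (order[row[0]], row[1]))

if __name__ == "__main__":
    for prio, host, host_hits in triage():
        print(prio, host, host_hits)
```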
