Security Guide for Windows Server 2016

If you guys are working with Windows Server 2016, you must also be interested in the Security Guide.

Microsoft released Windows Server 2016 Security Guide. Access it here:

If you’re into the following roles; the guide is essential for you;

  • Security professional. Individuals in this role focus on how to provide security across computing platforms within an organization. Security professionals require a reliable reference guide that addresses the security needs of all segments of their organizations and also offers proven methods to implement security countermeasures. They identify security features and settings, and then provide recommendations on how their customers can most effectively use them in high risk environments.
  • IT operations and deployment staff. Individuals in all of these roles troubleshoot security issues as well as application installation, configuration, usability, and manageability issues. They monitor these types of issues to define measurable security improvements with minimal impact on critical business applications. Individuals in IT operations focus on integrating security and controlling change in the deployment process, and deployment personnel focus on administering security updates quickly.
  • Systems architect and planner. Individuals in this role drive the architecture efforts for computer systems in their organizations.
  • Consultant. Individuals in this role are aware of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.

In addition to the resources listed in this guide, here are a number of additional resources to help you secure Windows Server environment:

Using Group Policy to prevent FTP.EXE from running

Wow, its been some time i wrote something since i took on my new role. Thought i should pick up my “pen”, erm, rather keyboard and start striking again.

The main focal point of today’s entry in my tech diary, is spurned by a question, can i block ftp.exe program from running in Windows 7. As we all know, Windows 7 loads up with ftp.exe as a process installed. Try opening your command prompt and type “ftp”.


At this time, you open up the task manager, you’ll notice “ftp.exe” amongst the many processes you have.


FTP on its own isn’t a very secure protocol. Its been around for a very long time. Secure FTP is the preferred way of doing FTP these days. A good Admin will secure all sensitive protocol with IPSec, but that is out of scope at the moment for this short write up.

To prevent “FTP.EXE” from being loaded, there are several ways. One of the most primitive way is to delete the file. Yup, an easy but not enforceable, because someone can simply copy and put it back.

To completely prevent FTP.EXE from running, one should be exploring using enforcement via Group Policies. It is the most effective way of governance across the enterprise.

Here are the steps (Done locally on a Windows 7 client, you should do this via GPMC on the right domain policy):

  1. Edit the appropriate GPO and navigate to “Computer Configuration-> Windows Settings –> Security Settings –> Software Restriction Policies.
  2. Create a new Software Restriction Policy if it isn’t already created.
  3. in the Software Restriction Policy, click on Additional Rules.
  4. Right click Additional Rules and click on New Hash Rule
  5. To identify the binary running ftp.exe, click on Browse and locate “C:\Windows\System32\ftp.exe”.
  6. Under security level, select disallowed and click OK.


At this stage, your computer has been updated with the new GPO. However, it will not take effect till the next reboot or till you run the command “gpupdate /force”.

After which, try running FTP. You should be greeted with this message


You can use this technique to prevent banned software from running. On the flip side, you couldn’t also block all software from running except for selected few. Have fun.


High Alert! Conficker Worm Causing Panic

We have received quite a number of reports of Conficker worm making its round in Malaysia. Please note that this is not isolated to Malaysia, but is wide spread through the world. If you have been updating your machines and keeping them up to date, good on you.

Almost all Anti-Virus Vendor are having a tough time dealing with it.

Below are some information that will help identify, fix and resolve.
Do note that detection and cleaning of the worm is already taken into account with the latest ForeFront signature.

Security Bulletin

Summary, Analysis, Prevention & Recovery

Good News for ISA Users- There are scripts available publically from, à   “block conficker.vbs” which will block the worm  at perimeter level itself.

Please proactively monitor your environment. This may potentially be damaging on a scale similar to Blaster. Staying up to date and taking steps to prevent is the best form of defense.


iMac hit by Malware

For Mac lovers who thought they’re very safe on a secure platform, think again.

I don’t wish to hit out at Mac that its unsecure, but i do want to bring out that Mac also needs protection. The OS itself needs protection. In fact, any operating system needs additional protection.

Windows covers almost 90% of the computers out that, making it a super hot target.
However, think again, because its a hot target, most attackers would have hit it relatively hard. In Microsoft, there are many initiatives and efforts to make sure Windows Operating Systems remain secure.

So think hard, a tested and tried OS that has constant mechanism to secure and update, versus one that has never been rigorously hit and tried. 🙂

Anyway, here’s the iMac article a fellow Windows group pal brought up.

Security Guides

Security Guidance


Microsoft Security Assessment Tool 4.0

The Microsoft Security Assessment Tool employs a holistic approach to measuring your security posture by covering topics across people, process, and technology. This revised version features an updated defense-in-depth assessment plus questions related to the evolving threat landscape. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance.


IT Compliance Management Guide

The IT Compliance Management Guide can help you shift your governance, risk, and compliance (GRC) efforts from people to technology. Use its configuration guidance to help efficiently address your organization’s GRC objectives.


Microsoft Encrypting File System Assistant

The Encrypting File System (EFS) Assistant is a software tool you can use to centrally control EFS settings on your mobile or desktop PCs. The EFS Assistant can help you encrypt the sensitive files on your users’ laptops, regardless of where those files are located. Part of the Data Encryption Toolkit for Mobile PCs, a community version of the tool, is also available from CodePlex at


Configuring Security in IIS 7.0

Windows Server 2008 featuring Internet Information Services 7.0 (IIS 7.0) is a powerful Web application and services platform that delivers rich Web-based experiences. Learn how to install and configure security settings for IIS 7.0, including built-in user and group accounts, URL authorization, SSL, and request filtering.


UrlScan v3.0

UrlScan version 3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) 6.0 will process. UrlScan screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed.


Checklist: Securing Web Services

Part of the patterns and practices guide for "Improving Web Application Security," this checklist is designed to help developers build and secure Web services by outlining design, development, and administrative considerations.


A Guide to Securing ISA Server 2006

Get best practices for securing your servers, using the Security Configuration Wizard, and assigning administrative roles.


IPSec makes IPS/NIDS redundant?

I was in a recent discussion with a customer to talk about Network Access Protection. Along the lines of discussions (after understanding what NAP has to offer and after an introduction to Server Domain Isolation model with IPSec), i was asked this question about Intrusion Prevention Systems (IPS) and Network Intrusion Detection Systems (NIDS).

Does IPSec make IPS/NDS redundant?

I will not go into what IPSec does, since it has been available for a rather long period. IPSec existed since Windows 2000 days. Many people think that its only use is for Point-to-Point as in, for a VPN encryption technique. Well, that is right, but IPSec isn’t just limited to that. It can do a lot more.

It can be used to authenticate machines in the domain, and encrypting anything, on any port, from any source, to any destination, that the administrator wants. Anyway, i shan’t teach you what IPSec does because there is a very good resource about it. Visit to learn about IPSec.

Back to the topic here; Does IPSec make IPS/NIDS redundant?

As i am not a subject matter expert, i took it back to the Product Team, looking for an authoritative answer. William Dixon, technical co-author of Server and Domain Isolation Guide, responded. He recommended to read up Chapter 1 to 3 of the linked guide.

Definitions of IDS

Here’s the definition of IDS –

In its definition, it says IDS is commonly divided into NIDS and HIDS. The earlier being Network and the latter being Host.

New generations of NIDS has the capabilities of doing NIPS. In contrast, one earlier detects, latter prevents. In either situations, they all need the ability to pick up TCP traffic.

What essentially does IDS need to do its job?

They all essentially monitors TCP traffic and then take necessary actions accordingly. So, what IDS needs is the ability to monitor TCP packets where its being placed. Here’s where the value of the question is being posted.

Since IPSec has the capability to scramble a TCP packet (in ESP), won’t that prevents IDS/NIDS/NIPS (I’ll called them IDS collectively from now, excluding HIDS), from being able to decipher the TCP packets?

Essentially yes. If traffic is scrambled, IDS will have trouble deciphering the TCP Packets to monitor, however, that does not make IDS redundant on the network. It depends on the situation, and it warrants a requirements study of the situation. You can email me for a discussion. 😉

IPSec can scramble TCP Packets

IPSec, ESP, has the ability to scramble the TCP packets holding data and make them unreadable to anyone, other than the intended party. Which essentially, IDS is the anyone. However, in Authentication mode, IDS still can play a part in doing what it is supposed to do, thereby, making it not redundant. But if encryption is deployed, IDS cannot monitor such traffic

The other equations

In finding the answer of whether IDS is redundant with the use of IPSec. The easy answer is No (May not apply in all situations, most diplomatic is "Depends" LOL). Well, where IPSec is used in ESP mode, IDS won’t be able to do its job.

In most situations, IPSec encryption is not used on all network traffic. You won’t be "IPSec-ing" everything. You will only use IPSec where needed. You can choose the type of traffic to apply IPSec. It can be defined between hosts (eg, between certain server and client) and type of traffic (eg. HTTP, but not ICMP). A combination is also possible.

So in fact, if you have machines not joined to the domain, and machines or traffic where IPSec isn’t used, IDS still plays an important part of ensuring the network is safe.

After applying IPSec to protect your critical assets and data on the network, does the protection of IDS still offer a good compelling value? If yes, you will still want to use IDS. However, if after applying IPSec and you think IDS is not playing an important role in your quest for network security anymore, then i guess no, since you will probably be protecting your critical assets with IPSec encryption.

Give it some thoughts because there are certain cases where IDS does play a crucial role and they can complement IPSec. Remember, the crucial objective is to make sure network is secure and hosts on it are protected, and not what was used.

Personally, the choice of the platform/technology to use, is certainly the one (in personal opinion), the one that offers the easiest form of management/deployment and provides the best form of protection for your objectives.

There are some more information which i think i will either post later on, or wait for someone to ping me for more information. (Psst, the fact is, i am sleepy and i got to work tomorrow.. Yawn..) Till then again… see ya around.

Oh, do check out this web site about Server and Domain Isolation model using IPSec. Essentially, you can make domain assets ignore non-domain machines totally.

Happy New Year


… is Windows more secure?

Having been managing Windows infrastructure for many years, the darkest years of Windows are probably over. Recalling Blaster virus in 2002/2003 (can’t exactly remember which year), bringing Windows systems down in 60 seconds was horrific for the Windows administrator. That has since been history.

Over the years, Microsoft had taken numerous steps, and one of those that i recalled was a stop to all developments in the pipeline. All developers in Microsoft had to go through training on writing secure code.

Security has since been a word everyone in Microsoft remembers and had to live with everyday. I guess that is bearing fruit for now. In all product designs, Microsoft has placed Security in top priority.

I came across a recent report, from ZDNet, as saying "Apple Mac operating systems had more critical vulnerabilities reported in 2007 than Microsoft’s operating systems, according to research."

A figure in the report was interesting. Mac OS X has 234 highly critical vulnerabilities reported in 2007, as compared to just 23 for Vista and XP combined. You can read the report here.,1000000189,39291625,00.htm

So is Windows more secure than before? I would say yes for sure. However, being in IT, we need to be constantly be reminded that there are no such thing as 100% secure. Security in IT is not just about technology. IMHO, it combines technology, processes, policies and constant updates for the IT Pros.


Microsoft Security Intelligence Report (Jan – Jun 07)

Microsoft has released a report.

It is based on the data derived from several hundred million Windows Users and some of the buiest online services on the Internet.

It provides in-depth perspective on trends in software vulnerability.

If you’re into Security focused role in your organization, this is one of the best source of information that you should read. It is also available in other languages.

Grab the report here.


StatCounter - Free Web Tracker and Counter