Someone on the IE security team forwarded me a document that had additional details. So here, for your enjoyment, is a chart listing the default settings for each security level. To answer the newsgroup poster, "medium" and "medium-high" aren't the same.

About the formatting: to get it to fit within the width of the blog's text section, I've made some abbreviations.

In a few cases, the table shows a number rather than D or E or P; below the table is a description of each such entry.

At the very bottom of this post I've included the settings from the privacy tab, too.

Note: these settings reflect those for Internet Explorer 7 on Vista SP1. Please see the MDSN link above for differences between IE 6 and IE 7.

.NET Framework

.NET Framework-reliant components

     1 = High safety

ActiveX controls and plug-ins

Downloads

Enable .NET Framework setup

Miscellaneous

     1 = Prohibit downloads from software update channels
     2 = Cache content downloaded from software update channels
     3 = Automatically install software updates

Scripting

User authentication

     1 = Prompt the user for name and password
     2 = Automatic logon only in intranet zone
     3 = Automatic logon with current user name and password

Privacy settings (on the "Privacy" tab)

However, I should briefly clarify Paul’s note that “blackboard systems historically used a single memory model (i.e. multiple threads or processes using a single machine’s memory model)“.

In fact, there were many blackboard systems, some more than a decade old, that used a distributed memory data-model. What I think Paul meant to say, and my apologies to Paul for being so literal, is that “blackboard systems originally used a single memory model (i.e. multiple threads or processes using a single machine’s memory model)”

John McManus, former CTO of NASA, wrote an excellent PhD dissertation in 1992, Design and Analysis Techniques for Concurrent Blackboard Systems. John’s thesis, now more than 16 years old, examined many details of concurrent blackboards where memory is distributed. For example, refer to Figure 2.3. Distributed Blackboard System with Distributed Blackboard Data Structure, page 36 of John’s dissertation.

Quoting directly from page 37 of John’s disseration;

Rice, Aiello and Nii [20] present several options for gaining speedups in a distributed blackboard system.

• 1) Eliminate the centralized scheduling mechanism
• 2) Optimize system design for a distributed memory, message-passing hardware
• 3) Distribute the data across the blackboard to reduce hotspots

Quoting further from the same page;

Poligon [21] is based on a distributed memory hardware model when each processor is viewed as a blackboard node. They define a blackboard node as follows: “a blackboard node is a process on a processor, surrounded by a collection of processors able to service its requests to execute rules.” [22] The implicit assumption in this definition is that all knowledge sources are rule–based systems. This assumption may severely limit the performance of systems implemented using Poligon, and limits the types of problems it is suited to address.

In Blackboards for Complex Event Processing, Paul concludes,

“One suspects the blackboard systems domain and terminology is overdue some updates thanks to developments in the Complex Event Processing space.”

If you look at the historical literature, I would say that the following restatement is more accurate:

“The CEP domain and terminology is overdue some updates because folks working in CEP did not reference or incorporate the advanced event processing prior art in a number of very important areas, blackboard systems being only one.”

On the other hand, commercial off-the-shelf rule-processing technology such as TIBCO’s BusinessEvents (BE), advances the ability to economically implement myriad complex problems that blackboard systems are designed to address.

This customer had a massive application written in ASP classic. Since it was in ASP classic it had massive numbers of SQLi vulnerabilities. Everything from Blind SQLi to the always fun SQL statements in the URL. The customer said this application was roughly 250,000 lines of code with SQL hardcoded throughout. The reason the customer had called WhiteHat is because they where working on a big deal with a potential client and this client was asking for a security report on the application. They where also in the early phases of rewriting the application in .NET (yeah) with an estimated completion date 1.5 years out.

After seeing our report (100+ SQLi and 300+ XSS) and after a protracted developer battle(yes XSS is not good) they where left with two not good options.

1. Lose the customer.
2. Stop the rewrite and spend a few months digging through old code to fix these issues

Now from a business point of view neither of those makes sense. At the time we where in the WAF hater camp but we saw that in this case it made total sense. The customer deployed a WAF, configured it using our vulnerability data, and was able to mitigate the risk in about 3 weeks.

Bottom line and what people continually fail it understand is that every current solution on the market today has its short comings. In security everything does. Is there one magic network solution that will prevent all network attacks? No. You have spent a ton of money protecting your network infrastructure. Let’s take a quick look at the list of things you probably have spent money on today:

1. Firewalls
2. IDS/IPS
3. Network Vulnerability Scanning
4. AntiVirus
5. Configuration and Patch Management
6. Database Scanning
7. Database Encryption

Guess what, none of that protects you from the rush of SQLi, XSS, and other web based attacks. All that money and you still have big gaping holes.

To properly attack the Web Application Security problem you should be doing all of these things:

1. Secure coding practices
2. Source code review
3. Black box testing
4. Web Application Firewalls
5. Developer Training
6. Configuration and change management

The reality today is that people underestimate the size of the problem and therefore do not have the budget to do all these things. You can stretch those budget dollars pretty far with an open source scanner and mod_security (software cost $0). WhiteHat is not that cheap but we are very cost effective, combined with mod_security you can go a long way. Need a more robust solution, WhiteHat + F5 can scale to 1000 of web sites in a very cost effective manner. WhiteHat and our WAF partners can knock items 3-5 off your list while you go work on getting your coding practices in place. Even after you get those practices in place you are still going to find vulnerabilities and having that “instant” mitigation ability is very comforting.

Robert over at cgisec sees the light as well. He has managed and is currently managing web site security for some of the largest most frequently attacked web sites on the planet.

Post from: Grumpy Security Guy

The Business Case for WAFs + Testing

1. On May 16, 2008, notified the Merchant Bank, Bryn Mawr Trust of the potential security breach
2. On May 16, 2008, learned that Bryn Mawr Trust outsources the actual credit card functions of the Merchant Bank to TransFirst.
3. On May 16, 2008, contacted TransFirst and notified it of the potential security breach and was informed that it would notify the three credit card companies, Visa, MasterCard and American Express.
4. On May 16, 2008, Altman Weil independently notified Visa, MasterCard, and American Express of the potential security breach.
5. On Saturday, May 24, 2008, notified all card holders whose cards were current (i.e. the expiration dates had not kicked in yet) by telephone calls placed.
6. Notified all card holders by letter of the situation and the possible risk
7. Notified the following law enforcement agencies:

1. Local police department located in Newton Square, Pennsylvania, where Altman Weil is located on May 23, 2008.
2. Secret Service's ECTF and Electronic Crimes Working Group on May 24, 2008.
3. Every state Attorney General in the states where potentially affected cardholders reside on May 27, 2008.
4. Federal Trade Commission on May 27, 2008.
5. Office of Thrift Supervision on May 27, 2008.
6. Office of the Comptroller of the Currency on May 27, 2008.
7. Federal Deposit Insurance Corporation on May 27, 2008.
8. Board of Governors of the Federal Reserve System on May 27, 2008

8. Assured that the hosting company has preserved logs and electronic evidence, has logged all actions taken, and has not altered or compromised the systems.
9. Retained forensic auditors at are [sic] own expense to undertake a thorough technical investigation of the cause and extent of the breach.
10. Committed to be back in touch with those customers who might be at risk with further information, once we have it.
    

• State of Nature. State of Nature just means what the current state is.  There are two ISSA Journals on my desk right now - State of Nature statement.

• State of Knowledge:  Analysis derived from examination of State of Nature.  “One of these ISSA Journals has an article co-authored Donn Parker on ROI.  I’ve read it, and it makes some statements he regards as truth.  Looking at those, well, I know that risk is quantifiable, best practices have significant issues, and there are many, many other statements of authority in the article that I can refute on evidence.” - Analysis or State of Knowledge.

• State of Wisdom:  Synthesis from the analysis.  The “So” moment.  “So since there are many statements of authority made in the article that I can refute on evidence, I should be open but skeptical about whether the conclusions of this article are likely to have much value to me in my quest to understand the value of risk reducing investments.”  What I’ve synthesized from the quality of the article - State of Wisdom.

(Just a clue for our readers, anytime you read someone talk about risk and mention the term “actuarial” - be skeptical about the conclusions they have you draw from the statement using that word. 9 times out of 10 what I’ve read after someone says actuarial is made as authoritative but shows a level of ignorance on the subject.  If you really want to mess with them - say “Really! Well, tell me how you feel about the use of non-parametric Bayesian Methods” and wait… )

MMMMM-MMMMMMM CHECKLISTS!

So what about Checklists?  They’re worth discussing because we’re swamped by them!  Heck, we’ve got people in love with the idea of checklists of checklists and claiming GRC nirvana is not in the checklist itself, but in the mapping of checklists.

Here ya go:  Checklists have one of two uses -

First they can give us a path to accomplish something.  I make a checklist every morning I call a “Todo List”.   Useful Checklists could be as Curphey mentions - steps for operating machinery or performing a certain task (heck, scientific method could be said to be a checklist of steps in analysis).  Checklists are useful in this way because, well, we’re fallible, absent minded, and novices.  They serve to reduce some level of variability in a process.

Second, they can help us develop a State of Nature.  PCI or the ISO are very nice checklists that, once you’re done, certifies that you have the existence of a certain amount of control.  Again, this serves to reduce some level of variability, comparing you to a “best practice”.

And so…..

They are both useful in each use - as long as the limitations therein are understood!   And that’s where we get into trouble.  Too many times we believe that checklists are a State of Knowledge.  Checklists allow for some limited analysis, just like the use of ordinal numbers to describe “risk” - they only serve to identify some level of variability, nothing more.

But outside of that they usually offer us no analytical function at all, they cannot provide a State of Knowledge and therefore, more succinctly, Checklists are dumb.

As slightly paranoid, skeptical and jaded risk management professionals, we know this to be true.  A PCI compliant company may or may not be at all “secure” or “risk-free” or even “risk-reduced”.  That’s an aspect of analysis that the checklist is some prior information for, but not nearly all the information we need for an analysis of risk or even a statement about the ability to control or resist.  We know an ISO certified organization did what they claim they do enough to at least fool an auditor once, but cannot arrive at any other State of Knowledge without more effort.

Make no mistake, the checklists we commonly deal with provide a very, very limited State of Knowledge.  Only analysis (with rigor and testing) will provide that.  And note that a State of Wisdom (what we’re really after, after all) is predicated on a strong State of Knowledge.

WHAT ARE YOU MANAGING TOWARDS, REDUX
So if checklists only provide a State of Nature, and are incapable of really giving us Knowledge or Wisdom - then let me encourage you to think about the amount of time you spend just getting a certain State of Nature and the relative return on that investment vs. the amount of time you spend in analysis and synthesis.  Is your time best spent mapping checklist to checklist - or is it better spent developing the analytics that allow us to synthesize wisdom?

AMAZE AND CONFUSE YOUR FRIENDS AUDITORS
Let me finish by encouraging you to have a frank discussion with those who perform your audit function.  You must really pin them down if they are out to give you any analysis at all - and when/if they do provide analysis - press them on what rigor they use to create a State of Nature, and then the means by which they create a State of Knowledge (that belief statement based on the State of Nature they see).

My choice of words seems to raise a few eyebrows with my audience. You, like several others, may ask- “That seems like an ‘untechnical’ term, shouldn’t you say it ‘disables’ the port?” 

Well, no, we shouldn’t say that. When we talk about ‘enable’ and ‘disable’ for ports, that’s actually a port property designation within the switch. When we disable a port in the switch, we’re turning it off and preventing it from passing any traffic.

When we have an 802.1X-enabled port that’s unauthenticated, it still has to pass SOME traffic types, such as EAP (and possibly discovery protocols, such as Cisco’s CDP). Otherwise, we’d never be able to authenticate, right?

So, I, like many others in the NAC world, usually refer to an unauthenticated 1X port as being ‘shut off’ or ‘closed’ just as a means to distinguish it from ‘disabled’ which does have its own meaning.

# # #

Last week at RSA, Microsoft Chief Research and Strategy Officer Craig Mundie spoke and outlined a proposed vision for “End to End Trust.” Much has and will be written on that, and additional information and discussions can be found at the End to End Trust portal http://www.microsoft.com/endtoendtrust. In many ways, Craig’s talk was very unusual for Microsoft’s presence at RSA in that it wasn’t a big new product announcement, nor was it evangelizing a new technology or platform to innovate upon. Rather, it was a aimed at kicking off a dialogue by describing some of the current challenges and barriers we see to achieving a more trusted and privacy enhanced Internet, and some of our ideas on how both industry and society might be able to start a productive dialog about collaborating toward that end.    Make no mistake: this is tough stuff. This needs to be an industry-wide, long-term effort, and it’s about more than just technology. Enabling true End to End Trust will require that we continue to build on technology progress while aligning those innovations more closely with social, economic and political forces.

Along those lines, I wanted to take a few moments and comment on how SDL factors into that broader discussion on trust. Allow me to draw some analogies with some of my prior work…

In the late 1990’s, I was not yet working on computer security but on computer speech recognition and speech synthesis for Microsoft. Having an engineering background, I was (and still am) very interested in the opportunities and possibilities enabled by freeing people from computer keyboards and mice and allowing them to interact with computers in one of the same ways we interact with each other – by voice. Speech recognition was, and still is, largely assessed by a key metric of “what percentage of words spoken by a person did the computer correctly understand?” Nirvana for speech recognition is 100 percent accuracy (defined as “the computer correctly understood all of the words spoken”) with any audio stream (even with a microphone far away from a person in a noisy room) with an unlimited vocabulary (regardless if I am discussing sports using slang or detailed technical terminology) in any spoken language/dialect. State of the art of speech recognition technology today is not 100 percent accurate within the parameters I described, but let’s pretend for a minute that it is – then what? If you start thinking more deeply on this subject, you can quickly see that many other pieces of the puzzle are needed to realize the goal of “allowing people to interact with computers in one of the same ways we interact with each other – by voice. Natural Language Processing and designing an effective Voice User Interface (VUI) are two of the first major challenges encountered when trying to realize the broader vision of enabling people to interact with computers via voice. These are hard problems that I hope to see significant progress on in my lifetime. However, analyzing an audio stream and converting into some format (words or otherwise) is a fundamental requirement necessary for speech recognition. Yet, it’s also insufficient to realize the broader vision.

Some of you reading may be thinking “But wait Eric, this is a security blog so why are you rambling on about your former roles working on speech recognition?” Well, there is an analogy I’m trying to draw. The point I’ve been leading up to is that the SDL plays a similar role in the context of realizing the broader “End to End Trust” vision. Having software that operates securely without exposing systems or data to unnecessary risk is a fundamental requirement in order for people to trust their computers and software. Yet, that alone is insufficient to enable confidence and trust. As Scott Charney noted in the “End to End Trust Paper:”

“There remained, however, other more specific threats not well addressed by SD3 or Defense-in-Depth. For example, spam does not normally exploit vulnerabilities, nor would one turn off mail by default. There is also very little a specific user or enterprise can do to prevent a distributed denial-of service attack from a botnet. As a result, Microsoft started working on threat mitigations for specific issues. With regard to phishing and spam, for example, it engaged in broad consumer education campaigns and worked on developing technological solutions such as phishing filters and SenderID. For both phishing and botnets, Microsoft began working more extensively with law enforcement to identify phishers and botnet herders in an attempt to create deterrent to such activity, even though the deterrent effect is limited by the current environment because it is hard to find offenders, and criminal penalties may be applied without sufficient force.”

In the non-computing world, even if I keep my house, car, and other valuables under lock and key, I still am at risk of being victimized by criminal activity through no fault of my own. However, a broader set of societal constructs help offer improved assurances that if I don’t live careless or recklessly I will largely remain safe and secure. Note I said “improved.” Society is still not perfect; crime still exists and it always will! The online world is no different. The online world has not yet been around quite as long as human society, it too needs help in developing improved assurances – assurances that ensure I will largely remain safe and secure given I don’t live carelessly or recklessly. These assurances can’t be provided by any single vendor. They require collaboration from all of industry, and indeed society. Craig Mundie’s talk aimed to start a dialogue about how to evolve our online society to be a safer place, where devices and software enable people to make more effective trust decisions and take control over whom and what they trust online.

The creation of a more trustworthy Internet will benefit all of society, and an open dialogue among its members is critical component of achieving this. Feel free to go to http://forums.community.microsoft.com/en-US/EndToEndTrust/threads/ and chime in with your thoughts. As Scott Charney noted “"… if we want the internet to reach its full potential, we need a safer, more trusted online environment."

The fact that they’re such common ‘buzz words’ in today’s IT world makes people hesitant to ask questions. You know we IT-folk don’t like admitting we don’t know everything about anything! However, these are rather simple concepts with extremely complicated components and 98% of the technology world doesn’t really know as much as they’d like to about NAC and 802.1X. You’re not alone.

And so, here’s a short technology primer for you, to give you a little insight into the IEEE 802.1X standard and where it falls into the NAC picture. I said I was going to keep this short, so hang with me here.

What is it?   802.1X is an IEEE standard for Port Access Control, also referred to as Port-Based Network Access Control, but that term gets a bit confusing, so I prefer the former. It actually started about 10 years ago, and has been edited and revised since then to add support for new technologies, including adding some specific attributes for wireless implementations.

What does it do?   With 802.1X you can have switch ports, by default, be closed, or shut off. These ports will then only be opened once a user attempts to connect to the network and has been successfully identified as someone who is allowed access. At this point, we would say that this legitimate user is ‘authenticated’. Until this happens, no standard network traffic passes through the 802.1X port- so whatever is trying to connect will not even get an IP address. No IP address = no network access.

Why would I use it?   In a wired environment, you can use 802.1X to extend some physical or layer 1-type security to the edge. In a fully 802.1X-enabled environment, imagine every edge port is off, and completely inaccessible, until an authorized user attempts to connect through it. It’s a great way to secure edge ports, as well as infrastructure connections. You can use 802.1X to authenticate your network devices to one another, or to the network, and pretty confidently eliminate any chances of gaining rogue devices.

Note that, in reality, 802.1X is not something you wake up one day and willie-nillie enable on every port. You’ll want to start with edge ports in public areas, such as conference rooms, then roll out the rest in phases.

In the wireless world, 802.1X is the chosen authentication method to provide enhanced key exchange and rotation for a more secure wireless experience. In fact, it’s been so widely adopted for this use, that it’s commonly mistaken for a wireless standard (802.11 instead of 802.1).

How does it work?   Without dragging up a bunch of terminology you’re probably not familiar with, let’s talk about a couple of basic concepts. 802.1X leverages (or can leverage) your existing infrastructure. If your switches are 802.1X-capable, then they’re ready to go. How do they know that user trying to connect is legitimate? Your 802.1X switches are talking to your RADIUS server, and your RADIUS server is talking to your Directory (AD, eDirectory, or other LDAP). All stuff you probably already have.

You do need something called a supplicant on the endpoint. A supplicant is just an 802.1X client- it’s built into the majority of newer operating systems, and you also have the option of 3rd party supplicants that can be delivered/installed just like any other client.

Doesn’t sound too glamorous does it?

You’re probably wondering “where’s all the magic?” Well, 802.1X’s special power lies in the Extensible Authentication Protocol or EAP. Earlier, I said until a port is opened, ‘no standard network traffic’ is allowed through. Well, obviously something is allowed through, or else there would never be a means to communicate- that something that’s allowed is EAP. EAP carries information between your endpoint, through the switch and to the RADIUS server.

What about VLANs?   You’ve probably heard we can provision dynamic VLANs using 802.1X and that’s certainly true. That VLAN assignment actually comes from your configurations in the RADIUS server. The RADIUS server sends back information that includes ‘other’ attributes, such as the VLAN and QoS assignments. With the new RFC standards and RADIUS attributes, we can do all sorts of neat-o things.

What you end up with is a pretty secure, and fairly flexible solution- possibly without having to purchase any additional equipment or software.

And what about NAC?  If you’re wondering how 802.1X and NAC fit together, it’s pretty simple. Most of today’s network-based NAC solutions can work in conjunction with 802.1X to provide a robust solution with Layer 2 and up protection. Other NAC vendors that don’t leverage 802.1X are using a variety of Access Control Lists, either on switches, routers, a NAC appliance, or at the host. If you’re using 802.1X with NAC, we’ll generally say it’s Layer 2 NAC (since 802.1X is a L2 standard) and if it’s IP/ACL-based, it’s Layer 3 NAC. Some solutions will let you use a mixture. [Note: Layer 2 is generally accepted as being the more secure solution, but some vendors will try to pour their layer 3 Kook-Aid down your throat.]

That’s all. I’ve certainly grossly over-simplified the implementation of 802.1X. You do have to properly configure the RADIUS server and setup the switches to communicate with it. The list of EAP methods available is an arm’s-lenght long and supplicants aren’t ever as clear-cut as we’d like them to be. However, omitting the technicalities of integration, I hope you now have a better idea of what 802.1X is, how it works, and why you’d use it.

If you’re a glutton for punishment, I do have a fairly lengthy presentation I put together with a technical dive into 802.1X. If you’re interested in seeing that, email with (form on left) or post a comment (below) and I’ll send it your way.

# # #