Monday, 30 June 2014

Microsoft Security Baselines for Windows 8.1 and IE11

As a nod to the idea that it's not just compatibility that you have to worry about, Microsoft has released the latest iteration of its security baselines for Windows 8.1, Internet Explorer 11 and Server 2012.

This collection of documentation and Group Policy Objects (GPOs) details a secure baseline for your server and desktop environments.

Here is a quick highlight of the topics included in this documentation pack:

  • Use of new and existing settings to help block some Pass the Hash attack vectors
  • Blocking the use of web browsers on domain controllers
  • Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines
  • Removal of the recommendation to enable "FIPS mode" 
  • Removal of almost all service startup settings, and all server role baselines that contain only service startup settings.

This documentation pack includes the following folders:

  • Administrative Templates
  • Documentation
  • GP Reports
  • GPO
  • WMI Filters

The two key sections in the Recommended Security Baseline Settings document (.DOC file) are the new settings in Server 2012 R2 and the removed (deprecated) settings for Windows and Internet Explorer.



Note that this is a BETA version and is subject to change.

Thanks to Aaron Margosis's very nice MSDN blog for the update. 

Monday, 9 June 2014

Flash Compatibility in Internet Explorer 10


Like many of you, I have downloaded Windows 8 and, like a few of you, I have installed it on a number of machines, virtual environments and different hardware platforms. My DELL All-in-One is currently my favorite as it supports a touch interface. That said, the touch-enabled drivers are not quite there yet (gestures are not currently working) but otherwise the initial experience has been positive.

And now, for the real world: my middle child (of three) was trying to visit a Flash-based "Barbie dress-up" site (no, not one of my favorites, for those at the back) and things got a little more complicated. The site loaded in the desktop view (currently our default) but would not on the Metro side of things.

Doing a little reading, I found out about the IE 10 Compatibility View list on MSDN, which reads:
"While any site can play Flash content in Internet Explorer 10 for the desktop, only sites that are on the Compatibility View (CV) list for Flash can play Flash content within Internet Explorer 10 in the Windows Metro style UI."
And further on:
"Internet Explorer 10 uses the CV list to enable specific sites to run with the Flash Player functionality supported in Internet Explorer 10. Microsoft manages and distributes the CV list and determines which sites go on the list. Decisions regarding how sites that require Flash Player are treated on the CV list are evaluated based on the quality of experience of the site in Internet Explorer 10, taking into consideration factors like performance, responsiveness, touch interaction, security, privacy, and battery life."

So, if you have a Flash site, you need to submit it to Microsoft to get it on the CV list and see it in its wonderful glory in IE10 Metro mode. You can submit your domain and site to Microsoft at the following address: iepo@microsoft.com

If you want to just get things working (my preferred approach), you can also edit the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Flash\DebugDomain

If you are wondering what WILL NOT work under Flash for IE10, Microsoft has provided a rather long list, including:
  • Camera
  • Microphone
  • Printing
  • Feature bookmark (for example, Flash Anchors)
  • Relying on double-click (double-click is consumed by the player, for zoom to fit, and not propagated to the Flash content as a double-click event)
  • Use of rollover and rollout events
  • Relying on P2P (Windows Metro style design guidelines disallow the creation of a socket server)
  • Relying on the following Flash touch APIs: Pan, Zoom, Rotate, Swipe, and PressAndTap

I am not a fan of Flash, but it makes sense for Microsoft to support Flash (with a heavy future focus on HTML5 and JavaScript) and it appears that they have come to a reasonable compromise with Flash support on desktop mode and not for Metro.

Read more here:

Developer Guidance for Web Sites with Flash Content in Windows 8

Developer guidance for websites with content for Adobe Flash Player in Windows 8