A Worst Case Scenario

This week it was revealed that a severe vulnerability in a majority of processors has existed for nearly ten years, affecting millions of computers around the world, including all the major cloud providers who rely on Intel chips in their data centers. Essentially, this flaw grants complete access to protected memory, including secrets like passwords, from any program on the exploited computer. Even from the web. This flaw is so serious that allegations have already been made that Intel’s CEO sold millions of dollars of stock in the company after the flaw was found, but before it was revealed to the public, the idea being that a vulnerability of this magnitude would be enough to substantially hurt Intel on the market, even though it affects some ARM and AMD processors as well.
Microsoft’s enterprise software powers the majority of large environments. Though often hybridized with open source solutions and third-party offerings, the core components of Windows Server, Exchange, and SQL Server form the foundation of many organizations’ data centers. Despite their prevalence in the enterprise, Microsoft systems have also carried a perhaps unfair reputation for insecurity, compared to Linux and other enterprise options. But the insecurities exploited in Microsoft software are overwhelmingly caused by misconfigurations and process errors, not flaws in the technology: patches are not applied on a quick and regular cadence; settings are not hardened according to best practices; dangerous defaults are left in place in production; unused modules and services are not disabled and removed. Microsoft has come a long way to bring its out-of-the-box security up to snuff with its famous usability, not to mention introducing command-line and programmatic methods by which to manage its systems. But even now, the careful control necessary to run a secure and reliable data center on any platform can be difficult to maintain all of the time at scale.
Managing complexity in heterogeneous infrastructures is a challenge faced by all enterprise IT departments, even if their environments are limited to *NIX or Windows. In the case of the latter, UpGuard's new RSoP/GPO scanning capability streamlines remediation and compliance efforts by enabling Windows operators to easily scan and monitor the disparate security configurations of their Active Directory (AD) instances and Windows endpoints.
Whether you’re deploying hundreds of Windows servers into the cloud through code, or hand-building physical servers for a small business, having a proper method to ensure a secure, reliable environment is crucial to success. Everyone knows that an out-of-the-box Windows server may not have all the necessary security measures in place to go right into production, although Microsoft has been improving the default configuration in every server version. UpGuard presents this ten-step checklist to ensure that your Windows servers have been sufficiently hardened against most attacks.
The Mac is undeniably the platform of choice for designers and artists, and for good reason. Apple's designers—and Steve Jobs in particular, according to legend—took special care to make even the first Macs superior to PCs in ways that would matter to those in visual fields. Font selections and type rendering on computers, as one example, were decidedly crude prior to the Macintosh. It's a minor detail for the number cruncher or spreadsheet user, but can mean everything to those in the arts. For that reason and others like it, Apple has enjoyed the unflinching endearment of a certain subset of users.
Going from nothing to automation using one of the many tools available can be a daunting task. How can you automate systems when you’re not even 100% sure how they’ve been configured? The documentation is months out of date and the last guy to configure anything on that box has since left the company to ply his trade somewhere that will more fully appreciate his Ops cowboy routine.
Update: This is a preserved post detailing new (at the time) UpGuard product features, enhancements, or tutorials. The screenshots below may be out of date and/or make reference to GuardRail or ScriptRock—old names for the same great product. There are also many newer features that will drive you wild.

Node Groups

A Node Group is a way of logically grouping Nodes with common functionality. Instead of managing the same set of Policies on each Node, you can now manage one set of Policies on the Node Group that will automatically get applied to any Nodes in the Group. Their use is best highlighted with examples. All of your Linux servers might need to comply with an underlying security policy; group them together using a Node Group called "Linux" and apply your security policy there. Your front-end web servers are identical behind a load balancer; add them to a Node Group called "Front-end Web Server." How you organize them is up to you; they can be as general or specific as you like.