Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Steve

Security Technology Investments & Roadmap

Reminder: I'm a recording secretary, I mainly report what I hear, and saying that we were told X doesn't mean that I agree with X, approve of X, or necessarily even understand X. I don't record everything, either - I am trying to pay attention, so if I get behind I have to skip stuff.

Also, these sessions are limited ones: just the Security MVPs, so there's maybe 40 of us in the room.

It's really clear that Microsoft is making big noises about Security, and we've seen many of these improvements in the last few years. XP/SP2, Malicious Software Removal Tool, MS Antispyware, and lots of prescriptive guidance.

Their vision is much more than just keeping spyware from the machine, and our speaker talked about three fundamentals of the Trustworthy Computing Initiative.

MS has implemented a Security Development Lifecycle, which considers security from the very beginning. There are teams that do nothing but consult with the product groups: design, coding, threat analysis, testing. They have something like 100k man hours of security training.

They also have a group of internal pen testers: they get to bang on the product and make sure that it works securely not only in its own right, but as it integrates with other things. I met one of these pen testers (Peter) on a previous trip - he's very good at this.

MS understands that an enterprise simply can't take a month of testing before installing a patch: the badware often comes out 15 minutes after an advisory.

The three fundamentals:

System Integrity

This includes "Isolation", "Least Privilege", and "Least Connectivity", things that we've all talked about here. I have made it a point to ask every single presenter about running as an Administrator on their personal desktop: so far I've only heard that Jim Allchin does this. oops

Vista includes much better support for running as a limited user.

Identity & Access Control

One thing he talked about were mechanisms for dealing with how to avoid getting your stolen laptop compromised. This involves a (I think) TPM chip that knows which OS you booted and won't let you boot an alternate recovery OS (Knoppix, for instance) to extract the password.

This is apparently NOT the same as the DRM stuff that says that Disney gets to control how you watch your content.

Threat & Vulnerability Mitigation

This is much more about the "obvious" things like Antispyware - and enterprise details are "coming soon" - but no real details.

Internet Explorer 7

This was re-architected for security (which sounds like a HUGE job), and it really has a lot of things that make sense.

Example: Phishing filter. If you visit a site that's in their database, looks suspicious (numeric IP, for instance), it will treat the site differently with a warning, and a way to provide feedback ("Hey, this is a phishing site").

There are all kinds of privacy and performance concerns at play here - you're essentially sending a ping to Microsoft to ask if the site is valid or not - but it's of course voluntary. They say that the information is anonymous and is not tracked back to me, but I expect the privacy nutbars to come out of the closet on this one.

IE7 on Vista will provide an ActiveX Opt-in on what I think is a per-site basis, and will have a low-rights option that puts everything in what I'd call a sandbox. It looks really promising. We're getting an IE session tomorrow and will get more details then.

Microsoft AntiSpyware

Apparently this is the most popular download ever, and everybody at MS seemed really jazzed about it. Everybody asked about the enterprise version (manageable via Group Policy, probably), but nobody can talk about it. It's really been maddening to see no movement on this as far as we can see. Beta forever!

The SpyNet community system gets 20,000 votes per hour, which has to be a fantastic way to leverage the community and respond to new threats quickly.

We have an AntiSpyware session tomorrow.

Antigen/Sybari

This is the antivirus solution, and it looks like it integrates with pretty much everything: filesystem, Exchange, IM, Sharepoint, etc. They have support for multiple scan engines which ship with the product, and can set your preferences: Max Certainty (use them all) through Max Performance (use one). Scanning is done in parallel so it's not running through the engines one at a time. It has enterprise support too.

This is technology they apparently acquired from Sybari, and it looks really well done. We get a full session on this later in the week, and I'm really impressed with it.

ISA Server

I know the least about this of anything, because I use SonicWall, so much of it is lost on me. But he talked about my favorite security technology: Network Access Protection.

A client - the laptop of the idiot VP - connects to the network after being in hotels for two weeks, and we want to keep his infested laptop from burning the whole network. When he connects, the DHCP server gives him access to a highly restrictive network (a protected VLAN) and he connects to a server for a health check. Latest patches? Antivirus up to date? Scan run lately? Whatever you want.

Only when the device is deemed "healthy" does it get access to the real network - otherwise it's quarantined with access only to resources to get healthy. This has been in use with wireless and VPN for some time, but Longhorn will support it for everything. This requires the ability to talk with the network switches for VLAN management and the like.

I love NAP, and you can find more about this at www.microsoft.com/nap/
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
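The quarantine flow Steve describes (client submits its health state, the policy server either grants the real network or parks it on a remediation VLAN) as an added simulation; this is not Microsoft's NAP code, and the statement-of-health fields, staleness thresholds and VLAN numbers are constructed assumptions.

```python
"""Simulated NAP-style health check (added example, not Microsoft's code).
A client submits a constructed statement of health; the policy server decides
full access vs. quarantine and reports what must be fixed to get healthy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy thresholds: how stale each item may be (assumed values).
MAX_PATCH_AGE = timedelta(days=30)
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_SCAN_AGE = timedelta(days=7)

# VLAN assignments handed back to the switch/DHCP server (assumed values).
FULL_ACCESS_VLAN = 10
QUARANTINE_VLAN = 999

@dataclass
class HealthStatement:
    hostname: str
    firewall_on: bool
    av_enabled: bool
    last_patch: datetime
    last_signature_update: datetime
    last_scan: datetime

@dataclass
class Decision:
    vlan: int
    failures: list = field(default_factory=list)

def evaluate(soh: HealthStatement, now: datetime) -> Decision:
    """Every check must pass for full access; any failure means quarantine."""
    failures = []
    if not soh.firewall_on:
        failures.append("host firewall disabled")
    if not soh.av_enabled:
        failures.append("antivirus not running")
    if now - soh.last_patch > MAX_PATCH_AGE:
        failures.append("patches older than %d days" % MAX_PATCH_AGE.days)
    if now - soh.last_signature_update > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures stale")
    if now - soh.last_scan > MAX_SCAN_AGE:
        failures.append("no full scan in %d days" % MAX_SCAN_AGE.days)
    return Decision(QUARANTINE_VLAN if failures else FULL_ACCESS_VLAN, failures)

def demo() -> Decision:
    """The VP's laptop back from two weeks of hotels (constructed data)."""
    now = datetime(2005, 9, 20, 9, 0)  # constructed clock for reproducibility
    laptop = HealthStatement("vp-laptop", True, True,
                             last_patch=now - timedelta(days=45),
                             last_signature_update=now - timedelta(days=14),
                             last_scan=now - timedelta(days=14))
    return evaluate(laptop, now)  # -> quarantined with three failures
```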


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
kudos:8

Great stuff, Steve. Keep it coming. Much appreciated


ghost16825
Use security metrics
Premium
join:2003-08-26

reply to Steve

said by Steve:

The three fundamentals:

System Integrity

This includes "Isolation", "Least Privilege", and "Least Connectivity", things that we've all talked about here. I have made it a point to ask every single presenter about running as an Administrator on their personal desktop: so far I've only heard that Jim Allchin does this. oops

Vista includes much better support for running as a limited user.

I know you're only repeating what you heard, but are they really pushing Least Privilege as a priority? Previous security guides like The Antivirus Defense-in-Depth Guide v1.1 give the impression that Microsoft gives much less emphasis to this idea than other security mechanisms.
--
Admin of the Kerio 2x-like open source project:
http://sourceforge.net/projects/kerio/
http://kerio.sourceforge.net/


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by ghost16825:

I know you're only repeating what you heard, but are they really pushing Least Privilege as a priority?

This depends largely on whether you go by "what they say" or "what they do" - I made it a point to ask nearly every MSFTer I met, and only one ran non-admin on the desktop. Most knew this was not a good thing, but they had to get their work done. They have what I am taken to understand is a heavy and specific project to make this happen (the LUA project) on campus, but at some point you have to wonder whether they really mean it or not when I hear a lot of the "Yah, it's a great idea, but I don't do it myself".

It really is a serious pain in the ass, and one does have to get his work done every day, but it's still a disappointment. I am non-admin on my desktop, as well as on the laptop upon which I am typing these notes.

But I will say: I am sure there are departments for "those who eat babies" and "losers", but I haven't met any of them. One hundred percent of MSFTers I have met have been sharp, passionate, and really cared about their users and security. I have a pretty good BS detector, and there is a certain amount of being overly-cautious that goes with working for a quasi-regulated company, but I haven't found even one person I didn't like.

Really: you might hate how Microsoft does business, you may dislike their software, but nobody gets to say that these people are not passionate. This counts for a lot with me: passionate people do not just punch a time clock.

I have had my Linux "tux" pin on the whole time, and have gotten z-e-r-o flack for it. Lots of MSFTers have extensive experience with *ix (none more than me yet), and they appreciated things with merit. It's been really refreshing.

This evening the Security and Networking people had a shared dinner, and many Microsoft people were there. The networking was great, but they had hired this magician for ambient entertainment: he was astonishingly good. Steffan Soule had an amazing act, low-key personally but perfect execution, and I watched for at least an hour and saw neither a dup nor a slip. Just an amazing presentation: if you live in the Seattle area and need a guy for a corporate function, he's soooo worth whatever he charges.

There is something about a skilled artisan that really rings well with me, and this guy just hit it out of the park.

It's after midnight, and I really gotta crash: will write more tomorrow.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


CrazyM
Premium
join:2001-05-16
BC Canada

Steve enjoying the magician ...

over 12.5 years online © 1999-2012 dslreports.com.