

Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Steve

Windows Vista: Security Update

Now we have the General Manager of Windows Security talking about Vista.

He first gave an overview of Microsoft's security approach, something we've gotten quite a bit about in the past: periodic mandatory security training for devs, assigning security advisers for all components, and using threat modeling as part of the design process. Security review and testing are now built into the schedule, and the testers have a LOT of clout to hold up product release.

They also seek "Common Criteria" (CC) Certification, though more than one of us speculated that this was more about the ability to make sales to the government than it was about security. Snicker.

While talking about Secure Startup - which means that you can configure your system to absolutely require a password to boot, and you can't mount a protected drive on a different OS - he said that a large investment bank reported that they lose one executive laptop per day. I think that if they started giving those executives all the unpaid time off they needed to locate those laptops they would find this problem solved itself.

Secure Startup/Full Volume Encryption

Trusted Platform Module: chip on laptop that holds a key which is required to boot. Machine just won't do anything without this key, and that stolen laptop is useful for nothing but reformatting the drive and selling on eBay. No access to the data.

But what if the motherboard breaks and you need to move the HD to a new system? They have a mechanism to back up the key onto (say) a USB flash drive, and this can be restored to another machine. There are other integrations that allow a recovery key to be saved in Active Directory, so they've really thought about the whole process.

At this point I had a customer emergency and couldn't pay attention, so I missed the sections on Service Hardening and User Access Protection.

They have a new Crypto Infrastructure, which looks really extensible. The new one is supposed to replace the CAPI (Crypto API), and I had a good impression even though I don't really operate at this level - I just don't play in the huge enterprise world.

We do, however, have some extraordinary MVPs who know this space inside and out - it was really useful to hear some of the questions even if I didn't know what it means.

They are really trying to get into smartcard multi-factor authentication. They bought a company "Alacris" whose technology they are integrating, though - again - I'm not that kind of enterprise guy. They really want to make it easy to use smartcards in your enterprise if you want to.

Then a section on Certificate Services, which I have zero experience with and couldn't really absorb.

---

All the speakers today were excellent: they knew their material, got very little marketing BS (which does not go over well with MVPs), and gave a great roadmap for the future. Questions were very lively as they always are with us.

Next is the product-group dinner: we're going to Building 40 to have dinner with the Networking group and a bunch of Microsoft people. They try very hard to intermix MVPs and MSFTers so there is extensive networking. These are among the best parts of Summit: we get to find resources within the company.

Will report more later.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
