Forums » Up and Running » Security » Security » MVP Summit Notes - Thursday
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

MVP Summit Notes - Thursday

I have wireless internet in the technical sessions: yay! So I can file my reports.

This morning was exec day: all 1500 or so of us went to a single large auditorium where we saw a handful of executives say hello, thank us for our service, and talk about new stuff. Last year we had a full day of this, but the MVPs were really clear that we'd rather spend our time with the product teams.

First was Steve Ballmer, and this guy is just one fantastic, compelling, captivating speaker. Even if you don't like Microsoft and hate everything they stand for, SteveB is as entertaining as it gets.

He took questions, and I asked whether he was an Administrator on his own box. Don't know if I can tell you the answer

We saw some demos of Vista, which were very cool. I'm going to look up what's public information tonight and highlight a couple of the high points. I think I need to run this on a test system and start playing.

Then lunch, then a bus ride to the MS campus where I am now; will use one post per session.
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

said by Steve:

Don't know if I can tell you the answer.
I assume that's because we try to avoid excessively profane language in this forum?


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Security Technology Investments & Roadmap

Reminder: I'm a recording secretary, I mainly report what I hear, and saying that we were told X doesn't mean that I agree with X, approve of X, or necessarily even understand X. I don't record everything, either - I am trying to pay attention, so if I get behind I have to skip stuff.

Also, these sessions are limited ones: just the Security MVPs, so there's maybe 40 of us in the room.

It's really clear that Microsoft is making big noises about Security, and we've seen many of these improvements in the last few years. XP/SP2, Malicious Software Removal Tool, MS Antispyware, and lots of prescriptive guidance.

Their vision is much more than just keeping spyware from the machine, and our speaker talked about three fundamentals of the Trustworthy Computing Initiative.

MS has implemented a Security Development Lifecycle, which considers security from the very beginning. There are teams that do nothing but consult with the product groups: design, coding, threat analysis, testing. They have something like 100k man hours of security training.

They also have a group of internal pen testers: they get to bang on the product and make sure that it works securely not only in its own right, but as it integrates with other things. I met one of these pen testers (Peter) on a previous trip - he's very good at this.

MS understands that an enterprise simply can't take a month of testing before installing a patch: the badware often comes out 15 minutes after an advisory.

The three fundamentals:

System Integrity

This includes "Isolation", "Least Privilege", and "Least Connectivity", things that we've all talked about here. I have made it a point to ask every single presenter about running as an Administrator on their personal desktop: so far I've only heard that Jim Allchin does this. oops

Vista includes much better support for running as a limited user.

Identity & Access Control

One thing he talked about were mechanisms for dealing with how to avoid getting your stolen laptop compromised. This involves a (I think) TPM chip that knows which OS you booted and won't let you boot an alternate recovery OS (Knoppix, for instance) to extract the password.

This is apparently NOT the same as the DRM stuff that says that Disney gets to control how you watch your content.

Threat & Vulnerability Mitigation

This is much more about the "obvious" things like Antispyware - and enterprise details are "coming soon" - but no real details.

Internet Explorer 7

This was re-architected for security (which sounds like a HUGE job), and it really has a lot of things that make sense.

Example: Phishing filter. If you visit a site that's in their database, looks suspicious (numeric IP, for instance), it will treat the site differently with a warning, and a way to provide feedback ("Hey, this is a phishing site").

There are all kinds of privacy and performance concerns at play here - you're essentially sending a ping to Microsoft to ask if the site is valid or not - but it's of course voluntary. They say that the information is anonymous and is not tracked back to me, but I expect the privacy nutbars to come out of the closet on this one.

IE7 on Vista will provide an ActiveX Opt-in on what I think is a per-site basis, and will have a low-rights option that puts everything in what I'd call a sandbox. It looks really promising. We're getting an IE session tomorrow and will get more details then.

Microsoft AntiSpyware

Apparently this is the most popular download ever, and everybody at MS seemed really jazzed about it. Everybody asked about the enterprise version (manageable via Group Policy, probably), but nobody can talk about it. It's really been maddening to see no movement on this as far as we can see. Beta forever!

The SpyNet community system gets 20,000 votes per hour, which has to be a fantastic way to leverage the community and respond to new threats quickly.

We have an AntiSpyware session tomorrow.

Antigen/Sybari

This is the antivirus solution, and it looks like it integrates with pretty much everything: filesystem, Exchange, IM, Sharepoint, etc. They have support for multiple scan engines which ship with the product, and can set your preferences: Max Certainty (use them all) through Max Performance (use one). Scanning is done in parallel so it's not running through the engines one at a time. It has enterprise support too.

This is technology they apparently acquired from Sybari, and it looks really well done. We get a full session on this later in the week, and I'm really impressed with it.

ISA Server

I know the least about this of anything, because I use SonicWall, so much of it is lost on me. But he talked about my favorite security technology: Network Access Protection.

A client - the laptop of the idiot VP - connects to the network after being in hotels for two weeks, and we want to keep his infested laptop from burning the whole network. When he connects, the DHCP server gives him access to a highly restrictive network (a protected VLAN) and he connects to a server for a health check. Latest patches? Antivirus up to date? Scan run lately? Whatever you want.

Only when the device is deemed "healthy" does it get access to the real network - otherwise it's quarantined with access only to resources to get healthy. This has been in use with wireless and VPN for some time, but Longhorn will support it for everything. This requires the ability to talk with the network switches for VLAN management and the like.

I love NAP, and you can find more about this at www.microsoft.com/nap/
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
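The NAP flow described in the post above (connect, land on a restricted VLAN, pass a health check, then get the real network) as a small policy evaluator. This is an added example, not code from the post or from Microsoft's NAP; the check names, thresholds, VLAN numbers and the two sample clients are all constructed for illustration.

```python
"""Network Access Protection style health check (constructed example).

A connecting client reports a statement of health; the policy server
decides whether the switch should put it on the production VLAN or keep
it quarantined with access only to remediation resources. It also
returns the reasons for quarantine so the client can be told what to fix.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

QUARANTINE_VLAN = 999   # constructed: remediation-only network
PRODUCTION_VLAN = 10    # constructed: the real corporate network


@dataclass
class HealthStatement:
    """What the client reports about itself when it connects."""
    hostname: str
    missing_critical_patches: int
    av_definitions_date: date
    last_full_scan: Optional[date]
    firewall_enabled: bool


@dataclass
class Policy:
    """Constructed thresholds; a real deployment would set its own."""
    max_definition_age: timedelta = timedelta(days=3)
    max_scan_age: timedelta = timedelta(days=7)
    require_firewall: bool = True


@dataclass
class Decision:
    vlan: int
    healthy: bool
    failures: list = field(default_factory=list)


def evaluate(soh: HealthStatement, policy: Policy, today: date) -> Decision:
    """Apply every check and quarantine on any failure (fail closed)."""
    failures = []
    if soh.missing_critical_patches > 0:
        failures.append(f"{soh.missing_critical_patches} critical patch(es) missing")
    if today - soh.av_definitions_date > policy.max_definition_age:
        failures.append("antivirus definitions out of date")
    if soh.last_full_scan is None or today - soh.last_full_scan > policy.max_scan_age:
        failures.append("no recent full antivirus scan")
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if failures:
        return Decision(QUARANTINE_VLAN, False, failures)
    return Decision(PRODUCTION_VLAN, True)


# Constructed sample clients: the VP's laptop back from two weeks of
# hotels, and a desktop that has been on the network the whole time.
TODAY = date(2005, 9, 29)
VP_LAPTOP = HealthStatement("vp-laptop", 4, TODAY - timedelta(days=15), None, False)
HEALTHY_DESKTOP = HealthStatement(
    "desk-01", 0, TODAY - timedelta(days=1), TODAY - timedelta(days=2), True)


def decide_vp_laptop() -> Decision:
    return evaluate(VP_LAPTOP, Policy(), TODAY)


def decide_healthy_desktop() -> Decision:
    return evaluate(HEALTHY_DESKTOP, Policy(), TODAY)


if __name__ == "__main__":
    for d in (decide_vp_laptop(), decide_healthy_desktop()):
        print(d.vlan, d.healthy, d.failures)
```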


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
Great stuff, Steve. Keep it coming. Much appreciated


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Windows Vista: Security Update

Now we have the General Manager of Windows Security talking about Vista.

He first gave an overview of Microsoft's security approach, something we've gotten quite a bit about in the past. Periodic mandatory security training for devs, assigning security advisers for all components, and to use threat modeling as part of the design process. Security review and testing are now built into the schedule, and the testers have a LOT of clout to hold up product release.

They also seek "Common Criteria" (CC) Certification, though more than one of us speculated that this was more about the ability to make sales to the government than it was about security. Snicker.

While talking about Secure Startup - which means that you can configure your system to absolutely require a password to boot, and you can't mount a protected drive on a different OS - he said that a large investment bank reported that they lose one executive laptop per day. I think that if they started giving those executives all the unpaid time off they needed to locate those laptops they would find this problem solved itself.

Secure Startup/Full Volume Encryption

Trusted Platform Module: chip on laptop that holds a key which is required to boot. Machine just won't do anything without this key, and that stolen laptop is useful for nothing but reformatting the drive and selling on eBay. No access to the data.

But what if the motherboard breaks and you need to move the HD to a new system? They have a mechanism to backup the key onto (say) a USB flashdrive, and this can be restored to another machine. There are other integrations that allow a recovery key to be saved in Active Directory, so they've really thought about the whole process.

At this point I had a customer emergency and couldn't pay attention, so I missed the sections on Service Hardening and User Access Protection.

They have a new Crypto Infrastructure, which looks really extensible. The new one is supposed to replace the CAPI (Crypto API), and I had a good impression even though I don't really operate at this level - I just don't play in the huge enterprise world.

We do, however, have some extraordinary MVPs who know this space inside and out - it was really useful to hear some of the questions even if I didn't know what it means

They are really trying to get into smartcard multi-factor authentication. They bought a company "Alacris" whose technology they are integrating, though - again - I'm not that kind of enterprise guy. They really want to make it easy to use smartcards in your enterprise if you want to.

Then a section on Certificate Services, which I have zero experience with and couldn't really absorb.

---

All the speakers today were excellent: they knew their material, got very little marketing BS (which does not go over well with MVPs), and gave a great roadmap for the future. Questions were very lively as they always are with us.

Next is the product-group dinner: we're going to Building 40 to have dinner with the Networking group and a bunch of Microsoft people. They try very hard to intermix MVPs and MSFTers so there is extensive networking. These are among the best parts of Summit: we get to find resources within the company.

Will report more later.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to Steve
Re: Security Technology Investments & Roadmap

said by Steve:

The three fundamentals:

System Integrity

This includes "Isolation", "Least Privilege", and "Least Connectivity", things that we've all talked about here. I have made it a point to ask every single presenter about running as an Administrator on their personal desktop: so far I've only heard that Jim Allchin does this. oops

Vista includes much better support for running as a limited user.
I know you're only repeating what you heard, but are they really pushing Least Privilege as a priority? Previous security guides like The Antivirus Defense-in-Depth Guide v1.1 give the impression that Microsoft gives much less emphasis to this idea than other security mechanisms.
--
Admin of the Kerio 2x-like open source project:
http://sourceforge.net/projects/kerio/
http://kerio.sourceforge.net/


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31

reply to Steve
Re: MVP Summit Notes - Thursday

Wow!
This really is some great stuff. Will be following this thread as I have some of the others that are related to this summit....and events from summits of the past.

I'm certainly no MVP (far from it), but I am enjoying your reporting of these events immensely.

Thanks for the hard work, Steve.
You are indeed an EXCELLENT "recording secretary".
--
I had a life once.....now I have a Computer and a Modem.


Great Report

@207.195.x.x

reply to Steve
Thank you for the Summit Notes, Steve. This is the kind of news this forum sorely needs and craves. I am bored to death with the current dearth of mundane topics in the Security Forum. Your report is a wonderful read, but I am left to wonder....

Where are the pictures...;)?

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

said by Great Report:

I am bored to death with the current dearth of mundane topics in the Security Forum.
A dearth of mundane topics in this forum? Au contraire... we've got 'em coming out of our ears.


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

reply to Steve
LOL, Dave.

Steve,

I have to say, Microsoft makes me very angry on a fairly regular basis, but I am once again becoming optimistic about their future offerings.

I've said this many times in the past and been horribly disappointed, but I think this time may be different. I'm guided by a single thought -- "How long can a company with billions of dollars who is serious about security continue to fail at it on a massive scale?"

I think the answer has to be, "Not much longer." I truly believe that all the problems we've seen from Microsoft over the years have been a result of them, 1) not being serious about security, and 2) dealing with the massive deployed codebase once they did get serious.

I truly won't care if Microsoft does get their stuff together when it comes to security. It'll be one less source of comic relief, but it'll be better for the world.

Here's to hoping.
--
dmiessler.com -- grep understanding knowledge


Great Report

@207.195.x.x

reply to dave
said by dave:

A dearth of mundane topics in this forum? Au contraire... we've got 'em coming out of our ears.
I know what dearth means. I was being sarcastic.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Daniel
Microsoft is very serious about security and every coder here gets training on how to write secure code and processes and such are engineered now to include security in every step. To give an example of how much of a difference this is making one stat that was kicked about was of the 90 bulletins for Windows 2003, 88 were for legacy code, only 2 were for new code written since Microsoft implemented their training and new processes. As a software designer/developer I can honestly say that is very impressive.

Now as Steve captured there was a huge pile of stuff talked about today in terms of what is coming from Microsoft, so it's obvious that Microsoft is not done with security as it is still a high priority topic here, but what is interesting is that they are getting caught up a bit and are starting to look at proactive methods of security, so they will be putting the heat on the black hat community to step up their game in response. Now I don't have any doubts that the black hat community isn't going to pack up and blow town, but they are going to need a taller ladder to get at the low hanging fruit. That said, adoption rates of this new technology aren't going to happen across the board and people will no doubt still be running unpatched Windows 98 boxes, but some people you just can't help and so we just have to move on and leave them behind, sorry but that is how it is. As Microsoft closes one door, hackers will just knock on others and certainly there are lots left to be knocked on, but that is the name of the game when chasing hackers. Certainly the black hat in my mind still sees opportunities for successful hacking, but Microsoft is slamming doors hard at a faster rate than ever before which is great.

Now I'm going to say something that Linux people might not want to hear, so if you like the penguin skip this section. With all the management and security which will be built into Vista, Linux is going to have a hard time keeping up and hence Microsoft will definitely claw back server share from Linux, because of what we saw today. Even if Linux was to start now on these features it's too late as the big machine has heard you and is responding and frankly innovating how security and management can be done (yes Microsoft innovates and we saw proof of that today). Sorry kids but I don't see how Linux can compete as Microsoft is in a much higher gear than Linux and hence going much faster than I think Linux can go. In short I think if the penguin was ahead (debatable), then it's about to become road kill. Now I know some people will be upset or whatever, but in two years we will find out if I'm right or wrong.

Now, did I like everything I heard? Mostly. We have a lot of large Enterprise MVPs in our group so of course today was tailored to them, but I would like to hear about what all this means to Joe User, or what the Home Edition will feature in terms of security and management, but I don't doubt it will be good (Now I've been running Longhorn for a while and I've liked it thus far and it has been getting better all the time, so by release it will be amazing).

Now the things that I grouped in 'mostly' were not 'that's the dumbest thing I've ever heard', but 'that's cool, but that feature is a little odd, was that like a Monday morning feature', and I asked for some statistical evidence that what they were doing was actually effective which to their credit they did have, so I'm impressed with that as obviously someone asked those questions before and someone went out and got the answers, but now I need to read those as I'm just not convinced in my mind that the value of some of the features are as high as they think, but as unbelievable as it might be, I've been wrong before.

Now I have a concern with Microsoft as they are about to churn out cool technologies at an unbelievable pace as the next year is going to be unprecedented in terms of product releases. I'm not sure that we are going to be able to digest this flood of products and technology. I think there is a lack of supporting materials like books and training which would enable people to use all of these cool products correctly, so I fear there are going to be adoption issues. For example from a developer's viewpoint, .Net 2.0 and Visual Studio 2005 with C# are about a month away from release and there is a lack of books or training materials (where is MSPress for example on this). People are going to buy into these technologies as they are way cool, install them on their machines and then what? As with most great things with huge potential these products are not trivial and so training and a bit of a mind shift are needed to achieve maximum benefits, but I fear the supporting materials needed for this are missing or are so far off the radar that they might as well be missing.

I think you would be hard pressed to find anyone who would tell you that the IT industry hasn't been spanked, and is running hard with what they have now (staff shortages, budget cuts etc), so training is going to be difficult (for example I had to take vacation time and pay my own expenses to come to this meeting, but I handed them my resignation before I came so hopefully I'm off to my next big adventure whatever that might be in about a month). Steve Ballmer once said that we were just entering an extremely exciting year, but there are way too many IT folks who are barely keeping up now with current workloads to learn new technologies and hence opportunities will be missed.

As always I'm looking forward to tomorrow's meetings as I'm once again learning lots, from not just Microsoft but also my fellow MVPs.

Blake
--
Vendor: Firewall Logging Software www.SonicLogger.com - SonicWall and 3Com www.LinkLogger.com - Linksys, Netgear and Zyxel


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Steve
Rock'em Sock'em pit at the security dinner. I don't think my insurance would have covered old fat guys like me playing this.

Blake


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to ghost16825
Re: Security Technology Investments & Roadmap

said by ghost16825:

I know you're only repeating what you heard, but are they really pushing Least Privilege as a priority?
This depends largely on whether you go by "what they say" or "what they do" - I made it a point to ask nearly every MSFTer I met, and only one ran non-admin on the desktop. Most knew this was not a good thing, but they had to get their work done. They have what I am taken to understand is a heavy and specific project to make this happen (the LUA project) on campus, but at some point you have to wonder whether they really mean it or not when I hear a lot of the "Yah, it's a great idea, but I don't do it myself".

It really is a serious pain in the ass, and one does have to get his work done every day, but it's still a disappointment. I am non-admin on my desktop, as well as on the laptop upon which I am typing these notes.

But I will say: I am sure there are departments for "those who eat babies" and "losers", but I haven't met any of them. One hundred percent of MSFTers I have met have been sharp, passionate, and really cared about their users and security. I have a pretty good BS detector, and there is a certain amount of being overly-cautious that goes with working for a quasi-regulated company, but I haven't found even one person I didn't like.

Really: you might hate how Microsoft does business, you may dislike their software, but nobody gets to say that these people are not passionate. This counts for a lot with me: passionate people do not just punch a time clock.

I have had my Linux "tux" pin on the whole time, and have gotten z-e-r-o flack for it. Lots of MSFTers have extensive experience with *ix (none more than me yet), and they appreciated things with merit. It's been really refreshing.

This evening the Security and Networking people had a shared dinner, and many Microsoft people were there. The networking was great, but they had hired this magician for ambient entertainment: he was astonishingly good. Steffan Soule had an amazing act, low-key personally but perfect execution, and I watched for at least an hour and saw neither a dupe nor a slip. Just an amazing presentation: if you live in the Seattle area and need a guy for a corporate function, he's soooo worth whatever he charges.

There is something about a skilled artisan that really rings well with me, and this guy just hit it out of the park.

It's after midnight, and I really gotta crash: will write more tomorrow.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


CrazyM
Premium
join:2001-05-16
BC Canada

Steve enjoying the magician ...