MVP Summit: Friday notes (dslreports.com Security forum thread)


elvey
Spamassassin

join:2001-02-17
San Francisco, CA
·Pacific Bell - SBC
·Comcast
·SONIC.NET

reply to Steve
Re: MVP Summit: Friday notes

Thanks, Steve. A lot of interesting stuff there.

said by Steve:

Your BBR login information is referenced by a cookie, and most of us would prefer not to login every time.
I have to login (almost) every time, I guess cuz I'm (almost) always coming from a different IP.

I wonder how hard it would be to use a macro player to automate MSAS enterprise-wide. (I miss the 'Recorder' Accessory that was in Windows (thru WfW 3.11, IIRC).)

said by Steve:

the folks at Intuit don't ever hear about this except from a couple of whiney Microsoft MVPs. We're not customers, so they could hardly care less.
Have you obtained a refund for said clients from Intuit? As I've mentioned on BBR, I did this with AV vendors and it had the desired effect. (Well, at least there was a correlation, and the support folks did state that they would fix the problem...)
"All QuickBooks products have an unconditional 60-day money back satisfaction guarantee." - »www.quickbooks.com/support/servi···ectronic
--
SBC is the world's second-largest SpamHaus and leads an Organized Crime Syndicate.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to jig
said by jig:

"Clear my tracks" does/doesn't scrub the physical disk location where the browser history etc were before deletion? You mentioned FBI...
I was very surprised to hear about this, and I did ask them about it, as I have built tools for forensics in this area in the past. What most people don't realize is that the information is in a couple of different hives, so doing a 'delete files/cookies' from IE didn't get rid of your history as far as anyone doing forensics on your system was concerned. The response was that the hives would be cleared but the drive space wouldn't be reset, and by this they mean that yes, the information within the hives would be removed, but that space on the drive wouldn't be cleared, so technically you could reconstruct the hive as far as 'deleted' data wasn't written over on the drive (or you have access to an electron microscope sort of thing).

I'm sure there are a number of security groups who are not overly pleased about this, but in reality the bad guys are going to be the first in line to get IE7/Vista anyways as it really is way more secure and no one needs security like people with something to hide.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to jig
said by jig:

Does the windows rights management services suite include a widget to scrub documents before distribution? My guess is no, since the services seem to be meant as a general tool, rather than office specific, say.
It does not. RMS doesn't know anything about applications - it appears to just manage data streams - but an application can choose to do what it likes. Office is what defines and enforces the list of things ("no printing", "disallow paste", etc.) to restrict.

I don't know of any "scrub document" features, but I seem to remember hearing that Office might have this somewhere. But I doubt RMS has anything to do with it.
"Clear my tracks" does/doesn't scrub the physical disk location where the browser history etc were before deletion? You mentioned FBI...
It doesn't do a secure erase, I was joking about the FBI, and this is a fine time to remind everybody that I speak for myself only and never ever speak for Microsoft.
IPsec without encryption is sniffable, correct?
Yep, sure is: ESP+NULL is essentially in cleartext. In a switched environment, sniffing is not quite the same risk that unauthorized access of resources is.
What is Antigen?
It's an antivirus technology that they seem to have purchased from Sybari, with unknown plans for some kind of integration into Windows. I saw a drive-by of the technology on the first day, but I skipped the Antigen deep-dive session on Saturday so I could learn more about IPsec.
Is it particularly hard to falsify IPsec credentials?
I think it's pretty hard, but it depends on how the key exchange is done up front. One can use something really simple, like a manual shared secret, or more advanced stuff with certs and/or Kerberos, but in any case it's not something so simple as sniffing a password or replaying a session. IPsec seems to be based on solid crypto.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


jig

join:2001-01-05
Hacienda Heights, CA

reply to Steve
Some quick questions:

Does the windows rights management services suite include a widget to scrub documents before distribution? My guess is no, since the services seem to be meant as a general tool, rather than office specific, say. But, at the same time you mentioned that you could allow/deny copy paste so maybe revision history is also locked down by default or something.

"Clear my tracks" does/doesn't scrub the physical disk location where the browser history etc were before deletion? You mentioned FBI...

IPsec without encryption is sniffable, correct? IPsec domain isolation sounds fun.

What is Antigen? Or maybe a better question, why do they call it antigen?

Is it particularly hard to falsify IPsec credentials?


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
reply to Steve
And the sad thing is that Jim Allchin goes to retirement or elsewhere when VISTA is Gold.

That is the saddest news from the Summit.

The replacement plans for senior execs are unclear. Jim will be missed big time.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Steve
One of the big cheeses had the correct response in my mind anyways, and you know if he is going to do it, then everyone else in the company (except maybe one guy) is going to do it also (that would be a hint for just about anyone). He is currently running as Admin for another couple of months, when he switches over to Vista, at which time he will be running as a non-Admin. The problem is that while the current OS had multi-level users, it was never used in such a fashion by anyone, hence a lot of software breaks at non-Admin level, including the OS. So a new OS is needed to correct these problems, and once that is done the idea of running as a non-Admin works, hence the short wait at MS and the slightly longer wait for the rest of us. Now I run my kids with non-Admin on their computers, which works fine as they don't have too many issues, but certainly issues exist for people using more advanced software. Microsoft knows this and I think they 'got it' with Vista, and so it's workable as a non-Admin; now the question is will the third party vendors get it. Link Logger works with non-Admin as it was a goal for me four years ago, but some things are only available to Admin users as that was part of the 'security' setup (i.e. only Admins could change the IP address of the firewall). Users will also have to learn that some software features or functionality of some products will be reserved for Admin level users, and that in itself is an issue. In short, based on what I saw and heard from Microsoft during the meetings and some of my discussions with other folks (both Softies and otherwise), I know I can safely say that Microsoft 'got it', and their future products will demonstrate that.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to dave
Re: take no prisoners

said by dave:

Coerce, hell. They should set out to deliberately break non-conforming software, and pre-emptively tell customers why they're going to do it.

"QuickBooks is a security hazard. Microsoft will protect you from dangerous software like that."
If they just changed the default account type in XP to limited user, I think they'd be there today, except for the "Hall of Shame" prompting. Maybe if they were to channel someone/something like Marvin from "Hitchhiker's Guide to the Galaxy" for insulting prompts it could be mildly entertaining...although I guess it depends on whether one insults the user or the ISV.
--
Feedback? e-mail: stuff@lupwa.org

Tuulilapsi
Kenosis

join:2002-07-29
Finland


1 edit
reply to Steve
Re: MVP Summit: Friday notes

Yes, I understand there are in fact many programs that due to bad coding flat out refuse to work on nonadmin accounts. I suppose I've been lucky with my software. You, of course, are a programmer, so I can see how you'd run a much wider variety of different software than I do, and so you'd be more likely to face misbehaving apps.

That's a very good point you make about creator/owner, and one which people often seem to forget when recommending the use of MakeMeAdmin and the like. I myself keep my admin and nonadmin accounts strictly separate. The only thing I need to elevate my account to admin status for is changing the power saving options, but I only have to do that once, with the new installation, and that doesn't create the creator/owner issue.

I've been increasingly trying to spread the word, contacting the developers and urging others to do so as well, upon discovering programs that misbehave as non-admin. The day we see Windows nonadmin accounts become as common as Unix user accounts is the day many of the "Windows security sucks" myths come crashing down. Loudly.

Edited: I would actually readily support Dave's suggestion.
--
And lead me not into temptation - for I can find my way there myself easily enough.

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

reply to psloss
take no prisoners

said by psloss:

but it's actually going to be more effective for them to change Windows than to try to coerce third party developers to "correct" incompatibilities in third party code.
Coerce, hell. They should set out to deliberately break non-conforming software, and pre-emptively tell customers why they're going to do it.

"QuickBooks is a security hazard. Microsoft will protect you from dangerous software like that."

psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to Tuulilapsi
Re: MVP Summit: Friday notes

said by Tuulilapsi:

I believe MS should market limited user much more aggressively. That would be good for both their users' security and the reputation of NT as a secure operating system. It's bloody amazing how many "professionals" don't know about limited user on Windows.
(Sorry for extending this tangent again, but...)

We've already gone back and forth on non-admin accounts in the past week, but I think it's worth noting again: limited/non-admin accounts are incompatible with too many apps. Microsoft may have had an opportunity way back when (perhaps with the NT 4 move to the Windows 95 Shell) to try to influence developers to make NT-compatible software, but it's actually going to be more effective for them to change Windows than to try to coerce third party developers to "correct" incompatibilities in third party code.

(I would presume that the "Win9x emulation" being built into NT 6.0/Vista to provide Win9x compatibility will allow limited/non-admin user accounts to be marketed more heavily.)

I'm not sure what to make of the answers to Steve's "dogfooding" question. In the absence of information about other factors, it seems disappointing; however, I'd be more specifically interested in whether their application development and support "groups" (and others) walk that talk. I'd be curious about that breakdown of the presenters/speakers.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Tuulilapsi
said by Tuulilapsi:

Frankly, I don't know why so many people who know of limited user do not run as limited.
Because the difficulty involved depends on the mix of programs you use, and RunAs doesn't always really deal with it properly. I run as non-admin and it positively sucks: too much software just doesn't do the right thing, and figuring out how to Make It Work can be a real challenge.

QuickBooks, for instance, requires opening up HKEY_CLASSES_ROOT at the very top level, which removes much of the benefit of running as non-admin.

Note: if you temporarily elevate yourself to admin so you can install software and then remove yourself from the Administrators group, you're not getting any real protection (hint: CREATOR OWNER). Likewise with Power User - escalation to Admin is not really that difficult.

The only way this will ever happen is if users demand it from their vendors and vote with their wallets. I think this is a very tough row to hoe: "running as a limited user" is not even on the top 10 things that people care about when evaluating (say) an accounting package, so the folks at Intuit don't ever hear about this except from a couple of whiney Microsoft MVPs. We're not customers, so they could hardly care less.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site

Tuulilapsi
Kenosis

join:2002-07-29
Finland

reply to Steve
Hell, I won't argue against you on that. Leading by example, that should be self-evident. Frankly, I don't know why so many people who know of limited user do not run as limited. I like to think of myself as a power user, yet I can do pretty much anything I need to do frequently without an admin account. If it takes two seconds to use Run As a couple of times a week, I can live with that. Maybe I'm just not busy enough.
--
And lead me not into temptation - for I can find my way there myself easily enough.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Tuulilapsi
said by Tuulilapsi:

I believe MS should market limited user much more aggressively.
They should use it first.

I asked nearly every presenter about this, and nearly every one of them was admin on his or her own desktop. Personally, I get zero benefit from running as non-admin on my own system, and neither would these security-savvy users, but this is about "dogfooding" your own security best practices.

Apparently there is a large campaign to actually do this, but with the push to get Longhorn/Vista out the door (which is quite a bit better on this front), I dunno how far it's going to go.

I like to think of myself as walking the walk: not sure I can say the same for Microsoft.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site

Tuulilapsi
Kenosis

join:2002-07-29
Finland

 reply to Steve
This thread needs a huge thumbs up.

I believe MS should market limited user much more aggressively. That would be good for both their users' security and the reputation of NT as a secure operating system. It's bloody amazing how many "professionals" don't know about limited user on Windows.
--
And lead me not into temptation - for I can find my way there myself easily enough.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Rootkits

I was looking for this, because Lee Yan is a fantastic presenter, and top-notch nice guy to boot. He's talked with us at the last three Summits, and each time it gets more interesting - what an arms race out there.

I didn't really take any notes because the material was highly detail-oriented, and I couldn't have possibly captured it all. It would have also been really hard to actually follow along had I been transcribing. I started coming down with a cold yesterday morning, and this has slowed me down some (and still is).

Bottom line: if the trusted computing base is no longer trusted, the game is over, and ultimately if people install rootkits, there won't ever be guaranteed reliable ways to find them (in spite of what has been claimed here in the past). But that doesn't mean that the rootkit-writers are the only smart guys around.

Like all malware, rootkits do "bad stuff", but take extra steps to cover their tracks: By diving into kernel mode, they can do some very effective hiding.

For instance, if rootkit.exe is the badware which injects the kit into the kernel, it can intercept the list-files API to simply omit itself from a listing. So doing a DIR won't show the file if the rootkit is running. Likewise, it can intercept requests to show all running processes to omit itself.

I believe that most rootkit detectors operate by finding cases where the rootkit performs incomplete hiding, and by asking for the same data in different ways, discrepancies point to suspicious behavior.

There are several ways to get file listings: at the Win32 API level, the NT API level, and others as well. One grabs the lists, does a diff, and it points to funny business. So the goal is to find as many sneaky ways to ask these questions in ways that the rootkits haven't figured out how to lie about. They get much better over time.

The approach taken by Rootkit Revealer is to walk the filesystem with all the usual API functions, and then to open the disk volume directly and decode the NTFS itself. Remember: the file has to actually be on the disk somewhere, so examining the volume directly is a sure way to see it, right?

Yes, but... The point is not so much seeing the file, but finding the diffs.

If the NTFS walk sees the file and the APIs don't agree, it points to a problem, but if they produce the same result then all appears well. This means that the rootkit can lie if DIR is asking but tell the truth if RootkitRevealer is asking. If you rename the scanner, the rootkits will figure it out by the file header or other signature.

Selective lying makes for some amusing circumstances. The rootkit's configuration file can be told which file patterns are to be excluded from a listing (the main exe, support files, the trojan, etc.), and once in a while a customer reports that they create a file which suddenly disappears.

This is because the customer filename just happens to match a hide-from-the-user pattern, and it's a dead giveaway that there's a rootkit on the system. Seeing this behavior would surely qualify as "very strange".

The discussion got pretty technical - which I really liked - and covered strategies for tracking them down.

It seems to me that this is the single biggest reason to run as a limited user - admin is required to install a rootkit - though there was sadly very little "walk the walk" at Microsoft on this front. I run as a non-admin user.

This ended the technical sessions, and next was the MVP barbecue. Due to rain it was held indoors, but it was a nice time to network with our fellow MVPs and Microsoft staff.

I felt a cold coming on so left early to catch an earlier flight, and thankfully got in last night before it got too late. I'm typing this with a very stuffy head (only slightly less coherent than usual).

MVP Summit was fantastic, and we got exceptionally relevant sessions. A little bit of marketing - that's to be expected - but hugely valuable takeaway.

Looking forward to next year already!

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
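The cross-view diff Steve describes in the post above, as an added example that is not code from the thread, from RootkitRevealer, or from the Summit presentation: a simulated rootkit hook that omits paths matching its configured patterns (and tells the truth to one scanner, picked by process name), three views of the same file list (two hooked API views and a raw-volume view that bypasses the hook), and a diff that reports every path the views disagree on. The file paths, the `*rk_*` pattern and the process names are constructed for the example, and `win32_view`, `ntapi_view`, `raw_volume_view`, `cross_view_diff` and `scan` are hypothetical helper names, not real APIs.

```python
"""Cross-view rootkit detection model (added example, not from the thread).

Everything here is simulated: the on-disk file list, the hide patterns and
the process name the rootkit tells the truth to are constructed values.
"""
import fnmatch

# Constructed ground truth: what is actually stored on the NTFS volume.
ON_DISK = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\rk_driver.sys",       # hypothetical rootkit component
    r"C:\Users\alice\payroll_rk_notes.txt",     # innocent file that matches a hide pattern
    r"C:\Users\alice\report.docx",
}


class SimulatedRootkit:
    """Models a kernel hook on the list-files APIs.

    It omits any path matching one of its configured patterns, except when
    the caller's process name is on its list of scanners it tells the truth
    to (the 'selective lying' behaviour the post describes).
    """

    def __init__(self, hide_patterns, truth_for=()):
        self.hide_patterns = [p.lower() for p in hide_patterns]
        self.truth_for = {name.lower() for name in truth_for}

    def _hidden(self, path):
        return any(fnmatch.fnmatchcase(path.lower(), pat) for pat in self.hide_patterns)

    def filter_listing(self, caller, listing):
        if caller.lower() in self.truth_for:
            return set(listing)
        return {p for p in listing if not self._hidden(p)}


def win32_view(rk, caller):
    """Listing as seen through the hooked Win32 file-enumeration API."""
    return rk.filter_listing(caller, ON_DISK)


def ntapi_view(rk, caller):
    """Listing through the native NT API; here the same hook sits underneath."""
    return rk.filter_listing(caller, ON_DISK)


def raw_volume_view():
    """Listing obtained by opening the volume and decoding NTFS structures
    directly, which bypasses the hooked file-system APIs."""
    return set(ON_DISK)


def cross_view_diff(views):
    """Return {path: [names of views that did not show it]} for every path
    that is not present in all views. An empty result means the views agree."""
    union = set().union(*views.values())
    discrepancies = {}
    for path in sorted(union):
        missing = [name for name, seen in views.items() if path not in seen]
        if missing:
            discrepancies[path] = missing
    return discrepancies


def scan(rk, scanner_process):
    """Gather all views under the scanning process's name and diff them."""
    views = {
        "win32": win32_view(rk, scanner_process),
        "ntapi": ntapi_view(rk, scanner_process),
        "raw_ntfs": raw_volume_view(),
    }
    return cross_view_diff(views)


if __name__ == "__main__":
    rk = SimulatedRootkit(hide_patterns=["*rk_*"], truth_for=["rootkitrevealer.exe"])
    print("scan from cmd.exe:           ", scan(rk, "cmd.exe"))
    print("scan from rootkitrevealer.exe:", scan(rk, "rootkitrevealer.exe"))
```

Run from `cmd.exe`, the diff flags both the rootkit's own driver and the innocent `payroll_rk_notes.txt`, which is the "customer file suddenly disappears" symptom from the post. Run under the process name the rootkit has been configured to tell the truth to, the diff is empty even though the rootkit is present, which is exactly why the raw-volume view, and asking the question in ways the hook cannot intercept, matter more than any single API.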


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Ok, I'm back home from Summit and can recap yesterday.

The first was on Antigen, but I'll be more use to the community by diving deeper into IPsec, so I headed off to building 40 for essentially the same IPsec presentation we had yesterday, but with a bit more detail. Let me note carefully that I still don't have my arms fully around it, so I'm doing lots of hand-waving and skipping stuff that's probably important. But I think the big picture is at least in the right direction.

IPSec

The more I look at IPsec, the more I'm intrigued by it. Previously I'd always thought to use VLANs or isolated segments to protect things, but this is not very granular.

Scenario: customer's whole enterprise is built around processing of sensitive data (say, a payroll service bureau), and you want to prevent a vendor or visitor from plugging in a laptop to an open RJ45 jack and being able to wander around the network (Of course, there is clearly a physical security issue here - let's put that aside for the moment: the larger the enterprise, the harder this is to get right).

A simple approach is to have separate networks -- internal and external -- on separate VLANs and with a separate set of Ether jacks. This probably works ok when you can physically isolate the network (e.g., waiting rooms, lobbies, cafeterias are all on the "external" network, everything else is internal), but this really falls apart when you deal with a conference room.

You want a vendor to be able to plug in and phone home to get a proposal or whatever, but you also do internal training there. What: two jacks, with a "only authorized users use the one on the left" sign?

IPsec solves this problem. When a computer that's authorized to join the domain signs on, it does the usual credentials dance, and users logging in are able to fetch policies from the domain controller. These policies include IPsec stuff, including the rules on how you talk with other members in the domain.

The payroll server, which has the most sensitive data around, is configured to accept only IPsec-protected connections, and the rules include which credentials it will accept (perhaps the receptionist is a valid domain user, but with no rights to the payroll server).

So if I at my workstation make a "regular" TCP connect() operation, the server sees no IPsec header and simply drops it: the machine is not on the network as far as I am concerned.

Note - I got conflicting information on this point: either the non-protected packet is dropped entirely, or some kind of "IPsec required" response is sent which tells the client to try again. I believe it's the former but am not certain.

This means that the vendor who's plugged into the network doesn't even see the highly secure server and gets nowhere even if he somehow had the Administrator password.

It doesn't have to be (and rarely will be) all-or-nothing. That highly secure server might say "it's IPsec or it's nothing", but other parts of the network will be configured to either not require IPsec at all, to allow it if presented, or to only require it for certain features.

I'd imagine that one would allow DHCP and DNS servers to use unprotected connections - how else would the vendor even get an IP address? - but the fileserver might require it.

Remember that using simple firewalls or hosts.allow doesn't solve this problem that well: if most of your enterprise uses DHCP, then everybody pulls from common pools unless you start doing reservations. This is hard to manage.

It seems clear to me that this requires a great deal of thought to set up in an enterprise, and though I have a payroll service bureau I'd like to do this with, there's no way to "just turn it on" - I'm sure I would just break everything.

An interesting tidbit: at Microsoft IT, they had apparently announced that they were going to use IPsec internally for most stuff, and would be turning it on as of a certain date. Just before this was to happen, the staff making it so got sidetracked on something unrelated, so they never pulled the trigger: but they still got tons of phone calls: "IPsec broke my blah blah blah".

Uh huh, sure it did.

Some days later, when they actually turned it on quietly, they got no calls.

I think this is probably much more of a testament to the planning and testing ahead of time than it is to the underlying technology, but nevertheless it's encouraging.

IPsec in Vista has a lot of improvements, the most important of which (from my really limited experience) being much better configuration GUIs. I'd seen the IPsec dialogs before and it looked really daunting, but the new stuff is much better. What's particularly nice is that firewall and IPsec are integrated - this avoids having to do a lot of confusing duplicate configuration.

It looks like I have to deploy it at home first, which will give me experience not only with the non-VPN mode, but will let me learn something about interoperability: I have Linux machines in the mix and wonder how this all works and plays well together. It strikes me that Samba might have to get involved in order to fetch policy from the server.

Next: rootkits

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to MVPUser
said by MVPUser :

Those of us in the Networking track get a pretty good IPSec session tomorrow.
Those of you in the Networking track will see my smiling face tomorrow morning: I'm going to that session rather than the Antigen session as part of the security track. I'm just not that much of a desktop guy.

A few minutes ago I got in from the evening's festivities: we took over Paul Allen's Experience Music Project, which is a beautiful venue but entirely uninteresting to me. My interest in music is strictly superficial, and the Bob Dylan or Jimi Hendrix or whatever exhibits are just entirely lost on me.

And the visit to the Sci Fi Museum is four minutes I'll never get back. Just not my thing.

But the food was good, hospitality was professional, and the networking was fantastic. I come to Summits to meet my MVP and Microsoft colleagues, and this - my fifth trip to Redmond - I'm kinda getting it down.

It's late and I'm beat: gonna hit the sack now. We have technical sessions in the morning, then the MVP BBQ, then on the plane home. It's been a great trip.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site


MVPUser

@wabb.us

reply to Steve
Those of us in the Networking track get a pretty good IPSec session tomorrow.

Today was pretty good with plenty of information about NAP (Network Access Protection) and how it integrates with 802.1x and IPSEC...


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
IPsec

Well I was looking forward to this a lot: I've been working with IPsec of late, including my An Illustrated Guide to IPsec, though I haven't used it how they do (I only do regular old VPNs).

This presentation is about IPsec improvements in Vista, and I'm looking to educate myself on the non-VPN scenarios. IPsec has many great scenarios that I simply don't understand. Note that this is of essentially zero interest to the home user (our MVPs who deal only with spyware cleanup on end-user desktops could have taken a nap).

Right now, most networks achieve separation with physical means: VLANs, different segments, etc. but this doesn't really allow for the kind of fine-grained control that many enterprises could use. Instead, we'd rather see logical separation that provides better granularity.

IPsec focus of Windows Vista:
    • Remote Access/VPN
    • Server isolation
    • Domain isolation
    • Network Access Protection Enforcement


The latter was interesting because I had assumed that VLANs were used for NAP, but I guess it's done with IPsec. Very cool.

A lot of this doesn't involve, surprisingly enough, encryption. Using ESP (Encapsulating Security Payload) with NULL encryption, one can essentially authenticate the conversations on the network, rejecting connections from rogue, unauthorized devices.

No matter how good your VLANs and DMZs are, it's hard to keep J. Random Laptop from plugging into an Ethernet jack and running all over your network. This really points to the need for logical separation, not physical.

An ESP packet in tunnel mode puts a small ESP header, has a blank space for the encryption, and adds a small authentication spot at the end (a hash or digital signature), so the actual packet itself is sent in cleartext, but you know where it came from. When it arrives at the server, it can tell if it's part of a known, authorized connection or not.

Server & Domain Isolation

Server Isolation is meant to protect high-value servers, such as your HR database or financial systems. One must restrict connectivity to the server with IPsec, and it can be done based on user or device. Encryption is optional, but not uncommon to protect high-value data from sniffing and the like.

There is a non-trivial amount of overhead involved here: CPU usage for encryption, the packets get a little bigger to carry the IPsec headers & authentication data, plus handshaking for the key exchange required. It's possible to get IPsec support in the NIC to offload the crypto, but I think you need to be a lot bigger than I deal with to care about that.

Domain Isolation protects managed hosts from unmanaged clients. This keeps the random machine that wandered in the building from running all over the network, and this is the only way to really protect a large enterprise unless you post security guards by all the Ether jacks.

This is all very abstract until you see a real case:

Let's say that I want access to the Microsoft source code: obviously the server is physically protected, and there are ACLs all over the place, but a defense in depth seems prudent. When the source code server requires an IPsec connection, all IP attempts must be encapsulated, and they permit only users who are in a "Developers" group.

This permit/deny is done at the IP connectivity level, not the filesystem or application ACL level, so the server never really sees a client who's not allowed. Nothing to brute-force, and you don't tie access to certain IP addresses. Mobile users who have valid credentials get to see the goodies. Nobody else does.

Apparently there were a lot of complaints that configuration was a nightmare, and from what I understand this was the case. I have never set this up, but everybody hated the UI. They say they've really fixed it.

Previously, the domain controller was exempt (partially?) from IPsec because it needed to allow initial setup of clients (say, joining a new machine to the domain), but this left a really important machine unprotected. They somehow figured it out, so IPsec can be in play from start to finish. I don't understand enough to really get the details, but the enterprise guys applauded.

There are a lot of other improvements, but mostly this is distant from my own experience and I can't really elaborate on it much.

There is a good doc on Microsoft.com about how Microsoft IT itself uses IPsec for domain isolation and the like.

»www.microsoft.com/technet/itsolu···lwp.mspx

This got very technical, very interesting, and I'm looking forward to digging into this.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
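Steve's two IPsec posts (the Saturday recap of a server that drops anything not IPsec-protected, and the Friday notes above on ESP with NULL encryption carrying the packet in cleartext but authenticated) describe one mechanism, so here is a single added example that models it; this is not code from the thread or from Windows. Assumptions, all constructed for the example: a pre-shared key stands in for the IKE key exchange, the integrity check is HMAC-SHA-256 truncated to 128 bits, each packet is prefixed with one protocol-number byte (6 for plain TCP, 50 for ESP) in place of a real IP header, the SPI values are made up, and anti-replay is a strictly-increasing sequence check rather than the sliding window real stacks use. `EspNullSender`, `IsolatedServer`, `plain_packet`, `tampered` and `demo` are hypothetical names.

```python
"""ESP with NULL encryption plus an 'IPsec required' server policy.

Added example, not from the thread or from Windows. Assumed/constructed:
pre-shared key instead of IKE, HMAC-SHA-256-128 as the ICV, a one-byte
protocol prefix instead of an IP header, made-up SPIs, and a simple
strictly-increasing anti-replay check.
"""
import hashlib
import hmac
import struct

PROTO_TCP = 6
PROTO_ESP = 50
ICV_LEN = 16  # HMAC-SHA-256-128: first 16 bytes of the MAC


class EspNullSender:
    """Authorized host: wraps each payload in an ESP header/trailer and an ICV.
    Nothing is encrypted, so the payload travels in cleartext."""

    def __init__(self, spi, key):
        self.spi = spi
        self.key = key
        self.seq = 0

    def protect(self, payload):
        self.seq += 1
        header = struct.pack("!II", self.spi, self.seq)   # SPI, sequence number
        trailer = struct.pack("!BB", 0, PROTO_TCP)         # pad length, next header
        body = header + payload + trailer
        icv = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        return bytes([PROTO_ESP]) + body + icv


class IsolatedServer:
    """High-value server. With require_ipsec=True it silently drops anything
    that is not a verifiable ESP packet, so an unauthorized host never gets a
    response at all. With require_ipsec=False it accepts IPsec if presented."""

    def __init__(self, sa_table, require_ipsec=True):
        self.sa_table = sa_table          # SPI -> key: the SAs this server knows
        self.require_ipsec = require_ipsec
        self.last_seq = {}

    def receive(self, packet):
        """Return (decision, payload_or_None)."""
        if packet[0] != PROTO_ESP:
            if self.require_ipsec:
                return ("DROP:no-esp", None)
            return ("ACCEPT:cleartext", packet[1:])
        if len(packet) < 1 + 8 + 2 + ICV_LEN:
            return ("DROP:short", None)
        body, icv = packet[1:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        key = self.sa_table.get(spi)
        if key is None:                      # no SA: unknown or unauthorized peer
            return ("DROP:unknown-spi", None)
        expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return ("DROP:bad-icv", None)
        if seq <= self.last_seq.get(spi, 0):  # simplified anti-replay
            return ("DROP:replay", None)
        self.last_seq[spi] = seq
        return ("ACCEPT:esp-null", body[8:-2])


def plain_packet(payload):
    """A packet from a host that does not speak IPsec at all."""
    return bytes([PROTO_TCP]) + payload


def tampered(packet):
    """Flip the first payload byte of an ESP packet (simulated on-path change)."""
    i = 1 + 8
    return packet[:i] + bytes([packet[i] ^ 0xFF]) + packet[i + 1:]


def demo():
    key = b"constructed-pre-shared-key"
    server = IsolatedServer({0x1001: key}, require_ipsec=True)
    staff = EspNullSender(0x1001, key)
    visitor = EspNullSender(0x2002, b"visitor-laptop-key")  # no SA on the server
    esp = staff.protect(b"GET payroll")
    return {
        "cleartext_visible": b"GET payroll" in esp,          # sniffable, as the post says
        "plain": server.receive(plain_packet(b"GET payroll")),
        "staff": server.receive(esp),
        "replay": server.receive(esp),
        "tampered": server.receive(tampered(staff.protect(b"GET payroll"))),
        "visitor": server.receive(visitor.protect(b"GET payroll")),
        "optional_policy": IsolatedServer({0x1001: key}, require_ipsec=False)
        .receive(plain_packet(b"GET payroll")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17} {value}")
```

With `require_ipsec=True` the server answers nothing to a plain packet, which is the "not on the network as far as I'm concerned" behaviour from the recap, and the visitor's packets are dropped for an unknown SPI before any authentication or ACL is consulted. The same server with `require_ipsec=False` is the "allow it if presented" policy the recap mentions for hosts like DHCP and DNS. The `cleartext_visible` result shows why ESP-NULL is sniffable while still letting the server reject tampered and replayed traffic. Steve's unresolved point (silent drop versus an "IPsec required" reply) is modelled as a silent drop here.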


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to Steve
Re: Microsoft Antispyware

said by Steve:

This was a good session, though I really wish that CalamityJane were here: I am not all that involved in this area, but she sure is. I'm looking forward to whatever they come up with.

Steve
While not there in person, I have been very much in contact with Microsoft on spyware issues throughout the entire year via email, Livemeeting, in person, and even telephone (Yes, they can call me at home or I can call them if they need my feedback, and they do!) I also had the opportunity to spend a week with the MSAS team and other Microsofties at Tech-Ed in Orlando in June. I "worked" the Antispyware booth all week (even have the MS-blue staff shirt to prove it). Indeed the enterprise version was a hot topic and the need for it quite evident. I'm well aware of the problems in getting a quality product out there but they are determined to do it. So, yes, progress is slow, but you pointed out very well some of the logjam they have to overcome to make it useful for all enterprise environments and I very much am active with Microsoft regarding spyware issues. I continue to be impressed with their commitment to wage war on spyware on both the enterprise level and for the home users.

I normally represent the home users, but the interaction with some of the IT folks in the enterprise environment at Tech-Ed was an eye opener as to how prevalent the problem is and solutions needed. I worked with one IT Admin faced with 44,000 computers and most infected with the very difficult Look2me pest. The Boss likes their free style working environment and thinks everybody should be allowed to download anything they want. Ack! Poor IT Admin.

I'm still convinced on how committed they are in this fight on all levels and there are many others out here who are new Security MVPs helping in the antispyware effort. Did you find suzi? She's big on the enforcement front and at SpywareWarrior, and also now a very active MS MVP who is there at the Summit and probably working some of her new contacts now as we speak.

The MS Malicious Software Removal tool is becoming more and more useful. It is important to note that it now includes some rootkit detection/removal, which the bad guys have decided to hit us with in a big way to hide their installs of Spyware/Adware.

P.S. Thank you again for your excellent reporting posts. We're eating this up. Great stuff! Keep it up!
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)
Tuesday, 01-Dec 23:34:05 · © 1999-2009 dslreports.com