<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : TechEd</title><link>http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx</link><description>Tags: TechEd</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Sao Paulo, here I come</title><link>http://blogs.technet.com/steriley/archive/2008/09/29/sao-paulo-here-i-come.aspx</link><pubDate>Mon, 29 Sep 2008 20:31:02 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3130019</guid><dc:creator>Steve Riley</dc:creator><slash:comments>14</slash:comments><comments>http://blogs.technet.com/steriley/comments/3130019.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3130019</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3130019</wfw:comment><description>&lt;p&gt;I have a new &lt;a target="_blank" href="http://www.teched.com.br/Palestrantes.aspx"&gt;TechEd destination&lt;/a&gt; this year: Brazil. It’ll be my first time to speak at our event there; indeed, even my first time to travel to South America. I’m looking forward to it.&lt;/p&gt;  &lt;p&gt;The event runs during &lt;a target="_blank" href="http://www.teched.com.br/Default.aspx"&gt;14-16 October 2008&lt;/a&gt;. 
I’m delivering the same four presentations I gave at TechEd US (and have used at most other TechEds around the world, too):&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Do these ten things now or else get 0wn3d!&lt;/li&gt;    &lt;li&gt;Virtualization and security: what does it mean for me?&lt;/li&gt;    &lt;li&gt;Privacy: the why, the what, and the how&lt;/li&gt;    &lt;li&gt;21st century networking: throw away your medieval gateways&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;That’s gonna be a crazy week, because I’ll have been in Hong Kong for TechEd there the week prior. I get home from Hong Kong on Saturday, spend the night in Seattle, then on Sunday fly down to Sao Paulo! Oh well, I still love my job :)&lt;/p&gt;  &lt;p&gt;If you’re headed to TechEd Brazil, be sure to introduce yourself to me after one of my talks. See you soon!&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3130019" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>TechEd 2009: Never too early to start planning</title><link>http://blogs.technet.com/steriley/archive/2008/08/25/teched-2009-never-too-early-to-start-planning.aspx</link><pubDate>Mon, 25 Aug 2008 21:25:45 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3111640</guid><dc:creator>Steve Riley</dc:creator><slash:comments>14</slash:comments><comments>http://blogs.technet.com/steriley/comments/3111640.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3111640</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3111640</wfw:comment><description>&lt;p&gt;What's on your mind? What do you want to learn more about? Tell me, tell me...&lt;/p&gt;  &lt;p&gt;Oh, and for 2009 I plan to stay at TechEd US for both weeks. 
I want to start spending more time with developers -- they need some security love too :)&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3111640" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx</link><pubDate>Wed, 25 Jun 2008 23:55:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3078070</guid><dc:creator>Steve Riley</dc:creator><slash:comments>26</slash:comments><comments>http://blogs.technet.com/steriley/comments/3078070.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3078070</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3078070</wfw:comment><description>&lt;P&gt;Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no &lt;EM&gt;actual&lt;/EM&gt; rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia, then TechEd US seemed to suddenly appear out of nowhere! So I've been kinda swamped. I've missed writing here; it's good to get back into the swing.&lt;/P&gt;
&lt;P&gt;At TechEd this year, I gave a presentation called &lt;STRONG&gt;"21st century networking: time to throw away your medieval gateways."&lt;/STRONG&gt; (Actually, I've given this same talk before, at events in Amsterdam, Brussels, Oslo, and numerous on-campus customer meetings. It's time to bring the knowledge to the masses.)&lt;/P&gt;
&lt;P&gt;I described an idea of using IPv6, IPsec, NAP, and group policy to build a pretty slick replacement for clunky VPN gateways. Turns out we've been piloting this very idea on our internal corpnet. Like a good little bunny I got myself enrolled in the thing and -- pardon the unattractive gushing -- this thing &lt;EM&gt;rawks!&lt;/EM&gt; Here's a brief rundown of the parts you'd configure on &lt;STRONG&gt;managed clients&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Windows Vista Enterprise or Ultimate editions (those with Business edition and Software Assurance can upgrade to Enterprise)&lt;/LI&gt;
&lt;LI&gt;That are domain-joined&lt;/LI&gt;
&lt;LI&gt;Users run as &lt;A href="http://blogs.msdn.com/aaron_margosis/" target=_blank mce_href="http://blogs.msdn.com/aaron_margosis/"&gt;non-admin&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx"&gt;Group policy&lt;/A&gt; applies numerous settings&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true" target=_blank mce_href="http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true"&gt;UAC&lt;/A&gt; is enabled&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true" target=_blank mce_href="http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true"&gt;BitLocker&lt;/A&gt; is configured to protect confidential information stored offline&lt;/LI&gt;
&lt;LI&gt;The &lt;A href="http://technet.microsoft.com/en-us/network/bb545423.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/network/bb545423.aspx"&gt;Windows Firewall&lt;/A&gt; is enabled&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet.microsoft.com/en-us/network/bb545879.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/network/bb545879.aspx"&gt;NAP&lt;/A&gt; is used for checking health&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet.microsoft.com/en-us/forefront/clientsecurity/default.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/forefront/clientsecurity/default.aspx"&gt;Forefront Client Security&lt;/A&gt; for keeping malware off the box&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet.microsoft.com/en-us/library/bb742533.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/library/bb742533.aspx"&gt;Smart cards&lt;/A&gt; for strong authentication of users&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet.microsoft.com/en-us/network/bb531150.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/network/bb531150.aspx"&gt;IPsec&lt;/A&gt; is required for connection authentication and traffic encryption&lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://technet.microsoft.com/en-us/network/bb530961.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/network/bb530961.aspx"&gt;IPv6&lt;/A&gt; is required for worldwide Internet connectivity&lt;/LI&gt;
&lt;LI&gt;A DNS suffix search list represents the data center name space&lt;/LI&gt;
&lt;LI&gt;Static IPv6 DNS servers provide name resolution for hosts in the data center&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;What does this give you? True &lt;A href="http://www.microsoft.com/mscorp/twc/anywhereaccess/default.mspx" target=_blank mce_href="http://www.microsoft.com/mscorp/twc/anywhereaccess/default.mspx"&gt;anywhere access&lt;/A&gt;, &lt;A href="http://www.microsoft.com/mscorp/execmail/2007/02-06secureaccess.mspx" target=_blank mce_href="http://www.microsoft.com/mscorp/execmail/2007/02-06secureaccess.mspx"&gt;anywhere in the world&lt;/A&gt;, directly to corpnet resources from managed and secure client PCs. The Internet has replaced private WAN links for good reason: enormous cost benefits. The only thing holding us back from fully utilizing this development has been the lack of a way to enforce and monitor the security of clients not physically located within the corpnet. Well, those days are over. Now you can build PCs that are trusted just as if they were on the corpnet, without knowing or caring anything about the underlying network connections. And let me tell you, it's as addictive as a few other substances I could mention, but will refrain, since this is (I hope) a family blog :)&lt;/P&gt;
&lt;P&gt;Maybe you've heard of the notion of "&lt;A href="http://en.wikipedia.org/wiki/De-perimeterisation" target=_blank mce_href="http://en.wikipedia.org/wiki/De-perimeterisation"&gt;deperimeterization&lt;/A&gt;." Taken to its extreme, I think it's a bit silly. To put a SQL Server directly on the Internet is just plain stupid -- not because I don't think I could keep it protected, but simply because that's unnecessary risk. Only my web server -- and no one else -- should be talking to my SQL Server. But that web server will be in the same subnet as the SQL Server, and IPsec policies applied there, too, will govern who can connect to the SQL Server. &lt;STRONG&gt;Warning to any and all network DMZs: your days are numbered!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Shrink your perimeter to that which really matters -- your data center. &lt;EM&gt;All&lt;/EM&gt; your clients live (as we would say in the olden days) "on the outside of the firewall." Now then, there are two kinds of clients. Managed clients, as I described above, establish IPsec-authenticated/encrypted, group-policy-configured, NAP-enforced IPv6 connections directly to corpnet resources without going through any kind of access gateway. The router connecting you to your ISP is fully sufficient for blocking denial of service attempts. Be sure to follow my advice in "&lt;A href="http://blogs.technet.com/steriley/archive/2006/07/10/Configure-your-router-to-block-DOS-attempts.aspx" target=_blank mce_href="http://blogs.technet.com/steriley/archive/2006/07/10/Configure-your-router-to-block-DOS-attempts.aspx"&gt;Configure your router to block DOS attempts&lt;/A&gt;," and then add two more rules to permit incoming port udp/500 and IP protocol 50 over IPv6. That's it. No NATing or other unnatural network acts are required (finally, you can stop lying to your significant other about why you squirrel yourself away in the computer room all those weekend nights).&lt;/P&gt;
&lt;P&gt;Unmanaged clients will continue to use IPv4 to access published Web and Win32 applications through a gateway like &lt;A href="http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687299.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687299.aspx"&gt;IAG&lt;/A&gt;. Since you can't trust these clients nor can you trust the data they're throwing at you, you have to inspect and validate at the perimeter. You can take advantage of IAG's &lt;A href="http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx" target=_blank mce_href="http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx"&gt;application-modifying capabilities&lt;/A&gt; to "wrap" security around poorly-written web apps; you can even download an ActiveX control to unmanaged clients to perform some basic health checking, policy enforcement, and cache clearing. None of these eliminates the final requirement to continue inspecting and removing malware from servers where users store data: &lt;A href="http://technet.microsoft.com/en-us/forefront/serversecurity/bb734822.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/forefront/serversecurity/bb734822.aspx"&gt;Exchange&lt;/A&gt;, &lt;A href="http://technet.microsoft.com/en-us/forefront/serversecurity/bb734828.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/forefront/serversecurity/bb734828.aspx"&gt;SharePoint&lt;/A&gt;, &lt;A href="http://www.microsoft.com/forefront/serversecurity/ocs/default.mspx" target=_blank mce_href="http://www.microsoft.com/forefront/serversecurity/ocs/default.mspx"&gt;Office Communications Server&lt;/A&gt;, and &lt;A href="http://technet.microsoft.com/en-us/forefront/clientsecurity/default.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/forefront/clientsecurity/default.aspx"&gt;file servers&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Machines are mobile, data is mobile.&lt;/STRONG&gt; The mainframes and large desktop PCs of the past possessed an effective security attribute: the heaviness of the machines. You couldn't easily saunter out the front door with a PC-AT in your pocket! These days, we all line our pockets with tiny little mobile phones stuffed with 16GB of storage. It's now a fact: data moves. And like water, data moves wherever it can, as rapidly as it can, often beyond your control if you don't prepare for that. With properly-configured and managed clients we can enjoy a single access and authentication experience no matter where the computer is physically located. For example: I can sit in my house and enter "http://internal-web-site-name" in my browser. The DNS suffix search list adds the appropriate suffix, my browser's resolver performs an IPv6 name lookup, and my computer makes an authenticated and encrypted connection, after it meets the NAP policy, directly to that internal server. Very nice. As far as I'm concerned, there's no difference between the Internet and my corpnet. It's all &lt;EM&gt;just there.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;For a while now many of you know I've been speaking and writing, mostly at the conceptual level, about the day when such a way of remote computing will arise. Well, my friends, that day is now. You can indeed build it now, with the products you have. I won't admit it's all peaches and cream: there's a fair number of moving parts here, it's true. But most of these moving parts are parts you're already familiar with: I'm simply encouraging you to move them in a specific way. You'll need to do some custom scripting for client-side connection diagnostics, but that's about it.&lt;/P&gt;
&lt;P&gt;My next step is to create a more detailed guide, which I plan to publish through TechNet Magazine. I'm targeting (but not promising) the October issue. The article will include greater detail about configuring your infrastructure to support the managed clients I describe.&lt;/P&gt;
&lt;P&gt;I've lost track of the swelling number of individual conference attendees and the plethora of email writers who've expressed a desire to build this in their own environments. The one common thread from everyone is "I want to do it now!" Folks, it's really pretty exciting for me to see so many of you ready to cross the chasm from the perdition of paleo-networking (layer upon endless, complex layer of DMZs) into the paradise of flat, simple, cheap, and secure access to information. If you haven't yet, please take the time to read through some of our information (especially Scott Charney's paper) on &lt;A href="http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx" target=_blank mce_href="http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx"&gt;end-to-end trust&lt;/A&gt;. Friends, the idea I describe above is the plumbing for realizing the end-to-end trust vision.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3078070" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/Windows+Vista/default.aspx">Windows Vista</category><category domain="http://blogs.technet.com/steriley/archive/tags/NAP/default.aspx">NAP</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category><category domain="http://blogs.technet.com/steriley/archive/tags/Active+Directory/default.aspx">Active Directory</category><category domain="http://blogs.technet.com/steriley/archive/tags/configuration/default.aspx">configuration</category><category domain="http://blogs.technet.com/steriley/archive/tags/VPN/default.aspx">VPN</category><category domain="http://blogs.technet.com/steriley/archive/tags/IPsec/default.aspx">IPsec</category><category 
domain="http://blogs.technet.com/steriley/archive/tags/networking/default.aspx">networking</category><category domain="http://blogs.technet.com/steriley/archive/tags/BitLocker/default.aspx">BitLocker</category><category domain="http://blogs.technet.com/steriley/archive/tags/encryption/default.aspx">encryption</category><category domain="http://blogs.technet.com/steriley/archive/tags/group+policy/default.aspx">group policy</category><category domain="http://blogs.technet.com/steriley/archive/tags/SSL_2F00_HTTPS/default.aspx">SSL/HTTPS</category></item><item><title>Videos of some of my presentations</title><link>http://blogs.technet.com/steriley/archive/2008/02/05/videos-of-some-of-my-presentations.aspx</link><pubDate>Tue, 05 Feb 2008 21:14:38 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2832774</guid><dc:creator>Steve Riley</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/steriley/comments/2832774.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2832774</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2832774</wfw:comment><description>&lt;p&gt;TechNet Spotlight features videos of many presentations from our TechEd conferences. 
Here are some of mine.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=727" target="_blank"&gt;It's 11:00 PM, do you know where your data is?&lt;/a&gt;&lt;br&gt;IT Forum: TechEd Europe, November 2007&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=530" target="_blank"&gt;The fortified data center in your future&lt;/a&gt;&lt;br&gt;TechEd US, June 2007&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=539" target="_blank"&gt;Windows Mobile 6 security in depth&lt;/a&gt;&lt;br&gt;TechEd US, June 2007&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=540" target="_blank"&gt;Making the tradeoff: be secure or get work done&lt;/a&gt;&lt;br&gt;TechEd US, June 2007&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=339" target="_blank"&gt;Defending layer 8: how to recognize and combat social engineering&lt;/a&gt;&lt;br&gt;IT Forum: TechEd Europe, November 2006&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=352" target="_blank"&gt;Windows Vista firewall and IPsec enhancements&lt;/a&gt;&lt;br&gt;IT Forum: TechEd Europe, November 2006&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/result_search.aspx?speaker=20&amp;amp;product=0&amp;amp;rating=0&amp;amp;x=76&amp;amp;y=7" target="_blank"&gt;All of my videos on TechNet Spotlight&lt;/a&gt;&lt;br&gt;There are older videos, too, including a four-part security basics series with Jesper Johansson.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2832774" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category 
domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>My presentations at TechEd 2007</title><link>http://blogs.technet.com/steriley/archive/2007/04/12/my-presentations-at-teched-2007.aspx</link><pubDate>Fri, 13 Apr 2007 01:47:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:756379</guid><dc:creator>Steve Riley</dc:creator><slash:comments>10</slash:comments><comments>http://blogs.technet.com/steriley/comments/756379.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=756379</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=756379</wfw:comment><description>&lt;P&gt;Hello everyone! Yes, it's been a while since I've written. I've been pretty busy lately with a security roadshow in Southeast Asia. It's become an annual thing, it's a lot of fun, and I get to spend a good amount of time in what's becoming my favorite area of the world.&lt;/P&gt;
&lt;P&gt;Anyway, the planning for &lt;A class="" href="http://www.microsoft.com/events/teched2007/default.mspx" target=_blank mce_href="http://www.microsoft.com/events/teched2007/default.mspx"&gt;TechEd 2007&lt;/A&gt; is well underway. This year I have five presentations (SEC 303 is repeated); I've put the abstracts below. I'll&amp;nbsp;sign up for &lt;A class="" href="http://teched2007.leveragesoftware.com/" target=_blank mce_href="http://teched2007.leveragesoftware.com/"&gt;TechEd Connect&lt;/A&gt; soon; the hosters are working to fix a problem with my ID. And during the event, as usual, when I'm not speaking I'll hang out in the exhibition or cabana area. My time that week is your time, so don't be afraid to sit down and have a chat. It's one of the highlights of the event for me.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;SEC203&amp;nbsp; Making the Tradeoff: Be Secure or Get Work Done&lt;BR&gt;&lt;/STRONG&gt;Are you the kind of security person who enables a setting just because it's there? Do your users constantly seek ways to bypass all your fine-tuned security, just so they can do their jobs? Every security decision your organization makes ought to consider the security-usability (or even the security-usability-cost) tradeoff. While perfect security seems an admirable goal, in reality we must remember that usability often will trump our strongest desires. If people can't get work done, they'll either circumvent the security (without understanding they just created new attack vectors) or your company will simply lose out to your competitors. Steve Riley discusses several examples of real-world tradeoffs and helps you learn how to navigate the tradeoff in your own organization.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;SEC301&amp;nbsp; The fortified data center in your future: Build it now and they will come&lt;/STRONG&gt;&lt;BR&gt;Relax for a moment. Let your mind wander to thoughts of your corporate network—with its myriad authentication schemes, its haphazard collection of client computers in various states of (non)conformance, its proliferation of access methods, its data centers with too many ways in and out. Feel like you want to just burn it all down and start over? Well, perhaps you should—and when you do, you can implement something that’s simpler, more secure, well managed, and less expensive. Over the years, Steve Riley has hinted at this idea, advocating the demise of the traditional corporate network, with its no longer useful distinction between “inside” and “outside.” Instead, organizations should move toward using the Internet as their infrastructure, where all clients and a physically and electronically fortified data center “live on the ‘net.” The question, then, is how to build this data center? Effective security and management are absolutely essential to realize this vision. Steve will show how combining the Microsoft Forefront family of security products with the System Center family of management solutions provides the necessary foundation for building your data center of the future—today. Don’t delay, because your business competitors are already doing it!&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;SEC303&amp;nbsp; It's 11:00 P.M., Do You Know Where Your Data Is?&lt;/STRONG&gt;&lt;BR&gt;Long gone are the days when you knew your data was safe because it resided only in your data center. The explosive proliferation of laptops, notebooks, handheld computers, smartphones, removable drives, and Internet file storage demands that we rethink how we protect information. Because it's the information the bad guys are after, and because the information flows so freely from device to device, our obligation is to protect the information. People want to work wherever they can find a computer and an Internet connection. How can you do this safely? Steve Riley considers strategies and explores technologies to help you solve a number of thorny problems: how to classify mobile data, how to keep track of where it is, and how to control its movement. We explore the new &lt;A class="" href="http://go.microsoft.com/?linkId=6761165" target=_blank mce_href="http://go.microsoft.com/?linkId=6761165"&gt;Data Encryption Toolkit&lt;/A&gt; for Mobile PCs, technical guidance and deployment tools that help you plan and implement EFS and BitLocker throughout your enterprise, with lower cost and extended centralized management and control. One question we will ponder: maybe it's time to do away with the locked-down desktop?&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;MBL409&amp;nbsp; Microsoft Windows Mobile 6 Security In-Depth&lt;/STRONG&gt;&lt;BR&gt;Seems like Windows Mobile 5 came out just the other day, but yes, version 6 is now ready. We listened to your feedback and incorporated several enhancements and new capabilities to make Windows Mobile 6 truly enterprise ready. We take an in-depth look at how Windows Mobile now supports Rights Management Services (enabling you to work with protected Office documents), a new certificate enrollment process, encryption of storage card contents, and more. We also review existing security features that are important for enterprises to understand and implement. Join Steve Riley as he shows you how Windows Mobile 6 can become your trusted platform for secure mobile access to corporate information.&lt;BR&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=756379" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Ah, the joys of speaking about pre-release software!</title><link>http://blogs.technet.com/steriley/archive/2006/09/06/Ah_2C00_-the-joys-of-speaking-about-pre_2D00_release-software_2100_.aspx</link><pubDate>Wed, 06 Sep 2006 12:26:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:454283</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/454283.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=454283</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=454283</wfw:comment><description>&lt;P&gt;Two weeks ago I delivered my Windows Vista System Integrity presentation at the TechEds in New Zealand (Auckland) and 
Australia (Sydney). It was largely the same as the presentation at TechEds in America and India, but updated to reflect changes made in the product between the time I wrote the presentation and now.&lt;/P&gt;
&lt;P&gt;Pre-release&amp;nbsp;software is like that: it changes. And when you give presentations on beta software, you rely on the&amp;nbsp;details you have to give the most accurate information possible. But there is, of course, no guarantee that functionality as explained in the presentation will exactly match what's delivered when the final product is released. And indeed, in my &lt;A href="http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx" target=_blank mce_href="http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx"&gt;post on mandatory integrity control&lt;/A&gt;, I mentioned some changes.&lt;/P&gt;
&lt;P&gt;&lt;FONT size=4&gt;Code integrity and signatures&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;The latest version of the presentation includes more details on code integrity and code signing. Previously I had described code integrity as applying to &lt;EM&gt;all&lt;/EM&gt; binaries in the operating system; in fact, code integrity applies to the following:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;All code loaded into a protected process&lt;/LI&gt;
&lt;LI&gt;Modules implementing cryptographic functions&lt;/LI&gt;
&lt;LI&gt;Modules loaded into the software licensing service&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Kernel mode creates special cases that vary depending on the edition of Windows. For &lt;STRONG&gt;64-bit&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;All kernel mode code loaded anywhere at any time must be signed -- applies to drivers and non-drivers&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;For &lt;STRONG&gt;32-bit&lt;/STRONG&gt;, &lt;EM&gt;non-driver&lt;/EM&gt; kernel mode code doesn't require a signature. For &lt;EM&gt;drivers,&lt;/EM&gt; the allow/warn/block behavior of prior versions of Windows is gone. Windows Vista raises a warning if you attempt to install a driver without a signature (only if you're an administrator; standard users can't install unsigned drivers). Drivers with signatures install without prompts. Signatures can come in three forms:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Manufacturers can obtain WHQL signatures from Microsoft as part of the Windows logo program; this indicates a certain level of quality&lt;/LI&gt;
&lt;LI&gt;Manufacturers can sign drivers themselves; this indicates authenticity but nothing about quality&lt;/LI&gt;
&lt;LI&gt;IT departments can self-sign drivers; this allows organizations to silently deploy approved drivers, even if they otherwise lack signatures&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;For more information, read the whitepapers for &lt;A href="http://www.microsoft.com/whdc/winlogo/drvsign/pnp-driver.mspx" target=_blank mce_href="http://www.microsoft.com/whdc/winlogo/drvsign/pnp-driver.mspx"&gt;32-bit plug-and-play drivers&lt;/A&gt; and &lt;A href="http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx" target=_blank mce_href="http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx"&gt;64-bit kernel mode code&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;FONT size=4&gt;Protected processes and high definition content&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;The Protected Media Path (PMP), part of the new Windows &lt;A href="http://windowssdk.msdn.microsoft.com/en-us/library/ms694197.aspx" target=_blank mce_href="http://windowssdk.msdn.microsoft.com/en-us/library/ms694197.aspx"&gt;Media Foundation&lt;/A&gt;, contains two protected processes. PMP provides a&amp;nbsp;more robust&amp;nbsp;playback environment for high definition rights-protected content. Code integrity checks that&amp;nbsp;all protected processes have&amp;nbsp;valid certificates and that&amp;nbsp;they haven't been revoked.&lt;/P&gt;
&lt;P&gt;Based on some details provided to me, I stated that next generation high definition protected content will not play at all on 32-bit Windows Vista; 64-bit is the platform for playing back such content. Then I added some conjecture: the media companies wanted this because&amp;nbsp;the risk of unsigned kernel mode code present in memory could thwart content protection.&lt;/P&gt;
&lt;P&gt;Turns out that my information and my conjecture&amp;nbsp;weren't correct. Windows will never decide not to play content. PMP itself isn't monitored by code integrity, but it does consume the output of a report generated by the operating system about unsigned code in memory. When you load next generation high definition protected content into a playback application, Windows reports the status of kernel mode drivers loaded into memory: the names of the drivers and whether each of those drivers is signed.&lt;/P&gt;
&lt;P&gt;Based on that report, the playback application -- not Windows -- decides what to do: it will either play the content or raise an error and refuse to play. It's also possible for the content itself to indicate what to do, based on instructions contained within the content's embedded license.&lt;/P&gt;
&lt;P&gt;Unfortunately, my initial explanation sparked the interest of a journalist. Originally he was going to write that Microsoft has dropped support for Blu-ray and HD-DVD movies. I never said that, of course, although I can see how it's easy to leap to that conclusion. Even after I met with the journalist to ensure he understood the details (as I knew them at the time), his article still generated some controversy: I got Slashdotted!&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=4&gt;Keeping you informed&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;I guess that's the risk you take in a job like mine. It's a risk I'm willing to take, because I still believe I have the coolest job in the world: helping&amp;nbsp;you learn everything&amp;nbsp;you can about how to design and operate environments using Microsoft technology as safely and securely as possible.&lt;/P&gt;
&lt;P&gt;Fortunately, mechanisms like this blog allow us to ensure that you, our customers, get the most up-to-date information we can give you. Now that I understand how PMP functions with respect to code integrity, I can let all of you know here, as well as ensure that future deliveries of the system integrity presentation will be as accurate as possible.&lt;/P&gt;
&lt;P&gt;As always, I extend my sincere gratitude to everyone who takes time to attend my presentations. It means more to me than you'll ever know. I look forward to continuing to see familiar faces at events around the world, and to meeting new folks too. :)&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=454283" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/Windows+Vista/default.aspx">Windows Vista</category><category domain="http://blogs.technet.com/steriley/archive/tags/the+trade+press/default.aspx">the trade press</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Mandatory integrity control in Windows Vista</title><link>http://blogs.technet.com/steriley/archive/2006/07/21/Mandatory-integrity-control-in-Windows-Vista.aspx</link><pubDate>Sat, 22 Jul 2006 07:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:442870</guid><dc:creator>Steve Riley</dc:creator><slash:comments>27</slash:comments><comments>http://blogs.technet.com/steriley/comments/442870.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=442870</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=442870</wfw:comment><description>&lt;P&gt;One of my favorite new &lt;A href="http://www.microsoft.com/technet/windowsvista/security/default.mspx" mce_href="http://www.microsoft.com/technet/windowsvista/security/default.mspx"&gt;security features in Windows Vista&lt;/A&gt; is Mandatory Integrity Control (MIC). It’s a classical computer science concept from the 1970s that’s finally getting its first commercial implementation—and of this I’m quite proud.&lt;/P&gt;
&lt;P&gt;While discretionary &lt;A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_control_lists.asp" mce_href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_control_lists.asp"&gt;access control lists&lt;/A&gt; (DACLs) are useful, they have some limitations. They do little to safeguard system stability and they can’t stop malicious software from tricking users into executing it. MIC adds the notion of trustworthiness evaluation into the operating system. Subjects with low degrees of trustworthiness can’t change data of higher degrees; subjects with high degrees of trustworthiness can’t be forced to rely on data of lower degrees. MIC implements an information flow policy and provides the enforcement mechanism.&lt;/P&gt;
&lt;P&gt;When a user logs on, Windows Vista assigns an &lt;EM&gt;integrity&amp;nbsp;SID&lt;/EM&gt; to the user’s &lt;A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_tokens.asp" mce_href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_tokens.asp"&gt;access token&lt;/A&gt;. The&amp;nbsp;SID includes an integrity label that determines the level of access the token—and therefore the user—can achieve. (The&amp;nbsp;SID’s format is S-1-16-&lt;EM&gt;&amp;lt;label&amp;gt;&lt;/EM&gt;, where &lt;EM&gt;&amp;lt;label&amp;gt;&lt;/EM&gt; is a number that represents the integrity level.)&amp;nbsp;Securable objects (files, folders, pipes, processes, threads, window stations, registry keys, services, printers, shares, interprocess objects, jobs, and directory objects) also receive an integrity SID, which is stored in the system access control list (SACL) of the object’s &lt;A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptors.asp" mce_href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptors.asp"&gt;security descriptor&lt;/A&gt;. The label in the SID specifies the integrity level of the object.&lt;/P&gt;
&lt;P&gt;During an access check, before checking the user’s access through the DACL, Windows Vista checks the integrity level of the user and compares it to the integrity level of the requested object. If the user’s level &lt;EM&gt;dominates&lt;/EM&gt; (that is, is equal to or greater than) the object’s level, the user will be allowed to write to or delete&amp;nbsp;the object, subject of course to the DACL. If the user’s level doesn’t dominate the object’s, then the user can’t write to or delete&amp;nbsp;the object regardless of what the DACL says. Integrity control, therefore, trumps access lists.&lt;/P&gt;
&lt;P&gt;Windows Vista defines four integrity levels: &lt;STRONG&gt;low&lt;/STRONG&gt;, &lt;STRONG&gt;medium&lt;/STRONG&gt;, &lt;STRONG&gt;high&lt;/STRONG&gt;, and &lt;STRONG&gt;system&lt;/STRONG&gt;. Standard users receive &lt;STRONG&gt;medium&lt;/STRONG&gt;, elevated users receive &lt;STRONG&gt;high&lt;/STRONG&gt;. Processes you start and objects you create receive your integrity level (&lt;STRONG&gt;medium&lt;/STRONG&gt; or &lt;STRONG&gt;high&lt;/STRONG&gt;) or &lt;STRONG&gt;low&lt;/STRONG&gt; if the executable file’s level is &lt;B style="mso-bidi-font-weight: normal"&gt;low&lt;/B&gt;; system services receive &lt;STRONG&gt;system&lt;/STRONG&gt; integrity. Objects that lack an integrity label are treated as &lt;STRONG&gt;medium&lt;/STRONG&gt; by the operating system—this prevents &lt;STRONG&gt;low&lt;/STRONG&gt; integrity code from modifying unlabeled objects.&lt;/P&gt;
&lt;P&gt;For those keeping track… Yes, there’ve been some changes since I spoke about MIC at TechEd. First, the label numbers have changed from 100/200/300/400 to 4096/8192/12288/16384, which in hex are 1000/2000/3000/4000. So don’t use the numbers when referring to labels, because they might change again! Second, processes no longer receive the lower of your integrity or the file’s integrity—instead, process integrity behaves as I described above. Third, we no longer use MIC to enforce &lt;A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wfp/setup/windows_file_protection_start_page.asp" mce_href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wfp/setup/windows_file_protection_start_page.asp"&gt;Windows resource protection (WRP)&lt;/A&gt;. All operating system files are now unlabeled, meaning they default to &lt;B style="mso-bidi-font-weight: normal"&gt;medium&lt;/B&gt; integrity. The files are ACLed such that only the trusted installer has write access; everyone else, including administrators, has only read and execute access.&lt;/P&gt;
&lt;P&gt;Consider a scenario. Say you receive an attachment in email. When you save it, it’s written with &lt;B style="mso-bidi-font-weight: normal"&gt;low&lt;/B&gt; integrity because it came from the Internet—an untrusted source. When you execute the attachment, its process runs at &lt;B style="mso-bidi-font-weight: normal"&gt;low&lt;/B&gt; integrity because the file object is labeled &lt;B style="mso-bidi-font-weight: normal"&gt;low&lt;/B&gt;; therefore, your data (labeled &lt;B style="mso-bidi-font-weight: normal"&gt;medium&lt;/B&gt; or &lt;B style="mso-bidi-font-weight: normal"&gt;high&lt;/B&gt;) is protected from malicious writes by the attachment. It will, however, be able to read your data. MIC implements a form of the &lt;A href="http://en.wikipedia.org/wiki/Biba_model" mce_href="http://en.wikipedia.org/wiki/Biba_model"&gt;Biba model&lt;/A&gt;, which&amp;nbsp;ensures integrity by&amp;nbsp;controlling writes and deletions. Contrast this with the better-known &lt;A href="http://en.wikipedia.org/wiki/Bell-LaPadula_model" mce_href="http://en.wikipedia.org/wiki/Bell-LaPadula_model"&gt;Bell-LaPadula model&lt;/A&gt;, which describes levels of confidentiality by controlling reads.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp" mce_href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp"&gt;Internet Explorer Protected Mode (IEPM)&lt;/A&gt; is built around mandatory integrity control. The IEPM process and extensions run at low integrity and therefore have write access only to the &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;Temporary Internet Files\Low&lt;/SPAN&gt; folder, &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;History&lt;/SPAN&gt;, &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;Cookies&lt;/SPAN&gt;, &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;Favorites&lt;/SPAN&gt;, and the &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;HKEY_CURRENT_USER\Software\LowRegistry&lt;/SPAN&gt; key. MIC prevents IEPM from writing anywhere else in the file system or registry—so no more silent installs of keystroke loggers into your Startup folder. And because the desktop runs at &lt;B style="mso-bidi-font-weight: normal"&gt;medium&lt;/B&gt; integrity, IEPM can’t send messages to it—thwarting &lt;A href="http://en.wikipedia.org/wiki/Shatter_attack" mce_href="http://en.wikipedia.org/wiki/Shatter_attack"&gt;shatter-style attacks&lt;/A&gt;. 
Because these new restrictions might break some applications, a compatibility mode virtualizes access to &lt;B style="mso-bidi-font-weight: normal"&gt;medium&lt;/B&gt; integrity resources (like the &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;Documents&lt;/SPAN&gt; folder and the &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;HKEY_CURRENT_USER&lt;/SPAN&gt; hive) by redirecting writes to &lt;B style="mso-bidi-font-weight: normal"&gt;low&lt;/B&gt; integrity locations (&lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;Documents and Settings\%userprofile%\Local Settings\Temporary Internet Files\Virtualized&lt;/SPAN&gt; and &lt;SPAN style="FONT-FAMILY: 'Courier New'"&gt;HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry&lt;/SPAN&gt;).&lt;/P&gt;
&lt;P&gt;While it’s completely invisible, mandatory integrity control is an important advance in maintaining the security and stability of Windows Vista. I hope you’ll come to appreciate it as much as I do.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=442870" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/Windows+Vista/default.aspx">Windows Vista</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Should your ISA Server be in your domain? Film at 11!</title><link>http://blogs.technet.com/steriley/archive/2006/06/21/Should-your-ISA-Server-be-in-your-domain_3F00_-Film-at-11_2100_.aspx</link><pubDate>Thu, 22 Jun 2006 02:21:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:438111</guid><dc:creator>Steve Riley</dc:creator><slash:comments>10</slash:comments><comments>http://blogs.technet.com/steriley/comments/438111.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=438111</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=438111</wfw:comment><description>&lt;P&gt;So it would seem that a statement I made during TechEd US last week in Boston has mildly stirred a bit of controversy -- no surprise there, I guess, heh. One of my&amp;nbsp;presentations&amp;nbsp;gave an&amp;nbsp;overview of what's new in ISA Server 2006 (&lt;A href="http://www.microsoft.com/isaserver/2006/beta.mspx" mce_href="http://www.microsoft.com/isaserver/2006/beta.mspx"&gt;download your copy of the release candidate&lt;/A&gt; or &lt;A href="http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx" mce_href="http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx"&gt;try it out in some virtual labs&lt;/A&gt;). 
An important new feature is expanded support for additional authentication methods on web listeners and web publishing rules. You can now select LDAP, SecurID, and other one-time password mechanisms, and finally make real use of client certificates through support for Service4User2Proxy in Windows Server 2003 Kerberos.&lt;/P&gt;
&lt;P&gt;I made the statement that this additional flexibility makes it easier to build your ISA Server standalone -- rather than domain-joined -- and still enjoy the improved security benefits of authentication delegation. Tom Shinder, our beloved ISA Server MVP, prolific author, and host of the fine &lt;A href="http://www.isaserver.org/" mce_href="http://www.isaserver.org"&gt;www.isaserver.org&lt;/A&gt; community site, attended the presentation. It was my apparent preference for standalone servers that Tom disagrees with -- &lt;A href="http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html" mce_href="http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html"&gt;and he wrote about it in a whitepaper on his site&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;I have&amp;nbsp;enormous respect for Tom. ISA Server's popularity and success is due in large part to his unflagging dedication and support. He's an entertaining writer, from whom you can not only learn something new but enjoy yourself while doing it. Plus, he advocates improved security that addresses modern threats and rails against the old guard unwilling to give up their stone knives and bearskins.&lt;/P&gt;
&lt;P&gt;In this particular case, though, either Tom misunderstood my point or I misstated my point -- it doesn't really matter which. My preference is that, indeed, your ISA Servers &lt;EM&gt;should&lt;/EM&gt; belong to your account domains. In his paper, Tom puts forth some very well-reasoned arguments for doing this -- arguments for which there is very little room to disagree. I don't believe I ever said "the ISA Server should never be a domain member" during the presentation, but honestly I don't remember now.&lt;/P&gt;
&lt;P&gt;Yet&amp;nbsp;there's a certain reality among many of the customers I work with, a reality that simply won't abide any firewall having access to account information. This reality is exactly the kind of fossilized thinking that Tom (and I)&amp;nbsp;become so disgusted with. The fact is, ISA Server is one of the strongest, most resilient firewalls on the market. In the seven years since ISA Server 2000 was released, only ten security bulletins were issued for it, and of those, only three are marked critical. In the three years since ISA Server 2004 was released, &lt;EM&gt;zero&lt;/EM&gt; security bulletins have been issued. ISA Server is some of the best code Microsoft has ever created. I have yet to learn of customers&amp;nbsp;experiencing&amp;nbsp;attacks that compromise either&amp;nbsp;an ISA Server or a network protected by one.&lt;/P&gt;
&lt;P&gt;Still, all this evidence isn't enough to convince the old guard. Very rarely do we see ISA Server &lt;EM&gt;replacing&lt;/EM&gt; older, less capable firewalls in an organization. What we do see is a slow (too slow) migration toward using ISA Server in&amp;nbsp;the DMZ, configured to publish resources in the internal network. And it is&amp;nbsp;the&amp;nbsp;intrusion of, yes, a Microsoft firewall into the realm of the "networking guys" that requires a delicate dance even still today. I've been advocating this architecture since 2002; you'd think these days we wouldn't even have to&amp;nbsp;discuss DMZs as anything other than the paleo-networking artifacts they are, huh? (And I used to be one of those "networking guys.")&lt;/P&gt;
&lt;P&gt;ISA Server's ability to remain standalone while still enabling authentication delegation solves two rather intractable problems: it protects internal web servers from attack while simultaneously existing in a configuration that the networking guys will grudgingly allow. Tom's excellent arguments in favor of domain membership reveal&amp;nbsp;the deployment scenarios probably more common in&amp;nbsp;his consulting work: using ISA Server as a forward proxy. The customers I have conversations with&amp;nbsp;typically use that DMZ-located ISA&amp;nbsp;Server only for reverse proxy.&amp;nbsp;So it's from that viewpoint that I talk about standalone ISA Servers during presentations at conferences.&lt;/P&gt;
&lt;P&gt;Tom, you and I are approaching the problem from different experiences, that's all. We&amp;nbsp;are in violent agreement here, and that's a good thing. :)&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=438111" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/access+technologies/default.aspx">access technologies</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category><category domain="http://blogs.technet.com/steriley/archive/tags/ISA+Server/default.aspx">ISA Server</category><category domain="http://blogs.technet.com/steriley/archive/tags/configuration/default.aspx">configuration</category></item><item><title>My music</title><link>http://blogs.technet.com/steriley/archive/2005/11/08/My-music.aspx</link><pubDate>Tue, 08 Nov 2005 20:37:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:413997</guid><dc:creator>Steve Riley</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/steriley/comments/413997.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=413997</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=413997</wfw:comment><description>&lt;P&gt;Those of you who've seen me speak at various events know that I like to play my own music before the presentations begin. In industry parlance, this is called "walk-in music." My experience, though, is that many times the music they provide is better described as "walk-in, lie down, and go night-night music"! Think about it: a romantically&amp;nbsp;darkened room,&amp;nbsp;often with the&amp;nbsp;temperature set a&amp;nbsp;bit too&amp;nbsp;warm, a stomach full of lunch (sure, it's conference food, but it's fuel)...&lt;/P&gt;
&lt;P&gt;So I bring my own music. Yeah, it's trance music straight out of some of the biggest clubs in the world. But it works! It keeps people awake, energizes them, and is interesting to listen to. Because many of you seem curious about the music, here's a sampling.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Chicane: Live from Palladium&lt;/STRONG&gt;&lt;BR&gt;you can get this and many other wonderful mixes from &lt;A class="" href="http://www.tranceaddict.com/livesets.html" target=_blank mce_href="http://www.tranceaddict.com/livesets.html"&gt;Trance Addict&lt;/A&gt; 
&lt;LI&gt;&lt;STRONG&gt;Talla 2XLC: Live at Technoclub SSL&lt;/STRONG&gt;&lt;BR&gt;also from &lt;A class="" href="http://www.tranceaddict.com/livesets.html" target=_blank mce_href="http://www.tranceaddict.com/livesets.html"&gt;Trance Addict&lt;/A&gt; 
&lt;LI&gt;&lt;STRONG&gt;Angels of Trance&lt;BR&gt;&lt;/STRONG&gt;an album of female vocal trance, wonderful stuff 
&lt;LI&gt;&lt;STRONG&gt;Epic Trance Ascension&lt;BR&gt;&lt;/STRONG&gt;ethereal and melodic trance hits 
&lt;LI&gt;&lt;STRONG&gt;Hands to Heaven&lt;BR&gt;&lt;/STRONG&gt;an album full of anthems that always gets the dance floor moving 
&lt;LI&gt;&lt;STRONG&gt;House Trancemissions vol. 1&lt;BR&gt;&lt;/STRONG&gt;my first electronic music purchase; fascinating blend of trance and house with soaring melodies and vocals 
&lt;LI&gt;&lt;STRONG&gt;Trance 'n' Bass&lt;BR&gt;&lt;/STRONG&gt;interesting blend of trance and drum-and-bass; on the heavy side 
&lt;LI&gt;&lt;STRONG&gt;4 Strings: Believe&lt;/STRONG&gt;&lt;BR&gt;good collection of anthems by one of the better trance artists&lt;/LI&gt;&lt;/UL&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=413997" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category><category domain="http://blogs.technet.com/steriley/archive/tags/music/default.aspx">music</category></item><item><title>Some videos of me</title><link>http://blogs.technet.com/steriley/archive/2005/09/23/Some-videos-of-me.aspx</link><pubDate>Sat, 24 Sep 2005 06:13:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:411504</guid><dc:creator>Steve Riley</dc:creator><slash:comments>6</slash:comments><comments>http://blogs.technet.com/steriley/comments/411504.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=411504</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=411504</wfw:comment><description>&lt;P&gt;Microsoft UK has posted videos of various European events of the past year. Various speakers are featured, including Andreas Luther, Dennis Karlinsky, Eileen Brown, Graham Calladine, Jesper Johansson, John Craddock, Justin Alderson, Kalpit Jain, Kimberly Tripp, Mark Licata, Mark Cribben, Mat Young, Paul Cullimore, Rafal Lukawiecki, Ryan Burkhardt, Sally Storey, Scott Schnoll, Steve Riley, and Travis Wright.&lt;/P&gt;
&lt;P&gt;My solo session is &lt;A class="" href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=9" target=_blank mce_href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=9"&gt;TCP/IP for security administrators&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;And also the IT Forum 2004 precon with Jesper, &lt;STRONG&gt;Practicing better than best: Getting and staying secure the right way&lt;/STRONG&gt;&lt;BR&gt;&lt;A class="" href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=1" target=_blank mce_href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=1"&gt;Part 1&lt;/A&gt;&lt;BR&gt;&lt;A class="" href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=2" target=_blank mce_href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=2"&gt;Part 2&lt;/A&gt;&lt;BR&gt;&lt;A class="" href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=3" target=_blank mce_href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=3"&gt;Part 3&lt;/A&gt;&lt;BR&gt;&lt;A class="" href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=4" target=_blank mce_href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=4"&gt;Part 4&lt;/A&gt;&lt;BR&gt;&lt;A class="" href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=5" target=_blank mce_href="http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=5"&gt;Part 5&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=411504" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Updated TechEd worldwide -- new China dates</title><link>http://blogs.technet.com/steriley/archive/2005/07/24/Updated-TechEd-worldwide-_2D002D00_-new-China-dates.aspx</link><pubDate>Mon, 25 Jul 2005 07:02:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:408167</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/408167.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=408167</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=408167</wfw:comment><description>&lt;P&gt;The dates for TechEd China have changed (venue issues), and I've added another city. Here's the updated&amp;nbsp;list:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/europe/teched/" mce_href="http://www.microsoft.com/europe/teched/"&gt;Europe&lt;/A&gt;, in Amsterdam (4-8 July)&lt;BR&gt;Japan, in Yokohama (2-5 August)&lt;BR&gt;&lt;A href="http://www.microsoft.com/asia/events/techedasia2005/default.mspx" mce_href="http://www.microsoft.com/asia/events/techedasia2005/default.mspx"&gt;Asia&lt;/A&gt;, in Singapore (24-26 August)&lt;BR&gt;&lt;A href="http://www.microsoft.com/nz/teched/" mce_href="http://www.microsoft.com/nz/teched/"&gt;New Zealand&lt;/A&gt;, in Auckland (28-31 August)&lt;BR&gt;&lt;A href="http://www.microsoft.com/australia/teched" mce_href="http://www.microsoft.com/australia/teched"&gt;Australia&lt;/A&gt;, in Gold Coast (31 August - 2 September)&lt;BR&gt;&lt;A href="http://www.microsoft.com/china/teched/" mce_href="http://www.microsoft.com/china/teched/"&gt;China&lt;/A&gt;, in Shanghai (19-20 September)&lt;BR&gt;&lt;A href="http://www.microsoft.com/china/teched/" mce_href="http://www.microsoft.com/china/teched/"&gt;China&lt;/A&gt;, in Beijing (23-25 September)&lt;BR&gt;Taiwan, in Taipei (27-29 September)&lt;BR&gt;Hong Kong (3-6 October)&lt;BR&gt;South Africa, in Sun City (23-26 October)&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=408167" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>Securing Terminal Services over the Internet</title><link>http://blogs.technet.com/steriley/archive/2005/06/28/Securing-Terminal-Services-over-the-Internet.aspx</link><pubDate>Tue, 28 Jun 2005 19:54:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406961</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/406961.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=406961</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=406961</wfw:comment><description>&lt;P&gt;In my presentation on remote access at TechEd, I gave three scenarios:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;web-based access to internal resources, published with ISA Server&lt;/LI&gt;
&lt;LI&gt;"desktop over the Internet" using Terminal Services and the remote desktop web connection&lt;/LI&gt;
&lt;LI&gt;full IP-based virtual private networks with L2TP+IPsec&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;In the discussion on TS over the Internet, I failed to mention a very important bit. There is no mechanism built into RDP to authenticate the server to the client. This creates an opportunity to conduct a man-in-the-middle attack. Tools now exist to do exactly this.&lt;/P&gt;
&lt;P&gt;In Windows Server 2003, you can configure TS to use TLS for server authentication and data encryption. This is extremely important for anyone running TS over the Internet. See&amp;nbsp;&lt;A class="" href="http://support.microsoft.com/?id=895433" target=_blank mce_href="http://support.microsoft.com/?id=895433"&gt;KB 895433&lt;/A&gt; for the step-by-step details.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=406961" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/access+technologies/default.aspx">access technologies</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category><category domain="http://blogs.technet.com/steriley/archive/tags/configuration/default.aspx">configuration</category><category domain="http://blogs.technet.com/steriley/archive/tags/Terminal+Server/default.aspx">Terminal Server</category></item><item><title>TechEd 2005 Worldwide</title><link>http://blogs.technet.com/steriley/archive/2005/06/16/TechEd-2005-Worldwide.aspx</link><pubDate>Fri, 17 Jun 2005 01:25:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406475</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/406475.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=406475</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=406475</wfw:comment><description>&lt;P&gt;As usual, I'm speaking at several TechEds around the world. Here's the list:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/europe/teched/" mce_href="http://www.microsoft.com/europe/teched/"&gt;Europe&lt;/A&gt;, in Amsterdam (4-8 July)&lt;BR&gt;Japan, in Yokohama (2-5 August)&lt;BR&gt;&lt;A href="http://www.microsoft.com/asia/events/techedasia2005/default.mspx" mce_href="http://www.microsoft.com/asia/events/techedasia2005/default.mspx"&gt;Asia&lt;/A&gt;, in Singapore (24-26 August)&lt;BR&gt;&lt;A href="http://www.microsoft.com/nz/teched/" mce_href="http://www.microsoft.com/nz/teched/"&gt;New Zealand&lt;/A&gt;, in Auckland (28-31 August)&lt;BR&gt;&lt;A href="http://www.microsoft.com/australia/teched" mce_href="http://www.microsoft.com/australia/teched"&gt;Australia&lt;/A&gt;, in Gold Coast (31 August - 2 September)&lt;BR&gt;&lt;A href="http://www.microsoft.com/china/teched/" mce_href="http://www.microsoft.com/china/teched/"&gt;China&lt;/A&gt;, in Shanghai (15-17 September)&lt;BR&gt;&lt;A href="http://www.microsoft.com/china/teched/" mce_href="http://www.microsoft.com/china/teched/"&gt;China&lt;/A&gt;, in Beijing (19-21 September)&lt;BR&gt;Taiwan, in Taipei (27-29 September)&lt;BR&gt;Hong Kong (3-6 October)&lt;BR&gt;South Africa, in Sun City (23-26 October)&lt;/P&gt;
&lt;P&gt;Plan to come if you can...it'll be fun!&lt;/P&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>All done for another year: TechEd US 2005</title><link>http://blogs.technet.com/steriley/archive/2005/06/16/All-done-for-another-year_3A00_-TechEd-US-2005.aspx</link><pubDate>Fri, 17 Jun 2005 01:17:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406472</guid><dc:creator>Steve Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/406472.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=406472</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=406472</wfw:comment><description>&lt;P&gt;Ah well, another TechEd has come and gone. These have become my most favorite events -- the amount and quality of customer interaction simply increases year after year. You know you guys are really finally starting to understand it all! :) I get better questions that show a higher level of understanding of the real problems, the threats, and the solutions. It's really wonderful to see.&lt;/P&gt;
&lt;P&gt;A deep thanks for all the positive comments in the evaluations. It humbles me to know that you truly appreciate the work I'm doing; you should know that I'm doing it for you.&lt;/P&gt;
&lt;P&gt;I've posted all my PowerPoint decks, including the Sunday pre-conference, on my web site. You can find them &lt;A href="http://www.steveriley.ms/TechEd+2005/default.aspx" mce_href="http://www.steveriley.ms/TechEd+2005/default.aspx"&gt;here&lt;/A&gt;. Feel free to reuse whatever materials you'd like in presentations of your own. Enjoy, and be sure to let me know if you have any questions.&lt;/P&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item><item><title>TechEd US 2005</title><link>http://blogs.technet.com/steriley/archive/2005/04/12/TechEd-US-2005.aspx</link><pubDate>Wed, 13 Apr 2005 00:25:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:403652</guid><dc:creator>Steve Riley</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/steriley/comments/403652.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=403652</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=403652</wfw:comment><description>&lt;P&gt;This year at TechEd I have three sessions. The policy talk is really a lot of fun, I guarantee it'll make you think! The privacy talk I am co-presenting with my good friend Byron Hynes (&lt;A href="http://spaces.msn.com/members/byronphynes" mce_href="http://spaces.msn.com/members/byronphynes"&gt;http://spaces.msn.com/members/byronphynes&lt;/A&gt;).&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security policies? Ugh, just give me a firewall&lt;BR&gt;&lt;/STRONG&gt;Start | Programs | Firewall | Rules | Add rule | Permit all hosts destination port 4695/tcp. Um, why did you just do that? Was there a business justification for creating that hole, and was the decision backed up by your security policy? You do have an up-to-date, regularly reviewed policy, right? Surprisingly (or not), security policies in many organizations are hidden, reflect thinking ten years ago, or simply don't exist. All security decisions should be based on business needs and guided by relevant, timely, and flexible policies. Steve Riley will help you understand why it's important to have a security policy, how to encourage end-user participation, and provide suggestions on what makes up a good policy.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Protecting Privacy on the Microsoft Platform: "paper security" vs. real security&lt;BR&gt;&lt;/STRONG&gt;In the era of proliferating privacy regulations worldwide, encryption requirements are everywhere. However, "encryption" doesn't necessarily mean protection -- if we hand over the keys to a robber, then he's going to get into our house despite the lock on the doors. We'll discuss various encryption approaches that organizations have proposed or deployed, and distinguish between those that merely satisfy a simple "checkmark" on a privacy auditor's list, and those that actually provide the protection that was intended by the regulations. We'll also explore encryption options in Windows and delve into how Windows protects important secrets.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Secure remote access&lt;BR&gt;&lt;/STRONG&gt;Remote connections extend your network's perimeter far and wide across the globe, often into networks that you know very little -- or nothing -- about. Because remote access to corporate networks is critical for business these days, it's absolutely essential that you take the necessary steps to protect your own network and your remote clients from threats that lurk along the way. Basic requirements include not only strong user authentication but also knowledge of the remote computers and configurations that erect barriers against attack. Depending on the needs of your user community, some might require the flexibility of full IP-based virtual private networks (VPNs), others might need only simpler Terminal Server or web-based "remote display" access. Technologies for secure remote access include Windows Routing and Remote Access Services (RRAS), VPN quarantine, strong authentication with smart cards, securing Terminal Server over the Internet, and web-based remote access to internal services. Steve Riley will help you understand the unique security requirements for various kinds of remote access and how to deploy the appropriate technology safely, to keep your network assets and your information protected.&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;Go to &lt;A href="http://www.microsoft.com/events/teched2005/default.mspx" mce_href="http://www.microsoft.com/events/teched2005/default.mspx"&gt;http://www.microsoft.com/events/teched2005/default.mspx&lt;/A&gt;&amp;nbsp;to register!&lt;/P&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/conferences+and+seminars/default.aspx">conferences and seminars</category><category domain="http://blogs.technet.com/steriley/archive/tags/TechEd/default.aspx">TechEd</category></item></channel></rss>