Last day of the Tech-Ed EMEA event; we are unhappy, but everything has an end, so let's go on!!
We started the day with a session by another of the Microsoft security experts, Mark Minasi. The session was titled Uncovering Vista's Two Least-Understood Security Stars and focused on two new security technologies included in Vista: User Account Control (the windows that appear every time you try to do something...) and Windows Integrity Levels.
When you log on to Vista you get a token (SID + privileges + group memberships); every process that you run gets this token and can do things on your behalf. Vista and Windows Server 2008 check your token when you log on and, if it has admin privileges, create a second token that is a copy of the first but without the admin privileges. When you run a process, Vista attaches one token or the other to it based on several criteria; the default is the "normal user" token. If you try to open an admin tool such as Computer Management, a window appears asking for your consent to "elevate" it and run it with your admin token. This is the User Account Control technology.
Windows Integrity Levels: every user token, object and process has an integrity level (0000, 1000, 2000, 3000, 4000, 5000); a process can't change an object unless its IL is >= the object's IL.
Mark gave some demonstrations of how a "bad guy" can use UAC to run a trojan or worm on our machine when we consent to Vista using our admin token, or how a "bad guy" can create an object (another trojan or worm) on our machine and assign it an elevated IL so that we can't delete it even if we find it.
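As an added illustration (not code from the session or from Windows itself), this Python model applies the integrity rule above to the second demo: it reads a token's mandatory label from whoami /groups-style output, maps the documented S-1-16-<level> label SIDs to the hex levels listed above, and reports which labelled objects a Medium-integrity process cannot modify or delete. The whoami lines and the file labels are constructed samples.

```python
import re

# Integrity levels as hex values (the 0000..5000 figures from the session)
# mapped to the names Windows gives them. Mandatory-label SIDs carry the
# level as their last component: S-1-16-<level>, e.g. S-1-16-8192 = 0x2000.
LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
          0x3000: "High", 0x4000: "System", 0x5000: "Protected"}

def level_from_sid(sid: str) -> int:
    """Map a mandatory label SID such as S-1-16-12288 to its integrity level."""
    m = re.fullmatch(r"S-1-16-(\d+)", sid.strip())
    if not m or int(m.group(1)) not in LEVELS:
        raise ValueError(f"not a known mandatory label SID: {sid}")
    return int(m.group(1))

def token_level(whoami_groups: str) -> int:
    """Pull the token's integrity level out of 'whoami /groups' style text.
    Only the 'Mandatory Label\\...' row is used; the rest is ignored."""
    for line in whoami_groups.splitlines():
        if line.startswith("Mandatory Label\\"):
            m = re.search(r"S-1-16-\d+", line)
            if m:
                return level_from_sid(m.group(0))
    raise ValueError("token carries no mandatory label")

def can_write(process_level: int, object_level: int) -> bool:
    """No-Write-Up: a process may modify an object only if its IL >= the object's IL."""
    return process_level >= object_level

def undeletable_objects(whoami_groups: str, objects: dict) -> list:
    """Names of labelled objects (name -> label SID) that this token cannot
    modify or delete. Models the demo: a dropped file labelled High that a
    Medium-integrity shell can find but not remove."""
    lvl = token_level(whoami_groups)
    return [n for n, sid in objects.items() if not can_write(lvl, level_from_sid(sid))]

# Constructed sample: the mandatory-label row of a standard (non-elevated) token.
WHOAMI_MEDIUM = """\
Group Name                            Type   SID          Attributes
Mandatory Label\\Medium Mandatory Level Label  S-1-16-8192
"""

# Constructed labels: the user's own file (Medium) and a dropped binary relabelled High.
OBJECTS = {
    r"C:\Users\me\notes.txt": "S-1-16-8192",
    r"C:\Users\me\AppData\Local\Temp\dropped.exe": "S-1-16-12288",
}

if __name__ == "__main__":
    print(LEVELS[token_level(WHOAMI_MEDIUM)], "token cannot remove:",
          undeletable_objects(WHOAMI_MEDIUM, OBJECTS))
```

Running it shows that the Medium token can touch its own Medium-labelled file but not the High-labelled one, which is exactly why an elevated prompt (the admin token) is needed to clean such an object up.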
Very interesting...
The Connect Your World session introduced the Microsoft Web 2.0 applications that you can download from their site. These are some of the applications:
- Windows Live Photo Gallery is a photo manager whose most significant feature is a face identifier. When you add a new photo, it extracts the facial characteristics of the people that appear in it and searches for them among your contacts (other photos in the Gallery and people on your Live Spaces site).
- Photosynth: builds 3D views of monuments, buildings, etc. by grouping photos of the same object. In the demonstration they used a museum as the example and it was very well done (you could "walk" through the museum rooms and look at the pictures), but some months ago, when it was a beta, I tried the same with the Taj Mahal and the result was very poor. It depends on the number of photos that you have. You have the option to create your own Synth.
- AutoCollage 2008: you select a folder that stores some photos and it creates a collage with them in a few seconds.
- Microsoft ICE: Image Composite Editor is a tool to create panoramic images.
- Windows Live SkyDrive: as you know, this is an online hard disk that you can use to share files on the Internet.
- Windows Live Writer: this is the tool that I am using to write this blog. Edgar Sanchez introduced it to me some months ago and I recommended it to all of you. You can find more info about it in these other posts on my blog: Live Writer and Polaroid Pictures.
- Live Mesh: synchronizes all your devices, including Mac machines.
- Other applications presented were Windows Mobile, Windows Live for Mobile, Windows Live Spaces, Windows Live Messenger, Virtual Earth and WorldWide Telescope.
Next session: How IT will change in the next 10 years and why you should care.
Miha Kralj, Senior Architect in Microsoft's Platform Architecture Team, gave an interesting and nice presentation about the future of IT in the coming years. Evidently, the basis of the IT industry in the near future is virtualization and cloud computing, which are changing it now, and from an employee's point of view the impact of social networks was the most important thing.
We decided to finish the day and the event by attending Mark Russinovich's session, Windows Security Boundaries.
During the presentation we could see how difficult it is to know what is a boundary and what is not. If I have not misunderstood, a security boundary is a wall through which code and data can't pass without the authorization of a security policy. For Windows to define a security boundary:
- It must be worth defending.
- The policy and who can set it must be well-defined.
- The policy doesn't always have to guard the entire boundary, but it can guard unpoliced tunnels.
- It has a high cost (violations of the policy are reported in a security bulletin as a bug by the Microsoft Security Response Center, MSRC).
As Mark showed, Windows has a few security boundaries in Vista and Windows Server 2008, but others that may seem like a security boundary at first aren't. Some examples of security boundaries are the following:
- A machine used to access the Internet can accept data from untrusted sources on the network. Goal: prevent arbitrary code execution and data access from the network. Implementation: all network-facing code must assume malicious clients. It is a boundary; a violation of it is an MSRC Critical security bulletin.
- A VM should not be able to modify data, read data or execute code in the host or in another VM. Implementation: the VM Monitor mimics physical system boundaries. It is a boundary; a violation of it is an MSRC Important security bulletin.
- Users should not be able to read or write another user's data. Goal: require users to explicitly share data. This is a security boundary (for standard users) and a violation is reported as an Important security bulletin by MSRC. In this case, without a boundary, Microsoft couldn't tell corporations that terminal servers are secure.
An example of a non-security boundary is the process. Processes contain executing code (DLLs, virtual memory, security context, etc.) and run in a user's security context. By default they can modify other processes in the same security context; no policy prevents it. But the session boundary (the third listed above) separates processes running as different users.
And this was all... I am looking forward to enjoying the sessions that we couldn't attend during this week; the problem with the Tech-Ed event is that you have several interesting sessions at the same time and you have to select just one, but that is why the video streaming exists. I will publish on my blog the URL to access the media content of the event as soon as Microsoft publishes it; until then you can see some presentations and "special moments" at this link. Enjoy it!!