June 22, 2004

Morning at the Microsoft Security Summit

Coming down to the security summit I was hoping to really gain some good insight on Microsoft's security stance. I appreciate learning more whenever I can and thought it would be well worth the investment in time.

The keynote reinforced everything coming out of Microsoft over the last year. Andy Lees, the VP of Server Tools, provided a good foundation for people who might not know what Microsoft has been up to. (Why wasn't Ballmer up there yelling "Security, Security, Security, Security" ???) Unfortunately, there was nothing new here for me. Maybe being too close to the ground I have heard it so much before that I lost the benefit of the keynote. The demo of XPSP2 was basically the same one from the RSA conference, and since I am running it already on my laptop I have already used everything presented. It was interesting to see more on the domain side of things to use group policies for the Windows firewall, so I did get something out of it.

If you attended the security webcasts over the past year you didn't need to come to the first session. The first one is on the Introduction of Application Security and is the same presentation that is on the security webcast I blogged about back in February. As a Level 200 session, I realize that my time can be better utilized elsewhere. The presenter is engaging, and there is much you can learn if this is new to you... but this got boring fast for me. I want to leave, but I am jammed in a crowded room which makes it difficult. I also don't wish to show any disrespect by interrupting the process and getting up, especially since it is an otherwise good presentation. I have to say I was floored when the presenter stated that he doesn't know how to make Explorer run as a different user, forcing him to log off as a normal user and jump to an administrator account to do a bit of work. I will have to go show him how to make a shortcut to iexplore.exe and set the "Run with different Credentials" box to do just that. (Update: He was very thankful that I showed that tip)

Making my time here useful, I am going through the conference materials; I notice Microsoft included a great security resource kit in the package. Going through it I can see a lot of interesting whitepapers, how-to's and supporting guidance information which I have posted about before. Nice to have that all in one package.

I think I am going to break out of the developer track and go over to the IT Level 300 track in the next session. It might be more challenging, and give me some new content to learn about.

Actually, this session just ended... so let's jump over to the IT Level 300 track now...


... OMG. I am in an awesome session on Implementing Application and Data Security that is being presented by Steve Riley, the Product Manager for the Security Business & Technology Unit at Microsoft. This guy is amazing. He is so engaging and knowledgeable on the topic it is quite refreshing from the earlier session. Not only am I learning how to better secure Exchange, he is showing compelling reasons why the new ISA Server 2004 makes sense for me. Isolating out OWA away from the perimeter DMZ and slamming an ISA 2004 box to deal with the authentication before it even hits OWA, I can see the benefits of reducing the attack surface by cleansing the input at ISA instead of relying on IIS, which I don't have a lot of trust in. The deployment scenarios he has shown are really interesting; I will have to follow up with him about this offline.

I am just floored at the rights management services (RMS). This isn't the DRM you are used to hearing about. Steve has shown some neat ways to use RMS within an organization, from time-basing documents to authorizing who can print or forward an email. I think they have a ways to go yet in dealing with it offline (especially for standalone files), but it looks promising. Seeing some of the concept videos for Longhorn, I can see how this will be more closely coupled into the secured environment of the future.

I already reached my ROI on the trip last night when I got to see Team System. This was icing on the cake! Speaking of cake, it's time for lunch. Hopefully the afternoon will be as useful.

Posted by SilverStr at June 22, 2004 12:55 PM