Afternoon at the Microsoft Security Summit

After a great box lunch I attended the Implimenting Advanced Server and Client Security session, put on by Steve Riley at Microsoft. There were a few interesting 'take aways' for this session.

First was a point I have made for some time. I think it shocked the room when Steve said it was bullsh*t to disable your broadcast SSID in your access points. It was useless anyways... all association request messages are broadcast clear text anyways. If you sniff long enough you will see legit traffic associating, giving you the SSID anyways. By enabling the SSID though... you allow the wireless access tools in Windows XP to 'just work'.

I also found out that later in the year Microsoft will be releasing Microsoft Audit Collection Services (MACS), which is basically the same functionality as what Unix has had forever with syslog. Neat difference is how it is designed to import directly to a data source like SQL server. This is nice; it is about damn time.

I have been wrestling with Active Directory stuff as of late, and I enjoyed Steve's 30 second AD structure. Some organizations take weeks, months even years as they try to organize an Active Directory structure that fits in with the politics of the organization. Steve gives us a quick way to deal with it:

• Forests and Domains = Physical geography
  
• Organizational Units = Administrative Model
  
• Security and Distribution = Organizational Chart

Basically Steve wrapped everything up into 4 bullet points (even though he had over 120 slides for a 90 minute presentation *shudder*)

1. Authenticate everywhere
   
2. Validate always
   
3. Authorize and audit everything
   
4. Encrypt when necessary

After this presentation I decided to head back to the developer track and sit in on Implimenting Application Security using the Microsoft .NET Framework. Great presentation by the same fellow who did the morning session.

Nothing really new here, except I did learn about the checked keyword that I never knew existed. It allows you to do arithmetic overflow checks in your code. If it crosses a boundary and overflows, it will trigger a System.OverflowException. Never knew that before.

The demo for role-based security code blocks through imperitive and declaritive security were neat. I use WindowsIdentity and WindowsPrincipal a lot but didn't realize you could build your own with GenericIdentity and GenericPrincipal. I will have to look into it. Of course, lately I have been doing more declaritive access control by using PrincipalPermission attributes. ie:

Works great, and constricts code by access control on each method.

With that session done, the Security Summit was over. It was time to head back to Canada. Thanks for a great time Seattle.

Only wish I had enough time to do some kayaking on Lake Union. Hey, maybe if everyone takes Steve's advice of opening the SSID next time I am down... I might even go War Kayaking and beat Phillip's mapping.