The 5 Rules of Regulatory Compliance - Slidedeck

For those of you brave souls that sat through my presentation today at the Microsoft Small Business Summit, you can download a copy of my original slidedeck here. The version they used in the LiveMeeting should be available later this week at www.sbsummit.com.

Thanks to Susan Bradley for doing a great job answering questions during the session.

And again, I apologize for the "Barry White" impression. This cold came on fast, and its trying to kill me. I think I might take the rest of the day and go recouperate. Maybe an afternoon of watching movies and drinking orange juice can battle this puppy. *sigh*

Poor design decision for ACL control with UAC?

So one of the most interesting things that goes on at an MVP Summit is the parties at night. Never a good sign when Security MVPs whip out laptops, start cackling in the back corner and dive deep into subjects of interest. Of course a LOT of it I can't talk about, but there was one issue Gabriel and I discussed that is worth talking about publically, since its already known to the public.

That would have to be a design decision, that externally, looks kind of bad when it comes to elevation of file/folder access on Vista. When a Standard User tries to enter a directory it doesn't have access to an elevation prompt occurs. All good so far. If the credential check succeeds, Vista grants that user read access for that folder (and its children) by extending read access to the ACL for that folder. You would kind of expect that.

But then nothing more occurs. You would ASSUME that the ACL would be returned to its previous state when the session ends. But you would be wrong. And it doesn't change when you log off either. Once the permission has been granted, you now have read access forever... or at least until you manually remove the ACE for that DACL.

Is this a security vulnerabiity? Depends on who you ask. I don't think it is. You have given that user access. Nothing prevents them from taking a complete snapshot of all data at that point in time. However I do believe its a bad security decision. Because it never reverts access control back to the previous state, it is EASY to forget about the access change, and later place sensitive data in that directory that someone else may have access to that you don't expect.

I would love to understand the thinking behind this. I understand the concept of changing the ACL, but I would have expected that the ACL would be reset when the session ended. If anyone from Microsoft would like to comment, I would be sure to link to the post. I would love to learn the reasoning behind this design decision.

Personally, I think it was a poor decision. However, I don't have the luxury of looking at the threat model that was performed on this part of the system. I have no idea what I may not be considering here. Elevating access permanently just doesn't seem reasonable to me unless you inform the user of that fact. And that never occurs.

What do you think?

Life, the Universe, and where the hell is Dana?

Lack of posts. Yuk.

I wish I had a good reason. I don't... past being swamped. I am touring like crazy talking about information security, (mostly about strong authentication these days), presenting to crowds varying from small user groups to large conference halls. Not to mention the fact that I spent over a week with Microsoft before and during the MVP Summit last week. That was an awesom trip, which I can't really talk about due to the NDA nature of the event. There is a scary picture on Flickr of a group of us wearing our Team Canada jerseys at Bill Gates keynote. (You can even see me in there if you know what I look like). That's right... a sea of red and white. How patriotic.

And to boot, I have been balls to the wall working on some identity and access management code at work. Let's see, I have written a two-factor authentication server using web services and written a web service proxying layer to allow it to be used in things like Windows logon agents, RADIUS servers and web servers. All exposed via COM and web services to make it easy to place anywhere on the Windows stack. And did I mention the backend has the capability to hook in CardSpace? Some of this has been integrated into LOB apps already, including a neat deployment to a company we all know and love (which I can't talk about yet). Ya.... I've been busy.

Been going crazy wanting to get some thoughts on my blog, and hope to do that in the coming weeks. I just have a few conferences (like Microsoft's Small Business Summit) that I need to put behind me first. Speaking at these funtions are always fun... but require quite a bit of effort to pull off.

So, yes, I am alive. Just busy doing the security ambassadorial role and building the software to protect you guys from the baddies out there. ;-)

If you are interested, here are some upcoming events I am presenting at:

• March 22nd, 2007 in Redmond, WA: Microsoft Small Business Summit - Presenting on my 5 Rules of Regulatory Compliance for small business
  
• April 28th, 2007 in Bellingham WA: Linuxfest NorthWest - Presenting on adding strong authentication to Unix environments
  
• May 3-5, 2007 in Islandia, NY: SMB Nation East - Presenting on strong authentication in Windows environments
  
• May 29-June 2nd in New Orleans: Small Business IT Disaster Planning for Risks and Recovery Conference - Presenting on the role of security and risk management during IT disaster planning.
  

Yep.... going to be a busy few months. In between there, I have a new version of our strong authentication software at work to be released, as well as some new goodies. Time to get the Dew intraveniously I think.