<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:admin="http://webns.net/mvcb/"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:content="http://purl.org/rss/1.0/modules/content/">

<channel>
<title>Dana Epp&apos;s ramblings at the Sanctuary</title>
<link>http://silverstr.ufies.org/blog/</link>
<description>Life, the Universe and everything Security</description>
<dc:language>en-us</dc:language>
<dc:creator>Dana Epp</dc:creator>
<dc:rights>Copyright 2008</dc:rights>
<dc:date>2008-04-17T00:11:43-08:00</dc:date>
<admin:generatorAgent rdf:resource="http://www.movabletype.org/?v=3.2" />
<admin:errorReportsTo rdf:resource="mailto:silverstr@vulscan.com"/>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<sy:updateBase>2000-01-01T12:00+00:00</sy:updateBase>

<item>
<title>Mark Russinovich and boundaries... are we missing a key aspect of existing security technology in Windows?</title>
<link>http://silverstr.ufies.org/blog/archives/001040.html</link>
<description><![CDATA[<p>So today I got to sit in a session where Mark spent time reviewing the whole aspect of security boundaries in Windows.</p>

<p>This isn't a new talk, and is actually one I originally saw at last year's MVP Summit. But it's always fun to watch his demos. At least, it was once AV showed up and fixed his demo machine.</p>

<p>But it had me thinking about boundaries that exist in Windows that we just aren't leveraging effectively. He mentioned .NET CAS. Code access security is an example of a mechanism that provides evidence, permissions and policies that can enforce boundaries, and limit access exposure. It is rarely used, and when it is, is used ineffectively. </p>

<p>It had me thinking though of another piece of technology introduced in Windows Server 2003 to the masses. That's the Authorization Manager, or AzMan as we normally call it in the security groups. AzMan gives the system and its applications role-based security to provide constrained whitelist behaviour. A process that is AzMan aware is capable of enforcing policy to ensure that only users within a given role can be made available to take action and be restricted in what tasks they can do within a context. A well-defined use of security boundaries in Windows.</p>

<p>But no one knows about it. Did you know about it before this post? Probably not. But you should... because at this year's RSA conference Microsoft announced its <a href="http://www.microsoft.com/endtoendtrust/">end-to-end trust initiative</a> which is heavily directed towards role-based security.</p>

<p>I think Microsoft is doing a great job in thinking ahead and providing the infrastructure so we can design and deliver more thought out secure solutions. But I wonder if they are doing enough to actually educate the world about just what they ARE doing in this space. This isn't the "Field of Dreams" where if they build it, we will come. Microsoft and its advocates are all going to need to ensure messaging about what Windows is truly capable of (good and bad) is clear, concise and to the point. </p>

<p>I think AzMan is a great piece of role-based goodness that should be much easier to use, deploy and explain. The Visual Studio team needs to step up and tool better to make this easier for developers. What do you think?</p>
]]></description>
<guid isPermaLink="false">1040@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Security</dc:subject>
<dc:date>2008-04-17T00:11:43-08:00</dc:date>
</item>
<item>
<title>Microsoft, can you please cross-breed TAM and your internal TM tools</title>
<link>http://silverstr.ufies.org/blog/archives/001039.html</link>
<description><![CDATA[<p>Been very busy lately. Had no chance to blog, or have any sense of order and time for myself.</p>

<p>Last week was RSA Conference, as well as The Microsoft Strategic Architects Summit. This week it's the Microsoft MVP summit in Seattle. Then to Dallas for the SMB Summit before finally heading home.</p>

<p>In the midst of all this, I wanted to make sure I got this thought down for fellow developers who design secure software. Currently at the MVP Summit I am seeing a TONNE of stuff inside of Microsoft that I obviously can't talk about due to NDA disclosure. But I wanted to say one thing without breaching the essence of the protection document:</p>

<p><BLOCKQUOTE><br />
<B>Microsoft, you need to cross-breed TAM and your own SDLC threat modeling tool. That thing is just wicked.</B><br />
</BLOCKQUOTE> </p>

<p>For those that don't know, Microsoft does NOT use the threat modeling tool produced by their ACE team. Instead, they use their own internal tool, which I am not sure I am even allowed to mention by name. But it makes sense; the SDLC is much different than SDL-IT. A picture taken from the <a href="http://blogs.msdn.com/threatmodeling/">ACE TAM blog</a> could help with that.</p>

<p><IMG SRC="http://silverstr.ufies.org/SDLITsmall.JPG">  </p>

<p>I am a fan of TAM, but hate that I cannot easily design my own data flow diagrams. There is too much focus on entering in critical components like use cases before the DFD is laid out. The MS internal tool isn't like that. I can't really go into details, but let's just say they figured out how to lay out a DFD right. It's not just a simple Visio shape template like we are used to. There are rules and collection points that can be quite useful.</p>

<p>So Microsoft, when would you like me to babysit that abomination? I'd love to see the two tools converge. Anyone else think so too? Let Microsoft know.</p>
]]></description>
<guid isPermaLink="false">1039@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Security</dc:subject>
<dc:date>2008-04-16T00:35:47-08:00</dc:date>
</item>
<item>
<title>MSDN Ignite Security Conference - My &quot;Thinking like a Hacker&quot; slidedeck</title>
<link>http://silverstr.ufies.org/blog/archives/001038.html</link>
<description><![CDATA[<p>So it's been fun today. I have been a speaker at the <a href="http://msdn.microsoft.com/canada/ignite/" target="_blank">Ignite MSDN Virtual Security Conference</a> presenting to a few hundred developers interested in secure software development. I presented on how to "Think like a Hacker", where I discuss the views, motives and processes an adversary may use to attack your applications. For those that asked, you can download a copy of my slidedeck <a href="http://silverstr.ufies.org/SOB_Dana_Epp.pdf" target="_blank">here</a>.</p>

<p>I have to apologize for a few of the pauses during my presentation. We are having a snow storm and the heat in the building has gone out. I had people walk into my office with portable heaters and they disturbed my thoughts and flow, and I had to stop to let them plug in the heaters so I could warm up. (I could almost see my breath)</p>

<p>No matter though. All is good. Thanks to Microsoft for inviting me to come speak, and to all of you that came out to listen!</p>
]]></description>
<guid isPermaLink="false">1038@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Security</dc:subject>
<dc:date>2008-01-29T10:15:07-08:00</dc:date>
</item>
<item>
<title>Stop it! Can we stop with everyone being OpenID providers, and start being more consumers?</title>
<link>http://silverstr.ufies.org/blog/archives/001037.html</link>
<description><![CDATA[<p>So everyone is abuzz that Yahoo <a href="http://yhoo.client.shareholder.com/press/releasedetail.cfm?ReleaseID=287698" target="_blank">announced</a> that it is now joining the OpenID craze. At the end of the month you will be able to visit <a href="http://openid.yahoo.com" target="_blank">openid.yahoo.com</a> and set your Yahoo account to sign into other sites that support OpenID.</p>

<p>Sounds great. Anyone tried to use their OpenID from a different IdP to get into Yahoo? Ya, not so easy. Nor will it be expected to. How about AOL? Or Google? They all are fine being the IdP... but no one wants to trust the IdP I want to trust.</p>

<p>This is the problem with OpenID. Everyone wants to be the provider of the identity. No one wishes to consume it and trust someone else. Well, except for the smart guys over at 37Signals that use their <a href="http://www.37signals.com/openbar" target="_blank">OpenBar</a> for single sign on.</p>

<p>We need more consumers.... not more providers. I <a href="http://silverstr.ufies.org/blog/archives/000988.html">talked about this</a> back in 2006. Until we get more consumers going, OpenID will be on the cusp of being a geek thing.</p>

<p>And before I get nasty emails that will be routed to /dev/null.... numbers DO lie. Just because there are now going to be millions of OpenIDs thanks to AOL and Yahoo accounts means dick if they can't be used at each other's sites. Talk to me when I can use my favored IdP to log into both my Yahoo and Google accounts.</p>
]]></description>
<guid isPermaLink="false">1037@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Security</dc:subject>
<dc:date>2008-01-17T09:16:16-08:00</dc:date>
</item>
<item>
<title>Know of an inexpensive ASP.NET module that can collect SCORM results from Camtasia?</title>
<link>http://silverstr.ufies.org/blog/archives/001036.html</link>
<description><![CDATA[<p>Hey guys,</p>

<p>If any of you out there know of a really inexpensive ASP.NET module that will collect quiz results via SCORM, can you please drop me a line at <a href="mailto:dana@vulscan.com">dana@vulscan.com</a>? I want to be able to collect the quiz results from Camtasia Studio output for use in some content where we want to measure the retention rate with small quizzes. </p>

<p>I really don't want to buy an LMS just to do this. If you know of any solutions, please let me know. Thanks!</p>
]]></description>
<guid isPermaLink="false">1036@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Journal</dc:subject>
<dc:date>2008-01-14T16:09:48-08:00</dc:date>
</item>
<item>
<title>Find your bandwidth in Vista really slow? Here is a simple hack for you.</title>
<link>http://silverstr.ufies.org/blog/archives/001035.html</link>
<description><![CDATA[<p>So, since the beginning of beta testing on Vista I have always found the new TCP stack to be overly hyped, and rarely with the performance you would expect.</p>

<p><a href="http://msmvps.com/xperts64/" target="_blank">Charlie</a> and I have always hacked the registry to turn off autotuning, TCP Chimney and Receive-side scaling. Recently I had 3 employees within a matter of minutes come up to me complaining that their bandwidth sucked, which was actually affecting customers as they were getting dropped from our online chat support system. Not good.</p>

<p>So I mucked with netsh and remotely tuned their NICs. The result was quickly seen. They went from 700Kbit download speeds to 18Mbit. Yes that's right. It makes that much of a difference.</p>

<p>To be fair, Vista SP1 has this cleaned up pretty well now, but if you are like my employees and are freaking out and can't wait, start a cmd window as an administrator (* <em>see below</em>) ... and type this magic in:</p>

<p><B>netsh interface tcp set global autotuning=disabled</B><br />
<B>netsh interface tcp set global chimney=disabled</B><br />
<B>netsh interface tcp set global rss=disabled</B></p>

<p>Do that and then run another <a href="http://www.speakeasy.net/speedtest/" target="_blank">speed test</a>. You will probably find it works REALLY well. Well, except to other Windows Server 2008 systems, where the stack really comes into play.</p>

<p>If you are unsure if you have the settings on or off, you can run:</p>

<p><B>netsh interface tcp show global</B></p>

<p>Of course, if you need to turn it back on, you can do this by typing:</p>

<p><B>netsh interface tcp set global autotuning=normal</B><br />
<B>netsh interface tcp set global chimney=enable</B><br />
<B>netsh interface tcp set global rss=enable</B></p>

<p>*NOTE: To start a cmd window as an Administrator click on the Start orb on the bottom left and type "cmd" in the Search field, but do NOT hit enter. Right click on the cmd window icon and select "Run as Administrator".</p>

<p>UPDATE: Thanks to Lawerence and Bruce for correcting the syntax for re-enabling it</p>
]]></description>
<guid isPermaLink="false">1035@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Journal</dc:subject>
<dc:date>2008-01-14T11:56:02-08:00</dc:date>
</item>
<item>
<title>The Lone Server Story</title>
<link>http://silverstr.ufies.org/blog/archives/001034.html</link>
<description><![CDATA[<p>I got a chuckle off of the Lone Windows Server 2003 story. <a href="http://www.microsoft.com/winme/0801/31869/WS08_LoneServer_LongVersion.asx" target="_blank">Check it out</a>.</p>

<p>More info <a href="http://blogs.technet.com/windowsserver/pages/about-lone-server.aspx">here</a>.</p>
]]></description>
<guid isPermaLink="false">1034@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Humour</dc:subject>
<dc:date>2008-01-09T14:47:37-08:00</dc:date>
</item>
<item>
<title>RSA restructuring within EMC causes layoffs. Are you one of the employees affected? Then read this!</title>
<link>http://silverstr.ufies.org/blog/archives/001033.html</link>
<description><![CDATA[<p>Recently EWeek <a href="http://www.eweek.com/article2/0,1759,2246749,00.asp?kc=EWRSS03119TX1K0000594" target="_blank">pointed out</a> that RSA reported that they would be laying off up to 1,250 people globally in their research and sales teams as part of the EMC restructuring.</p>

<p>I don't normally talk about business on my personal blog, but this seemed like an opportune time to point out that all is not lost. Sometimes when one door closes, another opens. If you are a driven sales associate of RSA with a proven track record in Canada, the United States, or Australia you might want to check out the career opportunity <a href="http://www.scorpionsoft.com/blog/archives/2008/01/career_opportun.html" target="_blank">posted</a> up on the Scorpion Software corporate blog.</p>

<p>Come join our dynamic and exciting team focusing on delivering strong authentication and identity assurance solutions to small businesses. We are a lean, mean fighting machine that has a lot of growth potential. You know who we are; we are the team that builds <a href="http://www.AuthAnvil.com" target="_blank">AuthAnvil</a>. You guys are visiting our site every day. :-)</p>
]]></description>
<guid isPermaLink="false">1033@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Journal</dc:subject>
<dc:date>2008-01-09T08:01:21-08:00</dc:date>
</item>
<item>
<title>Awarded with the Windows Security MVP designation for another year!</title>
<link>http://silverstr.ufies.org/blog/archives/001032.html</link>
<description><![CDATA[<p>Happy New Years everyone!</p>

<p>For a third year in a row I have been given the <a href="https://mvp.support.microsoft.com/gp/mvpawardintro" target="_blank">MVP Award</a> from Microsoft. I am in <a href="https://mvp.support.microsoft.com/communities/mvp.aspx?product=1&competency=Windows+-+Security" target="_blank">good company</a>.</p>

<p>Looking back in the last year it's been really fun. I have spoken in the community from Microsoft's campus in Redmond all the way to their campus in Sydney Australia. I have keynoted at a few conferences and even helped work on the technical track at SMB Nation. I have been a subject matter expert in many areas of new products that aren't even public yet at Microsoft, and have been able to make a real difference in the direction of critical components in Microsoft product.</p>

<p>I have found critical vulnerabilities and stupid bugs, and was able to expand my circle of influence with new friends with brilliant minds in the security field. Many thanks to everyone who I have been able to engage with during this trek. I look forward to seeing many of you at the next MVP Summit!!!</p>

<p>And above all, many thanks to my close friends in the MVP community. For as much as I give back to the community, I learn even more from my peers. And I thank you for that. </p>
]]></description>
<guid isPermaLink="false">1032@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Security</dc:subject>
<dc:date>2008-01-01T22:18:33-08:00</dc:date>
</item>
<item>
<title>Production Virtualization for SMB</title>
<link>http://silverstr.ufies.org/blog/archives/001031.html</link>
<description><![CDATA[<p>I'm a big fan of virtualization. Most of you know that. But you probably don't know that we use SBS + SCVMM together very successfully around here.</p>

<p>Recently I wrote a post over on Microsoft Canada's TechNet IT Pro blog about <a href="http://blogs.technet.com/canitpro/archive/2007/12/31/production-virtualization-for-smb-sc-vmm-server-2008-and-virtual-server-2005-r2-sp1.aspx" target="_blank">Production Virtualization for SMB - SC-VMM, Server 2008 and Virtual Server 2005 R2 SP1</a>. </p>

<p>When I show people how cool SCVMM is, the first thing I hear is about how expensive it must be. It's not. Microsoft is coming out with a SMB version in the new year which they are calling "Workgroup Edition". That allows you to manage 5 hosts and as many guests as you like, for about $100 a physical box. Great value for the money when you consider the centralized management and great visualization. Never mind the VM checkpoints which make patch management much easier to manage.</p>

<p>So check out the post. And then give SCVMM a try. You might be pleasantly surprised how well it works in the SMB space.</p>
]]></description>
<guid isPermaLink="false">1031@http://silverstr.ufies.org/blog/</guid>
<dc:subject>Small Business Server</dc:subject>
<dc:date>2007-12-31T13:39:25-08:00</dc:date>
</item>


</channel>
</rss>