Back from Microsoft Belgium where occurred an ISSA Belgian Chapter event about security of Microsoft Windows Server 2008.
The speaker, Ronny Bjones, started with some historical facts about the Microsoft products and security. He explained why Microsoft had lot of security issues in the past, due to the way developers worked, explaining the goal of SDL (Security Development Lifecycle).
ASLR and DEP were explained. Strange, those features are often disabled in the BIOS by OEM vendors. Why? Due to incompatibility for some software like Java machines. Fail!
Others interesting facts discovered by Microsoft, 80% of applications still require administrative privileges to store *.ini files in “c:\windows” or copy files to “c:\program files”. Once again fail! Developers must definitively have more security awareness.
The “User Account Control” system were explained. Ronny agreed on the fact that popup’s are a pain for the end-user. In the audience, Christophe asked why the system behavior wasn’t the same as the sudo! ;-)
Finally, the new security features of Windows Server 2008 were explained:
- network defenses
- host defenses
- data defenses
About the network defenses, the largest part covered NAP (Network Access Protection). As said Ronny, NAP is only a measure and not a bullet-proof security solution (it could be possible to create a fake NAP agent which will always reports the client as “clean”).
Another nice features was covered like the console mode of Windows Server 2008 which tend to reduce the attack surface by installing only a basic OS without the well-known fancy Microsoft components. Three modes of data defenses were explained: volume encryption, files/folders encryption and RMS (Right Management Service). About NMS, this could be successfully implemented if software take cares of the documents restrictions. As discussed with Christophe, Adobe has a “fail-open” policy with protected PDF files: if the feature is not available, the document will be processed anyway. And what about Microsoft? “Fail open” or “fail close”?
Except some more commercial slides like “Windows has less vulnerabilities than ***X”, let’s keep the war between Microsoft and UNIX users away for a while. The presentation was very nice and gave a lot of useful information. It seems clearly that Microsoft is pushing hard on security in its new products.
Sorry if I missed some information, my laptop battery died too quickly…