Well, it’s been over a week since Tech Ed New Zealand and Tech Ed Australia ended, so I’m assuming that I’m still gainfully employed. I did learn that Vegemite is not “apple butter” and should be used sparingly, and that Dr. Pepper, while a huge success here in Texas, is not much celebrated Down Under.
Tech Ed? Well, it was terrific! I want to thank everyone who attended and took some time to come to my sessions. I delivered two. One was entitled “Vista Security Tidbits” and covered some of the aspects of Vista security that IT Professionals want to know more about (UAC, IE7, BitLocker, etc.); since we only had an hour, I hoped it served as the “appetizer” to the later sessions which covered these topics in great detail. I also did a session entitled “Identifying Computer Attacks: Tips, Tricks, and Techniques” which demonstrated ways to identify that an incident has occurred on the network. I even showed some of the more common digital forensics tools out there, such as Guidance Software’s EnCase and AccessData’s Forensic Toolkit. All in all the scores were generous and the comments were welcome. I really appreciate the time I got to spend with the good people in Australia/New Zealand and I’d gladly make the trip back there. I did receive a few interesting comments during my visit. I’d love to open some debate around the ideas, and maybe help find a solution. I’m certainly not the “know-everything-security-related” guy, so I thought maybe some of you out there in the ether may have some ideas.
- From Brisbane – (paraphrased) “The idea to create “Log On As” functionality so that administrators could log on as any user, without requiring that user’s credentials. The purpose? To allow administrators to configure a user’s profile, troubleshoot problems that only occur when that user is logged in, etc. without having to have the user hang around so they can re-log in after reboots, or if the screen locks itself, etc. Although on first examination the idea seems to be risky from a security perspective, I believe it would actually increase compliance. This is because, in practice, many users wind up sharing their passwords with administrators so the work can be done when they are not present. A “LogOnAs” utility would remove the necessity for this, without really giving the administrator any more powers for evil than they already possess. In effect it would replace an uncontrolled process with a controlled one. I imagine an audit trail would be mandatory, so that logs record “administrator logged on as BobS” rather than “BobS logged on successfully”.”
It does sound risky, and we know that auditing isn’t prevention. Is this the only solution? Is there a better one?
- From Auckland, NZ – (paraphrased) “One of the things that really bugs me about Vista as it currently stands is the all-or-nothing approach with User Access Control. The ability to selectively say "don't bug me anymore" when asking for administrative permissions for common actions would be great.”
I think we have this one nailed with Vista RC1, and the UAC is certainly less “chatty”. I think what this gentleman was getting at was that he’d like to see the UAC stop asking you after it realizes you’re going to say yes, after the 100th time. We’re talking about something completely different at that point, of course, with regard to “AI that learns”. The UAC has been taking it on the chin lately, but the security fundamentals being introduced are crucial to success. We are trying to change “user behavior”, and those of you out there who attempt to do that daily know it’s not easy.
- I had several customers tell me that “when auditing all those events (due to reg compliance issues), the sheer volume makes retention and reading extremely painful”. No doubt. You should consider the following options:
- Sit down with Legal and do an audit assessment to determine what is really important with regards to reg compliance
- Look at using System Center Operations Manager 2007, which will include the much-awaited Audit Collection System.
- Know that Windows Vista will include XML-based events for use with your favorite XML parser. You might also consider using EventCombMT.
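To make the last option concrete, here is an added example (not code from the original post or from any Microsoft tool) of the kind of triage you can do once events are XML: keep the high-signal records verbatim and collapse the noisy ones into counts, so volume stops being the problem. The namespace `http://schemas.microsoft.com/win/2004/08/events/event` and the event IDs 4624 (successful logon) and 4625 (failed logon) are the real Vista values; the four sample records, the host name `WS01.example.test`, the user names and the timestamps are constructed for this example, and the XML is trimmed to the fields the code reads.

```python
"""Triage Vista-style XML event records: keep failures, summarise the rest."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the Windows Vista event schema (real value).
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"ev": EVENT_NS}

# Constructed sample records in the Vista XML event layout, trimmed to the
# fields used below. Host, users and times are invented for this example.
SAMPLE_XML = f"""<Events>
<Event xmlns="{EVENT_NS}">
  <System><EventID>4624</EventID><Computer>WS01.example.test</Computer>
    <TimeCreated SystemTime="2006-09-01T08:00:00Z"/></System>
  <EventData><Data Name="TargetUserName">BobS</Data>
             <Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="{EVENT_NS}">
  <System><EventID>4624</EventID><Computer>WS01.example.test</Computer>
    <TimeCreated SystemTime="2006-09-01T08:05:00Z"/></System>
  <EventData><Data Name="TargetUserName">BobS</Data>
             <Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="{EVENT_NS}">
  <System><EventID>4624</EventID><Computer>WS01.example.test</Computer>
    <TimeCreated SystemTime="2006-09-01T08:06:00Z"/></System>
  <EventData><Data Name="TargetUserName">svc-backup</Data>
             <Data Name="LogonType">5</Data></EventData>
</Event>
<Event xmlns="{EVENT_NS}">
  <System><EventID>4625</EventID><Computer>WS01.example.test</Computer>
    <TimeCreated SystemTime="2006-09-01T08:07:00Z"/></System>
  <EventData><Data Name="TargetUserName">BobS</Data>
             <Data Name="LogonType">2</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict per <Event>: event_id, computer, time and EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("ev:Event", NS):
        system = ev.find("ev:System", NS)
        # EventData is a list of <Data Name="...">value</Data> elements.
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("ev:EventData/ev:Data", NS)}
        events.append({
            "event_id": int(system.findtext("ev:EventID", namespaces=NS)),
            "computer": system.findtext("ev:Computer", namespaces=NS),
            "time": system.find("ev:TimeCreated", NS).get("SystemTime"),
            "data": data,
        })
    return events


def triage(events, keep_ids=frozenset({4625})):
    """Keep events whose ID is in keep_ids (default: failed logons) verbatim;
    collapse everything else into counts keyed by (EventID, user, LogonType)."""
    kept = [e for e in events if e["event_id"] in keep_ids]
    summary = Counter(
        (e["event_id"],
         e["data"].get("TargetUserName", "?"),
         e["data"].get("LogonType", "?"))
        for e in events if e["event_id"] not in keep_ids
    )
    return kept, summary


if __name__ == "__main__":
    kept, summary = triage(parse_events(SAMPLE_XML))
    for e in kept:
        print("KEEP   ", e["time"], e["computer"], e["event_id"], e["data"])
    for (eid, user, ltype), n in summary.most_common():
        print(f"SUMMARY event={eid} user={user} logon_type={ltype} count={n}")
```

On the sample this keeps the single 4625 in full and reduces the three 4624s to two summary lines (two interactive logons for BobS, one service logon for svc-backup). The `keep_ids` set is where the outcome of the audit assessment with Legal goes: whatever must be retained verbatim for compliance stays out of the summary.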
Did I miss anything? Time for a Dr. Pepper!