Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

I got another shout out from the TechEd aggregator. It’s currently listed as the top entry at http://msdn.microsoft.com/en-us/events/teched/cc531163.aspx. Actually, they renamed my post to “Session notes and links on FCS/NAP”. Perhaps I should have chosen that title in the first place ;)

Permalink | Comments (0)

Just saw a cool talk for the very last session of the week: Security Compliance Management (http://technet.microsoft.com/en-us/library/cc677002.aspx). This is a free tool from Microsoft Solution Accelerators that integrates with the Desired Configuration Manager (DCM) feature of System Center Operations Manager (SCOM).

In summary, the download includes documentation and a set of locked-down security templates for Vista, XP, and Server 2008. The templates are XML-based, so you can modify them via the DCM GUI, or standard XML scripting/editing tools. The result is that the templates can be applied to machine groups, allowing reporting to be done on the inevitable state of compliance drift that happens to security configuration over time.

Still missing is auto-remediation. For example, the reporting mechanism can tell me how many (and which) machines are out of password policy, but it can’t automatically update that policy. I’m still dependent on Group Policy, which may be lagging or failing for some reason.

However, one of the audience members had a reasonable auto-remediation solution for now: within DCM, define the policy machine group to be based on the set of machines considered to be out of compliance based on a certain definition. For that set, advertise an update/patch - for example, an administrative script that SCOM will run on non-compliant machines to patch them up. It’s workable, and a clever idea, but not as “automatic” as customers will demand.

Still - SCM is a cool solution and worth checking out.

Permalink | Comments (1)

http://www.runasradio.com/default.aspx

I did an interview with them two days ago, which will reportedly be posted in a week or so. Stay tuned!

Permalink | Comments (0)

I had the privilege of helping Frank Simorjay with his talk this morning. We had the … distinction of being first thing in the morning, last day of the conference, after the conference party the night before. Tough crowd! Actually, things went fine, and anyway I love a challenge. Here’s the official talk title:

SEC366 Get the Best Out of NAP with Microsoft Forefront Client Security: Better Protect Your Environment and Support Advanced Access Control to Your Network
Friday, June 13 8:30 AM - 9:45 AM, S220 E
Level: 300 - Advanced

The purpose of this session was to showcase the new Forefront/Network Access Protection Solution Accelerator (http://www.jwsecure.com/dan/2008/06/04/forefrontnap-solution-is-now-live/). This being a 300-level session, Frank invited me to provide commentary about the implementation. Here are my notes (modified slightly for this medium).

Acronym Reference
[Every technology domain has its own terminology and acronyms. Here's a reference for this one.]
NPS = Network Policy Server (the NAP server)
SHA = System Health Agent (client-side NAP plug-in)
SHV = System Health Validator (server-side NAP plug-in)
SoH = Statement of Health (sent by the client)

FCS NAP Architecture
[Refer to the diagram about half-way down this page - http://technet.microsoft.com/en-us/library/cc512107(TechNet.10).aspx]
How does NAP implement sandboxing for non-compliant clients - in other words, how are unhealthy computers kept separate from the healthy computers?

Suppose the NAP enforcement scenario is DHCP. In other words, client computers won’t be given an IP address on the corporate network unless they are deemed compliant by NAP. The first step is that the NAP agent on the client sends a Statement of Health along with the request to the DHCP server. In the diagram linked above, the client could be either of the laptop-shaped images on the left-hand side. The server in this picture, at the bottom of the larger oval, is playing two roles: DHCP server as well as Network Policy Server, or NPS.

The DHCP server receives the DHCP request from the client, extracts the Statement of Health, and relays it to the NPS to be evaluated. In this example, that’s just a question of one service talking to another service on the same server.

If the Statement of Health is considered to be compliant, then the DHCP server responds with an IP lease on the main, NAP-compliant, corporate network. If the Statement of Health is not compliant, then the DHCP server grants the client an IP lease on the restricted, non-compliant, sandbox network.

[A brief digression about deploying NAP in its DHCP scenario, since this came up a few times this week: be aware that there are some limitations inherent to DHCP. Namely, it's not possible to implement server authentication and message integrity with the current standard-compliant DHCP. DHCP is an old protocol and wasn't designed to do those things. Thus, organizations interested in NAP are wise to evaluate other NAP scenarios, such as 802.1x and IPsec, in which a higher security bar can be set.]

So how does the new FCS NAP solution play into this? It’s a question of what information is included in the Statement of Health, and how it’s evaluated by the NPS. FCS NAP consists primarily of two plug-ins: a System Health Agent (SHA) for the client and a System Health Validator (SHV) for the server (NPS).

Data Flow
[Refer to the diagram about half-way down this page - http://technet.microsoft.com/en-us/library/cc512113(TechNet.10).aspx]
The client SHA adds Forefront-related information to the SoH to be evaluated by the SHV. To the FCS NAP SHA, the SoH is effectively a bitmask. For example, one bit gets set only if the Forefront client is currently running (arrow #2 in the diagram referenced above), and another bit gets set only if the client’s virus signatures are up to date (arrows #1 and #3).

When the FCS NAP SHV receives that SoH bitmask (arrow #5), it evaluates each bit against the health policy configured by the administrator. For example, if the bit indicating whether Forefront is running is un-set, then the SHV checks whether the current policy indicates that Forefront must be running on healthy clients.

After evaluating each bit in the SoH bitmask in that way, there are generally two possible states the SHV can report to the NPS: the client is either healthy/compliant or un-healthy/non-compliant. In the latter case, for each non-compliant policy item, the SHV provides a message to explain to the user the reason, or reasons, why the machine is non-compliant. For example, “The Forefront client isn’t running,” and “The virus signatures are out of date,” etc. These messages are visible via built-in tools such as napstat.exe and netsh.exe.

There are two NAP configuration scenarios that affect how the SHV behaves: auto-remediation enabled and auto-remediation disabled.

Without auto-remediation enabled, the SHV again behaves as described above. That is, each aspect of non-compliance is addressed with a string explaining what’s wrong. However, with auto-remediation enabled, the SHV must place different information into the SoH response when the client is non-compliant. The auto-remediation response information consists of two things:

First, different strings are used to distinguish between the scenarios in which the user is expected to take corrective action manually, versus the scenarios in which corrective action will be taken automatically by the SHA. The latter is what auto-remediation is all about.

Second, the auto-remediation SoH response must include instructions from the SHV to the SHA about what specific action to take. For example, if one of the required Forefront services isn’t running, and policy requires that it must be running for the client to be considered compliant, then the SHV will set the bit in the SoH bitmask instructing the SHA to attempt to automatically start the service.
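To make the bitmask evaluation and the two auto-remediation behaviours concrete, here is an added Python model (not the Forefront SHA/SHV code; the bit positions, policy names and remediation flags are constructed for illustration) that also covers the DHCP lease decision from the architecture section above:

```python
from dataclasses import dataclass, field

# Constructed bit layout of the client's Statement of Health (SoH) bitmask.
SOH_FCS_RUNNING = 1 << 0         # Forefront client service is running
SOH_SIGNATURES_CURRENT = 1 << 1  # virus signatures are up to date
SOH_REALTIME_ON = 1 << 2         # real-time protection is enabled

# Constructed bit layout of the remediation instructions the SHV returns to the SHA.
FIX_START_SERVICE = 1 << 0       # SHA should try to start the Forefront service
FIX_UPDATE_SIGNATURES = 1 << 1   # SHA should trigger a signature update

# Policy item -> (required SoH bit, user-facing reason, remediation bit or 0).
# Real-time protection has no automatic fix here, so it always needs manual action.
POLICY_ITEMS = {
    "require_running": (SOH_FCS_RUNNING, "The Forefront client isn't running.", FIX_START_SERVICE),
    "require_signatures": (SOH_SIGNATURES_CURRENT, "The virus signatures are out of date.", FIX_UPDATE_SIGNATURES),
    "require_realtime": (SOH_REALTIME_ON, "Real-time protection is disabled.", 0),
}

@dataclass
class SoHResponse:
    compliant: bool
    messages: list = field(default_factory=list)
    remediation_mask: int = 0

def evaluate_soh(soh_bits: int, policy: dict, auto_remediate: bool) -> SoHResponse:
    """Model of the SHV: check each SoH bit against the administrator's health policy."""
    resp = SoHResponse(compliant=True)
    for name, required in policy.items():
        if not required:
            continue                      # policy does not require this item
        bit, reason, fix = POLICY_ITEMS[name]
        if soh_bits & bit:
            continue                      # client already satisfies this item
        resp.compliant = False
        if auto_remediate and fix:
            # Distinct string plus an instruction bit for the SHA to act on.
            resp.messages.append(reason + " It will be corrected automatically.")
            resp.remediation_mask |= fix
        else:
            resp.messages.append(reason + " Please correct this manually.")
    return resp

def sha_apply_fixes(soh_bits: int, remediation_mask: int) -> int:
    """Model of the SHA acting on the instructions; returns the SoH bits it reports next."""
    if remediation_mask & FIX_START_SERVICE:
        soh_bits |= SOH_FCS_RUNNING       # assume the service start succeeded
    if remediation_mask & FIX_UPDATE_SIGNATURES:
        soh_bits |= SOH_SIGNATURES_CURRENT
    return soh_bits

def dhcp_lease_scope(resp: SoHResponse) -> str:
    """DHCP enforcement: compliant clients get the corporate scope, others the restricted one."""
    return "corporate" if resp.compliant else "restricted"

if __name__ == "__main__":
    policy = {"require_running": True, "require_signatures": True, "require_realtime": True}
    client = SOH_SIGNATURES_CURRENT       # constructed: service stopped, real-time off
    first = evaluate_soh(client, policy, auto_remediate=True)
    print(dhcp_lease_scope(first), first.remediation_mask, first.messages)
```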

Permalink | Comments (0)

Since I’ve been working the Forefront Client booth this year at TechEd, I’ve had a lot of questions about the value proposition for the next release, codename Stirling. I’ll summarize my response in one word: manageability.

Why do I say that? Well, I don’t deny that there’s continuous innovation happening on the client component - the anti-malware engine. That applies to all of the major providers - Symantec, CA, etc. But the client engine is not where the Enterprise-targeted product differentiation is happening right now.

In choosing an anti-malware (anti-virus, anti-spyware, etc) suite, an organization must first ask itself - what are our requirements, what are the applications we need to support, what are the policies that we need to have exposed, and what are the tools that we’re using today? Once you’ve got answers to those questions, evaluate competing solutions to determine what’s best for you. Forefront may or may not be it.

But what Forefront has going for it, specifically in the next release, is a consistent management experience. Consistent in three ways. First: client, server, and edge security products are all managed from a single console. Second: that console is based on the standard Microsoft user-experience/GUI guidelines that your admins already understand - and that lowers TCO, don’t forget! Third: management is AD/group-policy based. Again, you leverage your existing knowledge and infrastructure.

For the official spiel about the product, see here - http://www.microsoft.com/forefront/stirling/en/us/default.aspx.

Permalink | Comments (0)

I’m famous! The redirect link is here (http://teched.indepthtalk.net/TechEd2008/Extras/TechEd_Logistics_and_Buzz/22786.item). It’s listed about halfway down the page here (http://teched.indepthtalk.net/teched2008/Feed.rss?itemcount=100).

Permalink | Comments (0)

Jeff was very kind to invite me to the Q&A session to end his TechEd talk today (http://blogs.technet.com/nap/archive/2008/06/09/nap-ing-teched-orlando-2008.aspx), and to let me take a question about locking down NAP clients. Specifically, the NAP health model is based on receiving information from clients. Can’t it be spoofed?

In short, yes. But it’s important to understand two things:

Number one, NAP is about compliance. (A) what are the network policies? And (B), what’s the reality? NAP helps customers answer the second question. In fact, many NAP deployments today are finding that quarantine enforcement isn’t even necessary. Simply by creating awareness, among both administrators and users, about which machines are violating which network policies, the compliance bar is quickly being raised.

Number two, NAP, like many client security features, is dependent upon trustworthy client administrators from an enforcement perspective. That is, if a user can muck with the system binaries, then the NAP Statement of Health data can be spoofed. Ditto, with injecting network traffic, depending on the scenario. If your users are local administrators on their workstations, then you are implicitly trusting them to behave themselves.

Of course, life is much more complicated than that in practice - there are a number of situations in which not providing users with local admin access is just too difficult to support. It’s debatable whether that’s going to change any time in the near future.

An alternative solution to the above problem, which also may or may not be available in the near future, is a supportable TPM key hierarchy and deployment story. In that case, the integrity of the system, from BIOS to user-mode start-up, can be cryptographically verified. In that beautiful utopian world, spoofing data from a NAP client will in theory require compromising a tamper-resistant chip on the motherboard.

Permalink | Comments (0)

The first day of TechEd IT Pro has been very busy! I’m just now getting a chance to write up my notes from the keynote this morning. If you’d like to hear the original, looks like you can do that here (http://wm.istreamplanet.com/customers/ms/100_ms_teched_080610.asx).

The first guest was Hunter Ely, an IT expert who used SharePoint and Groove to help lost family members find each other during the aftermath of Hurricane Katrina (more here - http://blogs.technet.com/nap/archive/2008/02/22/nap-heroes.aspx). Hunter is definitely good people.

Next topic was the re-introduction of Microsoft’s Dynamic IT marketing initiative. It’s a 10 year effort and they’re half-way in. The first bit mentioned was Infrastructure Optimization (here’s a MORG link; I can’t seem to find a better one - http://www.microsoft.com/midsizebusiness/mmrp/deploy/it-infrastructure-optimization.mspx).

After that came “Managing Identities - Federation”. Specifically, the announcement of Identity Lifecycle Manager 2 Beta 3 (http://www.microsoft.com/windowsserver/ilm2/default.mspx). There were two ILM demos: one showing an integrated employee on-boarding work flow with SAP, another showing how an approvals process can be driven by email.

Next came Interoperability. The first bit was a reminder that Operations Manager supports Linux now (http://blogs.msdn.com/scxplat/archive/2008/04/29/announcing-system-center-operations-manager-2007-cross-platform-extensions-and-connectors.aspx).

The second interop item was probably the most technical of the keynote demos, with some developer content having been included. In summary, the demo started with a stock trading application based on .NET 3.5 + WCF + WPF (for a smart client). Then a representative from WSO2 (http://wso2.com/) came up and showed interoperability of the same web service based solution with PHP, Apache, and native C (for the Axis2 project). Finally, they showed replacing the .NET backend with a Java-based order processing service to receive requests from the .NET middle tier.

Then the keynote moved on to Virtualization. Microsoft is working with Citrix to present virtualized Vista on dumb terminals. Next up, a video showing how Kroll (http://www.kroll.com/) uses Windows Server virtualization technologies in its data center.

Muglia took this opportunity to talk about Hyper-V, basically with a lot of superlatives about how Microsoft’s brand-new technology is totally production ready. Then he briefly introduced application virtualization that left me totally confused - no idea what points he was trying to get across in this little segue piece.

But things got much better with a System Center Virtual Machine Manager 2008 (http://www.microsoft.com/systemcenter/scvmm/default.mspx) demo. They showed integration with VMware ESX to present a single VM management console (owned by Microsoft) compatible with both product suites. The console is reportedly completely PowerShell based, so everything it does can be scripted - they even have a button you can click on each action window that allows you to capture the equivalent script for subsequent automation.

He also showed the Performance Resource Optimization (http://blogs.technet.com/virtualization/archive/2008/04/29/system-center-virtual-machine-manager-2008-beta-has-arrived.aspx) feature of SCVMM, which allows virtualization-related operation center alerts to be handled automatically (e.g. VMs overloaded? The system will bring up a new web server image to balance.).

As an aside, the PRO demo was based on DinnerNow (http://www.dinnernow.net/)!

Muglia next mentioned SoftGrid (http://www.microsoft.com/systemcenter/softgrid/default.mspx), a segue into the demo of the recently acquired Kidaro (http://www.kidaro.com/). This one was pretty cool. They first showed a client VM policy that dictates in which directions the clipboard may be accessed (e.g. you can paste into the VM, but not from the VM).

The second Kidaro demo showed hosting an XP-only application in a VM window with a red border, running on Vista. Seamless. And they can do the same thing with Internet Explorer. Have a website that only supports IE6, but you need to access it on Vista? Launch the URL and a virtualized IE6 window comes up.

The final piece that I caught (I left a bit early, partly out of boredom and partly because I wanted to get over to the Forefront demo pod) was Software + Services. Microsoft’s hosted offerings include Exchange, SharePoint, and LiveMeeting. A demo showed Exchange with a management console that integrates hosted directory data with what’s available locally.

Permalink | Comments (0)

I had gotten into the habit of stopping into Starbucks in the morning, at least a couple of times per week after hitting the gym, in order to buy one of their now-infamous (see below) breakfast sandwiches (protein + calories = yum) and a cup of coffee (critical). Pretty tasty, but a guilty pleasure for at least two reasons: it’s expensive, and those sandwiches aren’t exactly the most healthy thing for breakfast. Although after a strenuous workout, I could do worse.

But then two things happened. First, I started getting sick of those darn sandwiches, and began wondering if life didn’t have something else to offer for breakfast, you know?

Second, Starbucks had a major management shake-up (http://www.reuters.com/article/hotStocksNews/idUSWNAS629620080111) early this year. That, in turn, resulted in Starbucks launching its new Pike Place Roast coffee (http://biz.yahoo.com/bw/080407/20080407006099.html?.v=1), which I don’t like. And an announcement that Starbucks would stop serving my breakfast sandwiches (http://www.fool.com/investing/general/2008/01/31/starbucks-stinks.aspx)!

My initial reaction to the whole sandwich thing was outrage. But then I started paying attention to the context of the announcement. Starbucks’ CEO said the sandwiches were overwhelming the smell of the brewing coffee. But the real reason is that, by serving coffee and breakfast sandwiches, Starbucks found itself competing more closely with McDonalds (http://www.businessweek.com/print/magazine/content/08_16/b4080000943927.htm) - and losing.

I thought to myself, well, I don’t like Starbucks coffee anymore, because Pike Place roast is no good (full disclosure: I actually drink decaf, which always tastes worse than regular, but still, their old decaf was much better). And I was already looking for an alternative to their breakfast sandwiches. So why not switch over to McDonalds?

Brilliantly, right when the shake-ups at Starbucks started, McDonalds, smelling the blood in the water (or maybe just the sandwiches), initiated a major marketing push for their breakfast menu and new coffee-shop-like coffee drinks.

Where is this all going? Well, I went to McDonalds this morning for the first time in many years (ok, aside from visits made out of desperation on road trips - but even those are rare). I got a Sausage Egg McMuffin and a decaf coffee. And it was … really good. Better than Starbucks. And I didn’t have to get out of my car (yes, there are a number of drive-through Starbucks in Seattle, but none of them anywhere near as close to me as McDonalds). And I paid 25% less!

What’s the future look like for Starbucks? The economy is bad, which CEO Schultz admits in one of the interviews above is hurting sales of $4 lattes - a luxury item by any metric. Their stock has gotten pummeled (http://moneycentral.msn.com/companyreport?symbol=sbux), while McDonalds (http://moneycentral.msn.com/companyreport?Symbol=Mcd), by comparison, is actually doing okay (McDonalds also has a better net margin). Of course, the economy won’t be bad forever. But Schultz’s command-and-control management style leaves little room for executive growth, and succession planning has never seemed to be one of his priorities.

I think Starbucks is in trouble.

Permalink | Comments (0)

Microsoft has posted its Forefront Integration Kit for Network Access Protection, aka FCS/NAP. In summary:

  • The kit includes NAP client and server plug-ins which allow the network administrator to ensure that all machines on the network have active Anti-Malware protection, that the related client services are properly configured (and running), and that the latest signatures and patches are installed.
  • Those machines that aren’t compliant/healthy are either quarantined (in NAP enforcement mode) or logged (in NAP reporting mode).
  • Non-compliant machines can be automatically fixed-up. Your helpdesk (and users, and administrators) will thank you for not having to explain how to make manual configuration repairs in order to get someone connected to the network!
  • Last, but certainly not least, the documentation is thorough. Seriously. There’s no shortage of really bad (or completely missing) technology documentation out there, and the Solution Accelerators team is doing their part to fight that trend.

Why am I pimping this? Because JW Secure worked on it, of course! Check out the credits at the bottom of the Overview page - we did both code & document development.

This was an exciting project, and for me a great way to leverage my existing experience with the NAP plug-in model. As a firm, we also benefitted from seeing from the inside another real-world example of how a NAP solution can complement an existing product line.

Permalink | Comments (2)