Microsoft MVP Summit

Microsoft is currently hosting the Global MVP Summit in Redmond, WA.
Several people you are probably familiar with from online forums and news groups will be in attendance this year. I am on the Security tract and hope to post some of the highlights as the summit progresses over the next few days. At least what I can share, alot of the content/discussions is covered by a NDA and cannot be discussed publicly.

Today was set aside for registration, programs and services expo and regional dinners.

Regards,

CrazyM

 

The venue for the Americas Regional dinner was QWest field, home the Seattle Seahawks.

 

At this regional dinner there was a raffle with all proceeds going to hurricane relief.

 

And the winner was MSeng, a regular poster at DSLR/BBR

 

Hey Jim,

Thanks for the pics and postings !
Keep them coming

For those interested : a few links at DSLR/BBR :

Off to Microsoft MVP Summit

[Info] MVP Summit 2005 News

MVP Summit Notes - Thursday

 

Thursday started off with all the MVP’s in attendance (approx 1500) altogether for some key note speakers: Lori Moore, Corporate VP Customer Service and Support; Steve Ballmer, CEO; Jim Allchin, Group VP MS Platforms Group and Kevin Johnson, Group VP Worldwide Sales Marketing and Services. They discussed the MVP program and direction MS is taking in a number of different areas. Q&A sessions followed each speaker.

Lunch was followed by a buses out to the MS campus for sessions specific to your MVP group/platform.

Security Technology Investments & Roadmap was the first session for Security MVP’s and briefly covered recent security improvements and the positive impact it has had (XP SP2). They then discussed how security is still a primary focus and where they were going with it.

From a Technology Investments perspective they discussed: System Integrity; Identity & Access Control and Threat & Vulnerability Mitigation. Along with things like Security Development Lifecycle – a process which includes mandatory security training for all developers and process that introduces security at the beginning and throughout all projects. They also touched on the Security Response Center and better updates and tools.

The 3 principles of System Integrity were: Isolation (eg. a program like IE would be run in an environment isolated from the system); Least Privilege and Least Connectivity.

Vista will see things like user account protection (what used to be called LUA), service hardening (some aspects of which would similar to behavior blocking) and secure startup.

Threat & Vulnerability Mitigation includes things like the Vista firewall having both inbound and outbound application based firewall and a continued approach to layered protection.

IE7 was discussed briefly with it’s security focus on thing like protection from fraud (phishing filter), giving users better control and protection from malicious software. ActiveX will be opt-in for protection against unwanted actions and noted above in Isolation, IE in Vista will run in protected mode to prevent malicious software.

MSAS development is still progressing and the anti-spyware program has been the most popular download in MS history with over 18 million users and approximately 20,000 Spynet community votes per hour!

User can probably look forward to some interesting developments with the Sybari Antigen AV which uses multiple scan engines and also does content filtering and can be centrally managed. This will be a value added product.

Something else that will make an appearance in Longhorn/Vista is Network Access Protection (NAP). A process where systems accessing a network will first have to meet a certain criterion (current AV, up to date with patches, etc.) prior to being allowed access to the secure network.

Identity & Access Control will focus on allowing only legitimate users, policy based access to machines, applications and data.

Windows Security Enhancements in Vista & Beyond was the second session for the afternoon and carried on with and expanded on the earlier session.

They discussed how all things would be built with security in mind, foundational protection (against threats and to reduce risk), secure and easier access to information and services and integrated control.

Windows service hardening would see things like reducing size of high risk layers, segment the services and increase the number of layers. Service behavior would also be moritored. A defense in depth approach.

Those are some of the highlights from today. Unfortunately my shorthand is not that great

Regards,

CrazyM

 

Friday's breakfast at the Microsoft Conference Center

 

Friday’s security track comprised of sessions on Windows Rights Management (RMS), Security Features in IE 7.0, Windows AntiSpyware and IPSec.

Security Features in IE 7.0

The top priority for IE 7.0 is “Ship the world’s most trustworthy browser”.

When defining the threat environment they consider:
Threats to the machine (eg. active x, malware)
Threats to user information (eg. phishing)

The security principles behind development include:
Secure by Default
Provide Defense in Depth (going beyond patches and being reactive)
Defending against current and future threats (a more proactive approach)

Protecting from threats to the machine includes:

Protected Mode, in the Vista version, and ties in with the User Account Protection (LUA) and will protect the machine, not the account. It will have only the permissions it requires to do it’s job. Add-ons inside of IE will run with low privilege by default. Writes to the user profile will automatically be redirected to a virtual sub directory in the temporary Internet files and new API’s to call/prompt users to save a file elsewhere. Protected Mode will also be zone aware.

Consolidated URL class will focus on previous problems encountered when special characters are introduced into the URL and complicated parsing. An example they used was www.good.com@bad.com where you would end up going to bad.com They will now have a single URL parsing object.

ActiveX Opt-in will look at what should run in a browser and prompt for everything.

Enhanced Cross Domain Protection will tighten up scripting issues and block where there is a change.

More Secure Zones will introduce a new Medium-High setting for Vista (protected mode). The Intranet Zone will be off by default (will prompt for action if detected). Trusted Sites will also be stricter by default with a Medium setting. The slide for settings will only permit safe settings for the zone. Users would have to manually change this and would receive a warning when doing so.

Protecting from threats to user information includes:

As users are still going to have to make decisions and remain the weakest link one approach is towards enabling good trust decisions. IE 7.0 is secure by default and will help users in making decisions and show as much information as possible.

There will be a new Anti Phishing filter which will work from block lists of known sites and heuristics. This means users would be prompted for both known sites and suspicious activity that could be a phishing attempt (eg. post to an IP address). This does involve sending data to Microsoft. All communication is over SSL and does not send anything other than host name and path. While white lists can also be maintained they will still be filtered for suspicious activity by the heuristics. The filter can be turned on/off.

There will also be improvements to SSL such as a lock in the address bar and more user friendly certificate information. Better handling of mixed content (default will be not to show insecure content) and less prompts.

Clear My Tracks is going to be an easy access (top level menu item) option to clear your history, temporary files and cookies. They insist it really works and it includes the index.dat file which gets zeroed.

International Domain Names handling will be improved. IE locks down what character sets may display in the address bar by default.

Other features include prompt on scripting clipboard (on by default), new search box permits non binary extensibility, warning for insecure Internet control panel settings, blocking status bar updates from script (hover over link) and dialogs will show address bar.

Overall it appears they have been working hard to achieve their top priority.

Regards,

CrazyM

 

The MVP party Friday evening was held at Experience Music Project/SciFi Museum which is next to the Space Needle in downtown Seattle. A great evening, but unfortunately they do permit photos in the exhibit area. I did get one of the light show wall, which is at least 3 floors high.