Live from Berlin at Tech.ed 2009 your Swiss Microsoft Student Partners (MSPs) are here to blog about the conference and the sessions we joined.
In this session (12 tips to secure your Windows System (Win7 & 2008 R2), Mark Minasi is here to give us some tips about security and new goodies in Win7. First Mark started by telling us some general problems about security. There are 2 categories of security holes: the silicium base and the carbon based (human). It is important to differentiate both of them because software will never correct carbon based problem, but it can always help!
He then mentioned that the security policies are always getting better but not the users. And that a first step to get good security is to be able to convince the user to follow the rules. You must talk to your management, once they are on board with your security policy, it is a half win. Then you must be persuasive with your users and make them sign the policies (you can even threaten them with punishment if needed).
Mark continued with some math: you can reaches asymptotically 100% security as money invested reaches infinity, therefore IT security has a price and we need to accept a risk (the same way when we take the car).
He then explained that the purpose of an IT guy would be to increase ease of access to resource and the purpose of a security guy would be to keep people access to resources.
Password was a big topic in the presentation, he explained how crucial point it is for security and that "bad passwords always beat good security". The evolution of password has changed a lot in the last 20 years. Whereas in old times 4 characters were good enough password, now a minimum would be 8 and a good one should have 12 characters (and become a passphrase) that are always transmitted in the form of a 128 bit hash function. The problem is that complex password is hard to guess but hard to remember too! And if we continue following Moore's law in 10 years the passphrase would be minimum 20 characters long. Finally a user won't be able to remember his password (especially if he needs to change it every 45 days), so the solution would be to use a smartcard (1000 to 4000 bit actually).
One other major problem is that many applications we use require admin right to run (generally because there are poorly written) and here is where UAC (User Access Control) comes in. With UAC you always login as standard user and when you need to become an admin you can just switch to have all the rights (previously you needed to logoff as a user, login as an admin, do your stuff, logoff as admin and re-login as user).
At the end he told us about services security issues. As almost all of them have to be run from system account, they have lots of rights and can do a lot of things, which make them first choice targets for worms who could then enjoy total system rights. Windows 7 provides more regulations tools for developers: there are now 34 subset privileges in the system account, which can be activated or inactivated independently by the developer. To check if a developer has done a correct job, use the command "sc qprivs servicename". Developers can now edit the rights of services with a laser precision, avoiding putting the whole system in danger if one of the services is hacked by a worm.
The first day of the conference was very nice and we look forward for the next days.
That was Steven Meyer and Mikhail Chatillon, for Microsoft Switzerland, direct from Berlin