
Kim Cameron has some interesting discussion of the software here and here.

The following is a quotation from one of his posts:
There is no doubt that government has a legitimate interest in the safety of the Internet, and in the safety of our children.  But neither goal can be achieved with any of the unfortunate methods being used here.

Rather than so-called “blacklisting”, the alternative is to construct virtual networks that are dramatically safer for children than the Internet as a whole.  As such virtual networks emerge, technology can be created allowing parents to limit the access of their young children to those networks.

It’s a big job to build such “green zones”. But government is the strong force that could serve as a catalyst in bringing this about. The key would be to organize virtual districts and environments that would be fun and safe for children, so children want to play in them.

This kind of virtual world doesn’t require the generalized banning of sites or ideas or prurient thoughts - or require government to “improve” the nature of human beings.


 

Two senior consultants on the AD RMS team, Enrique Saggese and Kiyoshi Watanabe, recently wrote some new content that details best practices for properly scaling and managing your AD RMS infrastructure.

The following abstract details the contents of this documentation:
Here we describe the scaling scheme for an AD RMS infrastructure, we define sizing parameters for the server roles in an AD RMS infrastructure, and we describe logging characteristics of AD RMS that enable adequate performance monitoring. We also present real-world data regarding Microsoft’s own production implementation of AD RMS in order to enable you to perform preliminary sizing estimates for your own infrastructure.

I had the chance to edit this content before it was recently posted publicly on TechNet, so I wanted to announce it here on my blog. There is also an announcement of this content on the AD RMS team blog.


 

I recently ran across this short blog post by Ragnar Harper and I thought it was interesting enough to share.

There is no doubt that how we approach security needs to change. For too long now we have been thinking about building a castle to protect us with DMZs, network firewalls and so on. Then we are challenged to face the needs of our mobile users, and we need to be able to talk with “the cloud”. There used to be a time when access control at the folder level was enough. Today, you might have no clue where your information is. So, how is your folder structure going to protect you? The truth is, it won't. You need to protect your information, but you don't know where it goes, or how it gets there.

Using AD RMS, the document is secured the same way, inside or outside, on your SAN, or on someone's USB dongle. Even when sent through email, your information policy is still travelling with the document.


 

This article outlines some of the features in the new version of Exchange. There is also a brief mention of its interoperability with AD RMS.

Using the Transport Protection Rules, it was possible within the administration interface to create customized rules to control how specific messages could be routed within an organization—for example, applying “no forwarding” rules to specific messages. This feature could also be tied to Windows Rights Management Services to provide deeper DRM-style controls over some messages.

Recently, at the RSA Security Conference, we had a demo that showed how an administrator (with Exchange 2010 and AD RMS) can set rules for e-mail messages, such as "if this message is sent from a full-time employee to a vendor, do not allow forwarding." Customers received it positively.

 

There is discussion here about some of Microsoft's plans for Geneva, disclosed at Tech Ed this week (you can also view the Tech Ed keynote here).

 

Are you planning to go to Tech Ed? Read the post about it on the AD RMS team blog.

 

I had a great time attending the RSA Security Conference last week. Downtown San Francisco is always interesting to visit. I’ve been there a few times, but there is always something new to see. This was my first time attending, and the conference was bigger than I had anticipated, in terms of the physical space and number of people.

I enjoyed mixing with members of the AD RMS product team and marketing team. I don’t get many chances to chat with them in person (since I work in California and most of them are based in Redmond). Each individual brings a unique perspective to AD RMS that I like to hear.

The AD RMS demonstration environment that we brought with us highlighted the following:

  • Integration with Exchange 2010 – The demo showed how you can create rules in Exchange that take advantage of AD RMS protection. For example, we set up a rule that protected messages going from a full-time employees group in Active Directory to a vendors group.
  • Integration with SharePoint – The demo showed how to set protection policies on documents being added to a document repository.

Microsoft’s security partners had a visible presence at the conference. I had conversations with representatives from the following vendors:

  • GigaTrust – They have made it possible to protect many non-Microsoft file types, and they have a hosted AD RMS solution, among other products. Their rep told me that the hosted solution is typically used by organizations that want to share sensitive information with people outside their AD environment (where federation isn’t feasible).
  • Titus – They make software that prompts content creators to choose an AD RMS policy. Their software can also add watermarks and confidential messages to content (I'm just scratching the surface here).

In conclusion, Microsoft’s security suite and AD RMS in particular were well received, in my opinion. There was a lot of interest in all of the Forefront products, especially Geneva and Stirling. I also felt good about the prospects for AD RMS, going forward. Customers had really positive responses to our demos. All in all, a productive week of personal education and interaction.

I’ll leave you with a smattering of questions from the conference attendees:

  • What is all this? (speaking of Microsoft’s booth)
  • What is Forefront?
  • We don’t care for Microsoft, but we like RMS.
  • Does RMS encrypt all the data on a USB key?
  • I really like the granular control that AD RMS provides.
  • Can you list all of the new features in Exchange 14?
  • I’d like to get a job at Microsoft.
  • Do you know George? He works for Microsoft. He was supposed to meet me here.


 

Here is the article from NETWORKWORLD about Microsoft's strategy for the Forefront brand.

Microsoft Thursday began detailing a security strategy that will see it combine its identity management efforts with its Forefront security products built for clients, servers and the network edge.

The company plans to integrate its security and identity products under the Forefront brand, offer software-as-a-service versions and present it all as a layered defense of access and control for its corporate infrastructure software.

..."Customers are asking us to protect everywhere and access anywhere," says JG Chirapurath, director of the identity and security business group at Microsoft. "The protection is across multiple layers and on cloud, physical or virtual platforms."

 

I thought this article was a helpful discussion of the two technologies, particularly how their feature sets provide support for various information protection scenarios.

...in a few areas, there are overlapping standards that complement each other instead of directly competing. One relevant example is the case of Active Directory Rights Management Services (AD RMS) and Secure Multipurpose Internet Mail Extensions (S/MIME), two security protocols for protecting messages against exploitation.

 

Lately I’ve been running the AD RMS sample projects, included with the Windows SDK, and watching the values in the debugger to get a better understanding of each function. I thought perhaps that other developers might find this helpful. I’ll run through this process with one of the AD RMS sample projects (perhaps you don’t even know about these), in a step-by-step manner, so you can do it too.

Before you can run the AD RMS code, you need to set up an AD RMS development environment. You can set up your computer by following the instructions for Setting Up the Pre-Production Development Environment. The AD RMS Step-by-Step Guide is also helpful.

So, assuming that you’ve already set up your AD RMS development environment, you can go ahead and run some code. Navigate to the MachineActivation project on your development computer and open it up in Visual Studio:
C:\Program Files\Microsoft SDKs\Windows\<version>\Samples\Security\ADRMS\MachineActivation

If you have issues when you try to compile the project, you can check out my post concerning that and hopefully it will help you.

Once you get the solution to compile, make sure that the build configuration is set to Debug, and add a breakpoint in wmain. You should now be able to start debugging and step through the code while watching the local variables.

 

A court recently ruled that web sites do not have to release the identities of anonymous comment posters. But I suppose it will make you think twice before you post that flaming blog comment.

Here's a snippet from the article:

Web sites involved in defamation suits are not required to immediately hand over the identities of readers who leave anonymous comments, a Maryland court has ruled, laying out guidelines for future suits involving online anonymity.

The Maryland Court of Appeals on Friday overturned (PDF) an earlier ruling that would have forced Independent Newspapers, which runs the online forum NewsZap.com, to turn over the names of three unknown Internet posters who posted negative remarks regarding the cleanliness of a Dunkin' Donuts in Centreville, Maryland. The owner of the Dunkin' Donuts, Zebulon J. Brodie, claimed the anonymous posters defamed his store.


 

This article is based on a Gartner study on network security.

For large enterprises, the trend over the next few years will be towards the creation of "identity aware" corporate networks, according to Gartner, which will control access to some resources via user-based policies.

Rather than just verifying a user's identity at sign-on, and then leaving them free to use the network anonymously, identity-aware networks can monitor and audit user behaviour, and enforce access based on a user's identity, blocking access to resources that a user is not authorised to use. This can enhance security, and add compliance to regulations in those markets that require it.

End of support for Windows Rights Management Services V1.0

March 23, 2009 will bring a close to support for Windows Rights Management Services V1.0 as part of the Microsoft Lifecycle Policy. Microsoft will retire public and technical support, including security updates, by this date.

As of this date users will no longer be able to activate or re-activate clients, and may be unable to produce or use Rights-Protected content unless they upgrade to a newer version of Windows Rights Management Services Client. This includes Windows Rights Management Services Client V1.0 SP2, or the Windows Rights Management Services Client available as part of Windows Vista or Windows Server 2008. When users attempt to activate Windows Rights Management Services Client V1.0 using Microsoft Office they will receive the following error message: “This service is temporarily unavailable. Ensure that you have connectivity to the server. This error could be caused because you are offline, your proxy settings are preventing your connection, or you are experiencing intermittent network issues.” Users attempting to activate via other RMS enabled applications may receive different error messages.

Microsoft is retiring support for this product because it is outdated and can expose customers to security risks.

We recommend that customers who are still running Windows Rights Management Services Client V1.0 upgrade to a newer version as soon as possible. Windows Rights Management Services Client V1.0 SP2 can be downloaded from the following links.
Windows Rights Management Services Client V1.0 SP2 client (x86)
Windows Rights Management Services Client V1.0 SP2 client (x64)

Windows Rights Management Client V2.0 is also available as part of the Windows Vista and Windows Server 2008 operating systems. Information about Windows Vista is available at http://www.microsoft.com/windows/windows-vista/default.aspx. Information about Windows Server 2008 is available at http://www.microsoft.com/windowsserver2008

We recommend that customers who are still running Windows Rights Management Services V1.0 servers upgrade to a newer version such as Windows Rights Management Services with Service Pack 2 as soon as possible.


 

This article caught my attention this morning: Bill takes aim at anonymous hot spots -- like the local coffee shop.

It discusses a recent bill introduced in Congress that would require customers who use wireless Internet service in a business or other public space to disclose their identity.

"Just because Wi-Fi is free to the user, it doesn't have to be sort of a free-for-all anonymous, irresponsible service," said MacKinnon. Many big chains that offer Wi-Fi access, such as Starbucks, do so via user accounts, he noted.

"It seems to me sort of strange that when it comes to Wi-Fi, people feel that Wi-Fi should not be managed by account. I think it's just because the culture preceded the capability," said MacKinnon. "Increasingly, people realize that if they try to create mischief from home or work, it's too easily traced to them, so their first thought is [to] go and use Wi-Fi in public. ... Unfortunately, that takes advantage of the businesses that are providing the free Wi-Fi."

Just the other day I was buying some songs on Amazon and I took note of the fact that they have about six or seven of my credit cards on file. Now Starbucks is going to know all the websites I visit.


 

This presentation by Dick Hardt is interesting and entertaining. Here is his blog.

Dick has done a lot of work in the identity space, particularly co-authoring the OpenID 2.0 specification.

He has recently announced that he will be joining Microsoft.

 
