Microsoft

Did you know you can disable the use of USB storage devices in Windows?

Ryan M. Hurst — Thu, 13 Nov 2008 10:28:17 GMT

Well to be honest the only way to really stop the use of external storage devices is to whip out your epoxy and fill all the external ports on a machine.

Any policy that is locally enforced is a policy that can be bypassed by an attacker with local administrative privileges or physical access.

Plus if the definition of an attacker also includes the authorized user of the machine there are vectors that do not involve physical media that can *and will* be used (email, IM, web, etc.) to get the data off the machine.

With that being said it is actually possible disable the use of USB storage devices in Windows, I know a few companies who actually do this when paired with Extrusion Prevention Systems and/or Information Rights Management (IRM) systems (Its important to note such systems are best effort also, I suppose information does want to be free??).

The mechanism I am speaking about is documented in KB823732, it is supported as of XP SP2 and once is set the devices function as read-only devices only.

People should think carefully before deploying such a policy, there are plenty of legitimate reasons to use USB drives and doing this and settings like this don't differentiate by use case.

What I have been up to for the last year...

Ryan M. Hurst — Sat, 08 Nov 2008 00:47:16 GMT

A year ago I announced I took a new job back in Windows Security, I have not had much chance to blog since I took the new job but even if I did have the time I could not talk about the stuff I had been working on.

But times are a bit different now, a week ago was the Professional Developers Conference and this week was WinHEC; these were really the 1st events where Windows 7 became a public thing so now its safe for me to talk about what I have been up to.

As I said in a previous post my groups mission is to build platform technologies and solutions that enable secure password-less authentication into Windows, networks and the applications built on our platform.

To that end over the last year we have defined and delivered a platform for Biometric Devices in Windows, the "Windows Biometric Framework", this has been one of the best projects I have worked on at Microsoft.

Its just amazing that a year ago we had a whiteboard drawing and now we have a full platform and solutions built on that platform with support from great partners like Upek and Authentec (there are others too but I can't name them yet).

The cool bits of this project are in the platform, not in the user interface but the part people get to see is always a good place to start, in the "Hardware and Sound" control panel you now see a Biometric Devices control panel applet:

It exposes a set of common tasks related to Biometric devices, these of course include "Use your fingerprint to log on to Windows".

The control panel applet itself includes a list of Biometric Units that are registered on the machine, this machine (my Lenovo X61) has a Upek based Biometric Unit, you can see it bellow:

From this location you can "Remove your fingerprint data" if you do not feel comfortable with this data being persisted on the machine, or you can manage/enroll fingers.

Currently the platform only supports fingerprint readers, but its designed to support other concepts like facial recognition, vein recognition, geometry, iris and more.

In future versions of Windows, as these technologies become more common I hope to see it expanded to include native support for them as well.

So far the feedback has been great, the solution is the fastest we have tested and it allows for these solutions to co-exist, so you can buy a laptop with a built in fingerprint sensor from one manufacturer and a mouse with a sensor from another and they can both work on the same machine, unfortunately today that's not normally the the case.

There is lots more in store for Strong Authentication in Windows 7 also, I will try to write more about this and other features in this area in the future.

Back from Cartes, had a great time v2...

Ryan M. Hurst — Sat, 08 Nov 2008 00:47:06 GMT

Last year around this time I had the pleasure of heading to Paris for Cartes, it was a good trip and this year qualifies as the same.

I had a number of great partner meetings, saw a bunch of neat products, attended PC/SC and of course got to see Paris.

These trips take a lot out of you, very little time for sleep but a good time none-the less, I am glad to be home though.

RFC 5216 is published!

Ryan M. Hurst — Sat, 22 Mar 2008 19:33:05 GMT

Previously I mentioned I was working on an update to RFC 2716 that process is now complete, the RFC number for this new work is 5216.

This update was really about adding clarifying text address common implementation issues, better aligning the specification with its dependent RFCs (like RFC 4346, RFC 3280, etc), updating to specification to represent actual implementation practices to aid in interoperability and of course improving security guidance for implementers.

To be clear, no new capabilities were added to this RFC; despite that the document increased 35.9934% in size (from 50.2 KB to 71.7 KB); larger doesn't always mean better but in this case I think it does.

Book: The New School of Information Security

Ryan M. Hurst — Sun, 09 Mar 2008 22:35:17 GMT

OK, so I was not a reviewer or contributor to this new title but I do know the author and he is a bright guy, Adam Shostack is about to release his new book "The New School of Information Security"; when I first met Adam he was with Zero-Knowledge Systems as their Most Evil Genius, who could forget a title like that?

So whats the new book about? In Adam's own words its:

The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make things better. We think there's an emerging way of approaching the world, which we call the New School.

This is a concept I know I beleive in, one I have discussed numerous times with folks over beer; with that being said I can't wait to get my copy to see what the Most Evil Genious thinks.

Website was down, no longer though…

Ryan M. Hurst — Tue, 26 Feb 2008 00:09:15 GMT

One of the cool benefits of working at MSFT is the ability to participate in some of our dog food efforts, this site along with several others I run are hosted by one such initiatives at the company.

The downside of this is that this free hosting is expected to go down from time to time, last week there was a datacenter power outage and in the process of bringing everything back up it looks like one of the switches that front ends the trafic for the machine hosting my stuff lost some configuration settings that resulted in requests being dropped.

I didn’t have the time to file a request to get this fixed until this week but they took care of the problem as soon as it was brought to their attention, that’s what I call service!

When they resolved this issue they also told me they have recently moved me to a new beefy machine, the old machine was a single processor machine running a early beta of WS2008 with 4GB of ram but the new one is 8GB, two dual core processors and WS2008 RTM!

They tell me the new machine can handle a "site density" of up to 5,000 sites, that’s impressive!

We just had our WS2008 ship party last week, I actually didn’t get to attend due to a conflict the press is saying nice things about it, one of my favorites being from Tom Yager who said Windows Server 2008 “is an upgrade that IT can't refuse, … that eats commercial Linux “.

In any event, I suspect things will be running better now; let me know if you notice an outage or something odd.

What does my video archive / NAS look like?

Ryan M. Hurst — Mon, 18 Feb 2008 22:00:45 GMT

Recently on the My Movies forum there was a thread added about a huge 48TB NAS that is being constructed by one of the members over there; it has a ton of great data on his project around performance, power consumption, etc.

I have been running a smaller and slightly older configuration for several years now, I have blogged about it several times but I figured I needed a post where I could continuously update its every changing configuration, so here I go hardware wise we have:

1 x AIC RMC3E2-PI2 /w Reduntant N+1 650W PSUs

1 x Tyan Thunder i7525 (S2676)

2 x Intel® Xeon® Processor 3.0 Ghz /w EMT64 and HT

12 x 750GB (3.75TB) Seagate SATA II

1 x Areca 16 Port SATA-II to PCI-X /w 1GB cache (non-ecc)

4 x 1GB (4GB) PC2-3200 DDR2 ECC Registered

1 x 100GB 2.5" SATA II Hitachi OS Drive

1 x 250GB 3.5" SATA II Maxtor Swap/Temp Drive

2 x Open Cable Receivers

1 x Pioneer DVR-K17

This machine is currently running x64 VISTA SP1, its set up with a dedicated 100GB NTFS OS partition/disk and another 250GB NTFS disk/partition for the swap file and the recorded tv/live TV buffer.

The RAID is set up in a RAID 6 coniguration which leaves me about 7.5TB of storage; this allows me to have two drives fail at the same time without concern.

I originally started this machine with 250GB drives in RAID 5, I then migrated to 500GB drives in RAID 5 and as you can see am now at 750GB drives in RAID 6; the Areca controller has been great since it supports online capacity expansion and dynamic re-build I have had 99.999% availability of the RAID partition since I put the machine together (that includes one drive failure/re-build too!).

Many have asked me why I do not run Windows Home Server (WHS) on this configuration, I would actually love to but this machine plays double duty for my home, it is both my NAS and my MCE machine (we use extenders exclusively for all video/audio content in the house) and doing so would require me to have a 2nd always on machine which I am not prepared to do at this point.

On that topic, I have considered running WHS or MCE in a virtual machines to get both configurations working on the same hardware but I frequently run at 80% CPU utilization when doing video work on the same box and without a hardware upgrade I could not do this in a hiccup free way.

Another related question I get is why RAID and not the redundancy model used by WHS, well for one I did this system in 2004/2005 timeframe and there was no WHS and two that model gets expensive when you get above a few discs, I also like that my redundancy is rooted in a enterprise grade hardware that is independent from software since I do lots of selfhosting on this machine.

If you want to see a picture of this machine, one is here.

My Netflix is dead, long live My Netflix.

Ryan M. Hurst — Sun, 10 Feb 2008 22:50:24 GMT

Back in 2004 ended up getting a cold or flu of some sort that kept me from going into work for a day or so and I used that time to throw together a Media Center add-in called My Netflix; I have done a few minor updates over the years (http://unmitigatedrisk.com/archive/2007/08/25/119.aspx) but my work has become increasingly demanding and finding the time to give the project the TLC it deserves has been difficult at best.

As a result I am now officially announcing the death of My Netflix, I will no longer fix anything no mater how minor; if you have issues I released it under the MSFT permissive license and the source is still available (http://www.unmitigatedrisk.com/mce/mynetflixsource.zip) so you can go to town if you like.

With that being said, My Netflix has also been re-born (http://www.anpark.com/index.php/2008/02/10/new-vista-media-center-plugin-mynetflix-beta/); a kind soul (Anthony Park) has done a bunch of what I wanted to see done and re-wrote the add-in as a MCML application giving it experience more consistent with MCE plus he added support for Watch It now.

I have not been a Netflix subscriber for some time (they started rate limiting me, I think this is a dishonest practice) so I switched to Blockbuster (which has its own issues but that's another post) but from the screen shots Anthony has done a great job; in fact I think I will sign up for Netflix on one of the trials and play with it.

I can't say how excited I am to see this happen :)

Thanks Anthony!

Book: Windows Server 2008 PKI and Certificate Security

Ryan M. Hurst — Thu, 10 Jan 2008 15:59:42 GMT

Though its a few months before this book becomes generally availible (it will be April 6th according to Amazon), I wrote a side-bar for Brian Komar's next book "Windows Server 2008 PKI and Certificate Security", if this is the sort of thing that interests you consider pre-ordering the book, you will save some money and be one of the first to get the title.

Brian has given good coverage to some of the many improvements in Microsoft's PKI technologies that made it into Windows Server 2008, including the new OCSP server, certificate and key roaming and enrollment.

Book: Windows Server 2008 Networking and NAP

Ryan M. Hurst — Wed, 09 Jan 2008 21:51:00 GMT

While in the networking team I had a chance to review and provide feedback on a book by Joseph Davies on Windows Server 2008 Networking and Network Access Protection (NAP); the book is now availible here.