What I Learned from Attending the Windows Launch Event Today

Domain/server isolation

Ole Nielsen — Tue, 11 Nov 2008 12:07:20 GMT

Hi Jesper,

I think domain/server isolation is very, very cool. Network guys will always find a lot of reasons to hate it, but if we cut through the religion, they haven't got much of a case in my opinion.

Except for maybe one argument, they can throw at me:

What if there's a severe run-code-of-attacker's-choice vulnerability in IPSec, enabling an attacker to gain control over the server by crafting some sort of malformed packet during some part of some IPSec negotiation sequence?

To my knowledge there never has been such a vulnerability, but I suppose it could happen, right?

If there were to be discovered such a vulnerability, the attacker could take control over each and every machine, that requires or requests IPSec security. If there was a severe vulnerability in a network router/firewall device it would indeed be bad, but the attacker wouldn't have control over the servers behind the network device yet - he would still have to defeat the Windows firewall and other security mechanisms in-place on the servers. With an IPSec vulnerability, it would be game-over for the server right away...

How do you view this potential risk? How can it be mitigated?

Thanks a lot for your time in advance!

Best regards,

Ole

re: What I Learned from Attending the Windows Launch Event Today

(A different) Robert — Sat, 12 Apr 2008 05:43:35 GMT

Thankfully I had very different experiences at the launch event I attended.

The "experts" were giving away discs with powergui and quest's ad commandlets as well as breath mints :)

Nobody talked about windows advanced firewall :)

During the demo of NAP the presenter was VERY clear on the points you've raised and repeatedly reminded those present it was meant to be another tool and/or layer, not the solution.

The Hyper-V stuff was very cool. Seeing the presenter take a snapshot of 20+ VMs simultaneously and having it complete in about 40 seconds was impressive.

The Read Only Domain Controller demo was also pretty slick. It helpfully resets passwords for accounts that were allowed to be cached by the rodc if you remove it from the domain, but it is also smart enough to only reset those that actually were cached.

I assume RODCs are covered in your 2008 security resource kit book, I'm anxiously awaiting my copy so I guess I'll have to wait and see ;)

re: What I Learned from Attending the Windows Launch Event Today

rich — Wed, 09 Apr 2008 05:28:01 GMT

please come back to MS. we miss you here and heaven knows we could use the sanity.

re: What I Learned from Attending the Windows Launch Event Today

Ryan Hurst — Sun, 06 Apr 2008 03:15:12 GMT

More on NAP and "asking the drunk if they are drunk".

re: What I Learned from Attending the Windows Launch Event Today

Scotte — Wed, 02 Apr 2008 16:18:00 GMT

Thanks for confirming what I'd always suspected about NAP. I haven't had time to play with it at all, but could never figure out how it could be secure while relying on the potentially compromised machine to report its health.

I can see its usefulness for making sure non-admin users of laptops get their machines patched and updated once they get back to the production network. But, I've not seen NAP described that way. Its usually described as a way to make sure vendors get their machines up to your standards before they're allowed on the network. The problem is that they'll never be up to MY standards as long as someone outside of my group has admin rights on them.

re: What I Learned from Attending the Windows Launch Event Today

Susan — Wed, 02 Apr 2008 15:58:30 GMT

The difference is (I'm guessing) is that he may be in a program Microsoft calls the TAP program where people are supported to place it in production.

This is vastly different than downloading from TechNet and going it alone.

As you say, these TAP betas serve a great purpose, they put those beta bits in real networks .... and then there's the added bonus that the marketing folks love 'em as they get deployment stories for events out of them.

I told you, you should have said the SharePoint conference was last week :-)

re: What I Learned from Attending the Windows Launch Event Today

jesper — Wed, 02 Apr 2008 05:01:13 GMT

Good point Robert. I did not manage to get to the Hyper-V presentation unfortunately. It sounds like cool technology though, but, sadly, did not make it for Server 2008.

Using a server in production before it is released is not that unusual, depending on what you mean by "production" and where you work. At Microsoft, they have been running most, if not all, of their Domain Controllers on various builds of what eventually became Server 2008 for a couple of years. They run SQL Server in production too. For those of use whose job is NOT mainly to test pre-release software, doing so would... ill-advised, although I'm very happy someone does it.

re: What I Learned from Attending the Windows Launch Event Today

Robert — Wed, 02 Apr 2008 04:37:53 GMT

Don't forget Hyper-V which is one of the big selling points of Windows 2008 which was initially released as a Beta with the RTM Win 2008 and had a significiant redesign with RC0 (released last week). Brings new meaning to "We are all beta testers" if you are a Microsoft user...

And there was the one presenter that has been using SQL 2008 in a PRODUCTION environment for 6 months now - WTF!!!