Dreamscene was made available to Windows Vista Ultimate users today. 

For those that haven’t seen it, Dreamscene is a technology that provides desktop backgrounds that are effectively full motion videos that move around in the background while you’re working.  Some of them are quite nice:  A picture of Yosemite for example with the waterfall flowing in the background.  A video of a leaf with dew droplets coming off of it.  Waves of energy emanating from the "Windows Vista" wave picture.  Here’s a description of it as told by the Windows Vista Blog:
BLOG:
http://windowsultimate.com/blogs/extras/archive/2007/02/02/windows-dreamscene.aspx

Here’s a video showing what Dreamscene looks like in various forms on the Windows Vista desktop:
VIDEO:  http://www.windowsultimate.com/photos/storage/extras/dreamscenesmall.wmv

Posted by: kurtsh | February 15, 2007

VIDEO: Bill Gates at RSA Conference 2007

Keynoting RSA 2007, Microsoft Chief Research and Strategy Officer Craig Mundie (left) and Chairman Bill Gates discuss the challenges that pervasive Internet connectivity poses to the security industry. San Francisco. Feb. 6, 2007.

The RSA Conference 2007–the premier computer security conference for business–was held February 5-9 in the United States, and will go to Europe and Asia later this year.

View a webcast of the San Francisco keynote speech by Microsoft Chairman Bill Gates and Chief Research Officer Craig Mundie. (Requires registration to RSA web site)

The transcript is available here:
http://www.microsoft.com/Presspass/exec/billg/speeches/2007/02-06RSA.mspx

SUMMARY OF PRESENTATIONS BY MICROSOFT AT RSA:
http://www.microsoft.com/security/rsa/default.mspx

REPLAY OF ALL RSA KEYNOTES: 
http://www.rsaconference.com/2007/us/content/webcasts/

As I’d mentioned before, I got the chance to talk with Mark Russinovich, Microsoft Technical Fellow and all-around nice-guy Windows-Internals brain.

He’s concerned that people are viewing User Account Control as one monolithic component within Windows Vista… and it’s not.  See, in order to make things simple for everyone to understand, the Windows client team took 4 different security related features & wrapped them all into a single concept called "User Account Control" with the intention of showing how much effort was placed in securing Windows Vista from malware… and then proceeded to market the hell out of it.

The truth is far more complex:  User Account Control consists of 4 separate components:
– System Virtualization
– Administrator Approval Mode
– Rights Elevation
– Integrity Leveling

I’m not going to get into the details of what each of these are except to point out that they are all separate aspects of security designed to accomplish the general goal of security, and the specific goals of:
– Encourage software developers to write well-written, secured applications
– Minimize the rights applied to a user even when running as an Administrator
– Increase the number of individuals running as standard users instead of Administrators
– Minimize interprocess intrusion & security threats

MARK’S WARNING
"There is no guarantee that malware can’t hijack the elevation process or compromise an elevated application.  Solution?  Switch to a dedicated administrator account for securely running as administrator."

Basically, what Mark is saying is that it’s not terribly hard for a rogue process that may be running in the context of a standard user, to "invade" or "intrude upon" the resources of another legitimately running process – EVEN IF THAT LEGIT PROCESS IS RUNNING AS ADMINISTRATOR DUE TO RIGHTS ELEVATION.

FOR CONVENIENCE ONLY
For convenience sake, prompted rights elevation (The infamous, "You need to be an administrator to do this.  Please type your Admin username & password now" dialog) was provided within Windows Vista to encourage the usage of standard user accounts and only use Administrative rights when necessary, instead of signing in with them and using them on a day to day basis.

For compatibility reasons however, it was necessary to make interprocess communication easily possible between the elevated process and other processes running in the standard user context. 

The fact is that your Admin account is "susceptible to intrusion" when used to elevate rights while currently logged in using a lesser user account.  If

BOTTOM LINE:  ALWAYS LOG OFF
If you’re paranoid, or just don’t trust the end user you’re working with, always log off the user’s account before running administrative tasks using your own admin user account.  It might be possible that the end user got infected with a malware process and that process is waiting for you to use your account to elevate another process’s privileges.

For example, if they downloaded something from a "warez" site and ran it, against the policies of your company.  It might appear to do nothing and the end user will just brush it off, when in reality it’s just sitting in the background waiting for Joe Admin to use the computer, elevate their privileges to, say, authorize the installation of a legitimate piece of software, and attack.

EXAMPLE OF AN INTRUSION TECHNIQUE
One such attack might be to display a phony dialog box on the screen that looks just like the Windows Vista Admin Elevation dialog box when you run anything that requires admin rights.  The phony dialog box might appear over the legitimate one, capture the end user’s username and password, then print, "wrong password – try again", fooling the user into thinking they mistyped something, then show the REAL Admin Elevation dialog box behind it.  The admin would then legitimately log in and never know that his account had just been compromised.

HUMBLE NOTE:
Please bear in mind:  Mark Russinovich is far frickin’ smarter than I am.  I can barely parse assembly language, shades of my days as a DOS hack, tearing up copy protection techniques with debug as a 13 year old.  Meanwhile, this guy writes in assembly language as a hobby.  So it’s probably better to read stuff straight from the guy’s blog.

He’s written a blog entry at http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx that covers this topic and is going through a campaign of sorts to help reeducate the world on how UAC affects people and why administrative rights elevation should be something that is viewed in a cautious light.

He’s also recorded a similar presentation to the one I attended on the topic that’s available online here:
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=360

Bill Gates launched/announced the Windows Home Server at CES2007.  As of yesterday, the product went to beta for anyone that wants to apply for it and install the software.

Windows Home Server is designed to enable families with multiple PCs to connect their home computers, digital devices and printers so they can easily store and access their digital media and documents.  HP has announced the first Windows Home Server-based product, dubbing it:  "MediaSmart Server".

The requirements are pretty simple:
– Two or more PCs
– A broadband connection and router
– A spare PC or server that can be dedicated to Windows Home Server software
…I’m pretty certain they’re looking for folks with PHYSICAL servers so for those of you thinking virtualization, please don’t apply.

REGISTER: http://connect.microsoft.com/WindowsHomeServer 
BLOG: http://blogs.technet.com/homeserver/ 
DISCUSSION: http://forums.microsoft.com/windowshomeserver/default.aspx?siteid=50

Posted by: kurtsh | February 13, 2007

RELEASE: 3D Golf for Windows Mobile for free

Hit the links with Nine Hole Golf

Wanna copy of 3D Golf for your Windows Mobile-powered device?  You can get it for free now at our web site.  Here’s a description of the game:

Hit the links with Nine Hole Golf, a challenging 3D game, perfect for playing wherever you are. Choose from six animated characters and three luxurious courses, each with a distinct climate and landscape. Plus, compete with your friends by adding up to four players to one game. Register now and find your swing.

The coolest thing about the offer is that they have Pocket PC versions, Smartphone versions with landscape displays, and Smartphone versions with portrait displays.

DOWNLOAD:
http://www.microsoft.com/windowsmobile/domore/games.mspx

It’s been a long time since I’ve had "Smartphone" envy.  Oh, I’ve laughed at Palm’s PalmOS-based Treo 680 and I’ve smirked at folks using that Blackberry Pearl with the weird keyboard input and lousy library of software.

I’ve even shaken my head at the Windows Mobile-powered Treo 750.  Being that I’ve gone through the Windows Mobile-powered Treo 700w and the Windows Mobile-powered Treo 700wx, I’ve thoroughly evaluated these devices and I just can’t leave my ol’ reliable Samsung i730 Pocket PC Phone with the fast bandwidth and uber-fast processor (500MHz!).

But my wife’s now got a Samsung Blackjack i607, and this device actually has me drooling. 

  • 3.5 ounces (the lightest Smartphone I’ve seen yet)
  • Full keyboard with thumbwheel & joystick
  • GSM/EDGE (850/900/1800/1900mhz frequencies)
  • HSDPA high speed data networking (Max 1.8Mbps)
  • 1.3mpixel camera
  • Bluetooth 2.0
  • 7 hours of talk time (No, that’s not a typo)
  • 2 batteries – one thin, one extended
  • Laptop tethering support over USB cabling or Bluetooth

The biggest feature is the high speed data networking:  This is the first device with faster bandwidth than my Verizon Wireless Samsung i730 Pocket PC Phone.  I can get 500kbps consistently on my Pocket PC Phone while tethered to my laptop which is pretty good for watching TV remotely over the ol’ Slingbox.  My wife can get 900Kbps-1.0Mbps, which provides a DVD-like quality video over the Internet.

You read that right:  DVD-quality on a GSM network.  And check this out:  If you’re willing to switch over to AT&T Wireless/Cingular, you can get the Blackjack for FREE:

Samsung Blackjack i607 FREE with 6 month service plan
http://www.amazon.com/gp/product/B000KJS8CI?ie=UTF8&tag=bdog-20&link_code=as3&camp=211189&creative=373489&creativeASIN=B000KJS8CI

Recently, I got the chance to sit down and chat with Mark Russinovich, Microsoft Technical Fellow, and all-around Windows Internals mogul.  You may recall that we acquired Mark’s company, Winternals and its sister site, Sysinternals. (Formerly NTinternals.com if you go back that far) 

Well, above all that, we got Mark – who is now a bona fide "blue badge" as they call it here in Microsoft-land and has been honored with the designation of "Technical Fellow", a rank bestowed on only 16 people in the company, including folks like David Cutler, father of Windows NT; Rakesh Agrawal, the inventor of the modern datawarehouse; and Anders Hejlsberg, the man responsible for Delphi, C#, and many of the most significant improvements in computer programming languages in the modern age.

I asked him quite a few things but the funniest thing that stuck out in my mind was: 

Wow.  Mark demos better than me.  Sigh.

You see, Mark consistently uses two of his tools from Sysinternals which are available for free off of Microsoft.com. 

  1. ZoomIt v1.21
    The first is ZoomIt, which with a flick of the keyboard immediately zooms in on the portion of the screen the mouse is hovering over.  ZoomIt makes it a cake walk for people in the back row to see exactly what you’re showing on the screen, and it allows you to "ink" the screen to circle and highlight things that you’d like to point out to the audience.  ZoomIt is a tool I used to use 6 years ago but lost track of.  Now it seems that everyone within Microsoft is using it because it does such a good job of maintaining the audience’s attention.
    http://www.microsoft.com/technet/sysinternals/Miscellaneous/ZoomIt.mspx
  2. BgInfo v4.0
    BGInfo is just a tool that runs and changes the background of your computer to list out the computer’s name, the IP address, CPU type & clockspeed, OS running, Service Pack level, etc.  It’s a very good way of identifying what computer is what when you’re running a demo with multiple computers or multiple virtual machines.
    http://www.microsoft.com/technet/sysinternals/Miscellaneous/BgInfo.mspx

This was the first time I’d ever gotten to talk with Mark and admittedly I was a little awestruck which is very rare for me.  This guy was brilliant.  I’ve met Brian Valentine, Jim Allchin, Mark Minasi, Bill Gates, Steve Ballmer, and other famous Microsoft icons and honestly, meeting Mark was right up there.

I’ll write more about what we talked about but suffice it to say, he’s got a lot to say and it’s extremely fascinating.

Q:  Have you guys heard of Access-based Enumeration for Windows Server 2003 SP1?

Figure 1 Choosing ABE Settings

For those of you that remember the Novell world, whenever you hit a share that contained user directories, in Netware, everyone’s directory would be hidden except yours.  In the NT world, you’d see everyone’s directories but you wouldn’t have access to them.  This was a visual eyesore and would also cause help desk calls because users would try to get into these other directories, not realizing that they had no business trying to get into them.  For over a decade, since Windows NT 3.5, we never fixed the problem.

Finally here in 2006/2007 we quietly released a server side tool for Windows Server 2003 SP1 that does this, called ABE or Access-based Enumeration.  The idea is that the server will only show the directories that the user has access to, eliminating ambiguity and confusion – making it easier for the end user to navigate server shares.  It installs a new tab on folders that allows the administrator to optionally hide folders from users who don’t have access to them, and it can be made recursive throughout other folders in the hierarchy.  This is disabled by default but can be turned on using a 3rd party group policy.

DOWNLOAD: 
http://go.microsoft.com/fwlink/?LinkId=69209
MORE ON ACCESS-BASED ENUMERATION: 
http://www.microsoft.com/technet/technetmag/issues/2006/09/UtilitySpotlight/default.aspx

Posted by: kurtsh | February 8, 2007

INFO: The Integrated World of Microsoft

I found a slide that we’d crafted, and I think it’s one of the best slides I’ve seen in a while because I think it captures the comprehensive nature of all our businesses while also, through its layout, demonstrating the relationships and integration between each technology group.

I’ve found it difficult as we’ve grown to show this all within a single slide, however through structure and color grouping, they seem to have done a nice job.

The Fundamental Computer Investigation Guide for Windows Solution Accelerator is intended for IT professionals who need to effectively conduct investigations of Microsoft® Windows®–based computers in their organizations.

It provides a computer investigation model as well as process and best practice information. The guide also provides a fictitious example of an investigation that involves unauthorized access to confidential information. This investigation uses the provided guidance and demonstrates the use of numerous tools. Information is also included about how to configure a lab to create the example scenario.

An appendix provides information about how to prepare for computer investigations, sample worksheets, contact information for reporting different types of computer-related crimes to appropriate law enforcement agencies, and lists of useful tools.

——————–
SOLUTION ACCELERATOR:
http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx

DOWNLOAD:
http://www.microsoft.com/downloads/details.aspx?FamilyId=71B986EC-B3F1-4C14-AC70-EC0EB8ED9D57&displaylang=en
