Thursday, November 02, 2006

Technet Briefing Brasov

As promised, here is my write-up of Microsoft Days in my town. I attended the TechNet Briefing today, but since I didn't have an Internet connection available I could not blog live. So, let's take it step by step.

First it started with a quick intro, and then a local partner (no advertising here, but they are called 2Net) had a speaker talking about his company. Direct advertising, if you ask me. They offered keyboards to "key partners" as "presents". Go figure... but the list was 22 companies long.

Then the local communities were presented. I am a member of one of them, and they are quite legit, so I am glad they were presented. I admit that Microsoft is still helping them with sponsorships and logistics, but what the heck, those are the local communities that use and promote their products. Without further fuss, here they are: Ronua, ITBoard, SQLServer and ProFox.

The first TechNet presentation was about SBS 2003 R2 (Small Business Server 2003 R2). I'll highlight what I think is interesting: it is based on Windows 2003 SP1 and not on 2003 R2, and it incorporates Exchange 2003 and Web Share Services. It comes in 2 flavours: Standard and Premium. The Premium version adds SQL Server 2005 Workgroup Edition, Internet Security and Acceleration (ISA) Server 2004 and Office FrontPage 2003; the rest is the same. The recommended prices are 606 USD and 1315 USD respectively.

The second presentation was about security in Windows Vista. That was by far the most interesting presentation for me. With Vista they introduced the "Improved Security Development Cycle". This is a defensive programming technique that by design gets rid of the "standard" attack vectors like buffer overflows. It also means that the Microsoft Security Team has veto rights over the product; in other words, any security flaw will stop the product from being released. I am truly impressed by this.
Another security improvement is that services run with far fewer privileges. This means that if a service is compromised by an attacker or a virus, what the service is allowed to do is restricted big time... to mainly nothing. This comes in handy with the next improvement: all Windows services are profiled for allowed actions. In other words, each service must declare upfront what it needs to be allowed to do, such as the list of files it needs to write or the computers it needs to connect to. So? So, taken together with the previous improvement, these two will constrain malicious code as much as possible and keep the damage minimal.
They also introduced several run levels (0, 100, 200, 300, 400 and 500), where level 0 is fully restricted and level 500 is absolute power. Each level can write down and read up; a process is not allowed to write data to an upper level. So if a process is running at level 300 (user context and user desktop) it will not affect anything at level 400 (services level) or 500 (admin level). This means that a user application cannot change the services and cannot change the system. The worst it can do is mess up the user's documents.
A big deal is also that not even administrators run with administrative privileges. What? Yup, you read that right, and it is logical when you think about it. Most users are administrators on their machines, which means that they can mess up the entire system by mistake or by means of a malicious program. When an administrative task needs to be done, the user is asked for explicit permission. This is done by a window that runs at level 500, which means that it can be interacted with only from the keyboard and/or the mouse. No application or service can access it, since it is at an upper level (remember that the desktop is at level 300 and the services are at level 400). Of course this behaviour can be disabled, but I don't recommend it. Actually, administrators have a split security token: one with regular user privileges and one with the admin ones, which is granted only after that "pesky level 500 window" (namely the user at the keyboard) gives the OK. Also, if an application is known malware, that level 500 window will have only... the Cancel button. Handy, isn't it?
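The three paragraphs above describe one layered model: integrity levels with no write-up, per-service declared profiles, and the administrator's split token behind a consent window that only the person at the keyboard can answer. As an added example that is not part of the original post (and is not Windows code), here is a small Python model of those rules: it shows a user-level process being stopped by the level check, a service being stopped by its own profile even where the level check would pass, and elevation succeeding only with explicit consent and never for known malware. The level numbers follow the post's 0-500 scale rather than the values Windows actually uses, and the file paths, host names and process names are constructed.

```python
"""Toy model of the Vista protection layers described in the post.
Constructed illustration only; the level numbers follow the post, not Windows."""

from dataclasses import dataclass
from typing import Callable, Optional

# Integrity levels as named in the post: 0 is fully restricted, 500 is absolute power.
LEVELS = {"restricted": 0, "low": 100, "medium": 200,
          "user": 300, "service": 400, "admin": 500}


@dataclass(frozen=True)
class Resource:
    """Something a process may touch: a file, a registry key or a remote host."""
    name: str
    level: int          # integrity level the resource lives at


@dataclass(frozen=True)
class Token:
    """A security token; the admin half of a split token has is_admin=True."""
    user: str
    level: int
    is_admin: bool = False


@dataclass
class Process:
    name: str
    token: Token
    # Service hardening: a service declares upfront the files it writes and the
    # hosts it connects to. None means 'not a service', so no profile applies.
    allowed_files: Optional[frozenset] = None
    allowed_hosts: Optional[frozenset] = None


def integrity_allows_write(proc: Process, res: Resource) -> bool:
    """No-write-up: a process may write only at its own level or below."""
    return proc.token.level >= res.level


def integrity_allows_read(proc: Process, res: Resource) -> bool:
    """Read-up is permitted in the model the post describes."""
    return True


def service_profile_allows(proc: Process, res: Resource, action: str) -> bool:
    """Second gate: a profiled service is held to exactly what it declared."""
    if action == "write" and proc.allowed_files is not None:
        return res.name in proc.allowed_files
    if action == "connect" and proc.allowed_hosts is not None:
        return res.name in proc.allowed_hosts
    return True


def access(proc: Process, res: Resource, action: str) -> bool:
    """Both gates must pass: the integrity level first, then the service profile."""
    if action == "read":
        return integrity_allows_read(proc, res)
    if action in ("write", "connect"):
        return integrity_allows_write(proc, res) and service_profile_allows(proc, res, action)
    raise ValueError(f"unknown action {action!r}")


def elevate(filtered: Token, consent: Callable[[str], bool],
            app: str, known_malware: bool) -> Optional[Token]:
    """Swap the filtered user token for the full admin token, but only if the
    consent window (running at level 500, so only the person at the keyboard can
    answer it) says yes. Known malware gets a window with nothing but Cancel."""
    if known_malware:
        return None
    if not consent(app):
        return None
    return Token(filtered.user, LEVELS["admin"], is_admin=True)


def demo() -> dict:
    """Constructed resources and processes exercising both gates."""
    user_doc = Resource(r"C:\Users\ana\report.docx", LEVELS["user"])
    system_dll = Resource(r"C:\Windows\System32\example.dll", LEVELS["admin"])
    svc_config = Resource(r"C:\ProgramData\updatesvc\config.dat", LEVELS["service"])
    word = Process("winword.exe", Token("ana", LEVELS["user"]))
    svc = Process("updatesvc.exe", Token("svc", LEVELS["service"]),
                  allowed_files=frozenset({svc_config.name}),
                  allowed_hosts=frozenset({"update.example.invalid"}))
    return {
        "user_writes_doc": access(word, user_doc, "write"),           # own level: allowed
        "user_writes_system": access(word, system_dll, "write"),      # write-up: denied
        "user_reads_system": access(word, system_dll, "read"),        # read-up: allowed
        "svc_writes_own_config": access(svc, svc_config, "write"),    # declared: allowed
        "svc_writes_user_doc": access(svc, user_doc, "write"),        # level ok, not declared: denied
        "svc_connects_declared": access(svc, Resource("update.example.invalid", 0), "connect"),
        "svc_connects_other": access(svc, Resource("other.example.invalid", 0), "connect"),
    }


def elevation_demo() -> tuple:
    """Returns the level of the token obtained in three elevation attempts (None = refused)."""
    filtered = Token("ana", LEVELS["user"])        # the user half of the split token
    say_yes = lambda app: True                     # person at the keyboard clicks Continue
    say_no = lambda app: False                     # person at the keyboard clicks Cancel
    granted = elevate(filtered, say_yes, "setup.exe", known_malware=False)
    refused = elevate(filtered, say_no, "setup.exe", known_malware=False)
    blocked = elevate(filtered, say_yes, "dropper.exe", known_malware=True)
    return tuple(t.level if t else None for t in (granted, refused, blocked))


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'allowed' if allowed else 'denied'}")
    print("elevation (consent, refusal, known malware):", elevation_demo())
```

The point of running it is the `svc_writes_user_doc` case: the service sits at a higher level than the user's document, so the level check alone would let it write there, and only the declared profile stops it. That is the "two combined" effect the post describes.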
The firewall became bidirectional in Vista. That means that rules can be defined for outgoing connections too, not only for inbound ones. It also has direct, built-in IPsec support.
There are many more improvements; I will mention just one: the GINA is... gone!

The 3rd one was about the deployment of Vista. Here I will not go into details at all.

The 4th presentation was about Exchange 2007. The bad news is that it runs on 64-bit processors only. However, it can be evaluated on 32-bit ones too.
It comes with 5 possible roles: Edge Transport, Hub Transport, Mailbox, Client Access and Unified Messaging. The last 4 roles can be hosted on the same server. There are also 4 mailbox types: user, room, equipment and linked. I will not go into the details of those.
A big improvement is that users and groups can be created directly from the Exchange Management Console. Also, the new Exchange Server Shell (a command-line management console) can do everything the GUI can do (including deleting all mailboxes...).
Also, when Outlook Web Access (OWA) is used, all links to local servers are identified and the documents they point to are accessible to the user from wherever he/she is, all this over the Internet. OWA is implemented with AJAX technology and features auto-complete and fast searches.

The day ended with a Q&A session. Now let's see the two events from tomorrow...
