be-Id

XACML, or, why SAML is not sufficient

2011-10-05T14:42:00.001+02:00

For many, the title of this post may come as a surprise, because after all, SAML is used in many cases for authorization decisions in applications. But, if you are looking a bit closer at what is really going here, you will see that SAML won't give you authorization: at best it will give you the necessary elements such that you (or better said, your application) can make a decision for yourself: all that SAML will give you is a bunch of claims, which are not much more than attributes of a person that are being passed to the application after which the application is still doing the heavy lifting all by itself.

I personally think that XACML very nicely fills in that void. To quote wikipedia: (XACML) is a declarative access control policy language implemented in XML and a processing model, describing how to interpret the policies. Obviously, SAML won't give you this. If you would compare the two, I think it would be fair to say that SAML is much like hardwiring authorization into your application, which is very much what you would like to avoid when you want to decouple your application from authorization. I will agree that SAML is the perfect way to externalize authentication, not so much authorization.

If you want to have a high-level introduction to XACML, my friend Felix Gaethgens of Axiomatics is presenting tomorrow at Kuppinger Cole on this very subject (register here). For all the details on XACML, OASIS is the source.

Re-awarded Microsoft MVP for Forefront Identity Manager

2011-10-01T16:45:00.000+02:00

I'm proud to anounce that I have just received my confirmation e-mail: for the 4th year I am a Microsoft MVP for Microsoft Forefront Identity Manager 2010:

Dear Paul Loonen,

Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Forefront Identity Manager technical communities during the past year.

Also in this email:
About your MVP Award Gift
How to claim your award benefits
Your MVP Identification Number
MVP Award Program Code of Conduct
The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Toby Richards
General Manager
Community & Online Support

I want to acknowledge here the many people that have supported me: my family members, the MVP team and the DPE team over at Microsoft, my fellow MVPs, the winsec.be members, the Belgian IT-Pro community, my Avanade colleagues and I guess a couple more people that I am probably forgetting. Without all of these people, this would not have been possible.

One last thing: let's go for it one more year!

Usergroup collaboration - winsec.be and AZUG meet to discuss Identity-enabled apps in the Cloud

2011-09-30T11:16:00.002+02:00

Yesterday evening, I had the pleasure to be presenting together with Maarten Balliauw of AZUG, the Belgian User Group on Windows Azure, on how to identity-enable cloud applications. Of course, a large chunck of this was discussing Active Directory Federation Services (AD FS) and the Azure Appfabric Access Control Service (ACS).

The presentation can be accessed here:

Conclusion was of course that it is quite easy to build identity-enabled apps with the building blocks that Microsoft is offering us: ADFSv2, ACS and WIF. We did show how easy it is to build a scalable identity infrastructure and the steps needed to make applications integrate these building blocks and all this based on well-known industry standards.

Of course, a big thanks to Ordina to sponsor this event, enabling us to share the message!

BTW, winsec's next event (on October 27) will be around Forefront Identity Manager and reporting. More information on the winsec.be website. Registration for the event via this link.

Learning Resources - "Dive into the Summer" campaign

2011-08-02T11:53:00.000+02:00

With the nice weather these days in Belgium, you may want to look into some new learning resources available from Microsoft. These are part of the latest "Dive into the Summer" campaign launched a couple of weeks ago:

Virtualization
Desktop Deployment
Best of Techdays (Belgium) 2011

All of this goodness is available here.

Google, Privacy and GMail Man

2011-08-01T15:59:00.001+02:00

In an internal video, which now is also viewable via youtube, Microsoft is showing what is wrong with Google's popular GMail Cloud mail solution:

In short, if you value your privacy, you wouldn't use the service, as GMail is in fact analyzing the content of your mail in order to show advertisements. Which is something the competing Microsoft Office365 offering does not do. While Google's adds are contextual, Microsoft's aren't.

Windows IT Pro's Paul Thurrott presents a nice analysis here. I couldn't agree more, also with his suggestion to turn the video into a public add.

Community Day 2011 was good again

2011-06-24T18:20:00.000+02:00

As each year, Community Day was excellent. Great presentations, good interaction, and, last but not least, great food (@Gil: this year's food was a winner!). A worthy 5th aniversary edition. I'm really proud to be a part of this.

This year, I had the honour to present twice, as announced in a previous blog post. Until everything is posted on the Community Day website, you can access them from these links:

I hope to see everyone again next year, at an even better Community Day 2012.

Next up: Community Day Belgium 2011

2011-06-20T23:09:00.000+02:00

As slowly is becoming a tradition, I will be speaking at the Belgian edition of Community Day 2011 on June 23rd, an action packed day full of presentations hosted by the Belgian Microsoft User Groups.

This year, I'm going to be presenting two sessions:

Protecting Your Infrastructure using Microsoft Forefront Endpoint Protection 2010
Securing your Cloud

Presentations will be available here after the show and via the Community Day Website.

Registrations, agenda and the like are at the Community Day Website. Oh, and by the way, you can win your ticket to Microsoft Build event, hosted coming September in Anaheim, CA.

See you there!

End of the road for Forefront Threat Management Gateway?

2011-06-09T14:58:00.006+02:00

I happened to get access to Gartner’s Magic Quadrant for Secure Web Gateway courtesy of Websense. Obviously, I was interested to know how my favourite company located in Redmond, WA was doing with their TMG offering. Big was my surprise to notice that Microsoft is not represented anymore in this Magic quadrant. The reason comes a little bit later in the report, where we can read:

"Microsoft has informed Gartner that it does not plan to ship another full version release of its SWG product, the Forefront Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates; the next one, SP2, is planned for 3Q11. Microsoft will also continue to support TMG for the standard support life cycle - five years of mainstream support and five years of extended support. ... "

Obviously, this some bit of bad news. Not only is TMG a decent product that fits the bill for many Microsoft customers, but also one has to wonder what Microsoft's (edge) security strategy is and how it is going to evolve. I guess we'll have wait for Microsoft to come out with a public statement until which time we can only guess ...

BTW, if you can't access the Gartner report via the link I have provided above, this link should work.

Are you desperate to get NoDo on your Windows Phone 7 device?

2011-03-31T17:12:00.000+02:00

Well, the wait is over! I can confirm that the "hack" published at neowin.net works perfectly for me. As I'm writing this, my phone is being updated ...

To re-iterate the steps:

Start Zune
Turn off Data connection and Wifi on the Phone
Connect the Phone with the PC (USB)
Start the update search in Zune
About 3 seconds later, disconnect your PC from the internet (Turn WLAN off / unplug your network cable).
Zune finds NoDo-Update. Press OK.
Connect to the internet again and install the update.

Security Compliance Manager (SCM) v2 CTP available

2011-03-13T17:43:00.000+01:00

For those SCM fans out there, exciting news: Microsoft just released a CTP of SCMv2. The most important new feature is the ability to import a GPO backup and associate that imported GPO against a product. Another new feature is the ability to use an existing installation of SQL Server (2005 or later) instead of the SQL Express version that was forced until now.

While the current CTP is not yet feature complete, Microsoft expects a feature complete version for a April/May beta release.

You access the CTP by registering here.

SSO from your Enterprise AD to a Windows Azure application

2011-03-07T18:17:00.001+01:00

Following up on my TechNet Live session of last month. Just discovered a nice whitepaper by Vittorio Bertocci and David Mowers that contains step-by-step instructions for using WIF, Azure and ADFSv2 for applications that are deployed both on premises and in the cloud. You can find the downloadable version here.

If you are interested in more AD FS 2.0 step-by-step instructions, you can find this here.

Taking your Identity to the Cloud - presentation available now

2011-02-28T21:20:00.000+01:00

As promised previously, I would make my presentation talking about taking your Identity to the Cloud available.

So, here it is:

Identity Management in the Cloud

2011-02-20T22:18:00.000+01:00

Next Thursday (on February 24th to be precise), I'll be presenting for TechNet Live in Belgium how to extend your Enterprise Identity to the Cloud (register here for the Dutch language session and here for French language session), focussing on what Microsoft has to offer. Topics include Active Directory, Windows Azure ACS and Forefront Identity Manager 2010.

To get your copy of the presentation, please check back here after Thursday!

Microsoft U-Prove Community Technology Preview R2

2011-02-18T12:16:00.002+01:00

I'm really very excited about this one - when I'm thinking about it, the perfect Valentine present. It had been a while since the first Community Preview of U-Prove, available via Microsoft's connect website. As you will remember, U-Prove is an advanced cryptographic technology that, combined with existing standards-based identity solutions, overcomes this long-standing dilemma between identity assurance and privacy. This unlocks a broad range of scenarios that have historically been out of the reach of both the private and public sectors - cases where both verified identity information and privacy are required.

At the core of this technology are the so-called U-Prove Agents. These agents are intermediaries between websites and allows users to share their personal information in a way that helps protect their privacy. U-Prove Agents exist explicitly to represent the users’ interests in choosing to share (or not to share) their personal information with sites on the Internet.

Specifically, the Agent provides a mechanism to separate the retrieval of identity information from trusted organizations from the release of this information to destination sites. The underlying mechanisms help prevent the issuing organizations from tracking where or when this information is used, and to help prevent different destination sites from trivially linking users’ actions together.

The Agent is composed of a cloud-hosted service and optional client components. The cloud-hosted Agent can be used with all major browsers on Windows, MacOS, and several smartphones. The first optional client component is a Silverlight component which enables local storage of U-Prove tokens and enhances the privacy and security for the user. The second optional component is an IE plugin that looks for a U-Prove Agent object tag in the RP page and manages the launch of the Agent to ensure the user‘s choice of agent, if one was made, is respected. A second variation of the IE plugin that provides access to a smartcard for the purposes of two factor token binding is also available.

For the R2 CTP, available via the link mentioned above, Microsoft delivers a new documentation set, WIF Extensions that allow .NET developers to build applications that support the U-Prove token and protocols and a RP Toolkit, which contains a set of templates for Visual Studio for developing claims-aware ASP.NET applications with U-Prove capabilities.

Bitlocker Administration and Monitoring solution coming to MDOP

2011-02-17T22:45:00.002+01:00

Just stumbled over this one: Microsoft just announced MBAM, or, Microsoft Bitlocker Administration and Monitoring, which will be part of the Microsoft Desktop Optimisation Pack (MDOP). MBAM promises to be an enterprise solution for Bitlocker provisioning, monitoring and key recovery, a solution that is dearly needed to help enterprises securing their increasingly mobile workers.

Microsoft promises a beta version will be available in March 2011.

More information to be found here.

Getting started with the Security Compliance Manager (SCM)

2011-02-01T14:01:00.000+01:00

The SCM has always been one of my favourite tools. If you have been hesitant to get started with it, you can turn to this excellent guide, that gives you all the details on how to implement this wonderful tool in an easily digestable way.

Go harden your infrastructures!

Security Compliance Manager Setting Packs for Windows 7 and Internet Explorer 8 released.

2010-11-12T11:21:00.001+01:00

A common problem with the Security Compliance Manager (SCM) baselines released by Microsoft is that not all settings that you could implement using Group Policy are available in the baselines. You would be able to solve that if you could add settings to existing baselines, or, if you could create your own baselines. Alas!

While not a complete solution, Microsoft has released so-called "setting packs" that at least allow you to partially overcome this problem. The setting packs include the basic information required by the SCM tool to define custom baselines that you can use to create GPO backups, DCM configuration packs, and SCAP content. While you still cannot create baselines for products for which no setting pack is released, at least you can build your own baseline via the setting packs that Microsoft makes available.

For now, setting packs are released for Windows Server 2008 R2, Windows 7, Office 2010 and for Internet Explorer 8. The setting packs for Windows 7 and IE8 are new releases. Let's hope Microsoft soon releases setting packs for the other Products for which baselines are available.

Security Compliance Manager is available at http://www.microsoft.com/scm.

FIM 2010 SDK Available for download

2010-08-06T14:01:00.000+02:00

Microsoft have just made available the FIM 2010 SDK documentation available for download as a separate .CHM files. You can find the download here. Three separate files are made available:

ForefrontIdentityManager2010SDK_FIMCertMgmt.chm
ForefrontIdentityManager2010SDK_FIMService.chm
ForefrontIdentityManager2010SDK_FIMSyncService.chm

The documentation provided is the same as the documentation you would find on MSDN, but is of course nice when you are working in your little lab that has no internet connectivity when you need it ...

As a sidenote - this means that you would be able to generate the CHM files yourself: there is a small tool available on Codeplex, called "Package This", that does exactly this. More info on PackageThis is available here.

Updated Security Baseline for Windows Server 2008 R2, Setting Pack for Security Compliance Manager

2010-07-30T18:48:00.000+02:00

As already mentioned in my previous post, Microsoft released a security baseline for Windows Server 2008 R2.

We are not even 2 weeks later and already do we find a new beta of this package. This was announced today. New in this beta is that it now includes a setting pack.

This is what Microsoft has to tell about this "setting pack":

Since the release of the Security Compliance Manager (SCM) tool, one of the most frequent requests has been to add all of the available Group Policy settings to the Microsoft security baselines so that you can access them in the SCM tool. While our baselines include hundreds of settings, there are hundreds of additional settings available in Group Policy. In response to this request, the team created setting packs. The setting packs include the basic information required by the SCM tool to define custom baselines that you can use to create GPO backups, DCM configuration packs, and SCAP content. You can learn more about setting packs on the program description page.

Microsoft also announced that it is working on the following baselines and setting packs that would be shipped soon after the Windows Server 2008 R2 baseline ships:

Exchange 2007
Office 2010 with a setting pack
SQL Server 2008 and 2008 R2
Setting packs for Windows 7 and Internet Explorer 8

As mentioned in my previous post, more information and information on how to participate in the beta can be found on Microsoft's connect website.

Security Baseline for Windows Server 2008 R2

2010-07-15T10:30:00.000+02:00

If you followed my talk at Community Day 2010 ("The ABC of SharePoint Security"), you will remember that one of the elements I mentioned for securing your SharePoint server was the implementation of the Microsoft Security Compliance Manager Toolkit (SCM). You'll find more information about the SCM here. Of course, when you are working with the latest and greatest (Server 2008 R2, SharePoint 2010), some crucial elements are still missing. Microsoft is now filling in one of the gaps by releasing a beta of the Security Baseline for Windows Server 2008 R2, which is now available via Microsoft's connect web-site. If you are not yet a member of the relevant beta program, you can simply sign up here.

My favourite Outlook 2010 feature

2010-06-30T15:11:00.002+02:00

Maybe this also happens (or happened?) to you: Outlook 2010 becoming unresponsive with the only way to get it going again is to kill the process and restart it.

In my case this was apparently caused by some Outlook OST/PSTcorruption that, in the end, is easy to fix: Outlook 2010 contains a nifty utility called SCANPST. You find this tool in the Outlook14 folder contained in your Microsoft Office folder. When called to the rescue, as it's name gives away, it will scan your PST or OST file and fix any problems in the file. You might need multiple passes to get rid of all corruption, but, in the end, I got my Outlook back and I am once again a happy camper!

With this problem fixed, I can start looking for my next favourite Outlook 2010 feature :-)

Solution Accelerator for FIM 2010 deployment available

2010-06-30T10:06:00.000+02:00

Microsoft has established a long tradition in delivering guidance for the deployment of all kinds of infrastructure building blocks. The latest such building block is the FIM 2010 Infrastructure Planning and Design Guide.

This guide describes the process of planning a Forefront Identity Manager infrastructure. It addresses the following fundamental decisions and tasks:

Defining the project scope by identifying which FIM features will be needed and the connected data sources and user population in scope.
Mapping the features and scope into the FIM server roles that will be required.
Designing the infrastructure for the FIM Synchronization Service, FIM Service, and Certificate Management.
Designing the placement and fault tolerance of the supporting SQL Server databases.

Following the instructions in this guide will result in a design that is sized, configured, and appropriately placed to deliver the stated business benefits, while also considering the performance, capacity, and fault tolerance of the system.

This guide addresses the scenarios most likely to be encountered by someone designing a FIM infrastructure. Customers should consider having their architecture reviewed by Microsoft Customer Service and Support prior to implementation as that organization is best able to comment on the supportability of a particular design.

Other Infrastructure Planning and Design Guides can be found here.

Upcoming Forefront solutions webcasts

2010-06-21T10:09:00.000+02:00

There are some great opportunities coming up the next couple of days to learn about Forefront solutions:

TechNet Simulcast: Forefront Virtual Event
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032454002&Culture=en-US

Register for the Forefront Virtual event on June 23rd and 24th to hear from the product team, ask questions and see great technical demos on FEP, FIM, TMG, UAG, FPSP, FPE, FOPE, and ADRMS + Exchange.

Deployment Webcasts

6/28/2010 11:00:00 AM -Deploying a Microsoft Identity and Access Management Solution (Level 300)
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453697&Culture=en-US

6/30/2010 8:00AM Best Practices for Deploying a Microsoft Secure Collaboration Solution (Level 300)
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453700&Culture=en-US

6/22/2010 12:00PM Using a Microsoft Information Protection Solution with RSA Data Loss Prevention
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453692&Culture=en-US

6/22/2010 9:00:00 AM - TechNet Webcast: Deployment Best Practices for Information Protection
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453503&Culture=en-US

6/16/2010 10:00:00 AM - Enabling Secure Messaging – FOPE Deployment Best Practices
https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032450259&EventCategory=4&culture=en-US&CountryCode=US

ILM Knowlege Bit Collection and ILM Experts Corner

2010-06-08T23:27:00.000+02:00

Today the ILM Knowledge Bit Collection (which I own) and the ILM Experts Corner (which is owned by fellow MVP Peter Geelen) went life on the ILM TechNet forum. The purpose of the Knowledge Bit collection is to collect all possible pieces of wisdom that people have gathered over the years while developing ILM solutions and make everybody's lives easier along the way. The ILM Experts Corner is a forum for discussion with ILM SME's.

Of course, contributions to both are requested. So, if you still have some pieces of MIIS, IIFP or ILM wisdom lying about, please contribute! When you contribute, please drop me a line such that I can add your contribution to the catalog page!

Microsoft Business Ready Security - Lab and Demo environment available!

2010-05-20T22:37:00.001+02:00

For those wanting to play with all of Microsoft's security solutions, Microsoft has released a new demo playground. You can find the download here.

Included are Virtual Machines (available only for Hyper-V, of course) and labs for

FIM 2010
AD FS
AD RMS
UAG
TMG
Direct Access
Forefront Protection for Exchange

What a shame the cold winter nights are over ...

Registration for Community Day 2010 is open!

2010-05-11T10:40:00.000+02:00

Register yourself for this free event at the Community Day website. The agenda for the event is now also available on the website. See you all there!

Belgian Community Day 2010 announced

2010-05-07T22:05:00.001+02:00

Community Day is back with the Fourth Edition of this annual community event on Microsoft technologies!

Fourteen Microsoft User Groups combine their efforts to organize this unique networking and knowledge sharing event. With so many new releases from Microsoft, the theme of Community Day 2010 is of course 2010: a new wave of products and technologies. This means that most sessions will be looking at Visual Studio 2010, Silverlight 4, Office 2010, SharePoint 2010, SQL Server 2008 R2, OCSR2...

Microsoft Community Day will take place on Thursday 24th June 2010 in Utopolis, Mechelen, where we will bring together over 300 IT Pro’s and developers. Save the date!

More information is available at http://www.communityday.be/.

Of course, winsec.be will be present. I will be presenting one of the many Microsoft SharePoint sessions: "The ABC of SharePoint security" which is of course suiting for winsec!

This is the abstract for my session:

SharePoint is hot in the market. This fact will also get the attention of the bad guys! Therefore, it is wise to think seriously about securing your SharePoint infrastructure. This session takes you through all the steps you need to take to arrive at a SharePoint configuration that can withstand the bad guys and then goes one step further …

Sorry everyone, this year no FIM 2010 session at Community Day. However, I promise to make up for this by presenting a number of TechNet live events to be announced in the coming weeks. Stay tuned!

Ellen loves her iPhone

2010-05-06T22:50:00.001+02:00

This one is hilarious. American comedian Ellen Degeneres created her parody of an iPhone 3GS commercial:

I just wonder when Steve J orders YouTube to remove this video...

BTW. Can't wait to get my Windows Phone 7 Series phone. A nice PowerPoint and video can be found here. Just search for Charlie Kindel when you're there.

We are so open we won't support Flash

2010-05-03T21:57:00.001+02:00

Apple is surpassing Microsoft in at least one way. Many people have touted Microsoft as being the Dark Side, but Apple is proving right now it is better at this and is even darker! Of course, I cannot be accused of being an Apple fan, though I will admit they build some great pieces of hardware. The point I want to make? Just have a look at this on Apple's website and conclude for yourself. The question remains: why is Apple and it's supreme commander picking on Adobe and Flash? No doubt, to be continued...

Everything you ever wanted to know about Kerberos ...

2010-04-26T22:52:00.000+02:00

... can be found here. Mainly as a note-to-self, but of course everyone can profit from this superb reference.

The importance of user-friendly technology

2010-04-12T16:25:00.000+02:00

In his newsletter, Dave Kearns repeated his old mantra "the technology is easy, it's the people that's hard." where technology stands for SSO, Self-Service Password Management, Multi-Factor Authn and whole lot of other technologies in the Identity realm.

I would go one further on this one. I think it is not so much the people that are hard (some people may be of course ;-) ). I would much rather say, "the technology is easy, mostly people are easy as well, most of the time technology is badly explained to people." Or even, us in IT seldom listen properly what people want. Which is usually a simple solution that most people could grasp in a couple of minutes and understand why they would want to use them and not the complex solutions most of us in IT come up with.

I couldn't agree more with those in the industry that go for simple solutions that people simply want to use!

Microsoft releases Security Compliance Manager

2010-04-08T10:48:00.000+02:00

Micrsoft released the Security Compliance Manager solution accelerator to the web. You can find the download here. More information is available here.

The Security Compliance Manager will help you accelerate knowledge to merge best practices, customize once to centralize decision making, and export to multiple formats to enable monitoring, verification, and compliance. The tool is designed to help accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.

This end-to-end Solution Accelerator will help you plan, deploy, operate, and manage your security baselines for Windows® client and server operating systems, and Microsoft applications. Access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple formats—including Desired Configuration Management (DCM) packs, Security Content Automation Protocol (SCAP), XLS, or Group Policy objects (GPOs)—to export the baselines to your environment to automate the security baseline compliance verification process.

Microsoft Belgium's Luc Van De Velde announces the Microsoft 1Pad at Techdays 2010 Belgium

2010-04-01T21:52:00.003+02:00

In a surprise move, Microsoft Belgium's Luc Van De Velde announced the "Microsoft 1Pad" slate computer during the Belgian edition of the Microsoft Techdays 2010. And no, this is not an April fool's day joke: the keynote took place yesterday!

You can view yourself the video captured at the event. If you are the impatient type, you can fast forward to 3'30":

What Luc is showing is an old 2003 Compaq TC1100 running Windows 7, running all of it's applications rather well, including the Google Kindle application, video and the like. Thanks again for showing once more that what Apple is doing, is not really very innovative: they are 7 years behind the competition ...

BTW, if you are looking for the 2003 CNET review of the device Luc is talking about, you can find it here.

How unique is Your browser?

2010-03-30T22:06:00.003+02:00

Theory says that if you have enough data points, anything can uniquely be identified. This theory has in the past been applied to marketing and advertising, resulting obviously in alarming privacy issues.

Turns it, the same kind of game can be played with your browser. There is a nice little experiment being ran at the "Electronic Frontier Foundation" or EFF, called "Panopticlick" that aims to show how unique - and trackable - your browser is. Go ahead! Click the link and check for yourself.

This is what I got when I tested my browser: out of 770,962 browsers tested so far, these are some of the characteristics of mine:

This was after running the test twice on the same computer: I couldn't believe that the User Agent on my laptop was so unique that noone had ever had the same value. Sure, enough, after I ran the test a second time, the value was devided by two. Next test will be after I build my machine twice using Microsoft's Deployment Toolkit 2010 (which is great BTW) - am I still going to have uniquely identifiable browsers after that?

If you ask me: frightening stuff, especially considering that all of that can (and is) collected anonymously. Imagine what the authorities could do once they start matching browser fingerprints and people!

So far for being anonymous on the net!

ADFS for Dummies

2010-03-22T23:19:00.001+01:00

If you want to learn about Active Directory Federation Services, head over to Aaron Lademann's SharePoint blog, who has a really nice explanation of how all of this works.

Less for dummies is "Claims-based Identity and Access Control Guide" , posted over at Matias Woloski's blog. You'll find pointers to the book and the code samples (on MSDN).

Forefront Identity Manager presentation at Infosecurity.be

2010-03-20T12:51:00.001+01:00

For those in security in Belgium that would be interested in hearing about Forefront Identity Manager 2010, I will be presenting during Infosecurity on March 25th. You'll find me at Microsoft's booth.

The presentation can be downloaded here.

Kim Cameron to receive Honorary Doctor of Civil Law

2010-03-20T12:46:00.000+01:00

Anyone who does anything in Identity knows Kim Cameron. For many, Kim is (one of) the founding father(s) of what is today known as Forefront Identity Manager 2010. Even more important are Kim's seven laws of Identity.

In this post, I spotted the following:

The University of King's College is pleased to announce that will be Kim Cameron distinguished with an Honorary Doctor of Civil Law at its Encaenia Ceremonies on Thursday, May 20, 2010 at the Cathedral Church of All Saints in Halifax.

Kim Cameron is Chief Architect of Identity in the Identity and Security division at Microsoft and is widely considered a leader on identity issues. He has won numerous awards for his work including Digital Identity World's Innovation Award and was named as one of Network World's 50 Most Powerful People in Networking, both in 2005. Cameron graduated from King's with a bachelor's degree in physics and math at age 19. He developed his hacking skills while working on a master's degree of physics at King's and Dalhousie and moved on to study philosophy in Paris. In 1970 he started a doctorate thesis in computing and social phenomena at the Université de Montréal but was lured away by an equally fervent passion for music. By the mid-70s, he had joined the band Limbo Springs as lead guitarist, and the band eventually became the house act at Toronto's legendary Cheetah Club. While in Toronto, Cameron developed an interest in the microcomputer and was soon running the academic computing centre at George Brown. Along with a colleague he pioneered a meta-directory called Zoomit that they sold to Microsoft in 1999. In 2003 he went public with a technology he developed called InfoCard, which lets users control their identity information and is now a cornerstone of Microsoft's identity strategy. Cameron will be receiving an Honorary Doctor of Civil Law.

I would say, well deserved Kim!

BTW, don't go looking up Kim Cameron on wikipedia - you'll find an entirely different Kim Cameron there ... the above description could serve as a nice start for creating that entry!

U-Prove CTP available

2010-03-20T12:33:00.000+01:00

Just spotted this on the "Geneva" team blog:

U-Prove is an innovative cryptographic technology that enables the issuance of claims in a manner that provides multi-party security: issuing organizations, users, and relying parties can protect themselves not just against outsider attacks but also against attacks originating from each other. At the same time, the U-Prove technology enables any desired degree of privacy (including authenticated anonymity and pseudonymity) without contravening multi-party security.

Given these user-centric aspects, it comes as no surprise that we have integrated the technology into the identity metasystem, and in particular, using information cards. Users can now obtain information cards protected by U-Prove and present them 1) with higher privacy guarantees, and 2) without online connectivity to the identity provider when interacting with relying parties. The U-Prove technology helps realize the vision set forth by the laws of identity.

To encourage experimentation and gather feedback on the technology, the following software components are made available as part of the U-Prove CTP
Windows Identity Foundation Extension (U-Prove CTP): an extension to WIF that provides the ability to build a custom Security Token Service (STS) for U-Prove token issuance (for identity providers), and the ability to verify U-Prove token presentations (for relying parties).
Active Directory Federation Services 2.0 (U-Prove CTP): a U-Prove enabled version of AD FS 2.0 that has the ability to issue an information card that supports U-Prove; and that can act both as a U-Prove identity provider (IP-STS) and a relying party (RP-STS).
Windows CardSpace 2.0 (U-Prove CTP): a U-Prove enabled version of Windows CardSpace 2.0 that has the ability to obtain, store, and present U-Prove tokens associated with an information card.

Try it out, and let us know what you think!

The U-Prove team

Downloads & Links

Get the U-Prove CTP: http://www.microsoft.com/uprove

Watch the U-Prove videos:
Announcing Microsoft’s U-Prove Community Technical Preview (CTP)
U-Prove CTP: A Developer’s Perspective
Deep Dive into U-Prove Cryptographic Protocols
Learn what Microsoft’s U-Prove release is all about

Recording available for the first IT-Pro Chalk-Talk

2010-03-12T22:14:00.000+01:00

As mentioned before in this post, winsec.be, IT-Talks and pro-Exchange held their first IT-Pro Chalk-Talk in Belgium. The recording of this can now be watched here:

Warning: the audio is in Dutch.

Enjoy!

mySQL Extensible MA for MIIS/ILM

2010-03-09T23:06:00.000+01:00

This is a recurring request on Microsoft's ILM forum. So, I put a link to the source here such that folks can get to it without needing to ask. To make everything work, don’t forget to download the SQL.NET Connector from http://dev.mysql.com/doc/refman/5.0/en/connector-net.html as well. Oh, and if you came here through the ILM forum, mark that post as helpful to bump it up the list.

All this of course with thanks to the original author (whoever you may be - if you stumble on this, please leave a comment such that I can credit you properly!)

Recovering from a Kerberos Token Bloat Attack

2010-03-08T22:55:00.003+01:00

Last week, as announced in this post, we had our first IT Pro Chalk-Talk session, organized by the Pro-Exchange, IT-Talks and winsec.be Microsoft community groups.

One of the questions asked was arround token sizes. You know, how large a token can become, how many groups can be accomodated in a Kerberos Ticket and the registry key required to set the maximum token size. All this is fairly well documented on Microsoft's TechNet website.

Also relatively well-known is the tokensz utility that can be used to troubleshoot Kerberos token size related problems.

Less known is what is called a "Token Bloat Attack". A Token Bloat Attack is a kind of Denial of Service attack against your Active Directory Service. This happens when all users (including the default Administrator) are members of more groups than the Kerberos ticket can accomodate (which is 1015, give or take a few depending on e.g. the FQDN of your Windows domain). When a user is a member of more than this number of groups, the Active Directory will refuse to let him log on because not all group memberships can be evaluated, including membership that would deny access to certain resources.

When this happens, the question arizes how to recover from this situation. One might think that restoring the AD from backup would work. However this is usually not the case: usually, extra groups were created to execute the attack. After a restore (and after AD replication), these groups would still be present and users would still be members of these groups.

So, how to recover if you can't restore AD? Fortunately, Microsoft left a simple way to recover: you simply need to restart a DC in the domain using the Safe Boot option (not the Directory Services Restore Mode!). In Safe Mode, AD is loaded and the default Administrator can log on (even if the account is member of too many groups or when the account is disabled)! Of course, after logging on, the Administrator can remove the offending groups in the regular way (using Active Directory Users & Computers or any other way), and life is well ...

Forefront Identity Manager 2010 released!

2010-03-02T10:55:00.003+01:00

Today, Microsoft released FIM2010! In a press release that can be found here, Microsoft outlines progress toward a safer, more trusted Internet. The evaluation download can be found here, while TAP and RDP customers can download a full version from Microsoft's connect website. The release was officialy announced today during the keynote that was delivered by Scott Charney at the RSA Conference. This effectively ends a period of many delays and frustration over these delays. I'm happy that we finally can move on and start implementing this promising product at our customers!

During the same keynote, Scott Charney also shared details about Microsoft's U-Prove technology, which it acquired from Credentica back in 2008:

U-Prove is an innovative cryptographic technology that enables the issuance and presentation of cryptographically protected claims in a manner that provides multi-party security: issuing organizations, users, and relying parties can protect themselves not just against outsider attacks but also against attacks originating from each other. At the same time, the U-Prove technology enables any desired degree of privacy (including authenticated anonymity and pseudonymity) without contravening multi-party security. These user-centric aspects make the U-Prove technology ideally suited to create the digital equivalent of paper-based credentials and the plastic cards in one's wallet.

Further details and related downloads can be found here.

Putting missing kids on your 404 page

2010-02-25T20:03:00.001+01:00

Every now and then, you stumble upon a great idea. This post on "the other side of the moon" did that for me - why didn't I think of this! Simply put, the author suggests leveraging your 404 pages to find back missing kids. While the code presented works in the US and Canada and is geared towards Apache, it should not be too hard to make it work anywhere in the world for all kinds of web platforms...

ILM MVP Brian Komar publishes free eBook on FIM 2010 Certificate Management

2010-02-23T21:38:00.001+01:00

Just discovered this free title by fellow MVP Brian Komar. From the cover:

This technical book for information security professionals gives an introduction to Microsoft Forefront Identity Manager 2010 (FIM) and how to protect a FIM 2010 Certificate Management Server (CM) with Thales hardware security modules (HSMs).

Highly recommended!

First IT-Pro Chalk-Talk in Belgium

2010-02-23T21:24:00.000+01:00

On Thursday March 4th, winsec.be organizes together with the Pro-Exchange and IT-Talks a first "Chalk-Talk" event.

At this event, a group of Belgian MVP's and experts help analyze the public's IT architecture problems. Solution areas tackled are:

Exchange Server
Office Communications Server
Active Directory
Security
General networking TCP/IP
Group policies

Registration and practical information at http://itprochalktalk.eventbrite.com/.

my First

2010-02-22T23:29:00.000+01:00

Now isn't that classic. Somebody setting up a blog. This looks mighty empty, doesn't it? So, there comes the inspiration of writing the first post. Now let's make this easy. What will I be writing about? Anyone who knows me, knows also a bit about my passions, which are ... ok, technology mostly, more particularly Identity and Access Management, which is also what earned me my MVP for Microsoft Identity Lifecyle Manager. Most of my ramblings will be about Forefront Identity Manager 2010, the upcoming Microsoft entry in the IAM market (launched pretty soon now). Other things of course as well. Bits about security, bits about making life easier with technology. Bits about what I do outside technology (pretty boring actually, but, we'll see where this gets me). In any case, enough for a first post...