In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four days.

What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:

1) Endpoint security, application control and whitelisting. Microsoft is causing significant disruption in this market with its new version of Forefront Endpoint Protection and its change in licensing policies.

2) Strategies for protection against Advanced threats (note that this overlaps with #1 a bit)

3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?

4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.

Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.

In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. Cloud is a computing style, not a location. It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security to a set of software-based services delivered by programmable infrastructure. I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time imagining firewall services decoupled from the physical hardware underneath and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical.

If you follow my thoughts from the conference on twitter (@nmacdona), you’ll see some of the feedback on my context-aware security presentation.Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.

As I have discussed previously many times, all of information security is becoming context-aware and adaptive and this attribute will be a key characteristic of all next generation security offerings (IPS, FW, endpoint protection, IAM, DLP, and so on).

Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending Gartner’s upcoming US Data Center summit in December in Las Vegas and we can catch up there.

Like Windows 7, Windows 8 will continue to raise the bar in terms of security capabilities of the base OS. Here’s a list I compiled of the new capabilities:

• Antimalware protection built into the OS – basically Microsoft’ Security Essentials (beyond just Windows Defender included with Windows 7)
• Earlier loading of security protection in the boot process to thwart rootkits and other boot-level malware
• File reputation services (SmartScreen) – was included with IE9, now expanded to protect the entire OS.
• Root of trust measurements of the OS based on UEFI – if we need this for hypervisors, why not all OSs? Microsoft has had something similar with BitLocker using TXT and has now extended this to all versions.
• Windows Refresh – to restore Windows back to a known good state, while preserving end user personalization, enabling Systematic Workload Reprovisioning.
• Windows now supports boot from USB – quite useful in specific scenarios. Combined with BitLocker and root of trust measurements, this becomes a way to place an unknown terminal device into a high assurance state.

For the new “Metro Style” side of Windows 8 (the WinRT side), it is clear that the security model of Apple and the iPhone/iPad has had an impact:

• Reduced rights and strengthening of mandatory integrity controls of the OS.
• Metro-style applications can only be delivered through the Microsoft application store which now includes security testing (a form of implicit whitelisting).
• Sensitive API access is proxied through a security policy enforcement mechanism which validates the application’s right to use them
• “Picture Password” as a touch-native way of authenticating yourself to Windows 8

Overall, Windows 8 provides evolutionary – not revolutionary — improvement in security capabilities and raise the bar in terms of what an OS should deliver in terms of security protection.

I’ve talked about this several times before – including here, here and here.

While it may not be feasible to remove administrator rights from all users, it is an absolutely achievable goal to continue to improve the percentage of Windows users running without administrator rights year over year for the foreseeable future. Make this your goal for 2012.

Case in point – I talked with a client today that had removed administrator rights from 90% of their users. This is a noteworthy achievement as they are only in the planning process of migrating to Windows 7. They had achieved this on Windows XP and for large numbers of XP-based laptop users. Impressive.

Better yet, I worked with this client on a strategy to move this to 95-97% using the migration to Windows 7 as a catalyst for further improvements – some coming from improvements in the Windows OS (like a new printer driver model) and some coming from the selective use of a third party tool for Windows privilege management.

If you are struggling with malware infestations and are considering switching out vendors, take a look first at removing administrator rights. For Gartner clients, I’ve outlined the best practices for achieving this in this research document.

Remember, if done correctly, removal of administrator rights does not have to equate to “lockdown”.

Full drive encryption should be considered mandatory for laptops and most organizations have implemented this – either with Windows 7 and BitLocker, by adding encryption into their endpoint protection platform contract or by purchasing a point solution.

However, there are several use cases where the use of FDE makes sense for fixed desktops:

1) For areas where physical security is lacking and there is a risk that the hard drive and/or physical machine may be stolen

2) For defense in depth as machines are retired to ensure that data is wiped completely. By ensuring that the key is destroyed, access to the data is impossible. Without the keys, they don’t have your data. This would supplement (and potentially replace) any manual wiping that is performed as machines are returned/retired/recycled/destroyed.

3) For protection of images in transit being shipped to remote locations – for example to remote offices.

With advances in hardware processing making the overhead of FDE nearly negligible and with the significant downward pricing pressure in the market (in the case of BitLocker. “free” if you are purchasing Software Assurance on the Windows OS), FDE may make sense for many of your fixed desktops as well.

If you are licensed under Microsoft’s Core Client Access License program, it now includes CALs for Forefront Endpoint Protection. For many organizations that are already licensed under Core CAL, this means that FEP is essentially “free”.

I’ve been getting dozens of inquires from large and small organizations in the last 6 weeks on whether or not Forefront makes sense for them. However, “free” doesn’t mean no cost. First, you have to be licensed under Core CAL. Second, you have to consider the cost of deployment and testing as well as the cost of removing whatever you have in place. Also, Microsoft has no solution for non-Windows platforms (as you might expect) and many organizations will be forced to use another type of solution to protect these systems.

There are many other pros and cons which I go into detail for clients in this research note that I just published:

Microsoft’s Forefront Endpoint Protection: Good but not Great

For some organizations, FEP will be a good solution. For others, it will be a not be a good fit. Which are you?

Does this mean that IT Operations and Security are converging?

I believe “convergence” is too strong of a word to describe what it going on. Convergence implies that one or the other goes away. That isn’t the case here. IT Operations and Information Security are like Ying and Yang. A healthy but necessary tension exists between the two.

While there may be convergence of the infrastructure underneath that carries bits out to the endpoints (in this case, the SCCM servers and agent), this shouldn’t be confused with convergence of policy administration. In other words, while the operational infrastructure might be used to deploy and update the policy enforcement mechanism (the Forefront agent in this case), this doesn’t mean that the need for separation of duties of policy administration has gone away. Leveraging operational infrastructure for security policy enforcement makes sense as long as separation of duties is maintained.

“Integration”, Interoperability” and “Reducing redundant infrastructure” are much better ways to describe what is happening – and it’s not just with the security and management of endpoints that this integration and leveraging of common infrastructure is happening.

• Standard users can install and execute well-written software on XP and Windows 7. For example Google’s Chrome and Firefox install just fine when users don’t have administrator rights.
• With Windows 7, standard users can install printer drivers.
• With Windows 7 and AXIS (Microsoft’s ActiveX Installer Service), standard users can install ActiveX controls that conform to policy within Internet Explorer.
• With Windows 7, standard users can now perform most of the standard day-to-day Windows functions that they couldn’t do on Windows XP including such things as changing time zones, changing monitor resolution, looking at (but not changing) firewall configuration, renewing a DHCP address and so on.

Net/Net – removing administrator rights from Windows users is not “lockdown”. This leads to two pieces of advice:

1) If you are removing administrator rights during the migration to Windows 7, don’t call this “lockdown”. For some reason, the term “lockdown” rubs users the wrong way.    As an alternative, how about telling users they are receiving a “security-enhanced desktop”? Seriously, they aren’t administrators on their iPads or iPhones and you don’t hear too many complaints. We can achieve a similar outcome on Windows. For some situations, a third party tool for privilege management may be needed, but it can be done.

2) If you truly want a “locked down” environment where users cannot extend their workspace, you’ll need additional policies and controls to implement this such as Application Control / Whitelisiting technology.

I discuss how to successfully remove administrator rights from Windows users in detail in this research note for clients complete with a list of the top 14 or 15 best practices for this initiative.

For clients, we’ve recently published a research note that details the best practices for removing administrator rights from Windows users.

One of the best practices is to use the migration to Windows 7 as a catalyst to remove administrator rights. Windows 7 helps the removal of administrator rights with a set of technologies under the umbrella brand of “User Account Control”; however, UAC has it own set of pros and cons.

Many clients have reached the conclusion that a third party privilege management tool will be required to help with the removal of administrator rights – at least for some percentage of their users.

The good news is that there are multiple competing vendors that provide this capability:

• Altiris (Symantec) – as a feature within its application control offering, sold separately on request
• AppSense – as a feature within its application manager offering but not sold separately
• Avecto
• BeyondTrust
• ScriptLogic
• Windows “Run As” (requires administrator credentials)
• Viewfinity

Note that ScriptLogic has moved beyond its free, community-supported offering to an enterprise version that includes support and more features.

If you are a client, give me a call if you want to talk through these solutions and whether or not they are required with your Windows 7 deployment.

From my perspective the announcement that will affect the most enterprises from a security perspective was a change in licensing related to Forefront. Some history — in 2010, Microsoft reorganized the Server and Tools Business Unit placing the Forefront Endpoint team with the System Center Configuration Manager team. In December 2010, Microsoft shipped the version of Forefront (Forefront Endpoint Protection) that uses System Center Configuration Manager as the backbone for the distribution and update of Forefront’s antimalware engine and signature updates.

Now to the significant licensing change. Previously, Microsoft customers licensed under its Enterprise Client Access License Program (ECAL) had rights to Forefront EndPoint Protection. Microsoft has lowered the bar and included rights to FEP with its Core CAL. These changes are detailed on Microsoft’s web site. This will change the competitive dynamics in the endpoint protection platform market.

Other observations from the event:

1) Brad Anderson was clear that Cloud is a computing model, not a location and that the attributes of Cloud computing are what really matter – scalability and elasticity, self service, shared, automated, etc. Organizations want this in their own data centers, thus a large part of his keynote talked about how Microsoft enables private clouds with “Concero” – a new web-based portal for self-service by application owners.

3) It was interesting that in the keynote demo of Concero, the presenter commented on the usability of the UI stating “working within a web browser doesn’t have to be clunky” which received applause from the audience. However, all of this was built on Silverlight, but no explicit mention of Silverlight  (see observation #7 in this post) was made on Monday or Tuesday.

4) Microsoft’s AVIcode acquisition provides Microsoft application performance visibility, including potential security-related issues (in addition to things like performance and connectivity).

5) In competing with VMware, Microsoft made the following points multiple times in the keynotes to reinforce the areas which it believes are significant differentiators:

• Microsoft has in-depth knowledge and context (Brad Anderson used the word “wisdom”) of the OS
• With AVIcode instrumentation, Microsoft’s tools will have in depth knowledge and context of .NET applications (it’s all about the applications – they can’t be treated as black boxes)
• Microsoft’s management tools span Hyper-V, XenServer and VMware hypervisor based environments

Tomorrow’s keynotes are all about the client side manageability and the impact of consumerization. I won’t be there, but there will be security implications to many of these announcements as well.

This is incorrect.

Software that writes to the user’s data directory, and that doesn’t write to protected portions of the registry, can install correctly as a standard user, and an increasing number of enterprise software vendors are doing exactly this (e.g., Google Chrome and Mozilla Firefox).

If the good guys can do this, so can the bad guys. Indeed, malware writers can use the same techniques to install software targeted at stealing end-user-accessible data and personal information, even when users don’t have administrator rights.

If you really want to control what applications a user is allowed to install and execute, you will need to do more than just run them as standard users. For example, Application Control (aka whitelisting) is one approach that I frequently discuss with clients.

I talk about the ability of standard users to install software and other issues in this research note for clients that just published. In this research, my colleague, Mike Silver, and I provide a comprehensive set of best practices for removing administrator rights from end-users on Windows. In terms of “security bang for the buck” you can’t do much better than this and most organizations have specific projects underway to do exactly this using Windows 7 as the catalyst for the removal of administrator rights from end users.