MIT Kerberos DOS Vulnerability

10/30/2011 3:50:43 PM

I just saw this in the SANS vulnerability alert this week. If you don’t want to parse the text yourself, it is essentially four separate remote denial-of-service vulnerabilities in the MIT Kerberos implementation for krb5-1.8 and later.

It’s amazing to me that we are still finding fatal flaws in a core security service like this. I’m not sure exactly how old the MIT Kerberos implementation is, but the protocol as defined in RFC 1510 (which has been obsoleted by RFC 4120) has been around since 1993, and as far as I know, the MIT Kerberos implementation was the original.

Patch your code!

Tags:

Identity and Access | Security

We Just Never Seem to Learn

9/6/2011 3:34:56 PM

This article describes how a disgruntled IT worker used a back-door account he had created to wreak havoc on his former employer. The story is notable not just in how familiar it is, but in all the ways basic identity and access governance (IAG) practices could have prevented the attack.

The story line goes like this (sing along if you’ve heard this one before): David Palmer, an IT administrator, was fired from his job at McLane Advanced Technologies, a military contractor and IT service provider. He had set up a back-door account before he was escorted out. Some time later, he used his back-door account to log into his former employer’s systems via the Wi-Fi at a local restaurant, deleted the payroll files for one of McLane’s customers, and apparently accessed files belonging to another customer. The customer was unable to process timecard entry or payroll for a few days, and ultimately McLane contacted the US Secret Service to report that their computer systems had been attacked. Palmer admitted his guilt in Federal Court and stated that “The only reason for logging into any of these servers was to create general havoc and disorder for McLane Advanced Technologies the following day.” Just to add a little insult to injury, McLane advertises themselves as “… adhering to a strict set of values and ethical standards by doing what’s right for our customer” in the areas of (among others) “Software Development”, “Data Management”, and “Information Security”. Fine-sounding words for a company that apparently couldn’t muster enough ethics to implement even basic identity and access governance processes. Thank goodness it was only a payroll system. What if it had been something more critical?

Ok, I’m being harsh. I don’t know the company, and perhaps there are some extenuating circumstances. But there are so many ways that this attack could have, and should have, been prevented, I can only conclude that no one was paying attention. Let’s see how many simple identity governance practices might have helped prevent this mess:

  1. Appropriate delegation of administrative rights – assuming that Mr. Palmer’s job didn’t require routine creation of user accounts, he shouldn’t have been able to create his back-door account to begin with. Nor should the account he created have had any access to customer files.
  2. Appropriate workflow around creation of a privileged account – apparently there was no review and approval for the creation of the back door account.
  3. Proper auditing and review of user account changes – the creation of a privileged account should have fired an alert and an immediate review.
  4. Privileged account management – privileged accounts should be normally disabled and “checked out” for use only after appropriate approval, and only for a specific amount of time.
  5. Functioning account deprovisioning – when Palmer was fired, all of the accounts he owned should have been immediately disabled.
  6. Access attestation and certification – no one attested to the validity and necessity of Palmer’s privileged back door account. To be fair, you usually do access reviews and attestations on some sort of a scheduled basis, e.g. quarterly, and he may have created and used his backdoor account within that period.
  7. Appropriate authentication technology – As a general rule, privileged accounts should not be usable by people logging in from non-company-owned devices from public networks without a second form of authentication like a smart card or OTP. I’m assuming of course that both his company laptop and any smart card would have been confiscated when Palmer was fired.
  8. Appropriate authorization technology – Smarter (e.g. dynamic and contextual) authorization technology would have saved the day here as well. An appropriate access policy for deleting customer files would have included rules like “only from a recently certified (attested to) account” and “not from a public IP” and “not from a public device”.

So that’s eight different IAG activities, any one or two of which would have prevented this attack. All of them are well-known practices, and all but the last one are implementable using commercial off-the-shelf software such as Quest One Identity Manager, Active Roles Server, Quest Privilege Manager, Change Auditor for Active Directory, and Defender. Some of these processes and controls are implementable (with effort and some scripting) just using what’s in the box with Windows. For a Gold Certified Microsoft Partner boasting a CMM Level 3 software development certification as McLane is, putting these processes in place should not have been a problem provided someone was actually paying attention. And there’s the point. If you host sensitive data on your computer systems (and who doesn’t?), someone in executive management has to be paying attention. Typically this would be the CIO or CSO, but at the end of the day it’s on the CEO to ensure that the company is taking due care to ensure that access to critical corporate assets is controlled and audited in a way that ensures the security of the data and of the company. Perhaps that’s something they should be teaching at Famous CEOs School.
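As an added illustration of controls 3 and 5 above (example code written for this post, not the blog’s own code and not one of the Quest products mentioned), here is a small Python checker run over constructed, simplified Windows Security audit records. The event IDs (4720 user created, 4725 user disabled, 4728/4732 member added to a security group) are real; the pipe-delimited layout, the CORP domain, the account names and the privileged-group list are assumptions.

```python
from dataclasses import dataclass

# Real Windows Security event IDs; the record layout below is a simplification.
USER_CREATED = "4720"
USER_DISABLED = "4725"
GROUP_MEMBER_ADDED = {"4728", "4732"}  # global / local security group

# Assumed list of privileged groups; tailor to the environment.
PRIVILEGED_GROUPS = {"BUILTIN\\Administrators", "CORP\\Domain Admins"}

# Constructed sample log. Fields: EventID|Timestamp|Subject (actor)|Target account|Group
SAMPLE_EVENTS = """\
4720|2011-03-01T09:12:00|CORP\\admin1|CORP\\svc-backup|
4732|2011-03-01T09:13:00|CORP\\admin1|CORP\\svc-backup|BUILTIN\\Administrators
4720|2011-03-02T10:00:00|CORP\\hrprov|CORP\\jsmith|
4728|2011-03-03T11:00:00|CORP\\hrprov|CORP\\jsmith|CORP\\Sales
4725|2011-03-15T17:30:00|CORP\\hradmin|CORP\\admin1|
"""


@dataclass
class Event:
    event_id: str
    time: str
    subject: str
    target: str
    group: str


def parse_events(text: str) -> list:
    """Parse the simplified pipe-delimited records; reject malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"malformed event line: {line!r}")
        events.append(Event(*parts))
    return events


def privileged_membership_alerts(events: list) -> list:
    """Control 3: every addition to a privileged group is an immediate alert."""
    return [
        f"{e.time} {e.subject} added {e.target} to {e.group}"
        for e in events
        if e.event_id in GROUP_MEMBER_ADDED and e.group in PRIVILEGED_GROUPS
    ]


def orphaned_accounts_after_disable(events: list) -> set:
    """Control 5: accounts created by an admin who was later disabled, and that
    are still enabled, need review (this is the back-door account in the story)."""
    created_by = {}  # target account -> account that created it
    disabled = set()
    for e in sorted(events, key=lambda ev: ev.time):  # ISO timestamps sort as text
        if e.event_id == USER_CREATED:
            created_by[e.target] = e.subject
        elif e.event_id == USER_DISABLED:
            disabled.add(e.target)
    return {acct for acct, creator in created_by.items()
            if creator in disabled and acct not in disabled}
```

Against the sample data the first check flags the addition of svc-backup to Administrators, and the second reports svc-backup as still enabled after its creator admin1 was disabled.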

In case you didn’t get that last reference, see Famous Artists School on Wikipedia.

Tags:

Identity and Access | Security

TEC 2011 is Around the Corner

2/17/2011 6:22:00 AM

Believe it or not, this is the 10th year for The Experts Conference (formerly The Directory Experts Conference). We (as NetPro at the time) hosted the first DEC in Scottsdale, AZ in 2001 with an audience of about 40 or so who all shared a strong interest in Active Directory. Since then, we’ve tweaked and expanded the conference to reflect changes in the technology landscape as well as the fickle whims of our corporate masters (I exaggerate. But not really. :Q) Today we routinely bring 500 or more people together to provide advanced Microsoft technology training and professional networking, for the experts, by the experts.

Starting in 2008, we expanded the technology scope of the conference beyond Microsoft directory and identity technologies, while maintaining the model that has made TEC so successful. We added a conference for Exchange in 2008 (now moderated by David Sengupta), a conference for SharePoint in 2009 hosted by Joel Oleson, and new for 2011 is the Experts Conference for Virtualization and Cloud, organized by Dmitry Sotnikov. The agendas for all of the conferences look really strong. Just browsing through the current lineup, several sessions jump out as being particularly compelling (yes, in the interest of not showing favoritism, I picked one from each conference).

  • Business in the Cloud, Identity Strategies and Technologies to Get Your Business Off the Ground – Brian Puhl
  • After the Cloud: The future for Exchange Administrators – Tony Redmond
  • Real World Implementation of Social Media Governance Leveraging SharePoint – Shaheed Eleazar
  • How to Sabotage a Cloud Project – Felix Gaehtgens

There are a ton of other sessions of course, and you can check them all out at http://www.tec2011.com.

Another new item this year is the PowerShell Deep Dive that will provide “deep technical and strategic engagement within the PowerShell community.” There should be about a half-dozen PS product group members attending, so you can get some quality face time with the guys who are building the next version of PowerShell. You can see that the size and scope of TEC has really expanded in the ten years we’ve been hosting it, and astoundingly, the same two women who organized the first TEC in 2001 for 40 people are laboring behind the scenes to bring you TEC 2011 for upwards of 700. Christine McDermott and Stella Lowe bring the attention to detail and their unique personal touch to each and every conference to make TEC the one conference you have to go to each year. Organizing a conference like TEC is a giant PITA, particularly when you have to juggle competing priorities, recalcitrant vendors, and technical prima donnas that don’t know the difference between a deadline and a lifeline. If you do make it to TEC in Las Vegas this year, take the time to give them a hug and say thank you. Bring a nice gift, perhaps some flowers or a bottle of wine (keep the Jack Daniels till the last day of the conference, ok?).

I hope to see you at the Red Rock in Las Vegas!

Tags:

Identity and Access | TEC 2011

Customer-Focused Design Session Returns to TEC Europe

9/14/2010 8:55:42 PM

Robert deLuca and Dean Wells are organizing another Customer-Focused Design (CFD) session for TEC Europe. The CFD session they ran at TEC Europe last year was by far and away the most popular event at the conference, and I’m really excited that we get to have them do it again. For those of you who aren’t familiar with the idea, CFD is a structured process for generating and prioritizing software requirements. In this case, Dean and Robert will lead you through a process of developing requirements for the next version of Active Directory and its related technologies. I expect that a lot of the discussion will be around the connection between Active Directory and the cloud, but even so, I’m sure there will be a lot of features discussed for on-premises AD as well.

Tags:

Identity and Access | TEC 2010

Auditing FIM 2010 RC1

9/2/2009 7:38:08 AM

I will be delivering my “Auditing in Forefront Identity Manager” talk at TEC Europe later this month in Berlin. It’s largely the same talk I gave at TEC in Las Vegas this past March, but updated for the upcoming RC1 build of FIM 2010 (which sadly won’t be available for TEC Europe, but should be available not long after). In the process of updating my session, I exchanged (Hah! Get it?) some emails with Nima Ganjeh, Program Manager on the FIM product team, and learned that there have been some substantial changes in the way FIM manages and exposes its object data.

Auditing FIM primarily involves pulling data from the FIM SOAP Enumeration endpoint, using a modified version of the WS-Enumerate protocol. In the RC0 build, FIM implemented the Infological data model [Langefors, 1973] in the object store, meaning that all relationships (attribute-value, object-attribute, etc.) were stored, indexed by time, and never deleted. Because data was never deleted or overwritten, it was possible to retrieve objects from the RC0 object store as it existed at any point in time. So if you wanted to know what the membership of the Administrators group was on March 30th last year, you could simply query for that object using the built-in XPath filter syntax function attime(), and voila!, you would see that group object as it existed at that point in time. This was in my mind one of the most significant benefits of FIM 2010. It provided what was in effect a built-in, automatic snapshot facility that answered the auditor’s question of “who was a member of this group back when the accounting data was compromised?”

Beyond the very cool data model, RC0 also maintained the transaction history for all object update operations by creating Request objects in the store. The Request objects, in addition to specifying the target object and operation, included the initiator of the update and the update parameters themselves. So not only could you look at the state of an object at any point in time, you could easily get a time-sequenced list of all of the changes made to that object, including what was changed, and by whom. This answered the auditor’s question of “who added Bob to this group back when our accounting data was compromised?”

But maintaining a complete history of the FIM object store had a price, or actually two prices: a rapidly growing database and insufficient performance. While RC0 would perform reasonably well on smaller datasets, it just wasn’t cutting it for larger environments. The FIM team decided that the performance impact of maintaining this historical data just wasn’t worth it, and in RC1, they have completely revamped the implementation of the object store. And sadly, RC1 has completely dropped the Infological data model and maintains no object history at all beyond the Request objects. The attime(), alltime(), and betweentime() XPath filter functions are gone, as is the ability to retrieve an object’s prior state through the web service. This is a big disappointment in my mind, but I can’t fault the FIM team for it… historical data or unworkably slow? It’s not a hard choice.

So how do you solve the audit problem in FIM 2010 RC1? I’ll discuss that in my talk at TEC in a couple of weeks and in this blog, but suffice it to say it’s not as elegant as it used to be.

Nima will publish the specifics of the changes in the RC1 query facility in his blog soon, so keep an eye on it.

1. Langefors, B. (1973). Theoretical Analysis of Information Systems.

Tags:

Identity and Access | TEC09

TEC 2010 Call for Sessions Closing Aug 25

8/24/2009 6:11:00 PM

Want to see your name up in lights? Want to make yourself known in the industry? Have you done things with (or to) Microsoft Identity and Access technologies that most people haven’t? Then you should submit a session for The Experts Conference/Directory and Identity right away! You can submit your proposal at the TEC website. If you have any questions, or you only have a vague idea of what you might want to speak about, you can just ping me through my blog and we can sort it out.

Tags:

Identity and Access | TEC 2010

Help Define the Requirements for the Next Version of Active Directory at TEC Europe

8/23/2009 4:41:00 PM

Have you ever wanted to define the feature list for Active Directory? TEC Europe 2009 might be your best chance to do just that. Robert deLuca (Microsoft Senior PM for Identity and Access) and Dean Wells (Senior PM for Directory Services) will host a “Customer-Focused Design” session at TEC Europe September 14 in Berlin.

Microsoft has developed a very structured process for gathering product requirements. I’ve been through the process a couple of times in Redmond (and I’ve used something similar for my own products), and it is pretty effective for figuring out which requirements you want to focus your product team’s efforts on.

The process starts out with a bottom-up approach, where the people in the room just write down all the requirements they think are important on Post-It notes. The key thing here is volume, and for people to focus on the problem-space, not the solution-space. Developers and IT Pros are predisposed to solving problems and invariably come up with ideas like “move the user account control bits to separate attributes” or “prune and graft the directory tree”. These are solutions to problems, not problems per se. The problems should be more like “I can’t control the access rights on the individual user account control bits in Active Directory”, or even better “I need to separately delegate the ability to set the No Password Required flag and the User Account Disabled flag”. See the difference? The first is a possible solution to a requirement the IT Pro has in the back of their mind. The second is the actual requirement. It’s really important to get everyone writing down problem-space statements, not solution-space statements. Otherwise the next step doesn’t work.

Once the moderator makes sure all the problems are legible and understood (IT Pros are not known for their high-quality handwriting), the second step involves sticking the Post-It notes on a wall and organizing them into affinity groups, i.e. grouping the requirements in a way that “seems to make sense”. This is a group activity, and can be really fun to participate in (and to observe!) Basically, you start moving the Post-Its around and inventing categories that seem to fit a group of them. The goal is to organize the requirements (perhaps more than a hundred of them) into a manageable number of higher-level topics. It’s always surprising how, given the vague instructions, people seem to instinctively organize things in pretty much the same way. Sometimes it takes a few attempts to get the categories right, but I’ve never seen a real argument in this process.

Now the drama begins. In the third step you need to refine the categories you developed in the preceding step into full-fledged problem statements that reflect all of the requirements in that category. So everything that you grouped under “Schema” is now covered by something like “I need to manage the schema without special consideration like review committees and/or replication latency, and be able to provide a complete audit report of all schema changes.” Honing the requirements statements takes a lot of back-and-forth discussion between the participants to make sure the problem statement reflects all of the requirements, and that it is reasonably coherent. Sometimes you have to go back to the board and re-categorize some of the requirements, and occasionally someone will decide their particular requirement just isn’t worth the effort.

The process I’ve described so far is one I’ve used for years in developing product requirements, and was taught to me by my friend Jared Spool at User Interface Engineering about 20 years ago, and it works pretty well. One of the problems with the process is that you end up with way more problems to address than you have time or resources. How do you prioritize them? Microsoft has added two steps where the participants rank how important each problem statement is to them, and how well or how poorly each problem statement is currently addressed by the shipping product. The first ranking gives them an idea of which problems they should focus on, and the second ranking gives an idea of how much effort they should expend on addressing the problem.

Normally this sort of thing can take most of an entire day, but for TEC, Robert and Dean are developing a skinnied-down process that should provide some meaningful results in the hour or so we have available. I think they are also going to use some of the birds-of-a-feather time to work on the problem statements. In any case, it will be a lot of fun.

So if you’ve ever found yourself completely frustrated because Microsoft didn’t fix your specific issues in Active Directory, come to TEC Europe 2009 and make sure your problems are heard and make it into the queue for the next version of Active Directory.

Tags:

Identity and Access | TEC09
