Windows .NET Server is Microsoft's new contender against Linux in the server market. Scheduled for release in 2003, .NET Server (which was originally released for beta testing under the codename "Whistler") is re-engineered from the Windows 2000 Server codebase. .NET Server's survival will probably depend on how users perceive its security. Bill Gates himself realized this when he released his "Trustworthy Computing" memo in Jan. 2002. His ultimatum echoed what hackers have been saying for years: get secure or fail.
This speech will focus on the new security features in .NET Server -- and how to break them. The purpose is to identify early weaknesses while the OS is still a release candidate so that developers and network administrators can make informed decisions before deployment. This talk is technical, using live examples and some source code, but there will also be enough general information to benefit anyone interested in .NET Server security. Coverage includes weaknesses and exploits in the following areas: Windows Product Activation (WPA) on .NET Server New Encrypting File System (EFS) changes .NET Server Smart Card support Kerberos implementation Wireless standard implementation Remote Desktop Security Death of the Microsoft Security Partners Program (MSSP) Microsoft security partners full disclosure "gag rule"