-
Today I attended the Microsoft 2008 server wave launch event in Seattle. In the process I learned a number of things: The launch event apparently does not need to coincide with actually launching anything. Server 2008 launched a couple of months ago. Visual Studio 2008 launched in November 2007, and...
-
Last Friday the last of the Windows Server 2008 Security Resource Kit finally went to press! This was a project I had not really planned and so, to complete it in time, I brought in an amazing crew of co-authors. Together, we managed to put together 17 chapters on how to manage security in one of the...
-
Even having used Internet Explorer 7 for about 18 months, I just discovered something new. IE has a hidden status bar, with four security-related buttons on it: Right next to where the zone is shown are a series of six boxes. I always figured it was some UI anomaly caused by the fact that the would occasionally...
-
On January 23, Jeff Jones, Director of Security at Microsoft, published his "One Year Vulnerability Report" for Windows Vista. In the report, he analyzed whether Windows Vista had fewer vulnerabilities in its first year than it's predecessor, Windows XP had in its first year. Jeff also...
-
The January issue of TechNet Magazine has an article I wrote about how to hack a system using autoplaying USB flash drives. While it is not possible to stop all attacks from USB tokens, Vista does include some interesting protective measures. However, the autoplay decision flow in Vista is quite convoluted...
-
For the third time in a week someone asked the question "If I want to use BitLocker with a Trusted Platforms Module (TPM), which computer should I get?" Wonderful question. For some reason, the hardvare vendors seem to treat the TPM chip as the ugly stepchild that they do their best to ensure...
-
When I was a child, I learned a saying that I still find important to keep in mind: Those who are sitting in a glass house shall not throw stones The good folks at Mozilla may want to look up what that really means. Two days ago, Mozilla published Firefox version 2.0.0.5 to fix a security vulnerability...
-
Snake oil , for those that are not familiar with the U.S. English vernacular, is a derogatory term for some product that makes unverifiable or exaggerated claims. True to the tradition, we now find " Vista Firewall Control ," complete with a PC World article that includes not only incorrect...
-
As with Protect Your Windows Network I wrote some tools for the Windows Vista Security book that just came out. However, the Vista book does not come with a CD. Rather, Wiley has made the tools available for download . If you solemnly promise that you will buy the book, you may get the tools from there...
-
Windows Software Update Services (WSUS) is one of the more entertaining products Microsoft has created, if by entertaining you mean trying to put logic behind the installation of some relevant subset of 4,381 updates (today's total). WSUS 3.0 has been out for a while now, and was supposed to work...
-
All U.S. Government computers are finally required to conform to one of two configurations. White House Memo M-07-11 , further clarified in M-07-18 directs all government agencies to use a single hardening guide. M-07-18 clarifies that it is to be the NIST guide . Overall, this is welcome news. The agencies...
-
In my most recent article in TechNet Magazine I wrote: Unfortunately, icacls.exe can’t show you the owner of an object. There is no way to actually see, from the command line, who the owner of an object is. Furthermore, if you save the ACL for an object, it does not save the owner of the object. As an...
-
TechNet Magazine just published the first of several articles with excerpts from the Windows Vista Security Book . " New ACLs Improve Security in Windows Vista " is what they called the first of two excerpts from the Access Control chapter. The same issue of the magazine also has an interesting...
-
OK, so whose bright idea was it to put the F12 key so close to the Delete key on the keyboard? And whose bright idea was it to map F12 to "Save As..." in every MS Office application? And, whose bright idea was it to default the Save As... option to the users home directory, even if that directory...
-
As you may know I am just putting the finishing touches on a new book. Roger Grimes and I teamed up to write Windows Vista Security . In the course of doing the research for the book, and just keeping up with the popular press lately, it has become obvious that there is a lot of confusion about User...