Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Jesper's Blog

  • Please don't disable security features, at least while we are testing them

    I couldn't tell you how many times I have either had the question "how do I turn off User Account Control" or heard the statement "boy, I sure hate all those annoying user account control popups in Vista." Yeah, security sucks, it gets in the way of...
  • Blocking certain extensions in ISA server

    For some reason I decided that today was a good day to figure out how to block certain file extensions from being accessible over the web. This could be very useful, for instance, if you are trying to prevent a particular exploit that utilizes a particular...
  • Death by PowerPoint

    I'm at yet another event, and this time I decided to go see a few of the other sessions instead of just trying to find as much free food as possible between my own presentations. This experience brought to mind an old concept: "Death by PowerPoint." It is almost embarrassing how some people use PowerPoint. Steve Riley frequently refers to e-mail as "the place where knowledge goes to die." Well Steve, you have it wrong. Nothing kills knowledge as fast as putting it in PowerPoint.
  • All good things must come to an end

    This is an excerpt from a mail I sent out internally today: The sands of time seem finally to have run their course. On September 1 I will not only celebrate the 5-year anniversary of my time here at Microsoft but also my departure from the company...
  • Conscientious Risk Management and WMF

    This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing, and what the community should do to protect against it. For many reasons, Microsoft's response to the problem is best left to those who do this for...
  • Structuring Infosec Organizationally

    Last week I visited a customer and was greeted by two people who introduced themselves, respectively, as the "Chief Information Security Officer" and the "Chief IT Security Officer." Yes, they had two separate functions for this, one to secure information...
  • Are You A People Person?

    As my family keeps reminding me, I'm not much of a people person. It could just be that I am projecting myself onto others, but I am pretty sure that much of the IT industry is like me, which raises a number of serious security problems. If you are interested...
  • Windows Firewall: the best new security feature in Vista?

    It is interesting how some of the best security features in Windows receive either no attention, or get criticized for the strangest reasons. Case in point: Windows Firewall is one of the best firewalls out there, and yet much of the talk about it are...
  • Disable that Pesky Built-in Administrator Account!

    I'm working on an FAQ for passwords right now. Look for it in the Security Newsletter next month ( http://www.microsoft.com/technet/security/secnews/newsletter.htm ). However, one thing that has come up more than a few times in the recent past is what...
  • More security theater, in the air

    Recently I was on yet another flight, trying to get some e-mail done. This time, however, I was answering e-mail offline on my SmartPhone. Of course, the phone was in flight mode so the radio was off. I wouldn't want to "interfere with the aircrafts navigation...
  • Power Users are Admins who have not made themselves admins yet

    It seems kind of odd that in 2006 I would still get these questions, but twice in the past week have I had to explain the truth about Power Users to someone. Typically they are organizations who are trying to limit the rights of their users, who right...
  • What is a "zero-day"?

    Once again, it seems misguided reporters have appropriated a technical term and are misusing it in ways to confuse the field. "Hacker" was not the first term they ruined, but it is still the one that irks me the most. The primary definition of "Hacker...
  • Upcoming engagements

    The schedule for Spring 2006 is in full swing. Just in case anyone is interested in meeting up with me somewhere in the world (or has some new gig they think I should go to) I thought it makes sense to post my schedule here. February 6 and 7 - Albuquerque...
  • Becoming a better presenter

    This week I went to Dr. Edward A. Tufte's course on presenting quantitative information. Being a professional (yes, I know some people argue about the professionalism part) presenter I found this to be a reasonable way to pick up a few nuggets that might...
  • How to shoot yourself in the foot with ACLs

    My latest TechNet article, " How to Shoot Yourself in the Foot with Security, Part 2: To ACL or Not To ACL " was just published in the TechNet Newsletter . It turns out that ACLs is one of the major ways people destroy their systems, and of course it...
  • Exceptions to the rule - When you may WANT to turn off SMB message signing

    Being a security guy I see the world in black and white. People are either good or bad. Technical security means are either secure or not. We are either underpaid, or we are in marketing. No, seriously, nothing is that black and white. Take SMB Message...
  • Why Phishing Will Remain Lucrative For The Foreseeable Future

    Today I received a message that purports to be from Discover regarding a 5% cashback program on gas purchases on that card. (For the non-American readers, Discover is a credit card widely used in the U.S.). The e-mail had a couple of links to click, both...
  • I Really Do Not Hate Hardening Guides

    Unfortunately, it seems that people are getting the impression that I hate hardening guides. A few people told me that after I delivered the "Security Myths" presentation at Microsoft's Federal Security Summit West last week. It is really not the case...
  • Yes, it is unfortunately true

    I have unfortunately been prevented from speaking at TechEd in New Zealand, Australia, and Japan; the final events I was planning to speak at before I leave Microsoft on September 1. I cannot express how terrible I feel about this. The hope was that these...
  • Some Password Policy Settings Are Not Enforced When Disconnected

    This is a post I was asked to do a while ago and have been procrastinating on. I apologize for that. For various reasons, every so often, certain FAQ items come up again. One of them is whether certain password policies are enforced when a system is not...
  • Are we too simplistic in how we think about risk?

    Yesterday I had a fascinating meeting where we discussed a number of theoretical concepts, including how we think about risk. Risk, of course, should be the driver in everything we do in information security, and risk management should be the discipline...
  • Going Wild With Administrative Accounts

    Today I got a question that reminded me that I have not written a whole lot about how to manage the accounts used by system administrators. The question was whether I could think of any reasons why you would share an administrative account between several...
  • How to make ISA stop ALL useful traffic - for some users

    So I was actually in the United States for a couple of days last week and decided to get the long overdue ISA server running at home. After all, how hard could this be? In ISA 2004, with the new "firewall configuration by cartoon" interface, you just...
  • ISV support of patches

    Yesterday during a discussion I was having with some customers in Taiwan another chat I had with an MVP a month or so ago came back to mind. The question asked was about Independent Software Vendor (ISV, i.e. "not Microsoft") support of Microsoft patches for the OS. Specifically, how long is it reasonable to take an ISV to fully support their product on an OS patched with a particular patch, or rather, update, or a particular service pack?
  • Should you worry about password cracking?

    I have received more and more queries about whether to worry about password cracking, and what to do to avoid it. It seems it may be time to document this a bit better. It is all, of course, already in Protect Your Windows Network, but I am also working on a new TechNet column on the topic. In the meantime, here is an excerpt from the column. More than likely the column will be in the October TechNet Security Newsletter.