Jesper's Blog

I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Posts
  • All good things must come to an end (46 Comments)
    This is an excerpt from a mail I sent out internally today: The sands of time seem finally to have run their course. On September 1 I will not only celebrate the 5-year anniversary of my time here at Microsoft but also my departure from the company...
  • Please don't disable security features, at least while we are testing them (42 Comments)
    I couldn't tell you how many times I have either had the question "how do I turn off User Account Control" or heard the statement "boy, I sure hate all those annoying user account control popups in Vista." Yeah, security sucks, it gets in the way of...
  • Death by PowerPoint (33 Comments)
    I'm at yet another event, and this time I decided to go see a few of the other sessions instead of just trying to find as much free food as possible between my own presentations. This experience brought to mind an old concept: "Death by PowerPoint." It is almost embarrassing how some people use PowerPoint. Steve Riley frequently refers to e-mail as "the place where knowledge goes to die." Well Steve, you have it wrong. Nothing kills knowledge as fast as putting it in PowerPoint....
  • Blocking certain extensions in ISA server (27 Comments)
    For some reason I decided that today was a good day to figure out how to block certain file extensions from being accessible over the web. This could be very useful, for instance, if you are trying to prevent a particular exploit that utilizes a particular...
  • Windows Firewall: the best new security feature in Vista? (26 Comments)
    It is interesting how some of the best security features in Windows receive either no attention, or get criticized for the strangest reasons. Case in point: Windows Firewall is one of the best firewalls out there, and yet much of the talk about it is...
  • Conscientious Risk Management and WMF (21 Comments)
    This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing, and what the community should do to protect against it. For many reasons, Microsoft's response to the problem is best left to those who do this for...
  • Power Users are Admins who have not made themselves admins yet (20 Comments)
    It seems kind of odd that in 2006 I would still get these questions, but twice in the past week have I had to explain the truth about Power Users to someone. Typically they are organizations who are trying to limit the rights of their users, who right...
  • Structuring Infosec Organizationally (17 Comments)
    Last week I visited a customer and was greeted by two people who introduced themselves, respectively, as the "Chief Information Security Officer" and the "Chief IT Security Officer." Yes, they had two separate functions for this, one to secure information...
  • Are You A People Person? (17 Comments)
    As my family keeps reminding me, I'm not much of a people person. It could just be that I am projecting myself onto others, but I am pretty sure that much of the IT industry is like me, which raises a number of serious security problems. If you are interested...
  • Disable that Pesky Built-in Administrator Account! (16 Comments)
    I'm working on an FAQ for passwords right now. Look for it in the Security Newsletter next month (http://www.microsoft.com/technet/security/secnews/newsletter.htm). However, one thing that has come up more than a few times in the recent past is what...
  • What is a "zero-day"? (13 Comments)
    Once again, it seems misguided reporters have appropriated a technical term and are misusing it in ways to confuse the field. "Hacker" was not the first term they ruined, but it is still the one that irks me the most. The primary definition of "Hacker...
  • Security sins in computer products (11 Comments)
    So I got the Belkin Pre-N router today (it is an F5D8230-4) and was absolutely appalled at the way they have treated security in the thing. Now, this is not unique at all. I have tried Linksys, NetGear, and D-Link as well, and they all sin in about the same ways. Frankly, I have yet to find a wireless product that does security as well as the venerable Microsoft MN-500 802.11b router. Of course, it only does WEP, which is pretty much equivalent to no security at all these days, but when it came o...
  • Becoming a better presenter (11 Comments)
    This week I went to Dr. Edward A. Tufte's course on presenting quantitative information. Being a professional (yes, I know some people argue about the professionalism part) presenter I found this to be a reasonable way to pick up a few nuggets that might...
  • More security theater, in the air (11 Comments)
    Recently I was on yet another flight, trying to get some e-mail done. This time, however, I was answering e-mail offline on my SmartPhone. Of course, the phone was in flight mode so the radio was off. I wouldn't want to "interfere with the aircraft's navigation...
  • Exceptions to the rule - When you may WANT to turn off SMB message signing (10 Comments)
    Being a security guy I see the world in black and white. People are either good or bad. Technical security means are either secure or not. We are either underpaid, or we are in marketing. No, seriously, nothing is that black and white. Take SMB Message...
  • "Temporary" Administrators (10 Comments)
    Several times in the past year someone has brought up an issue where they needed to "temporarily" grant someone administrative privilege to a system or a domain. Each time my answer has been the same: "why not just put them in the Administrators group...
  • Yes, it is unfortunately true (10 Comments)
    I have unfortunately been prevented from speaking at TechEd in New Zealand, Australia, and Japan; the final events I was planning to speak at before I leave Microsoft on September 1. I cannot express how terrible I feel about this. The hope was that these...
  • Upcoming engagements (9 Comments)
    The schedule for Spring 2006 is in full swing. Just in case anyone is interested in meeting up with me somewhere in the world (or has some new gig they think I should go to) I thought it makes sense to post my schedule here. February 6 and 7 - Albuquerque...
  • I Really Do Not Hate Hardening Guides (9 Comments)
    Unfortunately, it seems that people are getting the impression that I hate hardening guides. A few people told me that after I delivered the "Security Myths" presentation at Microsoft's Federal Security Summit West last week. It is really not the case...
  • Should you worry about password cracking? (9 Comments)
    I have received more and more queries about whether to worry about password cracking, and what to do to avoid it. It seems it may be time to document this a bit better. It is all, of course, already in Protect Your Windows Network, but I am also working on a new TechNet column on the topic. In the meantime, here is an excerpt from the column. More than likely the column will be in the October TechNet Security Newsletter....
  • How to shoot yourself in the foot with ACLs (8 Comments)
    My latest TechNet article, "How to Shoot Yourself in the Foot with Security, Part 2: To ACL or Not To ACL" was just published in the TechNet Newsletter. It turns out that ACLs are one of the major ways people destroy their systems, and of course it...
  • Why Phishing Will Remain Lucrative For The Foreseeable Future (8 Comments)
    Today I received a message that purports to be from Discover regarding a 5% cashback program on gas purchases on that card. (For the non-American readers, Discover is a credit card widely used in the U.S.). The e-mail had a couple of links to click, both...
  • Some Password Policy Settings Are Not Enforced When Disconnected (7 Comments)
    This is a post I was asked to do a while ago and have been procrastinating on. I apologize for that. For various reasons, every so often, certain FAQ items come up again. One of them is whether certain password policies are enforced when a system is not...
  • More Security Myths (7 Comments)
    About a year ago Steve Riley and I built a presentation based on a set of security myths we put into the book. It was one of the most popular presentations we have ever made, and we kept coming up with more myths every time we delivered it, or talked...
  • Are we too simplistic in how we think about risk? (7 Comments)
    Yesterday I had a fascinating meeting where we discussed a number of theoretical concepts, including how we think about risk. Risk, of course, should be the driver in everything we do in information security, and risk management should be the discipline...
Page 1 of 3 (65 items)