This is an excerpt from a mail I sent out internally today: The sands of time seem finally to have run their course. On September 1 I will not only celebrate the 5-year anniversary of my time here at Microsoft but also my departure from the company...

I couldn't tell you how many times I have either had the question "how do I turn off User Account Control" or heard the statement "boy, I sure hate all those annoying user account control popups in Vista." Yeah, security sucks, it gets in the way of...

I'm working on an FAQ for passwords right now. Look for it in the Security Newsletter next month ( http://www.microsoft.com/technet/security/secnews/newsletter.htm ). However, one thing that has come up more than a few times in the recent past is what...

It is interesting how some of the best security features in Windows receive either no attention, or get criticized for the strangest reasons. Case in point: Windows Firewall is one of the best firewalls out there, and yet much of the talk about it are...

As my family keeps reminding me, I'm not much of a people person. It could just be that I am projecting myself onto others, but I am pretty sure that much of the IT industry is like me, which raises a number of serious security problems. If you are interested...

I'm at yet another event, and this time I decided to go see a few of the other sessions instead of just trying to find as much free food as possible between my own presentations. This experience brought to mind an old concept: "Death by PowerPoint." It is almost embarrassing how some people use PowerPoint. Steve Riley frequently refers to e-mail as "the place where knowledge goes to die." Well Steve, you have it wrong. Nothing kills knowledge as fast as putting it in PowerPoint....

Last week I visited a customer and was greeted by two people who introduced themselves, respectively, as the "Chief Information Security Officer" and the "Chief IT Security Officer." Yes, they had two separate functions for this, one to secure information...

It seems kind of odd that in 2006 I would still get these questions, but twice in the past week have I had to explain the truth about Power Users to someone. Typically they are organizations who are trying to limit the rights of their users, who right...

This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing, and what the community should do to protect against it. For many reasons, Microsoft's response to the problem is best left to those who do this for...

For some reason I decided that today was a good day to figure out how to block certain file extensions from being accessible over the web. This could be very useful, for instance, if you are trying to prevent a particular exploit that utilizes a particular...

Today was my last "normal" day at Microsoft. (That's with a grain of salt - an exceptional company has few normal days). Tomorrow I just have the exit interview early and then I will be unemployed for a few days. I wonder when I am officially not an employee...

A while ago I once again got frustrated by LMCompatibilityLevel and the amount of confusion that is out there about it. There was also an intriguing thing in the SAMBA documentation that they (incorrectly) called "NTLM2 Session Response" that needed figured...

For about a year I have been telling a story to highlight how users running as administrators are much more likely to get malware installed on their systems than users who run as normal users. The story is actually in Protect Your Windows Network if you...

I have received more and more queries about whether to worry about password cracking, and what to do to avoid it. It seems it may be time to document this a bit better. It is all, of course, already in Protect Your Windows Network, but I am also working on a new TechNet column on the topic. In the meantime, here is an excerpt from the column. More than likely the column will be in the October TechNet Security Newsletter....

Some of Microsoft's amazing Most Valuable Professionals (MVP) made me a blog on a new site they call msinfluentials.com . I can't thank Susan , Nick , Vlad , Chad , and Wayne enough. You guys are truly special and exemplify all the best things about the...

I've been trying to come up with a list of attributes that a security solution needs to have to be complete and sufficient. The idea is to develop a set of attributes that can be used when analyzing security to see if it fulfills the needs of the situation...

Many of the attendees from the recently concluded Security Summit series in the U.S. have been asking for the slides. Since we will be doing web casts of the presentations we are not making the slides availble. What many people want though are simply...

Every parent knows that the main reason you have kids is for the comic relief they provide. However, watching them grow up is also fascinating. Yesterday my oldest son, who is now seven and a half, and I were sitting in front of the TV when he asked...

A friend just pointed me to an interesting blog post . The premise is that logon dialogs should not be asking for a username. Mostly the blog post points to why the username provides no value, not really expanding the argument that it is superfluous....

Being a security guy I see the world in black and white. People are either good or bad. Technical security means are either secure or not. We are either underpaid, or we are in marketing. No, seriously, nothing is that black and white. Take SMB Message...

Recently I was standing in a Geek bookstore in Sydney, trying to burn half an hour between meetings, when a book on passwords caught my eye. Naturally, given my somewhat odd interest in passwords, I picked it up to see if I had head of it before. Given...

The other day an old issue came up again: how do we mitigate the threat of sensitive data in page files. Page files are basically an on-disk repository of data that was in memory but not needed right at this moment. The system will page the data to disk...

Yesterday during a discussion I was having with some customers in Taiwan another chat I had with an MVP a month or so ago came back to mind. The question asked was about Independent Software Vendor (ISV, i.e. "not Microsoft") support of Microsoft patches for the OS. Specifically, how long is it reasonable to take an ISV to fully support their product on an OS patched with a particular patch, or rather, update, or a particular service pack?...

I have unfortunately been prevented from speaking at TechEd in New Zealand, Australia, and Japan; the final events I was planning to speak at before I leave Microsoft on September 1. I cannot express how terrible I feel about this. The hope was that these...

This morning when I tried to use FrontPage (don't even start) to edit one of my web sites, I was faced with this error: Error Code: 500 Internal Server Error. Internet Control Message Protocol (ICMP) network is unreachable. For more information about...