I converted my office fileserver to Windows Server 2008 (WS2008) a while back and I've never been happier - WS2008 is my favorite product ever. Nicely modular, pretty much everything turned off by default and some great tools for enabling just the components your need for a particular role. There is one more step I've been wanting to take and that is to enable the Hyper-V role and convert my fileserver over to just one virtual machine on the box, so I can set up other VMs on the same box. Today,...

In cast you didn't see it, the Microsoft Security Response Center (MSRC) team just announced the release of three tools to help customers fend off SQL injection attacks: UrlScan 3.0 Beta ( see Wade Hilmo's blog for more ), a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan helps prevent potentially harmful requests. Microsoft Source Code Analyzer for SQL Injection (MSCASI) CTP ( see the SQL...

I wanted to mention to folks that a new Security Development Lifecycle (SDL) web site went up earlier this month on microsoft.com. Amazingly, you can navigate to it via http://www.microsoft.com/sdl , instead of some long name you'd never remember. Of course, once you navigate to that URL, you get redirected to a long url that you'll never remember that is on the MSDN subsite, which is encouraging when you think about it. I have it on reasonably good authority (aka the site owner), that there are...

With Windows Server 2008, the Microsoft Windows Server team introduced a new installation option –Server Core. Server Core is a “minimal install” option of Windows Server that excludes much of the GUI and many applications – such as Internet Explorer and Windows Media Player – that would be present in a default installation. In this very short report ( download the full report ), I perform a brief analysis how much smaller the software footprint is for Windows Server 2008 Server Core and examine...

For those of you that are at TechEd today, I want to invite you around to my session on Security Advances in Windows Server 2008 today in room N320A. I'll be covering this general outline: SDL work on Windows Server 2008 Architectural security enhancements Security features and capabilities Looking at the security track record for the first 90 days Without a doubt, Windows Server 2008 is my favorite product that we've released over the past few years in general, but also specifically in terms of...

This paper is a compilation of vulnerability data for client operating systems for the first 3 month, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista Microsoft Windows XP SP2 Red Hat Enterprise Linux Desktop (v. 5 client) Red Hat Enterprise Linux WS (V. 4) Ubuntu 6.06 LTS Desktop Apple Mac OS X 10.5 (Leopard) Apple Mac OS X 10.4 (Tiger) For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities...

In the wake of my Windows Vista One Year Vulnerability Report , I have received many questions regarding the current vulnerability record of Windows Vista as compares with Windows XP SP2. This short paper is a compilation of vulnerability data for Microsoft Windows Vista and Microsoft Windows XP SP2 for calendar year 2007 and a brief analysis to see if any benefit is apparent for users of one OS over the other. I found that Windows Vista offers benefit over Windows XP SP2 in the following ways...

I was excited when Dr. Crispin Cowan joined the company a while back - what security person wouldn't be! As one of the key drivers behind StackGuard , Linux Security Modules and co-founder of Immunix, which produced AppArmor - few people are as qualified as Dr. Cowan to talk about security features and security boundaries. So, when he asks " Is UAC a convenience feature, or a security feature ?", I would say it is worth reading at least twice. And if my recommendation is not good enough for you,...

Late Friday night, I was one of the millions of weekend viewers that help make Iron Man the second-best premiere ever . I am surprised by those results, but only because Iron Man isn't so well-known as other Comic Book heroes like Superman or Batman. Yes, I liked it and was pretty sure I would even before I wnt. However, Robert Downey Jr. really did an excellent job as Tony Stark and the movie was faithful to the Origin Story, though it was updated to modern times. I love to see the casting of good...

Yesterday, Microsoft published the new Security Intelligence Report for the 2nd half of 2007. (home page is http://www.microsoft.com/sir , and the download page is here ). As one of the contributors for the report, I'd like to highlight the findings summary for the Industry vuln trends: Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest...