Steve Riley on Security
Formerly of Microsoft's Trustworthy Computing Group.
More on the necessity of antivirus software
A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number of people have asked me privately if I am recommending such a stance to other individuals or to organizations. Let me be perfectly clear: absolutely not. For the vast majority of folks, the four...
25 Sep 2007
Domain controller security: it starts at layer zero
Recently I seem to have had the same conversation over and over again, in places as far apart as Jakarta, Winnipeg, and Berlin. The question is usually worded like this: "What happens if someone steals one of my domain controllers?" There is, essentially, only one correct answer, which is this...
11 Mar 2006
August article: 802.1X on wired networks considered harmful
Several months ago I learned from Svyatoslav Pidgorny, Microsoft MVP for security, about a problem in 802.1X that makes it essentially useless for protecting wired networks from rogue machines. Initially I was a bit skeptical, but the attack he described is in fact true -- I've seen it myself now. So...
11 Aug 2005
What's your data worth? More importantly, to whom?
This week, I'm attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don't consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to...
25 Oct 2007
Why administrative passwords will never be like nuclear missile launchers
During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you've read about or seen photographs of missile silos where two operators, separated by a distance greater than the span of a single human's arms, must each...
21 Nov 2006
Autorun: good for you?
Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the game to start. Groovy! No, if you're a security...
23 Sep 2007
Did you know that you ALREADY have an e-mail policy?
An email access policy can be expressed in one of two ways: E-mail is mission critical to our business. Therefore, we permit employees to read and compose e-mail from any location in the world where employees can access the Internet, using either company-issued devices or public Internet terminals...
11 Sep 2006
Airport security silliness
So today (Thursday 21 July 2005) I flew from Seattle to Dallas for a customer meeting. Since it's a short one-day affair, I packed my small carry-on size suitcase. In it was a pair of shoes, one pants, one shorts, two shirts, a toiletry bag, and my collection of wall warts (AC adapters). Seems normal...
22 Jul 2005
Who should do your security audits? Or, how do you organize the security department?
An interesting question came up today. The group responsible for configuring and maintaining the firewalls at a customer also believes that they should be the only ones to audit their configurations. Others in the security department are uneasy with this, and prefer that someone else do the auditing...
8 Feb 2008
New column - debunking security myths
There is a lot at stake in security configuration guidance. First, it is easy to understand why people are clamoring for it. Everyone can see the benefit in turning on some setting and blocking an attack. In some environments, doing so is not even an option. A system must be configured in accordance...
12 Apr 2005
Antivirus software -- who needs it?
In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I've been involved in computer security -- as a practitioner, a consultant, and an instructor/speaker -- for several years. I feel fairly confident in calling myself...
23 Sep 2007
New column -- The case of the stolen laptop
Seems like once a week I hear from someone worried about stolen laptops -- or, worse, just joined the ranks of laptop theft victimhood. The best way to stay out of that club is to keep the thing with you at all times, or leave it in your hotel room when you don’t want to carry it around. Yes, everyone...
10 Feb 2005
When security breaks things
Now that the furor has waned, I want to comment on MS05-051. For those of you who don't memorize bulletin numbers (I am part of that set; Susan Bradley, for example, isn't, hehe), this is the security update that fixed a number of vulnerabilities found in MSDTC and COM+; it replaced five other updates...
8 Nov 2005
The article is posted in the security management column section on TechNet and is the Viewpoint article in the July security newsletter. Check it out, and please tell me what you think. It's been generating some opinions :) Do you trust your administrators? That seemingly innocent question creates...
19 Jul 2005
Configure your router to block DOS attempts
Some time ago I had a discussion with a friend. He disagreed with my recommendations on how to configure a border router and the firewall behind it. I claimed that in the border router between you and your ISP, configure the six rules to block most denial of service traffic; in the firewall, configure...
11 Jul 2006
Poll: do you use scheduled scans for malware?
An interesting comment recently appeared on my older post about whether or not to use antimalware software. Peter van Dam wondered whether scheduled scans are really necessary, given that anti-malware products scan files as they enter (and sometimes exit) a computer. He raises a good point, and...
5 Jan 2009
But I can't test! My boss won't let me
Yesterday I mentioned that there's no substitute for doing your own testing of updates. I mentioned virtualization is your friend -- building a model of your environment using Virtual PC and Virtual Server will save you a lot of money and it's something you can quickly tear down and rebuild whenever...
10 Nov 2005
It's me, and here's my proof: why identity and authentication must remain distinct
My February Security Management column is posted: http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx No matter what kinds of technological or procedural advancements occur, certain principles of computer science will remain -- especially those concerning information security...
16 Feb 2006
What do YOU need out of two-factor authentication?
Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. At Microsoft, we use smartcards internally for VPN access right now; soon we'll be requiring smartcards for domain logon, too. We are also looking at ways to require two-factor...
21 Apr 2006
More on Autorun
Last month, in my post "Autorun: good for you?" I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers. Well, it turns out that Windows will override this setting if you insert a USB drive that your...
31 Oct 2007
Article in the works: trusting your administrators
At TechEd US this year Jesper and I noted a new worry many of you were having: trusting your administrators. Or, more accurately it seems, an inability to trust your administrators. This is troubling, since these are the people who have unfettered access to pretty much everything in your network. Seems...
17 Jun 2005
Updated Microsoft Security Assessment Tool
Greetings. In case you haven’t already read about it, we recently updated the Microsoft Security Assessment Tool (MSAT). Version 4.0 hit the web on 31 October. It’s been four years since the initial release, and two years since the prior version. Between then and now your security world has evolved a...
2 Dec 2008
© 2015 Microsoft Corporation.