Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

  • Configure your router to block DOS attempts

    Some time ago I had a discussion with a friend. He disagreed with my recommendations on how to configure a border router and the firewall behind it. I claimed that in the border router between you and your ISP, configure the six rules to block most denial...
  • Internet Explorer security levels compared

    A pretty good question came across the newsgroups the other day. Someone was asking what are the differences between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security...
  • Myth vs. reality: Wireless SSIDs

    Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled...
  • BitLocker command line interface

    Last week at TechEd Europe I showed the BitLocker command-line interface. At other TechEds I've mentioned it but didn't show it. The CLI provides full control over BitLocker, including enabling it on any NTFS volume on the system (the Control Panel UI...
  • Changing the SSL cipher order in Internet Explorer 7 on Windows Vista

    Recently, the question of using AES for SSL has come up in the newsgroups and at some conferences. When IE makes an HTTPS connection to a web server, it offers a list of supported cipher suites. The server then selects the first one from the list...
  • Directly connect to your corpnet with IPsec and IPv6

    Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no actual rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia, then TechEd US seemed to suddenly appear out of nowhere...
  • FanBox: the latest in password scams

    Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message: From: Question It [mailto:question_it@fanboxapps.com] Sent: Monday, January...
  • Protect your data: everything else is just plumbing

    Take a few moments and indulge in a thought exercise with me. Consider your company’s complete collection of information processing assets—all the computers, the networks they’re connected to, the applications you use, and the data and information you...
  • Should your ISA Server be in your domain? Film at 11!

    So it would seem that a statement I made during TechEd US last week in Boston has mildly stirred a bit of controversy -- no surprise there, I guess, heh. One of my presentations gave an overview of what's new in ISA Server 2006 (download your copy of...
  • Bogus Microsoft sweepstakes emails

    Over the past month I've received at least three enquiries from people asking about the legitimacy of emails claiming the recipients have won large amounts of money in a Microsoft sweepstakes or lottery -- often 500,000 British pounds. This is an easy...
  • August article: 802.1X on wired networks considered harmful

    Several months ago I learned from Svyatoslav Pidgorny, Microsoft MVP for security, about a problem in 802.1X that makes it essentially useless for protecting wired networks from rogue machines. Initially I was a bit skeptical, but the attack he described...
  • Mandatory integrity control in Windows Vista

    One of my favorite new security features in Windows Vista is Mandatory Integrity Control (MIC). It’s a classical computer science concept from the 1970s that’s finally getting its first commercial implementation—and of this I’m quite proud. While discretionary...
  • Autorun: good for you?

    Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the...
  • Why administrative passwords will never be like nuclear missile launchers

    During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you've read about or seen photographs of missile silos where two operators, separated by a distance greater...
  • My presentations at TechEd 2007

    Hello everyone! Yes, it's been a while since I've written. I've been pretty busy lately with a security roadshow in Southeast Asia. It's become an annual thing, it's a lot of fun, and I get to spend a good amount of time in what's becoming my favorite...
  • Mythbusters beat "unbreakable" fingerprint door lock

    My good friend Jamie Sharp sent me this link today. It's amazing: watch how Adam and Jamie easily defeat a fingerprint lock the manufacturer claims has never been broken. As if to snub the claims, they break it three times! Supposedly it monitors pulse...
  • More on Autorun

    Last month, in my post "Autorun: good for you?" I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers. Well, it turns out that Windows will override...
  • Ethernet and WiFi and Bluetooth, oh my!

    Customers have long requested a way to configure a computer to automatically disable its wireless NIC when its Ethernet is in use. Many third-party utilities can do this for you, but neither XP nor Vista have a built-in way to accomplish this, nor will...
  • Password policies. Once again.

    Recently in the newsgroups (news:microsoft.public.security, to be specific) the question of password policies and the out-of-box defaults came up. The poster lamented a number of things: that Microsoft doesn't enable account lockout by default, that...
  • Good bye, and good luck

    Friends, as a part of Microsoft’s second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended. While there were many rewards that came from my job, the most satisfying element was knowing that our time...
  • F*#$!@g spam!

    Yeah, it's been a while since I've written a post, and I have some ideas I'll get to once the prep work for TechEd this year settles down a bit. But look -- why in the world do the freaking spammers have to start targeting blogs now? I keep my comments...
  • Passgen tool from my book

    Way back in 2005, Jesper Johansson and I wrote Protect Your Windows Network. It’s still available, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the practical advice about security policies, social engineering...
  • The opt-out from hell

    One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after...
  • America, wake up: stop being "security sheep"

    OK, I need to complain a bit here. Yesterday I went to Best Buy to get a new digital camera. I already knew which one I wanted, so I found a sales guy, pointed to the display unit, and said, "I'd like one of these." "Sure," he replied. He found...
  • What do YOU need out of two-factor authentication?

    Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. At Microsoft, we use smartcards internally for VPN access right now; soon we'll be requiring smartcards for domain logon, too....