Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

  • Configure your router to block DOS attempts

    Some time ago I had a discussion with a friend. He disagreed with my recommendations on how to configure a border router and the firewall behind it. I claimed that in the border router between you and your ISP, configure the six rules to block most denial...
  • Myth vs. reality: Wireless SSIDs

    Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled...
  • Changing the SSL cipher order in Internet Explorer 7 on Windows Vista

    Recently, the question of using AES for SSL has come up in the newsgroups and at some conferences. When IE makes an HTTPS connection to a web server, it offers a list of supported cipher suites. The server then selects the first one from the list...
  • FanBox: the latest in password scams

    Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message: From: Question It [mailto:question_it@fanboxapps.com] Sent: Monday, January...
  • BitLocker command line interface

    Last week at TechEd Europe I showed the BitLocker command-line interface. At other TechEds I've mentioned it but didn't show it. The CLI provides full control over BitLocker, including enabling it on any NTFS volume on the system (the Control Panel UI...
  • Internet Explorer security levels compared

    A pretty good question came across the newsgroups the other day. Someone was asking what are the differences between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security...
  • Mandatory integrity control in Windows Vista

    One of my favorite new security features in Windows Vista is Mandatory Integrity Control (MIC). It’s a classical computer science concept from the 1970s that’s finally getting its first commercial implementation—and of this I’m quite proud. While discretionary...
  • America, wake up: stop being "security sheep"

    OK, I need to complain a bit here. Yesterday I went to Best Buy to get a new digital camera. I already knew which one I wanted, so I found a sales guy, pointed to the display unit, and said, "I'd like one of these." "Sure," he replied. He found...
  • F*#$!@g spam!

    Yeah, it's been a while since I've written a post, and I have some ideas I'll get to once the prep work for TechEd this year settles down a bit. But look -- why in the world do the freaking spammers have to start targeting blogs now? I keep my comments...
  • Mythbusters beat "unbreakable" fingerprint door lock

    My good friend Jamie Sharp sent me this link today. It's amazing: watch how Adam and Jamie easily defeat a fingerprint lock the manufacturer claims has never been broken. As if to snub the claims, they break it three times! Supposedly it monitors pulse...
  • Good bye, and good luck

    Friends, as a part of Microsoft’s second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended. While there were many rewards that came from my job, the most satisfying element was knowing that our time...
  • More on Autorun

    Last month, in my post "Autorun: good for you?" I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers. Well, it turns out that Windows will override...
  • Passgen tool from my book

    Way back in 2005, Jesper Johansson and I wrote Protect Your Windows Network. It’s still available, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the practical advice about security policies, social engineering...
  • Attacks against integrity

    I’ve been mentioning this frequently during my talks in the last 12 months: that accidental or malicious data modification is yet something else we need to defend against. Richard Bejtlich wrote last year about attack progressions, and this year summarized...
  • [OT rant] Are there any home WiFi routers that DON'T SUCK?

    Warning: rant ahead, and names named. When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood...
  • The opt-out from hell

    One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after...
  • Directly connect to your corpnet with IPsec and IPv6

    Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no actual rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia, then TechEd US seemed to suddenly appear out of nowhere...
  • Protect your data: everything else is just plumbing

    Take a few moments and indulge in a thought exercise with me. Consider your company’s complete collection of information processing assets—all the computers, the networks they’re connected to, the applications you use, and the data and information you...
  • Plan now to eliminate "power users" from your domains

    I've seen some conversations lately about the Power Users group -- how powerful is it, really, and why did we remove the group from Windows Vista? That group had rights to install software and drivers. And if you can install software and drivers, then you...
  • What do YOU need out of two-factor authentication?

    Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. At Microsoft, we use smartcards internally for VPN access right now; soon we'll be requiring smartcards for domain logon, too....
  • Should your ISA Server be in your domain? Film at 11!

    So it would seem that a statement I made during TechEd US last week in Boston has mildly stirred a bit of controversy -- no surprise there, I guess, heh. One of my presentations gave an overview of what's new in ISA Server 2006 (download your copy of...
  • I want a Model 22 HDD Hard Drive Disintegrator

    Here at Microsoft we have an active internal discussion group where most security-minded folk hang out. The topic of data destruction came up recently; it’s actually a lot more difficult than most people think. CIPHER /W and SDELETE do a reasonable job...
  • Password policies. Once again.

    Recently in the newsgroups (news:microsoft.public.security, to be specific) the question of password policies and the out-of-box defaults came up. The poster lamented a number of things: that Microsoft doesn't enable account lockout by default, that...
  • What's your data worth? More importantly, to whom?

    This week, I'm attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don't consider how valuable it might be to an attacker...
  • Autorun: good for you?

    Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the...