The new password management paper is part of the refresh of the Microsoft Identity and Access Management Series is available from the Microsoft Download Center. It is also available on TechNet

The Overview and Planning materials (chapters 1 through 4) are meant to aid architects and IT professionals in understanding the variety of threats posed by not proactively managing passwords or enforcing strong password policies.  They then examine the options available to increase security and improve manageability.  Finally, these materials examine the problems a fictitious company faces and apply these design principles to architect a solution that will mitigate these threats.

The Implementation material provides a concise set of detailed instructions for managing both internal user account passwords and extranet user identities and passwords, and for utilizing Group Policy to enforce "strong" password policy.  The Test and Operations content illustrates how to validate the proper installation and configuration of these systems, perform ongoing maintenance tasks, and troubleshoot common issues should they arise.

Microsoft Security Advisory (902333) "Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts" has just been released. Point your IT staff and more advanced users there to educate them on how to spot attempts to make them into Phishing victims.

The advisory includes links to more security resources for end users, like the Security at Home site and the Protect Your PC site.

Oh, and BTW, I invite you to join me in leaving props for the SRC for starting this advisory site to disseminate important security information to supplement the secbulls.Then join the LUA bandwagon and go check out the non-admin wiki - some great tools and howtos there.

TS or audit folder access using the Effective Permissions tool built-in to Windows XP and Windows Server 2003.
To view effective permissions on files and folders:

1. Open Windows Explorer, and then locate the file or folder for which you would like to view effective permissions.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, click the Effective Permissions tab, and then click Select.I
4. n Enter the object name to select (examples), enter the name of a user or group, and then click OK. The selected check boxes indicate the effective permissions of the user or group for that file or folder.

You must have permission to read the membership information. If the specified user or group is a domain object, you must have permission to read the object’s group information on the domain. Here are some relevant default domain permissions:

• Domain administrators have permission to read membership information on all objects.
• Local administrators on a workstation or stand-alone server cannot read membership information for a domain user.
• Authenticated domain users can only read membership information when the domain is in Pre-Windows 2000 capability mode.

For more information about how to use the Effective Permissions tool, please review the following topic: View Effective Permissions on Files and Folders

Go check out the new MOM team blog. If you have any doubts about how important subscribing to their feed will be to your future as an enteprise IT Pro - search for some of the TechNet blog posts from MMS 2005.

Welcome MOMsers!

Reading "How the Mind Works" by Steven Pinker. The last line of this page 15 excerpt has stuck with me...

An intelligent being has to deduce the implications of what it knows, but only the relevant implications. Dennet points out that this requirement poses a deep problem not only for robot design but for epistemology, the analysis of how we know. The problem escaped the notice of generations of philosophers, who were left complacent by the illusory effortlessness of their own common sense. Only when artificial intelligence researchers tried to duplicate common sense in computers, the ultimate blank slate, did the conundrum, now called “the frame problem,” come to light. Yet somehow we all solve the frame problem whenever we use our common sense.

Imagine that we have somehow overcome these challenges and have a machine with sight, motor coordination, and common sense. Now we must figure out how the robot will put them to use. We have to give it motives.

What should a robot want? The classic answer is Isaac Asimov’s Fundamental Rules of Robotics, “the three rules that are built most deeply into a robot’s positronic brain.”

1. A robot may not injure a human being or, through inaction, allow a human beig to come to harm.
2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not contradict the First or Second Law.

Asimov insightfully noticed that self-preservation, that universal biological imperative, does not automatically emerge in a complex system.  It has to be programmed in (in this case, as the Third Law). After all, it is just as easy to build a robot that lets itself go to pot or eliminates a malfunction by committing suicide as it is to build a robot that always looks out for Number One. Perhaps easier; robot-makers sometimes watch in horror as their creations cheerfully shear off limbs or flatten themselves against walls, and a good proportion of the world’s most intelligent machines are kamikaze cruise missiles and smart bombs.

WSS Admin Guide

WSS SDK

WSS KB Feed

SPS Admin Guide

SPS SDK

Sharepoint Team Services KB RSS Feed

Is this helpful? Budling up some top resources into one post as a kind of "resource guide"? Leave feedback and let me know.

 Ever wanted to mee the 24/7/365 MSRC team (white hats) and ask /em stuff? Register for this June 30 2005

TechNet Webcast: Inside the Microsoft Security Response Center

MS05-027, the flaw in the SMB protocol (used to share files, printers, and serial ports, and to communicate between computers) is teh one to get cracking on PDQ.

This article on Techweb says:

"Neel Mehta, a team leader with Internet Security Systems' X-Force security research group, named it as his number 1 threat "because of its scope and the fact that user authentication's not required, nor user interaction." Writing an exploit for the SMB bug won't be easy -- Mehta called it "fairly challenging" -- but he said it wouldn't be long, perhaps within the week, that an exploit appeared. "It's actually more potentially dangerous than the February vulnerability in SMB," he added. "We're going to be tracking this carefully."

Windows XP SP2 users who have left the by-default-enabled Windows Firewall in place are protected to some extent, said several of the researchers interviewed, since it automatically blocks the external ports used by the SMB service. "But if someone has disabled the firewall, or has turned file sharing on," Mehta explained, "they could be hit."

And…

"Alfred Huger, vice president of engineering for Symantec's security response team is quoted  "Both the PNG and HTML (025 and 026) vulnerabilities are dangerous because they can affect so many end targets. Essentially, anyone with IE that's unpatched is at risk. And we've seen how fast phishers and rogue Web sites are in picking up on graphics vulnerabilities." Like Mehta, Huger expects to see vulnerabilities soon. "There will be exploits within the week," he said, of the PNG bug.

Run, don’t walk to the just-released WSUS site and get folks patched.

Point your users to this article on the Microsoft.com “At Work” site (The Hazards of Downloading, 6 pages) so they can educate themselves on the security issues around e-mail attachments and web downloads.

Self-service is a good thing for your users. The more they know, the farther you can go.

The article includes the following sections:

• The Hazards of Downloading
• Get Ready: Strengthen Your Computer's Defenses (includes stepwise instructions)
• Download with Caution: Think First. Click Later. (includes a great checklist)
• How to Save a File for Safer Downloads (stepwise instructions with screenshots)
• How to Remove a Program from Your Computer

Related reading:10 Ways to Work More Securely

Was this useful for you? Would you like to see more "I can reuse this today" -type information? Leave feedback.

Do you know their skills baseline? Do you have a good sense of where your IT organization lives in the “process maturity” matrix?

Take advantage of a Microsoft Skills Assessment for Organizations. The assessment will help you uncover areas for improvement that can boost staff performance and help increase ROI so you can concentrate on delivering business results, including showing you how to:

• Analyze skill gaps throughout your organization.
• Design custom learning plans to boost productivity.
• Improve business productivity.
• Reduce support costs.
• Optimize the potential of your personnel.

View a 7-minute assessment demo

You asked for it, we delivered. Here is the new RSS Feed for TechNet Briefings audiocasts, some folks call these podcasts, some call them blogcasts. This RSS feed provides an WMA and MP3 version audio file of each session, plus links to download the full video of the session as well as download just the supporting slide deck and transcripts.

Days after you asked for seperate feeds for WMA vs MP3, we delivered.

WMA Feed

MP3 Feed

Leave feedback here on how cool this is, and whether you are interested in getting TechNet briefings on video for your smarphone :-)

Get your friends and family, all those folks that come to you for computer help once their machines have become hopelessly hijacked and infected by spyware and malware, to learn how to run as non-admin.

Aaron does a webcast you can watch (passport sign-in required) to teach them all how to use Run As way more often and reduce the attack surface of their home machines. Once you clear the registration bars, you can download this preso for offline viewing. Find the preso here TechNet Webcast: Tips and Tricks to Running Windows with Least Privilege (Level 300).

Want to see what Aaron looks like?

Read Aaron's blog for more info. Like the info below:

The "why" posts:

Go read Josh's The Wonderful Truth of Corporate Blogging post (short read).

To which I say...

<soapbox mode on>

Amen and all that. On the other hand, one of the biggest benefits to Microsoft and the corporate bottom line is the effect blogging is having on US, not customers.

Making the commitment to dialogue with customers through blogs is not:

trivial

easy

career-promoting

...YET.

But, it does offer you growth opportunities that you can't get anywhere else inside Microsoft corporate culture right now.

One of the best ways to learn something is to commit to teaching it. Sharing what we are thinking, working on, producing makes us better, more effective employees even if we NEVER hear from a customer about it.

<soapbox mode off>

My team did a development exercise yesterday (Owl Inc ring any bells?) that showed us that a fundamental imperative for service org excellence is the ability to reduce the ignorance.

Do blogs do that?

What are the effects of blogging? Has anyone observed any change?

Do you have customer feedback? Personal feedback? Leave comments here.

This new Guide to implementing Quarantine on VPN is designed to help organizations plan a Virtual Private Network Quarantine system based on Windows Server 2003 Service Pack 1 Remote Access Quarantine Service. It highlights the issues faced and approaches to designing a quarantine Virtual Private Network.

Read about how we do it inside Microsoft:

Security Enhancements for Remote Access at Microsoft

Detailed discussion of how Microsoft IT significantly improved the security of its corporate network remote access solution using the latest generation of Microsoft products, such Windows XP Professional, Windows Server 2003, Internet Authentication Service, Internet Security Accelerator 2004, Microsoft Operations Manager 2005, SQL Server 2000, Public Key Infrastructure & Certificate Services, and Connection Manager. The solution deployed, called Secure Remote User (SRU), enabled Microsoft IT to manage specific remote desktop configurations, ensuring that all established security requirements are met when remote users access corporate network resources. SRU contributes to reducing the external attack surface of the Microsoft corporate network, thereby better protecting its intellectual property.

Downloads (Technical White Paper, Technical White Paper Presentation)

Windows Server Update Services, a.k.a WSUS is live - go download here. WSUS is the next version/evolution of SUS.  SUS was going to named SUS 2.0, then Windows Update Services (WUS).

MSDE2000a, WMSDE, or SQL Server 2000 with SP3 is a pre-req, as is BITS 2.0. Get BITS 2.0 at -- http://support.microsoft.com/kb/842773

The deployment guide is here.

Gord's Q&A is here.

In the poker movie Rounders the character Mike McDermott says: "Listen, here's the thing. If you can't spot the sucker in the first half hour at the table, then you ARE the sucker."

Acording to this Computer world article a recents study says Almost half of U.S. residents couldn't identify 'phishing' e-mail scams

Titled "Open to Exploitation: American Shoppers Online and Offline," the study was released today (download PDF). It involved 1,500 adult U.S. Internet users who were asked true-or-false questions about topics such as Web site privacy policies and retailers' pricing schemes. Respondents on average failed the test, answering on average fewer than 7 out of 17 questions correctly.

Interviews for the study, conducted between early February and mid-March, yielded some findings that the authors consider alarming. Those findings include:

• Seventy-five percent of respondents wrongly believe that if a Web site has a privacy policy, it won't share their information with third parties.
• Almost half of the respondents, 49%, couldn't identify "phishing" scam e-mail messages, which information thieves dress up to look as though they come from a legitimate company, such as a bank or store, to lure users to enter sensitive information. Requested information might include Social Security numbers, passwords and bank account numbers.
• Sixty-two percent of respondents didn't know that an online store can simultaneously charge different prices for the same item based on information it has on different shoppers, a practice that can make users into victims of what study authors call "price discrimination."

Do you know what the mailbox size limits are in your org? (We have a whopping 200 MB here at Microsoft) Do you know how close your mailbox is to that limit? If you are like most users, you probably don't know this info. That's what the Mytob virus writers are counting on.

Spread the word and beware of e-mails that look like they are from a sysadmin in your org threatening to shut-down your mail. This announcement has the details, including:

"Another variant of the Mytob worm began wiggling its way into in-boxes this week, enticing recipients to open an e-mail attachment that could allow a remote hacker to access and perform commands on an infected machine.

The variant, dubbed "Mytob.bi" by some security researchers, scans the hard drive of an infected machine and sends copies of itself to e-mail addresses it finds in the Windows Address Book, antivirus firm Trend Micro Inc. said yesterday. The worm poses as a message from an IT administrator, warning recipients that their e-mail accounts are about to be suspended, Trend Micro said.

Possible subject headers for the worm include "*IMPORTANT* Please Validate Your Email Account" and "Notice: **Last Warning**."

Information Security Magazine says that despite the hole we started out in, enterprise IT Pros have things much better now that they can resource plan for update tuesdays, and that this makes the IT security world a better place. FYI we don't call them patches anymore, we call 'em updates...

What do you think? Thumbs up for Microsoft on this one? Not so much really? Leave comments

The article is "Patch Tuesday, by Michael Mimoso and Bill Brenner" in the Jun 2005 issue (requires registration)

This article in Computerworld says IT Blogging is one sided, and...

"so far, the blogging conversation is mostly one-sided. As yet, there aren't many IT managers blogging about big-picture technology issues, based on interviews with vendors and Internet searches conducted by Computerworld.

"Clearly, vendors have much stronger pressure on them to have a relationship with the world," said Tim Bray, director of Web technologies at Sun Microsystems Inc. But CIO blogs would get instant attention from vendors, Bray added. "If a few of those guys started doing that, you can darn well bet that we would be reading them. I sure would," he said. "

What do you think? Would you like to see a blog from Microsoft's CIO? Leave comments here and I will see what I can do.

We crave stories. It is one of the oldest ways we know how to learn.

Wanting to learn, that's a different story...

I think this post says it well:

I'll never forget learning to ride a bike. My older brother's bike, with its long yellow banana seat and black tassels dangling from the handlebars, was way too big for me. I wanted to sail effortlessly down the street like he did, so I hopped on and fell off. I tried again knowing I would fall. I didn't worry much about failure and I didn't worry at all about grades. There was no test, no gold star or even a pat on the back at stake. I just wanted to ride that bike. While the pavement cut my knees, the pedals bit my ankles, and the bike bludgeoned my thighs, nothing could stop me. By the end of that first day I could ride and I have never forgotten how to jump on a bike and take off to this day. Why isn't classroom learning like that?