The Industry Insiders : Security

Treat all input as Evil until proved otherwise - how to prevent code injection

Steve Lamb — Mon, 07 Apr 2008 17:56:00 GMT

Adrian J. Beasley has provided us with another excellent article titled A General Defence Against Injection Attacks on Websites written in his inimitable fashion tackling the challenging subject of how to validate user input.

Windows 2008 protection from Accidental deletion

jamesone — Wed, 31 Oct 2007 19:18:00 GMT

Many thanks to Richard Siddaway for his article on protecting AD objects from Accidental Deletion. Well worth a read if you've ever deleted the wrong thing from AD.

Be proactive: Information Security as a Business Enabler

Steve Lamb — Wed, 29 Aug 2007 23:14:00 GMT

Thanks to Paul Vincent for contributing his article Information Security; The Business Enabler. Paul goes on to explain how information security is much more than setting every security control you can lay your hands on.

ID: Who do you think you are?

Steve Lamb — Wed, 22 Aug 2007 11:08:00 GMT

Thanks to Craig Murphy for contributing his article titled Who Do You Think You Are? - it's well worth a read. He talks about identity from the perspective of a variety of vendors and applications.

How to make sense of anti-virus reviews

Steve Lamb — Mon, 20 Aug 2007 11:10:00 GMT

Thanks to David Harley for sharing some of his vast experience of the anti-virus industry in his article titled An Insider's Guide to Comparative Anti-virus Reviews.

David explains in detail how independant labs evaluate software and includes links and guidance for further research.

The wonders of Software Restriction Policies and PowerShell Code Signing

Steve Lamb — Fri, 17 Aug 2007 17:55:00 GMT

Thanks to Adrian J. Beasley for providing yet another excellent article, this one's titled Software Restriction Policies and PowerShell Code Signing - Adrian provides a wealth of practical advice how to make the most of one of the most powerful yet under used security features of Windows XP, Server 2000, Server 2003 and Windows Vista

To secure your documents, or not, that's the question

Steve Lamb — Wed, 15 Aug 2007 20:43:00 GMT

Adam Vero is our newest contributor. I encourage you to read his pragmatic advice for securing information is his post titled Don't Secure Your Documents. His proactive "security as an enabler" perspective makes a refreshing read.

How to extend your Cryptographic Service Provider infrastructure

Steve Lamb — Tue, 03 Apr 2007 17:20:00 GMT

Adrian has written another enlightening article tackling the often confusing subject of Installing New Cryptographic Service Providers with aplomb. His article explains in some detail how CSPs work to integrate devices such as smart cards with the underlying Windows Operating System.

Creating Subject Alternative Name Certificates with Certificate Server

Eileen_Brown — Fri, 23 Mar 2007 17:57:00 GMT

Brian Reid has written an interesting piece about using Powershell to create certificate requests for other web sites that can be uploaded to Certificate Server. This allows you to have a certificate for more than one domain name. Brian uses Exchange 2007 extensions to Powershell to achieve this. It's yet another example of how powerful Powershell is to achieve the things you want to do...

His article is here...

Certificate Server Enterprise Edition and Smart Cards

Steve Lamb — Mon, 11 Dec 2006 12:08:00 GMT

Adrian Beasley wrote a wonderful article on Certificate Server Enterprise Edition and Smartcards - I particularly like it as he explains WHY each component is required rather than just diving into the detail - which he makes an excellent job of too.

I have edited this post as the original one had the article itself here rather than this introduction - this meant that those of you who scroll through the blog expressed frustration that the screen was somewhat cluttered.

Adrian's original post was one of the most popular on the entire site - in my view that's due to the practical way he tackled a complex subject. By all means hit the "comment" button and share your views.

Public Key Infrastructure (PKI) Benefits - Why PKI?

Steve Lamb — Mon, 26 Jun 2006 19:41:00 GMT

Adrian has written a short article enumerating many of the security threats that can be mitigated using asymmetric encryption. Click here to read Adrian's overview of the benefits of PKI

As Adrian goes on to explain, Public Key Infrastructure technologies can be used to attest the identity, integrity and confidentiality of information, systems and individuals.

Encrypting File System (EFS), Secure Messaging (S/MIME) and Internet Protocol Security (IPsec) are three incredibly power technologies that take advantage of asymmetric cryptography.

It's a suprisingly easy read and at only a couple of pages it's well worth a read.

Make Sense of Public Key Infrastructure

Steve Lamb — Mon, 26 Jun 2006 13:17:00 GMT

Adrian has written a wonderful overview of how Public Key Infrastructure words. If you don't know your certificate from your asymmetric widget then this is an excellent place to find out how it all hangs together.

Adrian provided the following introduction:

"These documents were written at the request of colleagues at a recent client; technically savvy guys but unfamiliar with PKI. Hence the rather demotic tone. I have been concerned to clarify aspects which caused me much confusion when I was learning the topic, in particular to keep very distinct the technology - asymmetric cryptography - which makes the whole thing possible, and the administrative process - PKI and all the rest - which controls it."

The Pro's and Con's of System Lockdown

Steve Lamb — Wed, 28 Dec 2005 16:59:00 GMT

Rodney Buike has written a thought provoking article about the challenges of locking down production systems whilst ensuring they still perform their intended business function. I'm sure that many of you who've worked in the field of Information Security have experienced such difficulties. "If I turn this feature off will the system still perform"?

Click here to read Rodney's article for yourself.

For those of you wishing to take the guesswork out of system lock down I suggest taking a look at Security Configuration Wizard (SCW) which is a feature of Windows Server 2003 Service Pack 1 - you can read more about it by clicking here - it's free and very effective.

Free Microsoft Support resources

Eileen_Brown — Wed, 19 Oct 2005 16:24:00 GMT

Blake has compiled an amazing collection of all of the support resources, newsgroups, how to articles, team blogs and tips and published it here... This must have taken an amazing amount of time to review and research and is just about the most comprehensive collection of resources on one page that I've ever seen.

Read, and bookmark this collection of tips here. An absolutely fantastic job. Thank you Blake...

What to do in the case of a security compromise

Steve Lamb — Mon, 15 Aug 2005 17:30:00 GMT

Harlan Carvey has written an interesting article examining misconceptions around incident response - specifically how you deal with a security breach. Like Harlan I've heard many people advocate booting a compromised machine off a LINUX boot disk to perform forensics - there are many drawbacks with this approach as you can read in the article. Getting to the root cause of the compromise is something which is often overlooked in the rush to restore service to the business. Like most things planning HOW you will recover IN ADVANCE is well worth the effort.

You can read Harlan's article by clicking here. Please post comments to share your experience.