http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspxIn a word: Keyloggers . The Client Menace. A particularly sharp chap at Tech.Ed asked me what I worried about when publishing OWA. More general than OWA, here's what I worry about in general web publishing terms: I'm an ISA guy (I know, ISA-related postsen-AUCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspx#410424Thu, 08 Sep 2005 00:33:28 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:410424Andrew DugdellMy first thought is ammend your security policy (if one exists) to have users change their password after public confences/road trips. If you need some incentive to convince them, the defcon wall of shame (www.techfreakz.org/defcon10/?slide=38) does wonders. And I totally agree with &quot;user re-education/awareness&quot;, training users to change their password at *trusted* locations. But these are just my personal thoughts. I'm keen to see what others think as well. <br> <br>PS: do you trust this keyboard: <a rel="nofollow" target="_new" href="http://dennisjudd.com/albums/funpics/tastatur.sized.jpg">http://dennisjudd.com/albums/funpics/tastatur.sized.jpg</a>http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspx#410425Thu, 08 Sep 2005 00:47:27 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:410425Dugie's musings on GlasshousesI had the unthinkable yesterday, I couldn't find my phone!&amp;amp;nbsp; This was slightly complicated by the...http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspx#410432Thu, 08 Sep 2005 05:05:57 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:410432tristankThat keyboard is about right for the mental image of keyboard dirtiness I'm trying to conjure up!http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspx#410577Sun, 11 Sep 2005 21:38:41 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:410577DoofusdanVery much on point. <br> <br>Re the certificate solution you mention - yes, maybe that means the machine was ONCE trusted. But given the current state of Windows in particular, if a machine is not patched, does not have current AV software running, does not have current antispyware protection running, and does not have a good software firewall protecting it, I am not sure I can trust it NOW. <br> <br>At the same time, I don't want to lock out access from clients that are not necessarily my company's to control. For maximum usefulness, people should be able to securely access web services from the widest range of machines, from potentially trustable ones (employees' personal computers for example) to completely untrustworthy ones - for example, those at a net cafe which pays no attention to security, because it doesn't seem to enhance the bottom line. In the middle of the spectrum are public internet access terminals at places which should be reasonably secured - like at a conference or university - but unfortunately it is so much work to keep clients secure that many such well-intentioned places do not necessarily cover all the bases. <br> <br>That's my problem. How do I address it?http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspx#410600Mon, 12 Sep 2005 14:16:14 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:410600Blog du TristankA keylogging comment dissected. And hopefully addressed. But mainly dissected.http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspx#410601Mon, 12 Sep 2005 14:17:12 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:410601tristankHi Dan - the response ballooned, so I posted a new entry for it here: <br><a rel="nofollow" target="_new" href="http://blogs.technet.com/tristank/archive/2005/09/12/keyloggingfollowup.aspx">http://blogs.technet.com/tristank/archive/2005/09/12/keyloggingfollowup.aspx</a> <br> <br>Hope there's something useful in the mess that helps clarify it all.http://blogs.technet.com/tristank/archive/2005/09/07/owapublishing.aspx#433582Wed, 07 Jun 2006 13:12:12 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:433582Blog du TristankIf elected I solemnly promise no further technical content until FY07.