[Funnies] Security Horror Stories

Hey everyone, it is Rodney here filling in for Sean with this weeks Friday Funny.  Sean sent a frantic message late last night, something to do with gerbils, a Lada, and a Krispy Kreme donut.  As we are prepping for the MY TechNet tour coming through in the October/November time frame, Damir and I held a review session with a few internal and external people to determine if we are on the right path.  During the conversation we started swapping security horror stories and I thought I'd share some of mine.  I will be protecting the companies involved (as well as my butt) and keeping that information confidential.

  • I went into an organization which had roughly 20 Windows 2000 servers running in their environment.  As I did an evaluation to find out what server offered what services (mistake #1 no documentation) I noticed that they all were running IIS.  Now this isn't strange as it was part of the default Windows 2000 install (mistake #2 is to remove unused services) but what made it scarier was that Apache web server was also installed on all 20 servers.  20 servers running IIS and Apache with no internal web presence, and no patch management plan for either 🙂

  • I was on a job working with a company that wanted to restrict user permissions on the desktop.  This was well before Vista ever shipped where UAC could have come to the rescue, so we started compiling a list of applications and finding out what needed to be done to work with a standard user account on Windows XP SP2.  We nailed them all except for an internal line of business application that kept failing.  After talking to the developers of that particular application we discovered that the authentication mechanism they built into the app required to read a few keys within the Windows Registry.  They had coded the app to request full control of the registry in order to read those keys.  Once that line of code was changed, and it was literally one line of code, it ran great as a standard user, and was a more secure application to run.

  • A funny story that happened to me directly was in my early days here at Microsoft.  I was on the job for 3 days and in the past I used a screen saver that would kick in after 5 minutes to lock my desktop.  It was just habit and I set up my new corporate PC the same.  Lunch time arrived and I headed downstairs leaving the notebook running knowing that the screen saver will kick in and lock my desktop.  I returned from lunch to have a nice email sent to me, from my account, saying "I will lock my desktop when I walk away!" in big large bold letters.  To this day I don't know who did that, but I have my suspects *cough*Bruce/Damir/Rick*cough*  The really bad part of this is that I wrote an article on Thelazyadmin.com about how to create an icon to lock your desktop with one click 🙁

Now I am sure you all have your own stories to tell so Damir, Rick and I will be recording podcasts throughout the My TechNet tour where you can share your stories and get a laugh (or heart attack) hearing those of others!  If you haven't registered yet, be sure to do so soon before your cities event is full!


October 11 Winnipeg
October 16 St. Johns
October 18 Ottawa
October 23 Quebec City
October 25 Montreal
October 30 Vancouver
November 1 Calgary
November 6 Edmonton
November 8 Regina
November 8 Toronto

Comments (5)

  1. ye110wbeard says:


    You Rascal… 😉

    Could be worse.    So what you’re telling us is…

    Rick has an evil sense of humor…

    Damir has an evil sense of humor…

    Don’t turn your back and leave your laptop floating about when they’re nearby…

    BTW, the Gerbils stopped eating all the Krispy Kreme donuts and the Lada was replaced by a Geo.   It runs off Gerbil Power.  Much cleaner than bullfrog power… Less ribbits per kilometer…

  2. ye110wbeard says:

    Ok ok… I can do this.

    How would like a weekend to redo the server.   Old client but setup was done by a previous company.

    No passwords given and we REALLY (I don’t remember the why) needed to keep the passwords intact.

    Got poor old l0pht out on the NT 4 database.   Blam!  Blam!  Blam!

    no matter, what we did, Couldn’t get any passwords.

    UNTIL….We all looked at each other.

    "Perhaps it’s because there are no passwords…"

    Sure enough…. "ENTER"

    I think even the Adminstrator account.


  3. adamca says:

    Many years ago, I worked with a large corporation for months planning their NT4 deployment.  We spent 6 months in a lab documenting every setting on every server.  The customer felt they had things in hand and that they wouldn’t need us consultants around the weekend they put the new infrastructure in place.

    Monday morning when we came in, they were in a panic.  A few users had been able to authenticate, but then the rest would fail until they rebooted the servers, at which point a few more could login, but then authentications would start failing again.

    Turns out they’d used MSDN versions of NT to install the production servers, which, back in the old days, were hardcoded to allow only 10 concurrent connections.


  4. ye110wbeard says:

    Come on everybody! Share!  

    The computer world can’t be so perfect that NOBODY has something goofy or incredibly absurd (Or even just downright shocking) to say.

    There HAS to be more MORE security horror stories than this… Come on all, chip in, join in.   Don’t be afraid to speak up or speak out!

    What about stories about evil consultants you have encountered or their results?

    Come on!   The hits to this site are HUGE.  SOMEBODY has got to offer something (Even itty bitty)

    I’ll give another.  How about a PC that turned out it wouldn’t boot because "Fluffy" a rather large dog bit the mouse cord in half.  Unplugged the mouse and the computer started.

    That’s SORT of security related.   Tie your wires away from large hungry animals…


  5. ye110wbeard says:

    HA!  I like THAT one!   I also know a trick to get about it but I won’t say…. Shhh it’s a secret.

Skip to main content