[Funnies] Security Horror Stories

Hey everyone, it is Rodney here filling in for Sean with this week's Friday Funny.  Sean sent a frantic message late last night, something to do with gerbils, a Lada, and a Krispy Kreme donut.  As we are prepping for the MY TechNet tour coming through in the October/November time frame, Damir and I held a review session with a few internal and external people to determine if we are on the right path.  During the conversation we started swapping security horror stories and I thought I'd share some of mine.  I will be protecting the companies involved (as well as my butt) and keeping that information confidential.

  • I went into an organization which had roughly 20 Windows 2000 servers running in their environment.  As I did an evaluation to find out what server offered what services (mistake #1: no documentation) I noticed that they were all running IIS.  Now this isn't strange as it was part of the default Windows 2000 install (mistake #2: unused services should have been removed), but what made it scarier was that Apache web server was also installed on all 20 servers.  20 servers running IIS and Apache with no internal web presence, and no patch management plan for either :)
  • I was on a job working with a company that wanted to restrict user permissions on the desktop.  This was well before Vista shipped, when UAC could have come to the rescue, so we started compiling a list of applications and finding out what needed to be done to make them work with a standard user account on Windows XP SP2.  We nailed them all except for an internal line of business application that kept failing.  After talking to the developers of that particular application we discovered that the authentication mechanism they built into the app required reading a few keys in the Windows Registry.  They had coded the app to request full control of the registry in order to read those keys.  Once that line was changed, and it was literally one line of code, the app ran great as a standard user and was a more secure application for it.
  • A funny story that happened to me directly was in my early days here at Microsoft.  I was on the job for 3 days and in the past I had used a screen saver that would kick in after 5 minutes to lock my desktop.  It was just habit and I set up my new corporate PC the same way.  Lunch time arrived and I headed downstairs, leaving the notebook running and knowing that the screen saver would kick in and lock my desktop.  I returned from lunch to find a nice email sent to me, from my account, saying "I will lock my desktop when I walk away!" in big bold letters.  To this day I don't know who did that, but I have my suspects *cough*Bruce/Damir/Rick*cough*.  The really bad part of this is that I wrote an article on Thelazyadmin.com about how to create an icon to lock your desktop with one click :(
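The registry story above comes down to one access mask. Here is an added PowerShell example (not the post's code, and not the actual line of business application) that opens a key the way the original app did, with FullControl, next to the one-line fix that asks for ReadKey only. The key path and value name are constructed placeholders; the native Win32 equivalent is RegOpenKeyEx with KEY_ALL_ACCESS versus KEY_READ.

```powershell
# Added example, not code from the original post or the application it describes.
# Both the key path and the value name below are constructed placeholders.
$KeyPath   = 'SOFTWARE\Contoso\LobApp'
$ValueName = 'AuthServer'

function Get-AuthSetting {
    param([System.Security.AccessControl.RegistryRights] $Rights)
    # Open the key with exactly the rights requested, read one value, release the handle.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath, $Rights)
    if ($null -eq $key) { throw "Key HKLM:\$KeyPath not found" }
    try     { return $key.GetValue($ValueName) }
    finally { $key.Close() }
}

# The "before": FullControl (KEY_ALL_ACCESS) requested just to read a value.
# A standard user cannot get a handle with these rights under HKLM\SOFTWARE,
# so the open fails and the whole app fails with it.
try {
    Get-AuthSetting -Rights ([System.Security.AccessControl.RegistryRights]::FullControl)
}
catch {
    Write-Warning "FullControl open failed for this user: $($_.Exception.Message)"
}

# The "after": the one-line change. ReadKey (KEY_READ) is all a read needs,
# and Users are granted it on almost every key under HKLM\SOFTWARE by default.
Get-AuthSetting -Rights ([System.Security.AccessControl.RegistryRights]::ReadKey)
```

Run it as a standard user after an administrator has created the placeholder key: the first call warns with an access-denied message, the second returns the value.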

Now I am sure you all have your own stories to tell, so Damir, Rick and I will be recording podcasts throughout the My TechNet tour where you can share your stories and get a laugh (or heart attack) hearing those of others!  If you haven't registered yet, be sure to do so soon before your city's event is full!


October 11 Winnipeg
October 16 St. Johns
October 18 Ottawa
October 23 Quebec City
October 25 Montreal
October 30 Vancouver
November 1 Calgary
November 6 Edmonton
November 8 Regina
November 8 Toronto