All good things must come to an end

This is an excerpt from a mail I sent out internally today: The sands of time seem finally to have run their course. On September 1 I will not only celebrate the 5-year anniversary of my time here at Microsoft but also my departure from the company. On September 5 I start a new job…


Please don’t disable security features, at least while we are testing them

I couldn’t tell you how many times I have either had the question “how do I turn off User Account Control” or heard the statement “boy, I sure hate all those annoying user account control popups in Vista.” Yeah, security sucks, it gets in the way of doing things, some bad, some good, but that’s…


Death by PowerPoint

I’m at yet another event, and this time I decided to go see a few of the other sessions instead of just trying to find as much free food as possible between my own presentations. This experience brought to mind an old concept: “Death by PowerPoint.” It is almost embarrassing how some people use PowerPoint…


Blocking certain extensions in ISA server

For some reason I decided that today was a good day to figure out how to block certain file extensions from being accessible over the web. This could be very useful, for instance, if you are trying to prevent a particular exploit that utilizes a particular file extension for its payload. To do this go…


Windows Firewall: the best new security feature in Vista?

It is interesting how some of the best security features in Windows receive either no attention, or get criticized for the strangest reasons. Case in point: Windows Firewall is one of the best firewalls out there, and yet much of the talk about it consists of complaints that outbound filtering is disabled by default. I believe there are…
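As an added illustration of the default being discussed (this is not code from the original post), the following PowerShell session uses netsh advfirewall, which has shipped since Vista, to inspect the per-profile firewall policy, back it up, and switch outbound filtering on. The backup path, the rule name and the allowed program path are assumptions; run it elevated.

```powershell
# Added example, not from the original post. Inspects and changes the Windows
# Firewall default outbound action with netsh advfirewall (Vista and later).
# Assumptions: elevated session; the backup path, rule name and program path
# below are placeholders you would adapt.
$backup = Join-Path $env:TEMP 'firewall-before-outbound-block.wfw'

# 1. Back up the current policy so the change can be reverted with
#    netsh advfirewall import "$backup".
netsh advfirewall export "$backup" | Out-Null

# 2. Show the current per-profile policy. On a default installation the
#    "Firewall Policy" line reads BlockInbound,AllowOutbound: inbound is
#    filtered, outbound is not.
netsh advfirewall show allprofiles | Select-String -Pattern 'Profile Settings|Firewall Policy'

# 3. Allow-list the programs you actually need before flipping the default.
#    Once outbound is blocked, anything without an allow rule is silently
#    dropped, so start with the applications users depend on.
netsh advfirewall firewall add rule name="Allow Outbound - Internet Explorer (example)" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" enable=yes | Out-Null

# 4. Block outbound by default on all three profiles (domain, private, public).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

# 5. Verify: each profile should now show BlockInbound,BlockOutbound.
netsh advfirewall show allprofiles | Select-String -Pattern 'Profile Settings|Firewall Policy'
```

The practical caveat is step 3: the value of default-deny outbound filtering is only as good as the allow-list you maintain alongside it, which is the administrative cost that keeps it off by default.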


Conscientious Risk Management and WMF

This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing, and what the community should do to protect against it. For many reasons, Microsoft’s response to the problem is best left to those who do this for a living. However, there is a lot of interest in…


Power Users are Admins who have not made themselves admins yet

It seems kind of odd that in 2006 I would still get these questions, but twice in the past week have I had to explain the truth about Power Users to someone. Typically they are organizations who are trying to limit the rights of their users, who right now run as admins. Unfortunately, they are…


Are You A People Person?

As my family keeps reminding me, I’m not much of a people person. It could just be that I am projecting myself onto others, but I am pretty sure that much of the IT industry is like me, which raises a number of serious security problems. If you are interested in reading about them, I…


Structuring Infosec Organizationally

Last week I visited a customer and was greeted by two people who introduced themselves, respectively, as the “Chief Information Security Officer” and the “Chief IT Security Officer.” Yes, they had two separate functions for this, one to secure information, and one to secure IT. This immediately seemed like something that would be logical for…


Disable that Pesky Built-in Administrator Account!

I’m working on an FAQ for passwords right now. Look for it in the Security Newsletter next month. However, one thing that has come up more than a few times in the recent past is what to do with the built-in Administrator account. I’m not sure that it fits in the framework of passwords…
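As an added example on the topic of this post (it is not the author's code), the PowerShell below locates the built-in Administrator account by its well-known relative ID, RID 500, so that it is still found when it has been renamed, refuses to proceed unless another enabled local member of the Administrators group exists, and then disables it with net user, which is available on every Windows version. It assumes an elevated session and PowerShell 3.0 or later for Get-CimInstance; the function names are this example's own.

```powershell
# Added example, not from the original post. Finds the built-in Administrator
# by RID 500, checks that disabling it cannot lock you out, then disables it.
# Assumptions: elevated session, PowerShell 3.0+ (Get-CimInstance). The
# function names are this example's own.
function Get-BuiltInAdministrator {
    # The built-in Administrator always has the SID S-1-5-21-<machine>-500,
    # whatever it is currently named.
    Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
}

function Get-OtherEnabledLocalAdmins {
    param([string]$BuiltInName)
    # Enumerate the local Administrators group through ADSI (works without the
    # newer LocalAccounts module), then keep enabled local accounts other than
    # the built-in one.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $memberNames = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
        Where-Object {
            $memberNames -contains $_.Name -and -not $_.Disabled -and $_.Name -ne $BuiltInName
        }
}

$admin = Get-BuiltInAdministrator
if (-not $admin) { throw 'No local account with RID 500 was found on this machine.' }
Write-Host ("Built-in Administrator is currently named '{0}' (SID {1}); Disabled={2}" -f $admin.Name, $admin.SID, $admin.Disabled)

$others = @(Get-OtherEnabledLocalAdmins -BuiltInName $admin.Name)
if ($others.Count -eq 0) {
    throw 'Refusing to disable: no other enabled local member of Administrators exists. Create one first.'
}
Write-Host ("Other enabled local admins: {0}" -f ($others.Name -join ', '))

if (-not $admin.Disabled) {
    # net user is present on every Windows version; Disable-LocalUser only
    # exists on Windows 10 / Server 2016 and later.
    net user "$($admin.Name)" /active:no | Out-Null
}

# Re-read the account so the Disabled flag reflects the change.
Get-BuiltInAdministrator | Select-Object Name, SID, Disabled
```

Searching by RID rather than by the name "Administrator" matters: renaming the account is a common hardening step, and a script that looks for the name will happily report that there is nothing to disable.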