Directly connect to your corpnet with IPsec and IPv6

Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no actual rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia, then TechEd US seemed to suddenly appear out of nowhere! So I’ve been kinda swamped. I’ve missed writing here; it’s…

26

Plan now to eliminate "power users" from your domains

I’ve seen some conversations lately about the Power Users group — how powerful is it, really, and why did we remove the group from Windows Vista? That group had rights install software and drivers. And if you can install software and drivers, then you can elevate yourself to Administrator or SYSTEM. Vista includes a signed…

1

Microsoft IPsec diagnostic tool

IPsec is a wonderful technology for identifying computers and securing the exchange of data between them. I’ve written and spoken extensively about in the past. It is, however, a bit of a challenge to configure, especially if you’re newly learning about it. Microsoft recently released a diagnostic tool to help you create and test your…

2

Myth vs. reality: Wireless SSIDs

Do you ever wonder sometimes how it is that some ideas just won’t die? Like the thought that not broadcasting your wireless network’s SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several…

27

Password policies. Once again.

Recently in the newsgroups (news:microsoft.public.security, to be specific) the question of password polices and the out-of-box defaults came up. The poster lamented a number of things: that Microsoft doesn’t enable account lockout by default, that we don’t have a built-in mechanism for automatically disabling unused accounts, that the 42-day default expiration is troublesome. Here’s my…

21

Why administrative passwords will never be like nuclear missile launchers

During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you’ve read about or seen photographs of missile silos where two operators, separated by a distance greater than the span of a single human’s arms, must each simultaneously turn a key in a…

11

Mythbusters beat "unbreakable" fingerprint door lock

My good friend Jamie Sharp sent me this link today. It’s amazing: watch how Adam and Jamie easily defeat a fingerprint lock the manufacturer claims has never been broken. As if to snub the claims, they break it three times! Supposedly it monitors pulse, sweat, temperature, and other attributes. First, Adam obtains an impression of…

13

Security myths and passwords

I like this a lot. http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology…

3

What do YOU need out of two-factor authentication?

Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. At Microsoft, we use smartcards internally for VPN access right now; soon we’ll be requiring smartcards for domain logon, too. We are also looking at ways to require two-factor authentication for web-based services, like Outlook Web Access, published…

41

It's me, and here's my proof: why identity and authentication must remain distinct

My February Security Management column is posted: http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx No matter what kinds of technological or procedural advancements occur, certain principles of computer science will remain — especially those concerning information security. I’ve noticed lately that, among all the competing claims of security vendors that their latest shiny box will solve all your security woes, a…

7