August 2004 - Posts
According to Eric Sink, this morning's warning about NOT installing .NET Framework version 1.1 Service Pack 1 on a Vault machine was a false alarm. I am glad they checked and double checked to make sure. I hadn't installed the new service pack yet, but it does point out the importance of taking time to install new service packs, plus making sure to test and retest first. The great thing is that with blogs and other sources, we get information like this quickly.
I have a couple more events I will be involved in the next two months:
1. Speaking at the Connecticut Microsoft.NET Developer SIG in Hartford, CT on September 21. This group is led by S.B. Chatterjee. I will be speaking on the same topic I did at the Downtown Boston .NET User Group on Code Access Security in .NET.
2. I will be at Cabana Night in Boston on the evening of October 6. Similar to what was done at Tech Ed, there will be seven (7) informal discussion rooms each with a separate topic and experts on hand to help answer those tough questions that developers may have. There is already a great line up of New England .NET experts, and from what I understand from Thom Robbins, this will be a regular event.
Don Kiely was featured on Dot Net Rocks last week talking about one of my favorite topics: Programming with Least Privilege.
Code Camp II is getting a lot of great speakers lined up for the October 17-18 weekend. Several of the speakers are coming from outside of the New England area: Kent Tegels, Don Demsak (DonXML), and Scott Watermasysk.
I just noticed one of my favorite authors Jason Bock will be speaking as well. I have been a reader of his books (among others, he has written CIL Programming: Under the Hood of .NET, .NET Security, and Applied .NET Attributes) and his blog for quite a while. He will be speaking on Creating Dynamic UIs in WinForm Applications.
Looking for some fun reading today?
Brian Johnson has posted a link to the latest Windows XP Security Guide documents and tools from Microsoft:
The Windows XP Security Guide has been updated with new information about Windows XP Service Pack 2. The overview page provides a content roadmap and a link to the complete paper on the download center.
Windows XP Security Guide
The Windows XP Security Guide provides recommendations for deploying Windows XP in three distinct environments. The first and most common of these is an enterprise environment that consists of Windows XP running in a Windows 2000 or Microsoft Windows Server™ 2003 domain. The second consists of Windows XP in a high security environment in which security risk mitigation can be implemented at the highest possible level. Finally, guidance is offered for deploying Windows XP in a stand-alone or unmanaged environment. Information is also provided about the numerous new security options that are available in Windows XP Service Pack 2 (SP2).
And, Don Kiely has also posted a link to NIST's Windows XP Security guide (in draft form at the moment):
The Information Technology Lab of the U.S. National Institute of Standards and Technology has issued a new draft of a very comprehensive document about securing Windows XP, Draft Guidance for Securing Microsoft Windows XP Systems for IT Professionals document and security templates, version R1.0.2, 147 pages of intense information for IT folks. Unlike the link I posted to the instructions from the SANS Institute, don't give this one to your family and friends.
I have started looking at both sets of documents -- great stuff here!
Over the last few months, I have seen my company's web site domain used as the originator of a lot of spam. I know this because I get the spam email bounced back, and checking the header information, I verify that my domain name is part of the email address. I know the spammers are not using my mail server as the relay point, but they are using my domain name as if it is coming from me (or "someone" at my company -- they always come up with clever names as if that person works for me).
Fortunately, there are some initiatives forming to stop this. Valery mentions this in his own post:
So, if inbound e-mail server was simply checking that sending e-mail server's IP address matches the IP address that is published in the DNS record, then at least that kind of scam would be detected! Good news here is that for helping to add such check to inbound e-mail servers for inbound e-mail processing, Microsoft recently released beta version of their royalty-free “Sender ID framework” and is working with IETF for approving it as an Internet standard. Here is the link:
Check it… use it… help to stop these nasty spoofers/scammers/spammers!
I completely agree; the sooner the better!
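The check described in the quoted post, where the receiving server compares the connecting server's IP address with what the claimed domain publishes in DNS, can be sketched as follows. This is an added example, not code from the post or from Microsoft's Sender ID framework; the SPF-style record syntax, the `example.com` domain, the documentation IP ranges, and the `PUBLISHED` dictionary standing in for a DNS TXT lookup are all assumptions.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups (domain and addresses are documentation values).
PUBLISHED = {"example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"}

def check_sender(record, client_ip):
    """Evaluate the connecting IP against one SPF-style record (ip4/ip6/all only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means "pass"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"  # a, mx, include, ... need DNS lookups this sketch omits
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed address or prefix
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no "all" term

def evaluate(claimed_domain, client_ip, dns=PUBLISHED):
    """What an inbound server would decide for a message claiming claimed_domain."""
    return check_sender(dns.get(claimed_domain.lower(), ""), client_ip)

if __name__ == "__main__":
    # Constructed connections: (domain in the sender address, connecting server IP)
    for domain, ip in [("example.com", "192.0.2.10"), ("example.com", "203.0.113.77"),
                       ("unlisted.example", "203.0.113.77")]:
        print(domain, ip, evaluate(domain, ip))
```

A domain that publishes no record yields `none`, so the receiving server has nothing to check the forged sender against; a `fail` verdict is only possible once the domain owner publishes a record.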
My friend Andrew just pointed me to this interesting post on a first CAS sample in Mono. That's great that someone is testing and working with CAS (Code Access Security) in Mono as has been done with .NET.
Like Sam, I was at the Windows Mobile Developer Day at Microsoft, Waltham today. This was a great event put together by Thom Robbins. I have only played around with the Compact Framework with my Pocket PC device, nothing serious, so this was a good introduction to some new topics (remember, I love to learn new things!).
Along with seeing some people I knew (including Thom, Patrick Hynds, and Chris Pels), I also got to meet Duane LaFlotte, Security Department Lead, Senior Developer, and Architect at Critical Sites. He didn't speak on security today, but gave a great talk on Occasionally Connected Application Development. He just started a security blog, but doesn't have anything posted yet (hint hint Duane). I am looking forward to his thoughts and insights in the coming days. Subscribed.
I just watched and enjoyed Channel 9's view of the Indigo team (a video tour through the offices with Don Box). This was a fun video, especially getting to see the COM+/ES group (I got to know some of these guys earlier this year -- they rock!) and the XML/Messaging group responsible for much of what we take for granted in unmanaged and managed code.
As mentioned by Dana:
A new version of MBSA was released yesterday to allow users on XPSP2 to take advantage of the tool.
In case you didn't know, MBSA is the free, best practices vulnerability assessment tool for the Microsoft platform. It is a tool designed for the IT Professional that helps with the assessment phase of an overall security management strategy. MBSA Version 1.2.1 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
You can go grab it here. More information can be found here.
I downloaded and ran this tool this morning and everything checked out on my new Windows XP build (with SP2). After my problems last week, I spent some time offline this past weekend and paved/rebuilt my Windows XP partition on my laptop. I made sure the required virus protection software, and other tools, plus SP2 were on the machine BEFORE connecting to the internet. Tools like MBSA verify that the right service packs and settings are in place as well.