Geeks With Blogs
ex-blog Information security world May 2004 Entries
CLR Security, Future Developments and Security in Microsoft
Found interesting presentation (from MSR Academic Days in PT) by Ivan Medvedev: CLR Security, Future Developments and Security in Microsoft with information about future developments (PermCalc, managed ACL and CMS wrappers, etc) in Whidbey (sorry VS 2005) and famous Ivan's “security in pictures” ;-) ......

Posted On Monday, May 31, 2004 8:34 AM

Threat Modeling Tool
MS Threat Modeling Tool posted for download: The Threat Modeling Tool allows users to create threat model documents for applications. It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and will export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user.The Threat Modeling Tool was built by Microsoft Security ......

Posted On Tuesday, May 25, 2004 12:38 PM

Visual Studio Team System announced
Announcement #1 out of TechEd for Visual Studio developers: The Visual Studio Team System [rss] (aka Burton). This is the new set of life-cycle tools and will include (depending on edition): PreFast and FxCop help developers detect coding and security related issues earlier in the development cycle thereby reducing the overall cost of fixing code defects. unit tests Performance analysis tools Distributed System Designers that help reduce the complexity of developing and deploying service-oriented ......

Posted On Monday, May 24, 2004 5:57 PM

Security Guidance Kit v1
Security Guidance Kit v1.0, English is available for download (so contents of SGK CD is now available to the rest of the world): The Security Guidance Kit is a collection of how-to information, software tools, and detailed prescriptive guidance within a small "viewer" application. The materials within the Kit are all designed to help you implement security measures in your environment. The topics covered include patch management, anti-virus measures, securing remote access, and blocking unsafe email ......

Posted On Thursday, May 20, 2004 6:52 AM

WS-I Basic Security Profile Working Group Draft published
Via Martin Gudgin: The first public Working Group Draft of the WS-I Basic Security Profile has been published. This document profiles SSL/TLS, OASIS Web Services Security We've been working on this document for a while, it's great to get it into the public eye. Please send us your feedback. [Update] Web Services Enhancements 2.0 for Microsoft® .NET (WSE) is posted for download. [Update 22/06/2004] WSE 2.0 documentation is up in the online MSDN library [via Matt] ......

Posted On Wednesday, May 19, 2004 7:02 AM

Two approaches to check functions parameters
Larry Osterman posted interesting discussion about checking parameters in components - Should I check the parameters to my function?. Currently I'm using school one approach (always check incoming data with IsBadXXXPtr), but: The way you check for bad pointers on Win32 is by calling the IsBadReadPtr and IsBadWritePtr API. Michael Howard calls these APIs “CrashMyApplication&#... and “CorruptMemoryAndCras... respectively. The problem with IsBadReadPtr/IsBadWritePtr is that ......

Posted On Wednesday, May 19, 2004 6:56 AM

Microsoft Identity and Access Management Series
Microsoft Identity and Access Management Series available at TechNet and for download: This collection of technical papers is designed to help organizations understand identity and access management issues and related solutions that can be achieved with Microsoft technologies in heterogeneous IT environments. The Microsoft Identity and Access Management Series replaces the Microsoft Identity and Access Management Solution [via Anil John, via Brian Redmond] ......

Posted On Wednesday, May 19, 2004 6:30 AM

WinHEC 2004 Technical Sessions Slides
WinHEC 2004 Technical Sessions Slides are posted to WHDC site (conference papers are also available). Interesting presentations about ISA Server Architecture and NGSCB Update ......

Posted On Tuesday, May 18, 2004 11:57 AM

WTL released at SourceForge
Wow! All I can say is Wow!: Windows Template Library (WTL) released at SourceForge (with the same as in WiX toolset CPL license). As Nenad Stefanovic posted in WTL maillist: Hello everybody,WTL is now available as an Open Source project on WTLis now part of the Microsoft Shared Code initiative that enables thecommunity to contribute to the project.You can find the project at free to send your questions/comments/suggestions to me. I'm currently ......

Posted On Friday, May 14, 2004 11:37 AM

Security Guidance eLearning Training
Michael Howard mention that Security Clinics courses available free of charge at Microsoft eLearning site. I'm interested in Clinic 2806: Microsoft Security Guidance Training for Developers.

Posted On Friday, May 14, 2004 11:18 AM

Exchange Server 2003 Security Hardening Guide
Exchange Server 2003 Security Hardening Guide released: This guide is designed to provide you with essential information about how to harden your Microsoft® Exchange Server 2003 environment. In addition to practical, hands-on configuration recommendations, this guide includes strategies for combating spam, viruses, and other external threats to your Exchange 2003 messaging system. While most server administrators can benefit from reading this guide, it is designed to produce maximum benefits ......

Posted On Friday, May 7, 2004 6:49 AM

New Microsoft Crypto Newsgroup
Microsoft finally (after closing CryptoAPI list) launched dedicated newsgroup for questions and issues on all crypto related items (such as CAPI, CAPICOM, X509, etc). [via Shawn Farkas]

Posted On Wednesday, May 5, 2004 7:36 AM

WinHEC 2004 Conference Papers
WinHEC 2004 Conference Papers posted at Windows Hardware and Driver Central. I'm currently interested in Testing Tools section: overview of Static Driver Verifier and Driver-specific rules for PREfast. C++ for Kernel Mode Drivers: Pros and Cons also answers questions posted in OSR NTDEV list ......

Posted On Wednesday, May 5, 2004 7:08 AM

'Sasser' does not affect Win2003 and WXP SP2
Michael Howard posted a note about changes in Windows 2003 that disable flaw used by 'Sasser' worm (cleanup tool and doc available) : ... and Windows Server 2003 is not infected. Why? Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server's keyboard. I think it is done the same way as in Chapter 16 of “Writing Secure Code, 2nd Ed”. ......

Posted On Wednesday, May 5, 2004 6:55 AM

Copyright © John Doe | Powered by: