TechEd Bloggers Identity, Access, and Security

Private Cloud Security is no Security at All

Sam Johnston — Wed, 03 Feb 2010 17:33:26 GMT

Sam Johnston writes, "...don't take it for granted that private cloud offerings are secure, and in the unlikely event that the systems themselves are secure, don't assume you or your provider can run them in a more secure fashion than a "public" cloud provider could. Incidents like this go a long way towards realising one of my predictions for 2010...in that Private clouds will be discredited by year end..." more

Wed, 03 Feb 2010 17:33:26 GMT

Scenarios Using ADFS with Amazon EC2

Steve Riley — Thu, 14 Jan 2010 19:06:29 GMT

Steve Riley writes, "...release of a whitepaper written by David Chappell that explores these federation scenarios in more detail. David begins [with] your Amazon EC2 resources are placed in an Amazon Virtual Private Cloud (VPC) and joined to your own corporate domain; here, there’s no use of ADFS. Then he illustrates the two scenarios...and shows how it would work with both ADFS 1.1 and ADFS 2.0..." more

Thu, 14 Jan 2010 19:06:29 GMT

Apply Security Update if You are Using Windows Embedded CE 6.0

Don Patterson — Wed, 13 Jan 2010 19:59:39 GMT

Don Patterson writes, "...Rereleased this bulletin to add Windows Embedded CE 6.0 to affected software. The new update for Windows Embedded CE 6.0..." more

Wed, 13 Jan 2010 19:59:39 GMT

Windows Security Risk on Embedded OpenType Font Engine

Microsoft Security Response Center — Tue, 12 Jan 2010 21:18:59 GMT

Microsoft Security Response Center writes, "...Critical bulletin affecting all versions of Windows. The bulletin, MS10-001, addresses one vulnerability in the Embedded OpenType Font Engine and is Critical on Windows 2000. For all other versions of Windows...The following risk and impact slide reflects the aggregate severity and exploitability index rating for this bulletin..." more

Tue, 12 Jan 2010 21:18:59 GMT

Fix for OCS 2007, NTLM and Edge Server Login Problems

Aaron Tiensivu — Tue, 12 Jan 2010 06:47:01 GMT

Aaron Tiensivu writes, "...If NTLM is “broken” inside the domain between domain controllers and OCS servers (front End/edge), the Office Communicator client will act as if the user entered an invalid username or password. The error message on the client computer is very misleading and everyone external will not be able to log in...verall, assuming all your software and operating systems on your network work properly with NTLMv2, I recommend..." more

Tue, 12 Jan 2010 06:47:01 GMT

Security Advisory for Adobe Reader and Acrobat - January 7, 2010

Don Patterson — Fri, 08 Jan 2010 00:36:01 GMT

Don Patterson writes, "...Among other issues, this update will resolve a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier (CVE-2009-4324) on Windows, Macintosh and UNIX. There are reports that this issue is being actively exploited in the wild; the exploit targets" more

Fri, 08 Jan 2010 00:36:01 GMT

Client and Cloud Security whitepaper Download

Georgeo Pulikkathara — Tue, 15 Dec 2009 17:22:49 GMT

Georgeo Pulikkathara writes, "...security guidance from Microsoft Trustworthy Computing on client + Cloud security...talks about client + cloud security in today’s environment,and what you need to consider before taking off for the cloud..." more

Tue, 15 Dec 2009 17:22:49 GMT

ACS Noise Filter: Translating Server Security EventIDs to Windows Server 2008

Marnix Wolf — Mon, 14 Dec 2009 13:26:30 GMT

Marnix Wolf writes, "...what if you are designing an ACS solution for Windows Server 2008 servers? Yes, you can apply the filter as stated in those very same documents. But it won’t work...I ran the same ‘formula’ against the other matching EventIDs and the same number came out! Time for a test. I took a non-matched W2K03 Security EventID..." more

Mon, 14 Dec 2009 13:26:30 GMT

Securing Windows Live When Using ASP.NET MVC

Angus Logan — Wed, 09 Dec 2009 18:05:45 GMT

Angus Logan writes, "I’ve been working with some of our centralized Windows Live security and privacy folks recently. These guys are super skilled...lessons learnt about securing Windows Live when using ASP.NET MVC...." more

Wed, 09 Dec 2009 18:05:45 GMT

4 Microsoft Security Notifications - December 8, 2009

Don Patterson — Tue, 08 Dec 2009 23:27:28 GMT

Don Patterson writes, "...Vulnerability in Internet Explorer Could Allow Remote Code Execution...Credential Relaying Attacks on Integrated Windows Authentication...Extended Protection for Authentication...Security Enhancements for the Indeo Codec..." more

Tue, 08 Dec 2009 23:27:28 GMT

Deep Linking Your Way Out of Home Realm Discovery

Vittorio Bertocci — Fri, 04 Dec 2009 00:51:46 GMT

Vittorio Bertocci writes, "This method is not a solution to home realm discovery, rather it is a “shortcut” that piggybacks on existing home real discovery solutions which must be in place for this to work. Furthermore, this has to be arranged by every partner and relies completely on the fact that the users will access the application through the specially crafter URL as opposed to..." more

Fri, 04 Dec 2009 00:51:46 GMT

MS Security Bulletin Dec 2009 - 3 Critical 3 Important

Don Patterson — Thu, 03 Dec 2009 19:42:55 GMT

Don Patterson writes, "This is an advance notification of security bulletins that Microsoft is intending to release on December 8, 2009. 3 Rated Critial and 3 Rated Important..." more

Thu, 03 Dec 2009 19:42:55 GMT

Better Way to Synchronize a Remote Replica By Using a Proxy Provider

David P — Tue, 01 Dec 2009 01:36:50 GMT

David P writes, "There's a better way! A more efficient method is to use a proxy provider on the local computer. The proxy provider sends metadata and data to a provider that runs on the remote computer, allowing the bulk of synchronization processing to be distributed to..." more

Tue, 01 Dec 2009 01:36:50 GMT

New IE 6/7 Vulnerabilities - Move to IE8 More Secure

Harry Waldron — Wed, 25 Nov 2009 19:36:21 GMT

Harry Waldron writes, "...Please be careful at all websites and move to IE8 if possible as it's more secure. Many AV products have..." more

Wed, 25 Nov 2009 19:36:21 GMT

Updated RIA and WIF Samples

Eugenio Pace — Tue, 24 Nov 2009 21:03:41 GMT

Eugenio Pace writes, "...configured for Windows integrated security...The app has an “auto-provisioning” feature that automatically registers external users into the application. There’s a stored procedure that will try to locate the user name in the database (Users table), and if it is not found, it will simply add a new record:..." more

Tue, 24 Nov 2009 21:03:41 GMT

Security Advisory Released on IE 6 & 7

Microsoft Security Response Center — Tue, 24 Nov 2009 20:34:38 GMT

Microsoft Security Response Center writes, "...We just released Security Advisory 977981 concerning an issue affecting Internet Explorer 6 and Internet Explorer 7 that could lead to remote code execution. At this time, we are not aware of any active attacks seeking to use this vulnerability...I want to point out that Internet Explorer 8..." more

Tue, 24 Nov 2009 20:34:38 GMT

Keyboard Shortuct Tip Accesses Your Admin Rights

Kurt Roggen — Thu, 12 Nov 2009 19:56:24 GMT

Kurt Roggen writes, "...here is an easy way to gain access to your administrative rights (read: admin token) with a keyboard shortcut...This avoids the typical right-click “Run as Administrator” action..." more

Thu, 12 Nov 2009 19:56:24 GMT

Hashing Alone is Not a Life Saver

Prabath Siriwardena — Thu, 12 Nov 2009 19:06:53 GMT

Prabath Siriwardena writes, "...Hashing is a one way - irreversible algorithm which is used to store passwords in databases...The hacker who has access to your database can still replace your hashed password with a hash he caculated with a clear text known to him. Then he can login to your account with the clear text known to him - because..." more

Thu, 12 Nov 2009 19:06:53 GMT

Nov 2009 Security Bulletins Affect Windows - Win Server - Office

Microsoft Security Response Center — Tue, 10 Nov 2009 22:30:03 GMT

Microsoft Security Response Center writes, "...released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word). As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance..." more

Tue, 10 Nov 2009 22:30:03 GMT

Outlook Web Access Social Engineering Malware Scam

Don Patterson — Thu, 15 Oct 2009 18:48:01 GMT

Don Patterson writes, "...discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing..." more

Thu, 15 Oct 2009 18:48:01 GMT