Security

Myths #3: Give without giving

By Alexander Trofimov

One more mystery for me: how give everything without giving everything. This is exactly the question I see very often in various forums and other places. This is the question I hear personally from time to time. It can be in asked in several forms, the most frequent forms are: 1) How can I give a user local admin rights and be sure that they cannot do <put your own stuff here>? 2) How can I restrict my domain admin from accessing the <your very valuable information>? Naturally, at this point I start boiling and all that stuff, but let’s … Continue reading Myths #3: Give without giving

#RuTeched: answering the questions. Does the Dynamic Access Control work over replication?

By Alexander Trofimov

As I said previously my labs were a success, still I wasn’t able to answer some questions and promised to answer them later. the time has come for the first of them. One of the visitors told me that he had had an experience when some of files’ attributes wouldn’t replicate over DFSR and asked me if there is any problem with DAC in the same situation. I could definitely experiment myself (and I will), but any experiment of mine would just give me an answer: “yes” or “no”. Or “may be” for that matter. It wouldn’t explain why. As … Continue reading #RuTeched: answering the questions. Does the Dynamic Access Control work over replication?

Want to learn about cryptography? I know where.

By Alexander Trofimov

 Take notice: My new feed address is now http://feed.feedcat.net/806052. Please re-subscribe. Do you have some spare time and want to know how cryptography works? What is the most secure cipher? And why λ is always more than ε… Well, the latter is not true =) Anyhow, there is a place where you can learn more about cryptography for free. Stanford University provides such a course for free at https://www.coursera.org/#course/crypto. I’m at the second week now, and already tampered one cipher text and know how decrypted another (it’s not that tricky, but very time consuming). So welcome to the world of … Continue reading Want to learn about cryptography? I know where.

Myths #2: PKI edition.

By Alexander Trofimov

Take notice: My new feed address is now http://feed.feedcat.net/806052. Please re-subscribe. BTW, did you know what do certificate template options like “Allow private key to be exported” or “Prompt the user during enrollment and require user input when the private key is used” really do? Do they make you more secure or not? Certainly, some people who read my blog do know the answer, others have already guessed the answer: no. They don’t enforce any behavior on a client: it just communicate the requested by CA features. A good example of it was windows 2003: while you weren’t able export … Continue reading Myths #2: PKI edition.

Trustworthy computing: non-SDL view. Part 2: non-corporate.

By Alexander Trofimov

Do you think my latest post was about corporate products because only corporate products are subject to not being designed to be secure in deployment? No, consumer ones are built the same way. Say, the famous story about Windows Live Mail and Live Mail’s SSL. Till the recent changes you weren’t able to use both of them. Either you expose your communication without using SSL or you couldn’t use convenient client. I was very glad to receive the ability to use them both. To sum up: we have excellent products, which aren’t exploitable in the most of the cases through … Continue reading Trustworthy computing: non-SDL view. Part 2: non-corporate.

Trustworthy computing: non-SDL view

By Alexander Trofimov

Take notice: My new feed address is now http://feed.feedcat.net/806052. Please re-subscribe. Well, finally it is my time to scold Microsoft. I’m not a fun of this type of self-promotion, still I believe that the only way to move forward is to receive, process and answer some constructive criticism. So let’s begin: Several years ago Microsoft announced its widely-known Trustworthy Computing initiative (actually they just celebrated its 10 years). I probably don’t have to remind you the goals and means for the initiative to you, they all can be found without any problems. Anyway, this letter doesn’t pretend to be some … Continue reading Trustworthy computing: non-SDL view

MS SIR #12

By Alexander Trofimov

Okay, better late than never. I finally got to the latest Microsoft Security Intelligence Report. While usually there is not much unexpected this time I was almost shocked with the first section of the document. And I believe it’s excusable, because it is named… How Conflicker CONTINUES to propagate. Conflicker! The three-years-old malware! CONTINUES to be a THREAT! Are we going nuts? =) 60% of people who could have got it (if not for antivirus) have weak admin’s passwords. Also 17 to 42% (XP only) have the vulnerability which is used by the worm. Three years after the patch was … Continue reading MS SIR #12

%SystemRoot%\system32 secrets: cipher

By Alexander Trofimov

Next command in my list is what you never remember about unless user comes in with a cry: “I’ve reset my password and now all my EFS-encrypted files are gone!!!”. Are you familiar with the situation? I am not, fortunately, but I heard some related horror stories. Backup the encryption keys is the key. And updating of keys on the files. And creating of recovery keys. And backing up the encryption keys. All that the utility in the question can do for you. There are plenty of articles about the actions described above. But when I tried to look at … Continue reading %SystemRoot%\system32 secrets: cipher

Delegate permissions for creating GPO objects in other domain

By Alexander Trofimov

The task is obviously necessary to complete on your way to implementing Role-Based Administration concept. And, to be honest, being in euphoria after quick acquaintance with AGPM I thought that it was no deal at all: give an account or a group a membership in some special groups including “Group Policy Creator Owners” and voila – you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. And moreover, you are unable to change the fact: everything is dimmed. At least I don’t know a way … Continue reading Delegate permissions for creating GPO objects in other domain

Wildcard certificates drawbacks

By Alexander Trofimov

That’s one of the referrers from search systems which leads users to my blog. Ok, there certainly are drawbacks, so why not? But first things first: what are those wildcard certificates? In order to protect communications with some web-services or web sites (not only them, actually) we use SSL certificates. I have to say, that it doesn’t, actually, mean that every site with https prefix and valid certificate is valid itself or communications with it are protected, but that’s not for today’s discussion. Anyway, SSL certificates are somewhat brilliant and somewhat ugly, but they are our reality for now and … Continue reading Wildcard certificates drawbacks