Useful info on the consequences of certain security settings

Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
Handy information from Microsoft covering some of the potential issues of hardening Windows boxes.

Sun Blueprints - Security

Sun BluePrints OnLine - Archives By Subject
A very useful set of links to a large number of white papers from Sun covering security, amongst other areas.

Article looking at some of the defences against phishing

There's an article over at InfoWorld looking at the various measures that companies have been using to try to mitigate the current rising trend in phishing attacks.
My money's on server-based mitigations as opposed to client-based ones (like the anti-phishing toolbars mentioned in the article). There are several good reasons for this.
1. Companies don't and won't control the client environment, so they're in no position to dictate what it looks like. Also, given the current trend in spyware and viruses, there's no way companies can place trust in a client-based solution.
2. There are literally millions of clients out there which would need to be "fixed" to make a solution work, but for each company there is only one location that needs fixing...
Personally my money's on the deployment of two-factor authentication like SecurID. Most banks already use it internally; the main reason it hasn't been deployed for customers is cost... well, if phishing starts placing a significant cost on the banks, then suddenly it starts being much more viable to deploy...
Of course there are some further complications involved, as SecurID can still be vulnerable to a man-in-the-middle attack, but it would still be a great step forward...

Interesting article on .NET code Security

Safety in Windows: Manage Access to Windows Objects with ACLs and the .NET Framework -- MSDN Magazine, November 2004
An interesting article on the code security features in .NET 2.

Security Journal

There've been a couple of sites pointing in the direction of what looks like an interesting security publication, Security Journal.

Canadian reaction to the Patriot act

There's a very interesting post over at Dana Epp's ramblings at the Sanctuary: B.C. Privacy Commissioner says the USA Patriot Act violates privacy laws
I think one very interesting question which this action may stir up is: given the apparent dichotomy between US privacy laws and the EU Data Protection Directive, why hasn't more action been taken by the various European data protection commissioners to ensure that data relating to EU citizens is properly handled when it is in the US? Right now the guidelines (at least what I've seen of them) seem fairly vague and not really in keeping with the level of rigour that the rest of the act's provisions have...

Microsoft Security Guidance Center

Over at the Microsoft Security Guidance Center, there's an interesting-looking list of Microsoft security documents for free download (unfortunately, to get the PDFs you need to register and give some information that seems pretty unrelated to the documents, like your address).

Useful info on Windows Processes

Found a couple of links which give lots of useful information on Windows processes, such as the detail of what each one does. Links here and here.
Of course you should always be cautious about assuming that just because a process has a given name it will do what lists like this say it does, as it isn't too hard to create a binary with any given name; still, useful info all the same.
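As an added example (my own code, not from the original post or the linked lists), here is a PowerShell check that follows that caveat: instead of trusting the process name, it flags running processes whose image has no valid Authenticode signature, or whose well-known system name is running from outside %SystemRoot%. The list of system names is my assumption, and the script assumes Windows PowerShell 5.1 or later with enough privilege to read the image path of the processes you care about (elevate for system processes).

```powershell
# Added example: verify running processes by image signature and location
# rather than by name. Processes whose path cannot be read (e.g. protected
# system processes when not elevated) are skipped, not reported as clean.

function Get-UnverifiedProcess {
    param(
        # Assumed list of names that normally only run from %SystemRoot%.
        [string[]]$SystemNames = @('svchost', 'lsass', 'csrss', 'winlogon',
                                   'services', 'smss', 'wininit', 'explorer')
    )

    $windir = $env:SystemRoot

    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        # Catalog-signed Windows binaries report 'Valid' on PowerShell 5.1+.
        $sig = Get-AuthenticodeSignature -FilePath $_.Path

        $inWindir = $_.Path.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            Name        = $_.Name
            Id          = $_.Id
            Path        = $_.Path
            SigStatus   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # A system-looking name outside %SystemRoot% deserves a closer look.
            OddLocation = ($SystemNames -contains $_.Name) -and (-not $inWindir)
        }
    } | Where-Object { $_.SigStatus -ne 'Valid' -or $_.OddLocation }
}

# Usage: list anything that fails either check, most suspicious first.
Get-UnverifiedProcess |
    Sort-Object OddLocation, SigStatus -Descending |
    Format-Table Name, Id, SigStatus, OddLocation, Path -AutoSize
```

An unsigned entry is not proof of anything malicious (plenty of legitimate third-party tools ship unsigned), but it is the list worth comparing against what the process-name references say you should expect.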

InfoSec questionnaire

Here's an interesting questionnaire published by the World Bank as an assessment methodology for organisational security.
I've not had a chance to go all the way through it in detail, but it looks like it's got some interesting ideas in it. However, one thing that I'm not too keen on so far is the section structure: they seem to have sections at very different levels of detail. For example, there is one section for authentication/access control, quite a large area to cover, and then one specifically for active content control for Internet access, which is a very specific area to cover!

Locking down USB

An interesting blog entry on Locking Down The Obvious: USB
I think it's a point well made. Essentially, companies need to look at USB ports in the same way they look at CD-ROMs and floppy drives. If CDs and floppies are locked down then USB ports should be as well... although it is more challenging technologically, as USB ports have a wider range of functionality than CD drives, which makes it more likely that they will need to be enabled.
It also looks like software products are coming onto the market to manage this kind of functionality where required. For example, Reflex Disknet Pro looks like an interesting way of controlling access to removable media, including USB keys...