If you tell enough stories, perhaps the moral will show up.


What Goes into the W7 Workstation

First look into the Security Guide in the Windows 7 Security Compliance Management Toolkit. It's an interesting read and there's a lot of potential goodies. The takeaways for me are:

  • UAC looks good, but when you get down to it, there's less than you want. In particular you still need a really non-admin account for browsing and reading mail and it won't save ordinary users from cockups -- so they still can't be admins. Good. (Mark Russinovich says that the real purpose of UAC is to force developers to make their code work as non-admin. Better.)
  • The policy can all be pushed from group policy. The price of this is that W7 machines will need their own OU tree.
  • There are some sexy, seeeexy audit log options. A whole lot more to set.
  • There's an easier replacement for software restriction, but it relies on signed code.
  • Finer-grained control over devices means we might be able to have one less agent in the build.
  • Still not sure about the malware tools. I can't see why I would object to the Malicious Software Removal Tool but the old rule about not mixing AV solutions may apply here. The native tools aren't enterprise capable, so they'll have to go.
  • This may be time for SUS. The solution we have is more capable, but since we only ever push MS hotfixes with it, I might just choose to save the licence fee.
  • They seem to have de-emphasised routine IPSEC since Vista, but I may have missed the crucial bit.

I need a W7 install to play with.


You know you're a security professional if ...

...you ask the designers what the operational meaning of a user group is.


Performance problem? No, it's a security issue...

We block Internet browsing for accounts in admin groups. It's a malware control and I like it. But we hit a strange little problem with this using one particular app. It was fast to start with ordinary console accounts, but privileged accounts were really slow. It took a smart lad -- not me -- with a protocol analyser to spot that the startup sequence involved a certificate authentication, and the host certificate had a CRL access point at an Internet URL. The admin accounts couldn't reach this so they had to go through an agonising timeout. Problem solved!
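One way to catch this before it shows up as a slow start, as an added example that is not part of the original post: pull the CRL distribution points out of a certificate's `openssl x509 -noout -text` dump and flag the ones an Internet-blocked account cannot fetch. The sample dump, the host names and the internal suffix list are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: part of an `openssl x509 -noout -text` dump for a
# hypothetical host certificate (all names are placeholders).
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.vendor-ca.example.com/issuing.crl

                Full Name:
                  URI:ldap://dc01.corp.example.internal/CN=IssuingCA?certificateRevocationList

            Authority Information Access:
                OCSP - URI:http://ocsp.vendor-ca.example.com
"""

# Assumption: DNS suffixes an account with Internet access blocked can still reach.
INTERNAL_SUFFIXES = (".corp.example.internal",)


def crl_urls(cert_text):
    """Return the URIs listed under the CRL Distribution Points extension only."""
    urls, in_crl = [], False
    for line in cert_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("X509v3 CRL Distribution Points"):
            in_crl = True
        elif in_crl and stripped.startswith("URI:"):
            urls.append(stripped[len("URI:"):])
        elif in_crl and stripped and not stripped.startswith("Full Name"):
            in_crl = False  # the next extension header ends the CRL block
    return urls


def blocked_crl_urls(cert_text, internal_suffixes=INTERNAL_SUFFIXES):
    """CRL URLs outside the internal suffixes: each one is a fetch that will
    sit in a timeout for an account that cannot reach the Internet."""
    flagged = []
    for url in crl_urls(cert_text):
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            continue  # hostless ldap:/// URLs resolve against the local directory
        if not host.endswith(tuple(internal_suffixes)):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in blocked_crl_urls(SAMPLE_CERT_TEXT):
        print("unreachable for Internet-blocked accounts:", url)
```
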


An Aid to Promptness

It has been scientifically proven (by letting my music player run down) that an exercise mix track with at least 50% Girls Aloud (and other Xenomania Trilbies) gets you to work ten minutes earlier.

PS. This only works if you walk to work. On the train? I can't help you.


Google Dashboard

So now we have the Google dashboard www.google.com/dashboard -- everything Google knows about you in the one place. Well that would be jolly nice, but it's really everything Google knows about your Google account, which is a slightly different thing.

Because it misses all those unauthenticated search strings which are Google's actual meat and drink. And there are already complaints about this.

But I won't be complaining. Because unless you co-operate with Google cookies, what that would show is everything sought from your IP address, which if it's like any of mine is NATed. Do you want to see what everyone in the firm has sought? Do you want them to see your searches? I think not!


I'll be hedgelaying along the road again this year, so appearance matters a little more. And at the same time I've pretty much run out of all the odd offcuts I've been using to hold it all together. Privet was good -- it grows into hard straight rods -- but it's all gone now.

I've asked all over but asking for "posts for hedgelaying" draws a blank -- you get offered fencing pales at eighteen shillings each. It's overkill and at two per yard it runs into expense.

It doesn't look like I'll ever find the canonical Hazel rods, so I'm falling back on plan B. I rang up one of the woodsmen in the Wealden Advertiser -- Brede Valley Fencing -- and asked him to make me the same pales used for cleft chestnut wire fencing, but five foot long and without the wire. He quoted me five shillings each and I bought four hundred which will keep me going for a while. They filled up the back of the Galaxy and I drove cautiously home, delighted by the smell of the fresh green wood.

Here they are in the shed. It's a weight off my mind. I feel I can set to work without worrying about running out.

Benders? No need -- I've got Willow wands coming out of my ears, and that certainly gets attention on the commuter train.


The non-Build Build

From time to time we issue non-build laptops to people who want to use the SSL VPN but don't have a suitable personal machine. It's not a practice that gives me much pleasure, as the temptation will always be to assume that it's OK to put the firm's data on one of these. And it's not.

So I've been developing a little list: what we should do to a standard manufacturer's XP install so that it can be placed in the permanent, unmanaged care of a regular user. Here's what I have:

  • Truecrypt set up for the system partition. (If there's an I386 on d: or e:, leave that in clear.) Why encryption? 1) because I don't trust them not to put the firm's data on it, and 2) it's an immediate downer for a thief.
  • The MVPS hosts file. It doesn't auto update, but it's a good start.
  • Default Browser: Chrome. It's not IE so it's under attacker's radar, but it does auto update even if you never run as admin.
  • Microsoft AV -- seems to have difficulty with non-admin updates, but better than nothing.
  • The default log in takes you to a non-admin account.
  • Default settings on the Windows firewall, and Windows update.

It's not much -- in particular you can't make Adobe and Java auto update on a non-admin machine, but it is better than nothing.