Hello, I'm   Jason

Last night at our .NET Valley event, we discussed security. The conversation started with an open ended question by Microsoft TechNet Presenter, Mike Murphy, asking “How do you know if you’ve been hacked?” Many of the IT Professionals gave their answer and then one of the developers there gave the answer “Besides event logs, I’m not sure.” This was a great answer. Reason is, most developers aren’t sure how to detect hackers. I won’t go into things you can look for here, but rather point out that developers know what to do to prevent hacking. The problem that we all agreed on last night is that everyone needs to be on the same page. Meaning, developers have to chat with dba’s, network admins have to discuss upgrades with developers, etc. Probably the biggest gap is that non-IT employees have to understand why IT spends money on security and the implications it can have on the business. Since 9/11, many companies have implemented disaster recovery plans which is great. However, many of these plans don’t include disasters such as the backup jobs becoming corrupt (see DotNetValley.com for more info on this one) or data being leaked (Veteran Affair incident last week). Even more common than these two incidents are things such as using impersonation to impersonate the account Administrator, requiring applications have Full Trust in .NET, leaving the sa username enabled on a SQL box with a blank password, and using weak password on “face” applications (ie: websites, web services, etc). As developers, we need to ensure that our methodology or development process includes full testing for security because in many of these cases, an intrusion detection system (IDS) cannot recognize these issues. <ramble end="true" />

I’m not sure who came up with this idea but apparently Microsoft is working with a few other companies such as Lenovo and Intel to create a Pay as You Go service for PCs. This new service is called FlexGo. There are a few ways that FlexGo would work. What do you think about this type of service?

Little did I realize yesterday that when I posted the blog entry about the Microsoft Word exploit that this exploit does in fact affect other applications. In our organization one of our departments utilizes an application that uses Word for reporting capabilities. Since it merges data from a Pervasive SQL database, the easiest way for them to setup the reporting capabilities was by creating a macro library. However, the library needs access to things such as a network share, folder structures, and file permissions. So, these users needed Word’s macro security set to low. If we force all users to use MS Word in safe mode, these macros will not run. I wonder what other apps are affected? I didn’t try running safe mode yet with Microsoft Small Business Accounting, but I wonder if the Word reporting works in safe mode with SBA? SBA uses smart documents.

One of the items on my list of things to do was to create a vsi file for easy installation of a custom snippet library we had created. Since I never had to create a VSI file before and I remember that some ASPInsiders questioned the VSI file back around Beta 1 because there were some issues, I really wasn’t sure how easy it would be to create one. Then I found a great tutorial on MSDN called How to: Package Community Components to Use the Visual Studio Content Installer. It’s definitely a great resource to build VSI’s.

Microsoft Word was found to have a vulnerability by allowing remote execution of code. Although a patch is on the horizon, Microsoft is recommending that you run Microsoft Word in safe mode and disable Outlook from using Microsoft Word as the email editor. For more information, click on the link above.

Can you believe it? Another name change at Microsoft. Office 2007, which will most likely be called Office 2007 among IT professionals no matter what, has been changed to “The 2007 Microsoft Office System.” The full reasoning, which actually makes sense (especially points number 2 and 3), can be found here.

I must have missed seeing this somewhere but Wikipedia has a complete listing of the Microsoft Codenames (to the best of my knowledge anyway) with their meaning. You can read about them at http://en.wikipedia.org/wiki/Microsoft_codenames.

Microsoft has recently added a new section on their website that contains all of their RSS feeds. You can check it out here: http://www.microsoft.com/rss/default.aspx

I wish I could go to this year’s TechEd 2006 in Boston, but I’ll be on vacation. Besides a pre-TechEd User Group Leaders Summit, this year’s TechEd will also host the New England Mega User Group Meeting. This meeting will feature What’s Hot and What’s …

Today Microsoft launched a new IIS website dedicated to bringing IIS resources together in one central repository. The website can be found by visiting http://www.iis.net. Some of the highlights of the site include IIS 7 information and starter kits.