On December 18, 2015, the Internet Engineering Steering Group (IESG) approved HTTP Status Code Error 451 “Unavailable For Legal Reasons”. This code is a more specific version of the existing 403 “Forbidden” code. The new 451 code is intended to be displayed when accessing a web page that is blocked by government or ISP. In...
Read On...

With Windows Server 2008, Microsoft introduced Fine-Grained Password policies which utilizes a new Active Directory object called Password Settings Object (PSO). These objects allow you to more easily create and assign password policies to subsets of users, albeit with a bit of an unpolished implementation method compared to the old method via group policy (GPO). If...
Read On...

Are you tempted to click on a shortened link in your Twitter feed or a discussion forum, but you are unsure of the trustworthiness of the person who posted it? Usually when that happens, I simply move on. I’ve got more important things to do anyway, so I might as well avoid landing on a...
Read On...

A few weeks ago, David K. Sutton posted his thoughts on passwords on this blog, and since I had coincidentally just finished trying to hack a password around that same time, I thought I might add and/or elaborate a little on what he said, and offer some real world context and numbers. WORKPLACE CRACK Someone...
Read On...

To stay on top of security you need to regularly review your server configurations. It’s helpful to build a checklist to be used as part of an internal security audit review. Below is just such a checklist, specifically tailored to audit a SQL 2008 Server running on Windows Server 2008. Most of what’s in this...
Read On...

The Account Lockout Policy in Active Directory is not what it seems. Oh sure, at first glance it appears simple enough. Set a threshold, set a counter, and when that threshold is tripped in the allotted time, account locked out. What could be simpler right? Well, as with most things in IT, what should be simple isn’t....
Read On...

As part of an internal security review, I put together the following best practices guideline to secure SQL servers. This is just an example, and is not meant to be a comprehensive list of SQL server security parameters. DATABASE CREATION AND CHANGES New databases must be requested using a SQL database request form with proper...
Read On...

A guide for LAN Administrators who want to secure their systems without a user revolt. GOLDEN RULE OF PASSWORD CREATION: length + the uniqueness of your brain More on that in a moment. But first, if only we could trust our fellow human beings, there would be no need to secure our sensitive data. No need...
Read On...

Change tracking, resource allocation and security auditing are three very important issues for any IT administrator, particularly DBAs (database administrators). One item that can easily be overlooked is at the point of database creation. Why is the database needed? Who is requesting it? Will the database be used for production or testing/development? What are the...
Read On...