I decided to take the plunge and try running Vista on a daily basis. Thus far the following casualties must be reported:

• Matrox P650 PCIe. No drivers, thus no dual head. Sorry Matrox. In more than ten years this is now the first time that my machine has no Matrox graphics card inside.
• PDFCreator. For some reason the setup msi dies during installation, as well as during the subsequent uninstallation. Too bad.
• Daemon Tools. On the first try, it didn't work. Maybe I'll give it another shot.

Given my previous experiences on my two laptops, it really turns out that the graphics drivers (or lack of) are the #1 issue for getting productive with Vista.

Let's see how long it takes until I hit a snag that makes me return to XP. Copying Application Data stuff to Vista was already quite "interesting" because Firefox and Thunderbird store their settings in Roaming and not Local.

But Adobe thinks I am too stupid to choose my baseline OS on my own, and presents me with a rather limited choice:

Also note that IE 7+ doesn't render the page correctly (menu). Time to fix your Web page, Adobe.

When you run an application that needs administrative rights (in this specific case via a manifest file), you are prompted with an UAC dialog to allow this operation:

This is the dialog you get for the "default" user, the one you create during setup that is a member of the Administrators group. Contrast that to the dialog a standard user is presented with:

Now, I am fine with prompting the user to enter administrative credentials. However, I am not fine with providing the user with the name of the administrative user(s) on that machine. In my opinion, this is giving away security-related information without need.

Update Of course you can always use net localgroup Administrators to get a list of the members of the Administrators group (Markus pinged me on that one). This feature has been available for ages, true. However, I am not convinced that the UAC convenience of providing the administrative accounts on a silver platter is really necessary.

This is ridiculous considering that we are fast approaching mid-2006:

Michael Howard plugged his latest book The Security Development Lifecycle in his blog back in April (A New Book: The Security Development Lifecycle). It isn't yet available in stores, but I decided to preorder because I'm really looking forward to this book. Why? Because it describes a security process in development that works - the SDL @ Microsoft.

Be sure to check out IIS.net, the Web site dedicated to IIS7. There you will find forums, whitepapers, webcasts, HOL virtual labs, walkthroughs, FAQs and more.

Mildly surprising content on my blog: Office 2007 Beta 2 (public) is here! From the moment I saw the new UI at PDC05 I was waiting to get my (dirty) paws on this piece of software. Let's see what working with it is like, because the setup experience was already a positive one. 

A /. article pointed me to the blog post Reporting Vulnerabilities is for the Brave. Sounds familiar. Been there, done that. A customer had a Web site, and I told them about a problem. They told their vendor. And the vendor went after me - probably because, like most security-unconscious companies they felt threatened in one way or another.

Therefore I wholeheartedly agree with the instructions outlined, plus: lean back, and enjoy when the bad guys whack that company. Yes, this is controversial, but as long as companies don't "get it" that there are people that want to help them when reporting vulnerabilities, it is definitely better to keep your trap shut.

Aside from the cynical advice in the above paragraph, here is something to consider for your company: establish a policy - and publish it! - that you welcome security reports by security researchers (and Joe Average for that matter). This goes a long way to getting the threats mitigated before they are exploited.

Yesterday after my talk at MS' Big>Days 2006 in Vienna I was asked how to recycle an IIS app pool from within an application / script / code. I knew I had seen it somewhere before, so I promised to post the information in my blog as soon as I had dug it up.

There are actually a few others that have posted that information before, for example on the aspitalia.com blogs - Riciclare un application pool di IIS 6 da codice C#. It does exactly what the post title implies: recycling an application pool with C#. This approach uses ADSI (aka System.DirectoryServices) to do the bidding, and I have the non-ASP.NET bound version here:

using System.DirectoryServices;

...

public void RecycleAppPool(string machine, string appPoolName)
{
string path = "IIS://" + machine + "/W3SVC/AppPools/" + appPoolName;

DirectoryEntry w3svc = new DirectoryEntry(path);
w3svc.Invoke("Recycle", null);
}

So, now the question arises - how do I know the names of the app pools? One way is to enumerate all the existing application pools on a box - the blog post Control the Application Pool shows how to pull it off using WMI.

Finally, I went to the authoritative source, Chris Adams blog. He has a post up titled Recycling Application Pools using WMI in IIS 6.0, so this is along the lines of the previous one. He has samples in VBScript as well as C# online. He also shows a quick way (end of the post) how to find out which app pool is servicing which IIS Web application.

I think this should cover the topic nicely Also looking forward to how easy recycling app pools will be in IIS7.

The TAM tool is now available as release candidate 1. If you don't know it (already), here is the quick scoop from the download page: Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

• Data access control matrix
• Component access control matrix
• Subject-object matrix
• Data Flow
• Call Flow
• Trust Flow
• Attack Surface
• Focused reports

By the way, use this link to search for the video series on threat modeling in the Download Center!