Letters: Readers Speak Out

SharePoint Content Types

I am looking for information that will give me a detailed view on using content types in Microsoft® SharePoint®. Where can I find this information?

—E.A.

A good source for this information is the Microsoft SharePoint Products and Technologies Team Blog (available at blogs.msdn.com/sharepoint), and Pav Cherny has written an article on standardizing data management with custom content types that you can find at technet.microsoft.com/magazine/cc194408. There is a white paper on managing enterprise metadata that you may find helpful, available at technet.microsoft.com/library/cc262729.

Another resource you might want to explore is Andrew May's blog at blogs.msdn.com/andrew_may. Andrew is a programmer-writer at Microsoft responsible for writing the developer documentation for the enterprise content management features in Windows® SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. He blogs about content types and is offering posters of technical illustrations that deal with content types and explain the more complicated aspects of enterprise content management in a SharePoint environment.

Taking Security Further

I loved the article "The Great Debate: Security by Obscurity" (June 2008, technet.microsoft.com/magazine/cc510319). However, I was a little disappointed that the whole thing was focused on the changing of the Admin name alone. I mostly land on the side of Roger Grimes and Aaron Margosis regarding the Admin name debate because I do agree it is better than nothing and it has a low degree of creating management headaches. But there are so many meatier challenges—Admin shares was mentioned but not delved into wholly by the group, and that one does have some serious management headaches when it is blocked.

I would also love to see this group debate the pros and cons of attempts to "lower the attack surface." Lowering the attack surface is a slight variant of security by obscurity because most of the stuff people rip out is to shut down anything that broadcasts location or identity. For example, I have many customers ripping out IPv6 in the name of security by obscurity. Service removal is often done just like medieval doctors—close your eyes, reach in, and hope it doesn't kill the patient.

—Shelly B.

We completely agree with you about the limited focus on changing the admin name. Earlier drafts included a number of other examples, but the article would have been 20 pages long if we had not cut it down! So we picked one example to focus on, and the admin account issue seems to be the most often mentioned. Not to worry though—we've already begun brow-beating the authors into writing more on this subject in the near future.

Not Obscure Enough

"The Great Debate: Security by Obscurity" was a good article. Thinking about it, I realized two things. First, I believe that as long as the return on investment (ROI) on obscurity is high enough, then obscurity is a good thing. Second, I realized most IT security has always had an obscurity component.

Take passwords, for example. We have made them more and more obscure over time. In the early days, it was not necessary to have a password on most PCs. Then, as computers became more connected, it was sufficient to have a simple password. As connectivity increased, a password of at least eight characters became important. When that wasn't secure enough, we had to go to mixed characters, then to passphrases, and so on. I suspect we will find that our old obscure protections will continue to become not obscure enough.

—Tom B.

Thanks, Tom, for the very insightful comments. It will be fascinating to see how this trend plays out, especially as security concepts such as multifactor authentication (smart cards plus passwords, for example) become more commonplace.

TechNet Magazine Posters

I would like to get the Microsoft posters that have been included with a few issues of TechNet Magazine for the developers in my company. Can you tell me how to purchase them?

—Helen G.

The three posters available are: Microsoft Exchange Server 2007 Component Architecture, Windows Server® 2008 Active Directory® Feature Components, and Windows Server 2008 Feature Components. You can purchase them by calling 800-444-4881 in the U.S. and Canada, and 785-838-7500 in all other countries.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.