If I understand it correctly, it works similar to materials NASA uses on the space shuttle. By increasing the surface area of the heat sink, you get a better cooling effect. I believe NASA uses a foam made of 95% air or so for the tiles that are on the outside of the space shuttle. These in turn seem to allow heat in but can remain cool to the touch at very high temperatures internally. Somewhere I saw a video of someone holding a block made of this NASA material. In this case, having a "foam" made out of copper allows it to cool very quickly. I bet it would still work better to have some sort of fan blowing and constantly moving air across the foam.

Disclaimer: I do not claim to be an expert in the physics or technology behind this, but it seems logical to me.

It depends on whether you are running tagged or untagged VLANs. You are correct for trunk ports that carry tagged VLANs, but the catch there is that you have to have a tap or sit on a trunk port that can see the same tags. Both of these cases require physical access to monitor or make changes (or remoting into a switch). If physical access is a problem, you have bigger issues on hand. VLANs are not end all security, but to completely push them aside is ludicrous. Properly done, VLANs are a great augmentation to security, but I would not rely on them as the only means.

I mainly use VLANs with layer 3 routing so I can have firewall rules at the switch level between the VLANs which I put on separate IP networks. I avoid using the same network across multiple VLANs.

I generally haven't as well, but depending on your environment, automatically generated certificate requests may attempt to contain an internal domain. Hence why the default setup would no longer work once this rule takes effect. For instance, an environment that uses a domain.local that you cannot change because you have Exchange (Thanks Microsoft!). It is completely possible to have an internal interface and external and split the roles and certificates (this is what I do). Our internal interface has an internal CA cert and the external a public cert. The problem comes where all the service packs and cumulative updates I have applied required me to remove one of the virtual directories for things like OWA and ECP or the update would fail. The funny part is, they allow PowerShell to create those multiple directories, but the PowerShell scripts they put in the update expect only one directory. Fortunately its easy to export the config of one of the directories and recreate it later.

I have seen this so called "requirement" on occasion and think the company that requires it needs to go though a security audit of their own. I also think that anyone that requires Domain Admin/Root access for their software to run doesn't know a thing about security (I get this commonly too). The problem you may face will be through regulatory compliance for various things (as some here mentioned PCI already) There are other regulations you should probably try to discover if you are required to comply with especially if you will be hosting PII (Personally Identifiable Information). Not just talking HIPAA, but some e-commerce sites require a little more security for their data.

That being said, as long as there is a firewall to the internet and your server does not have critical internal only ports open, in most cases you would at least pass basic security requirements, albeit not optimally. Make sure you run a test using something like NMap! As for alternative ideas, you could set rules in the local firewall to allow unrestricted traffic between the servers involved while limiting access from all others to the default rules. You could also set up IPsec tunnels between machines to encrypt that traffic. I would at least make sure you have a path to separate as many features that require higher security as possible. For instance, PCI will require more strict rules and if that is a problem for this vendor, budget a separate server for transaction processing.

Some of those options may help find some middle ground between your requirements and theirs (after all, you are not limiting traffic of interest to them). I would push to have a Business Associates agreement signed by them saying that by not following your configuration requirements, they will hold some or all of the responsibility for a breach involving their solution. It would still hurt you in the case of a breach, but at least it puts them on edge to make sure they do everything they can to secure their solution since they now have a financial consequence for a breach.

Last but not least, make sure you put the POS system in it's own VLAN separate from all other systems. Lock down that network to only POS traffic and put no other device unrelated to the POS system on that network. This is part of the reason for recent breaches from some of the major retailers.

This may cause big problems for many of the existing systems out there. How do they determine internal names? Does it require a .com? Will it take into account any new top level domains that opened up? What about certificates for various systems that do not require domain names for communication (I.E. ADFS Signing/Encryption Certificates).

I think it should be required to not mix internal and external names in certificates, but to ban them completely is going to break many things. I know by default Exchange 2010/2013 and Lync Server require internal names in the certificate. You can split the bound IPs and use 2 different certificates, but it makes things more difficult to configure and manage. No to mention that Exchange patches really hate multiple virtual directory entries...

And it must be UTF-32 not UTF-7 or UTF-8

Antivirus applications would never be an end all solution in any case. There might be a chance they can catch it, but you have to be up to date on the definitions for most to be able to catch it. Some newer systems may be able to do heuristics and catch potential cases that look malicious, but can have false-positives and false-negatives. Even cases where you have the best of everything and are up to date may not completely eliminate risk. This is where Zero-Day exploits (or unpublished exploits) can find their way in and disable or bypass many of these countermeasures.

Firewalls would not be helpful for anything other than blocking known ports to command and control servers. In this case, using Tor would be an advantage for the ransomware as it would block any legitimate use you may have for Tor browsing (not that I would allow it for business use in most cases). You are most likely thinking of something like an IDS/IPS system that can sit on the network and sniff out malicious traffic. Some allow for Deep Packet Inspection with SSL decryption. Even that may not cover all cases. If they use custom protocols or a different method for encrypting traffic, it would most likely render such setup useless after an infection. It may help in the initial detection however.

In the end you can never be 100% covered for anything. I always live by the notion that it is not a matter of IF but WHEN something is going to happen. The best solutions are the simplest. Make sure you have recoverable backups (don't just set them and forget). It also helps to reduce your footprint and exposure as much as possible.

Just have to put this out there, but now that the government has taken control, how much do you want to bet the NSA will use this opportunity to spy? Even if they do not use Zeus long term, they could use it to install their own software on millions of PCs that are already infected.

I may need to look into this for home use again. The USB key was the reason I stopped using it at home since it was nearly impossible to find a consumer level device without a TPM and I got tired of the USB requirement for 7. Of course it has been a few years since I bought a laptop.

I have used both TrueCrypt and BitLocker and like them both, but to be completely honest, BitLocker is the better option for a business with several computers because of the recoverability. I hated having to know our employee's TrueCrypt passwords so I could work on their systems.

Also, I may be one of the few who actually likes Windows 8-8.1.1 (*gasp*) so this would not be an issue for me.

Correct. But there is a downside. In order to use BitLocker without one, you will require using a USB drive for unlocking the system. A big security risk with using that method in a company environment would be how many simply leave the key in the computer. That would be like leaving the key to your house in the keyhole on the outside of your house. If you have to go that route, you can also add a password with the USB drive to unlock.

Source: Experience

If I were a musician with a large following such as say Metallica (just an example). I would just look to google and say goodbye. Why should I be forced to something in another service just because I use YouTube for the music videos? Especially when anyone can currently upload to YouTube for free. I would then pull all my videos and music from the play store, YouTube, etc... and then start a campaign against this sort of thing with my cult fan-base. Considering some of the stores then revoke the music from those with subscriptions to Google Play and/or do not allow re-download if you forget to back up your local DRM (Had this happen with a couple of services) even though you paid for the service, who would be the one to suffer long term? I bet at that point, you would see a bunch of people leaving or using a service less and less.

Just my opinion anyway. Take it for what it is worth.

Think about what their thought process might mean for some Android devices:

Before we establish your call, you must watch a 30 second Ad. Only after the first 10 seconds will you be able to skip. You can skip every 20 Ads.

Just look what happened to YouTube.

If they started playing audio for the ads, I would be pissed. That would be worse in my opinion that the stupid drive by audio bombing advertisements that seem to pop up randomly on sites. At least chrome tells you which tab it is. This is also why I turn flash off unless I know an activity I am doing requires it. Which in most cases is very little.

For the most part that was restricted or disabled since the XP days (after one of the updates. Cannot remember which). You reminded me of the old school spam I used to get...

And the previous comment that this was in reply to is now gone....