Resolving Windows Insecurities

[InfoSec News <isn () c4i org>]

http://www.pcworld.com/news/article/0,aid,63323,00.asp

Microsoft program manager discusses company's efforts to make Windows
more secure.

Robert L. Mitchell, Computerworld
Monday, September 24, 2001

Steve Lipner is the lead program manager of Windows security at
Microsoft. He's responsible for Microsoft's Security Response Center,
and he's chief of the company's Secure Windows Initiative. Under his
watch, Microsoft has begun a security review of its entire code base.
Lipner spoke with Computerworld's Robert L. Mitchell about the Code
Red worm, the state of the Windows code base, and Microsoft's efforts
to improve the security of its products.


Computerworld: What role does the Secure Windows Initiative play at
Microsoft?

Lipner: The Secure Windows Initiative is an effort to improve the
security of all Microsoft products. It encompasses everything
Microsoft ships. We attempt to improve security by improving
processes, by providing training, by applying advanced tools, and by
improving the quality of our security testing.
  
Considering Code Red and the publicized vulnerability statistics of
other viruses, Microsoft Web servers would seem to be more vulnerable
to attack than other products. In terms of perception, I think a lot
of that is because we have a lot of systems out there and because when
there's a vulnerability, we shout it from the rooftops. We knew that
[Code Red] was a serious vulnerability from the day it was reported to
us. When we had the patch ready for that, we went out not only to our
customers, but also to the press to say this is a serious
vulnerability.

I think another factor is that because [Internet Information Server]
and Windows are so easy to use and because it's so easy to set up a
Web server on IIS, people may, in some cases, do that without
realizing that they have to worry about security, without realizing
that there are security steps or security configurations that they
have to apply.


CW: IIS doesn't install securely out of the box. For a Web-facing
product, why not default to a more secure install?

Lipner: With products that install with defaults, you're always making
a trade-off in terms of what features are available and how they're
configured.

That said, Internet Information Server 6 will walk you through a
dialog that will ask what services you want. We expect that dialog
will have the effect of getting the configuration right and secure for
most users.

We also make available on the Web the IIS Lockdown [security
configuration] tool and check lists for securing Web servers.


CW: Microsoft released a Code Red patch on June 18, yet a month later,
the worm infected more than 250,000 systems. How could that happen?
The patch for Code Red was very likely the most heavily downloaded in
our history. Why didn't more people install it?

Lipner: I think that it may be that people still don't subscribe to
the Security Notification Service. They still don't go to [the]
Windows Update [Web page], and we want to get the word out that those
services are there.


CW: Microsoft uses an internal program called Prefix to find
vulnerabilities in its code base. What have the results been so far?

Lipner: [Prefix] runs a scan of an entire product's source-code base
to detect patterns of potential programming errors that experience
tells us are likely to be security-related and flags them for human
review and correction.

Prefix takes a day or two to run across the entire Windows code base.
It's run every couple of weeks throughout the [Windows .Net Server]
development cycle. It started to be run after Windows 2000 shipped.
.Net Server will be the first product that's had a development cycle
of benefit from Prefix.


CW: How successful have you been at rooting out those infamous
buffer-overflow vulnerabilities?

Lipner: We've found and eliminated a lot. That said, it's important to
stress that there are an infinite number of ways to run a program. And
similarly, there are a vast number of ways that one can write a buffer
overflow. [Prefix] is not a closed-form solution.


CW: Last year, Microsoft released 100 security bulletins. What are you
doing to make sorting through the bulletins easier?

Lipner: We're rolling out a severity rating system that will help
customers understand how serious issues are. We're moving with Windows
XP and .Net Server to much more reliance on Windows Update and the
updating technology that will allow customers to install these patches
and get automated notification with less effort.

HFNetChk is a command-line tool that lets an administrator look at a
system to see what patches are installed and to prepare that
configuration with the set of patches we've released for that system.
It's a real-time tool in that it looks at an XML file we maintain on
our Web site. We also released Microsoft Personal Security Advisor,
which is targeted to the individual user with NT 4 or Windows 2000.


CW: Ultimately, many administrators would like to see fewer security
alerts and patches. When do you see that happening?

Lipner: I think that we're running at a slower rate in 2001 than we
were in 2000, just in terms of bulletins by month, so that's a
positive thing. It's our goal to continue to have the number of
bulletins decline, but it's not something that we can say with
certainty, "This is going to happen."


CW: What other security improvements will we see in future versions of
Windows?

Lipner: From a feature perspective, one of the key things will be
better integration and ease of use around Smart Cards, both in the
client and server product.


CW: What are the most important things administrators should do today
to ensure the security of Windows servers?

Lipner: We encourage them to run the HSNetChk tool or Windows Update
and install the patches it advises you to install. We also have the
Security Notification Service.

In terms of important patches or hot fixes, we encourage customers to
be on the latest service pack: SP 2 for Windows 2000, SP 6a for NT 4.

IIS patches are now being released as roll-ups, or cumulatives, so if
you apply a single IIS patch, it corrects all vulnerabilities going
back in history. We encourage users to apply that in [bulletin]
MS01-026 and then additionally the Code Red Patch, which is MS01-033.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.