[ISN] Resolving Windows Insecurities

From: InfoSec News (isnat_private)
Date: Tue Sep 25 2001 - 01:06:32 PDT

  • Next message: InfoSec News: "[ISN] Snooping Isn't E-Mail Delay Cause"

    Microsoft program manager discusses company's efforts to make Windows
    more secure.
    Robert L. Mitchell, Computerworld
    Monday, September 24, 2001
    Steve Lipner is the lead program manager of Windows security at
    Microsoft. He's responsible for Microsoft's Security Response Center,
    and he's chief of the company's Secure Windows Initiative. Under his
    watch, Microsoft has begun a security review of its entire code base.
    Lipner spoke with Computerworld's Robert L. Mitchell about the Code
    Red worm, the state of the Windows code base, and Microsoft's efforts
    to improve the security of its products.
    Computerworld: What role does the Secure Windows Initiative play at
    Lipner: The Secure Windows Initiative is an effort to improve the
    security of all Microsoft products. It encompasses everything
    Microsoft ships. We attempt to improve security by improving
    processes, by providing training, by applying advanced tools, and by
    improving the quality of our security testing.
    Considering Code Red and the publicized vulnerability statistics of
    other viruses, Microsoft Web servers would seem to be more vulnerable
    to attack than other products. In terms of perception, I think a lot
    of that is because we have a lot of systems out there and because when
    there's a vulnerability, we shout it from the rooftops. We knew that
    [Code Red] was a serious vulnerability from the day it was reported to
    us. When we had the patch ready for that, we went out not only to our
    customers, but also to the press to say this is a serious
    I think another factor is that because [Internet Information Server]
    and Windows are so easy to use and because it's so easy to set up a
    Web server on IIS, people may, in some cases, do that without
    realizing that they have to worry about security, without realizing
    that there are security steps or security configurations that they
    have to apply.
    CW: IIS doesn't install securely out of the box. For a Web-facing
    product, why not default to a more secure install?
    Lipner: With products that install with defaults, you're always making
    a trade-off in terms of what features are available and how they're
    That said, Internet Information Server 6 will walk you through a
    dialog that will ask what services you want. We expect that dialog
    will have the effect of getting the configuration right and secure for
    most users.
    We also make available on the Web the IIS Lockdown [security
    configuration] tool and check lists for securing Web servers.
    CW: Microsoft released a Code Red patch on June 18, yet a month later,
    the worm infected more than 250,000 systems. How could that happen?
    The patch for Code Red was very likely the most heavily downloaded in
    our history. Why didn't more people install it?
    Lipner: I think that it may be that people still don't subscribe to
    the Security Notification Service. They still don't go to [the]
    Windows Update [Web page], and we want to get the word out that those
    services are there.
    CW: Microsoft uses an internal program called Prefix to find
    vulnerabilities in its code base. What have the results been so far?
    Lipner: [Prefix] runs a scan of an entire product's source-code base
    to detect patterns of potential programming errors that experience
    tells us are likely to be security-related and flags them for human
    review and correction.
    Prefix takes a day or two to run across the entire Windows code base.
    It's run every couple of weeks throughout the [Windows .Net Server]
    development cycle. It started to be run after Windows 2000 shipped.
    .Net Server will be the first product that's had a development cycle
    of benefit from Prefix.
    CW: How successful have you been at rooting out those infamous
    buffer-overflow vulnerabilities?
    Lipner: We've found and eliminated a lot. That said, it's important to
    stress that there are an infinite number of ways to run a program. And
    similarly, there are a vast number of ways that one can write a buffer
    overflow. [Prefix] is not a closed-form solution.
    CW: Last year, Microsoft released 100 security bulletins. What are you
    doing to make sorting through the bulletins easier?
    Lipner: We're rolling out a severity rating system that will help
    customers understand how serious issues are. We're moving with Windows
    XP and .Net Server to much more reliance on Windows Update and the
    updating technology that will allow customers to install these patches
    and get automated notification with less effort.
    HFNetChk is a command-line tool that lets an administrator look at a
    system to see what patches are installed and to prepare that
    configuration with the set of patches we've released for that system.
    It's a real-time tool in that it looks at an XML file we maintain on
    our Web site. We also released Microsoft Personal Security Advisor,
    which is targeted to the individual user with NT 4 or Windows 2000.
    CW: Ultimately, many administrators would like to see fewer security
    alerts and patches. When do you see that happening?
    Lipner: I think that we're running at a slower rate in 2001 than we
    were in 2000, just in terms of bulletins by month, so that's a
    positive thing. It's our goal to continue to have the number of
    bulletins decline, but it's not something that we can say with
    certainty, "This is going to happen."
    CW: What other security improvements will we see in future versions of
    Lipner: From a feature perspective, one of the key things will be
    better integration and ease of use around Smart Cards, both in the
    client and server product.
    CW: What are the most important things administrators should do today
    to ensure the security of Windows servers?
    Lipner: We encourage them to run the HSNetChk tool or Windows Update
    and install the patches it advises you to install. We also have the
    Security Notification Service.
    In terms of important patches or hot fixes, we encourage customers to
    be on the latest service pack: SP 2 for Windows 2000, SP 6a for NT 4.
    IIS patches are now being released as roll-ups, or cumulatives, so if
    you apply a single IIS patch, it corrects all vulnerabilities going
    back in history. We encourage users to apply that in [bulletin]
    MS01-026 and then additionally the Code Red Patch, which is MS01-033.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 08:30:14 PDT