http://www.pcworld.com/news/article/0,aid,63323,00.asp

Microsoft program manager discusses company's efforts to make Windows more secure.

Robert L. Mitchell, Computerworld
Monday, September 24, 2001

Steve Lipner is the lead program manager of Windows security at Microsoft. He's responsible for Microsoft's Security Response Center, and he's chief of the company's Secure Windows Initiative. Under his watch, Microsoft has begun a security review of its entire code base. Lipner spoke with Computerworld's Robert L. Mitchell about the Code Red worm, the state of the Windows code base, and Microsoft's efforts to improve the security of its products.

Computerworld: What role does the Secure Windows Initiative play at Microsoft?

Lipner: The Secure Windows Initiative is an effort to improve the security of all Microsoft products. It encompasses everything Microsoft ships. We attempt to improve security by improving processes, by providing training, by applying advanced tools, and by improving the quality of our security testing.

CW: Considering Code Red and the publicized vulnerability statistics of other viruses, Microsoft Web servers would seem to be more vulnerable to attack than other products.

Lipner: In terms of perception, I think a lot of that is because we have a lot of systems out there and because when there's a vulnerability, we shout it from the rooftops. We knew that [Code Red] was a serious vulnerability from the day it was reported to us. When we had the patch ready for that, we went out not only to our customers, but also to the press to say this is a serious vulnerability. I think another factor is that because [Internet Information Server] and Windows are so easy to use and because it's so easy to set up a Web server on IIS, people may, in some cases, do that without realizing that they have to worry about security, without realizing that there are security steps or security configurations that they have to apply.

CW: IIS doesn't install securely out of the box. For a Web-facing product, why not default to a more secure install?

Lipner: With products that install with defaults, you're always making a trade-off in terms of what features are available and how they're configured. That said, Internet Information Server 6 will walk you through a dialog that will ask what services you want. We expect that dialog will have the effect of getting the configuration right and secure for most users. We also make available on the Web the IIS Lockdown [security configuration] tool and checklists for securing Web servers.

CW: Microsoft released a Code Red patch on June 18, yet a month later, the worm infected more than 250,000 systems. How could that happen? The patch for Code Red was very likely the most heavily downloaded in our history. Why didn't more people install it?

Lipner: I think that it may be that people still don't subscribe to the Security Notification Service. They still don't go to [the] Windows Update [Web page], and we want to get the word out that those services are there.

CW: Microsoft uses an internal program called Prefix to find vulnerabilities in its code base. What have the results been so far?

Lipner: [Prefix] runs a scan of an entire product's source-code base to detect patterns of potential programming errors that experience tells us are likely to be security-related and flags them for human review and correction. Prefix takes a day or two to run across the entire Windows code base. It's run every couple of weeks throughout the [Windows .Net Server] development cycle. It started to be run after Windows 2000 shipped. .Net Server will be the first product that's had a development cycle of benefit from Prefix.

CW: How successful have you been at rooting out those infamous buffer-overflow vulnerabilities?

Lipner: We've found and eliminated a lot. That said, it's important to stress that there are an infinite number of ways to run a program. And similarly, there are a vast number of ways that one can write a buffer overflow. [Prefix] is not a closed-form solution.

CW: Last year, Microsoft released 100 security bulletins. What are you doing to make sorting through the bulletins easier?

Lipner: We're rolling out a severity rating system that will help customers understand how serious issues are. We're moving with Windows XP and .Net Server to much more reliance on Windows Update and the updating technology that will allow customers to install these patches and get automated notification with less effort. HFNetChk is a command-line tool that lets an administrator look at a system to see what patches are installed and to compare that configuration with the set of patches we've released for that system. It's a real-time tool in that it looks at an XML file we maintain on our Web site. We also released Microsoft Personal Security Advisor, which is targeted to the individual user with NT 4 or Windows 2000.

CW: Ultimately, many administrators would like to see fewer security alerts and patches. When do you see that happening?

Lipner: I think that we're running at a slower rate in 2001 than we were in 2000, just in terms of bulletins by month, so that's a positive thing. It's our goal to continue to have the number of bulletins decline, but it's not something that we can say with certainty, "This is going to happen."

CW: What other security improvements will we see in future versions of Windows?

Lipner: From a feature perspective, one of the key things will be better integration and ease of use around Smart Cards, both in the client and server product.

CW: What are the most important things administrators should do today to ensure the security of Windows servers?

Lipner: We encourage them to run the HFNetChk tool or Windows Update and install the patches it advises you to install. We also have the Security Notification Service. In terms of important patches or hot fixes, we encourage customers to be on the latest service pack: SP 2 for Windows 2000, SP 6a for NT 4. IIS patches are now being released as roll-ups, or cumulatives, so if you apply a single IIS patch, it corrects all vulnerabilities going back in history. We encourage users to apply that in [bulletin] MS01-026 and then additionally the Code Red Patch, which is MS01-033.
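The cumulative-patch behaviour Lipner describes (apply the latest IIS roll-up and every earlier bulletin it rolls up is covered) and the HFNetChk idea of comparing a host's installed patches against an XML list, worked as an added example that is not part of the interview or of HFNetChk itself. The manifest layout, the supersedes attribute and the EXAMPLE-A/EXAMPLE-B ids are assumptions constructed for the example; only MS01-026 and MS01-033 come from the interview.

```python
import xml.etree.ElementTree as ET

# Constructed manifest standing in for the XML patch list HFNetChk downloads.
# The element layout and the "supersedes" attribute are assumptions made for
# this example; EXAMPLE-A and EXAMPLE-B are placeholder bulletin ids.
MANIFEST = """
<patches product="IIS">
  <bulletin id="EXAMPLE-A"/>
  <bulletin id="EXAMPLE-B"/>
  <bulletin id="MS01-026" supersedes="EXAMPLE-A EXAMPLE-B"/>
  <bulletin id="MS01-033" supersedes="MS01-026"/>
</patches>
"""


def parse_manifest(xml_text):
    """Map each bulletin id to the ids its cumulative patch also corrects."""
    root = ET.fromstring(xml_text)
    return {b.get("id"): b.get("supersedes", "").split()
            for b in root.findall("bulletin")}


def covered_bulletins(installed, manifest):
    """Expand the installed set transitively through the supersedes chain."""
    covered, pending = set(), list(installed)
    while pending:
        bid = pending.pop()
        if bid in covered:
            continue
        covered.add(bid)
        pending.extend(manifest.get(bid, []))
    return covered


def missing_bulletins(installed, manifest):
    """Bulletins the host still lacks: neither installed nor rolled up."""
    return sorted(set(manifest) - covered_bulletins(installed, manifest))


def newest_needed(installed, manifest):
    """The roll-up(s) that close every gap: missing bulletins that no other
    missing bulletin supersedes. Returns [] when nothing is missing."""
    missing = set(missing_bulletins(installed, manifest))
    superseded = {s for m in missing for s in manifest.get(m, [])}
    return sorted(missing - superseded)


if __name__ == "__main__":
    m = parse_manifest(MANIFEST)
    for host, installed in {"web1": ["MS01-026"], "web2": []}.items():
        print(host, "missing:", missing_bulletins(installed, m),
              "apply:", newest_needed(installed, m))
```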
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 08:30:14 PDT