Patrick Chinn
pchinn@oregon.uoregon.edu
In a company-wide memo issued in January, Bill Gates stressed that Microsoft
must now focus on security rather than features when writing software. Some
have compared this shift in strategy to turning an aircraft carrier: the process
will be lengthy and the results may take time to manifest.
Last February I attended a "Microsoft Security Update" meeting
in Portland to learn about the steps Microsoft has taken to improve the security
of its products, and it appears that the behemoth that is Microsoft is indeed
trying to change its course.
From the very early stages of product development to plugging known holes in
existing products, the company is making a concerted effort to improve security.
Rick Hattenburg, a Microsoft PSS Security Specialist, said that in February
Microsoft pulled its developers from their current projects to attend a month-long
series of workshops and seminars on writing secure code. Through this training
they hope to reduce or eliminate common security flaws like buffer overflow
exploits.
As an additional precaution, Hattenburg said that developers' code,
which was formerly reviewed by only the group manager, will now undergo additional
internal reviews.
Microsoft is now using Common Criteria as the basis for code and security reviews
of its products (see "References" at the end
of this article). Microsoft's Windows 2000 Professional, Server and Advanced
Server appear on the list of products currently under evaluation.
Outlook and Exchange. Notorious sources of security holes, such as the
Microsoft Outlook and Exchange email client and server combination, are also
being tightened up. In the past, Outlook/Exchange holes allowed viruses and
worms to use Outlook's address book to send copies of themselves to the addresses
stored in that data file. Microsoft is taking steps to close that hole through
a method called Object Model (OM) guards. With OM guards in place (in Outlook
2002, for example), Outlook will notify the user as soon as any other application
attempts to send a message using data found in the address book. Users have
the option to accept or deny sending the message.
Microsoft has also taken steps to prevent users from opening executable attachments.
Outlook categorizes attachments based on their three-character file extension.
Any executable file attachment (.exe and .bat, for example) is simply sequestered
from the user. Other files, like MS Word and MS Excel documents, are presented
as usual.
Windows 2000 server. On the issue of Windows 2000 server, Microsoft is also
examining configuration issues for security problems. For example, past versions
of Microsoft's server software shipped with nearly all services enabled by default.
Worms such as Code Red and Nimda take advantage of poor default security configurations
in Microsoft's IIS web server. Microsoft Security Specialist John Cho admitted
that, in hindsight, this was not a smart decision and said that future versions
of Windows 2000 Server will ship with most services turned off by default.
Cho also admitted that Microsoft's decision to put the IIS data directory in
the system32 directory (opening the door for the common IIS Unicode exploit)
was poor. Cho said that Microsoft will add the ability to locate the IIS data
directory in another location, preferably another partition.
Microsoft is building tools to create what it calls "baseline server security."
Previously, one needed to read through pages of security alerts, download multiple
software patches, and check for common security problems like blank passwords
to make a Microsoft server installation secure. Many consultants earn their
fees from locking down servers running Windows 2000.
Microsoft Security Tool Kit (Windows NT, 2000). Now Microsoft will automate
the process and put the tools in the hands of the system administrators.
Microsoft is making available, free of charge, the Microsoft Security Tool
Kit (see "References" below for the address to
order this kit). Aimed at Windows NT and Windows 2000, the Security Tool Kit
contains utilities like HFNetChk, URLSCAN and IIS Lockdown Wizard. A reduced-feature
version, called the Personal Security Advisor, is available from Microsoft's
website.
Windows Update security tool for 95/98/ME. For Windows 95, 98, and ME
users, Microsoft representatives say the best way to keep your computer secure
is to use Windows Update (available from the Start menu) to install critical
updates to your operating system.
Microsoft Office. Microsoft Office users have a similar website, although it lacks the automation of Windows Update. Office users can download product updates from the Microsoft Office Updates website (see the "References" list below).
References

MS TechNet Security home page
http://www.microsoft.com/technet/security/default.asp
MS Security Best Practices
http://www.microsoft.com/technet/security/bestprac/bestprac.asp
MS Personal Security Advisor (a web-based scan that checks your computer's security)
http://www.microsoft.com/technet/security/tools/mpsa.asp
MS Security Tool Kit
http://www.microsoft.com/security/mstpp.asp
Subscribe to Microsoft security bulletins
http://www.microsoft.com/technet/security/bulletin/notify.asp
MS Office Updates
http://office.microsoft.com/ProductUpdates/
Common Criteria
http://www.commoncriteria.org/
and
http://niap.nist.gov/cc-scheme/