IT Influencer Series: 12 Things You MUST Know To Protect a Windows Network



Source: download.101com.com/techlibrary/verisign/12things_protect_network.pdf

Contents (2004)

1. Behold the New Service Pack, by Scott Bekker (p. 2)
2. Should You Upgrade Remote Computers to Windows XP Service Pack 2?, by Scott Bekker (p. 4)
3. Edge Servers: Upgrade vs. Harden, by Scott Bekker (p. 6)
4. Patch Management Need to Know, by Doug Barney (p. 8)
5. Penetration Testing: Should You Hire a Hacker?, by Lafe Low (p. 9)
6. Password Management: The Ex-Employee Conundrum, by Roberta Bragg (p. 11)
7. Password Management: Enforcing Strong Passwords, by Roberta Bragg (p. 13)
8. An IT Pro’s Guide to Redmond White Papers, by Keith Ward (p. 14)
9. Anatomy of a Microsoft Security Bulletin, by Michael Domingo (p. 16)
10. Tools and Tricks for Securing Your Apps, by Paul Desmond (p. 19)
11. Social Engineering: Teaching Users Safe Computing, by Roberta Bragg (p. 21)
12. Has Microsoft Made Computing Truly Trustworthy?, by Keith Ward (p. 23)


Page 2 · 12 Things You MUST Know To Protect a Windows Network · © 2004 101communications LLC, http://mcpmag.com

1 Behold the New Service Pack

By Scott Bekker

Service packs have always contained important, sometimes even critical, updates for Windows servers and clients, as well as other Microsoft products. And, of course, Microsoft has always recommended (if not strongly encouraged) users to install these in a timely manner.

Recently, however, these mainstays entered a new chapter with the August release of Windows XP Service Pack 2. Not only did this pack offer significant new features alongside the all-too-standard bug and security fixes, but Microsoft actually ended up helping users find ways to delay the installation of this update.

This contrasts significantly with Microsoft’s earlier philosophy toward these packs. For example, just before Windows 2000 was released, the company limited service packs to bug fixes only. These packs typically bundled hundreds of security, compatibility and bug hotfixes that arose during six to 18 months of production use. In addition to the convenience of having all the fixes consolidated in one place, the service pack offered the added comfort of knowing that Microsoft had tested all the fixes on many different systems to reduce the degree to which the fixes interfered with each other.

There was something else to the first service pack for a product in the old days: it was IT’s signal that the product was fully baked. Microsoft’s reputation for rushing gold code out the door before it was really ready to ship led many IT shops to wait for the regression-tested collection of bug fixes in a first service pack before deploying a new version of Windows. In the pre-Windows 2000 days, a service pack was the way to fix application compatibility problems and blue screen-generating bugs in Windows.

Thankfully, those days are (largely) behind us. The size of Microsoft’s internal quality assurance staff and the number of beta test participants grows with every successive Windows release, and the products are generally solid right from the release-to-manufacturing date, making the first service pack less of a gate than before.

While Microsoft has been gradually transitioning away from its fixes-only approach, lately it appears that it’s running at full speed in this direction. In fact, Windows XP SP2 is the first service pack intended to break insecure applications running on the operating system rather than fix them (the overhauled Windows Firewall in SP2 is the clearest example). Windows Server 2003 SP1 may have similar effects.

Not that Microsoft doesn’t have good reason for this approach. Both XP SP2 and the upcoming Server 2003 SP1 began development under the old model, a collection of well-tested bug fixes. However, a combination of highly damaging worms and nagging buffer overrun problems over the summer of 2003 pressured Microsoft to think of a new way to give Windows XP and Server 2003 users additional security protections. With “Longhorn” releases still several years off, the company decided to drop new security features into the service packs.

Will service packs continue in this vein after Windows Server 2003 SP1? It’s too soon to say. Unique events shaped the design of these two service packs. Consider that the previous Windows XP service pack included features designed to comply with the terms of the antitrust settlement. Undoubtedly, some new unique set of requirements will pop up to influence the next generation of service packs.

One thing is for sure: the service pack is an increasingly important delivery vehicle for Microsoft. The Longhorn release has stretched from an early 2005 deliverable to a 2006 or possibly 2007 release. That stretches the time between operating system releases to at least five years for the client and possibly as long for the server. With lag times like that, Microsoft needs the service pack more than ever to keep its features up to date.

Scott Bekker is News Editor for Redmond magazine (formerly Microsoft Certified Professional Magazine), and Editor of ENTmag.com.


Key Microsoft Service Packs

Service Pack   Date         Notes
NT 4.0 SP2     Dec. 1996    Quality assurance nightmare
NT 4.0 SP4     Oct. 1998    Came with Option Pack full of new features
NT 4.0 SP5     May 1999     Widely viewed as the piece that conferred reliability on Windows servers
XP SP1         Sept. 2002   Antitrust compliance features
XP SP2         Aug. 2004    Security overhaul



2 Should You Upgrade Remote Computers to Windows XP Service Pack 2?

By Scott Bekker

Microsoft VP Mike Nash strongly encourages organizations to upgrade remote systems to Windows XP Service Pack 2.

Mike Nash, corporate vice president for Microsoft’s security business and technology unit, advises the same thing over and over again about Windows XP Service Pack 2: use it.

“I know that it’s not going to be realistic for every desktop system to run Windows XP Service Pack 2,” Nash said at the recent Microsoft Worldwide Partner Conference in Toronto. “For machines that are mobile or laptops, having those machines on Windows XP Service Pack 2 is essential.” And he’s given variations on that advice since at least early April.

Thing is, the advice wasn’t very practical when Nash first started doling it out, given that Microsoft didn’t actually finish Windows XP SP2 until August. Now that SP2 is available, it’s time to reconsider Nash’s advice.

Advantages of Windows XP Service Pack 2

Anyone worried about security should take a serious look at Service Pack 2. Any service pack is important because it brings a system up-to-date on the hundreds of security and bug fixes that have emerged since the last service pack. But SP2 is Microsoft’s biggest security deliverable since Windows Server 2003 and it moves the ball forward in several areas.

The biggest change comes in the Windows XP personal firewall. Microsoft did much more than change the name from the Internet Connection Firewall to the Windows Firewall. The firewall is now on by default, blocks many more types of traffic by default and can be configured in a much more granular way through Group Policy. The new firewall also comes on while the system is booting and is running before network connections are established. An on-by-default, flexible firewall offers obvious benefits for remote users, especially those with broadband connections in home offices and those who travel.

A less touted new security feature of Windows XP SP2 that has obvious benefits for remote workers is the new Windows Security Center. Accessible from the Control Panel, the Security Center provides a simple dashboard showing users whether their anti-virus software is running and up-to-date, if they have a firewall running and if Automatic Updates is set to download and install updates automatically. Usefully, Microsoft’s Security Center doesn’t assume that a disabled Windows Firewall means no firewall is installed. There should be scads of firewall options because an API is available and several third-party personal firewall vendors have already plugged into it. For remote users, especially for travelers who move their computers among different networks, this simple tool will be invaluable. Making it even more useful for remote users is a taskbar tray icon that displays a red shield when one of the key security components isn’t up to spec.

Internet Explorer sports many new protections as well. Aside from the appreciated convenience of pop-up blocking, the new IE builds in serious protections against malicious downloads from the Web. Sites that attempt to download a program without user consent are stopped and a message appears in an Information Bar. Files that users do choose to download are now checked by IE to make sure the file type matches the description of the file, and it checks for other potential problems. SP2 represents Microsoft’s current best thinking in its efforts to write security warnings and prompts in a way that end users can understand. Repetitive prompts to get end users to download something they don’t want can now be stopped with a user option to block all software from a specific publisher by clicking on a checkbox. Another tool gives users a new view on spyware that may be running on their systems. Called the Add-on Manager, the IE tool catalogs all the programs on the computer that are used by IE. Individual add-ons can be enabled or disabled from the Add-on Manager list. Unlike previous versions, IE no longer assumes the hard drive is secure. IE in SP2 applies strong security settings to the Local Machine zone to protect against some common attack types.

Thorns on the Rose

The new security features in SP2 make it worth a look for remote systems, but there’s the usual litany of problems, in addition to a few new ones. First is cost. Depending on how your organization acquires OS licenses, upgrading remote systems that aren’t already on Windows XP to secure them could entail a hefty up-front expense. A related issue is administrators’ time in upgrading systems.

Complicating the administrative time issue is the biggest problem for SP2. The thing that makes the Windows Firewall extremely valuable also makes it extremely time-consuming to configure. Its on-by-default functionality and aggressive blocking of traffic makes it a real application breaker. While Microsoft has been working with ISVs for nearly a year to get applications ready, some of Microsoft’s own applications and dozens of third-party applications have run into problems. Of course, many home-grown applications will break as well.

Bottom Line

The fact is, most organizations that are serious about security already mandate personal firewall software on their remote systems. Even organizations that are already on Windows XP are often using third-party personal firewalls because the Internet Connection Firewall in Windows XP gold was so limited. Fortunately there’s an option to turn the Windows Firewall off and remove most of the application compatibility issues. Turning it off, though, also gives up the boot-time protection described above; where the choice exists, keeping the firewall on and adding per-application exceptions is the better fix. The Windows Security Center and the many IE improvements are enough to make SP2 a worthwhile upgrade for many remote systems. Those organizations that aren’t mandating personal firewalls on exposed remote systems probably need to test their applications quickly and turn on the firewall in SP2 right away.
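The check a practitioner wants before "just turning the firewall off" is whether it is actually on, and who controls that. The following is an added example, not code from the original article: it reads the SP2 firewall state per profile (noting when a Group Policy object, rather than the local setting, is in charge), then keeps the firewall on and adds a subnet-scoped exception for one application rather than disabling the firewall. It assumes Windows XP SP2 with the `netsh firewall` context SP2 introduced, a local Administrator session, and the Group Policy registry override under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall`; the program path, exception name and subnet are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows XP SP2, the
# "netsh firewall" context that shipped with SP2, and a local Administrator session.
# The application path, exception name and subnet below are placeholders.

function Get-XpFirewallState {
    # SP2 keeps the effective per-profile setting under SharedAccess. A value under the
    # Policies key means a Group Policy object is enforcing the state and the local
    # setting is ignored, so a change made with netsh would not stick.
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($p in 'DomainProfile', 'StandardProfile') {
        $l = Get-ItemProperty -Path "$local\$p"  -Name EnableFirewall -ErrorAction SilentlyContinue
        $g = Get-ItemProperty -Path "$policy\$p" -Name EnableFirewall -ErrorAction SilentlyContinue
        $enforced  = ($null -ne $g)
        $effective = ($l.EnableFirewall -eq 1)
        if ($enforced) { $effective = ($g.EnableFirewall -eq 1) }
        New-Object PSObject -Property @{
            Profile        = $p
            LocalEnabled   = ($l.EnableFirewall -eq 1)
            PolicyEnforced = $enforced
            Effective      = $effective
        }
    }
}

function Set-XpFirewallBaseline {
    param(
        [string]$AppPath = 'C:\Program Files\LobClient\lobclient.exe',   # placeholder
        [string]$AppName = 'LOB Client',                                  # placeholder
        [string]$Subnet  = '10.0.0.0/8'                                   # placeholder
    )
    $state = Get-XpFirewallState
    if ($state | Where-Object { $_.PolicyEnforced }) {
        Write-Warning 'A Group Policy object controls the firewall; change the GPO, not the local setting.'
        return $state
    }
    # Firewall on for both profiles, with the exception list honoured.
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
    # Let the application accept inbound connections from the corporate subnet only,
    # instead of disabling the firewall to make it work.
    netsh firewall add allowedprogram "program=$AppPath" "name=$AppName" mode=ENABLE scope=CUSTOM "addresses=$Subnet" profile=ALL
    # Log dropped packets so a blocked application shows up in the log rather than as a help-desk mystery.
    netsh firewall set logging "filelocation=$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE
    Get-XpFirewallState
}

# Usage (placeholders): Set-XpFirewallBaseline -AppPath 'C:\Apps\lob.exe' -AppName 'LOB' -Subnet '10.0.0.0/8'
```

Run `Get-XpFirewallState` first on a sample of remote machines; if `PolicyEnforced` is true, the exception must go into the Windows Firewall Group Policy settings rather than into the local configuration.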

Scott Bekker is News Editor for Redmond magazine (formerly Microsoft Certified Professional Magazine), and Editor of ENTmag.com.




3 Edge Servers: Upgrade vs. Harden

By Scott Bekker

One of Microsoft’s core bits of advice for securing operations is to upgrade edge servers to Windows Server 2003.

As with some similar Microsoft advice for Windows XP (see related story, p. 4), upgrading is not a simple choice. It involves possible up-front expenses depending on your licensing agreements. And the time it takes administrators to test applications, perform the upgrade and reconfigure the machines can be an even more substantial cost.

Although moving more licenses is always a high priority in Redmond, Microsoft isn’t merely concerned about its own bottom line. The company has shown a genuine commitment to making its products more secure. The latest versions of the operating system are both the most secure out of the box and designed to be easier for Microsoft to support with security fixes and configuration updates.

Windows 2003 has several assets recommending it for Internet-facing servers such as Web servers, firewalls and gateways. Many of them stem from the Trustworthy Computing-based overhaul that contributed to a release delay of about a year for Windows 2003.

The default configuration is heavily locked down. More than 20 services that were enabled by default in Windows 2000 Server are disabled or run at a lower privilege in Windows 2003. The most significant of those services is Internet Information Services (IIS), a factor that makes IIS 6.0-based Web servers (which are locked down and only run on Windows 2003) much more secure out of the box than IIS 5.0-based Web servers. Another example of a potential security hole that’s newly locked down in Windows 2003 is Telnet, which both runs at a lower privilege and is no longer installed by default.

Another major change is to Internet Explorer. While security purists often argue convincingly that a Web browser has no place on a server, the fact is that for good or ill Microsoft has integrated it so thoroughly into OS functions and operations that it often can’t realistically be closed off. However, in Windows Server 2003, it ships under a much more secure configuration, known as Enhanced Security Configuration. The IE defaults alone have meant that several security vulnerabilities that were critical on Windows 2000 and other OSes represent only moderate or low threats on Windows 2003.

Microsoft’s substantial education effort surrounding security has led to reams of documentation about locking down Windows 2000. Nearly every setting that Windows 2003 turns off by default can be configured in Windows 2000. Organizations with good processes for installing and maintaining secure configurations for Windows 2000 have little to gain from a Windows 2003 upgrade, except for one thing. Microsoft initiated a security review of the OS’s estimated 50 million lines of code for buffer overrun conditions and other common vulnerabilities. This means that even when configured and patched identically, a Windows 2003 system is more secure against undisclosed vulnerabilities than its mirror Windows 2000 Server system.

Scott Bekker is News Editor for Redmond magazine (formerly Microsoft Certified Professional Magazine), and Editor of ENTmag.com.


What is SP1?

Part of Microsoft’s “Springboard” initiative for adding security feature enhancements to shipping products, Windows Server 2003 SP1 is supposed to do for server security what Windows XP Service Pack 2 does for client security. That will be in addition to the regression-tested fixes that are standard for a service pack. The fixes should include all the security and bug fixes Microsoft created since Windows Server 2003 shipped in April 2003.

When is SP1 coming?

The service pack is way overdue. Originally planned for the fourth quarter of 2003, SP1 was most recently delayed until the first half of 2005. Keep in mind that the first half of 2004 schedule for Windows XP SP2 wound up meaning mid-August.

What new features will be in the service pack?

Microsoft’s Server Roadmap document says the service pack will feature improvements in three key areas: reliability improvements to address top customer issues, security enhancements and performance increases of up to 10 percent for key workloads. SP1 will serve as the foundation for the Windows x64 editions, which are to be released simultaneously.

What are the security enhancements?

Microsoft has been relatively tight-lipped about specific features in SP1, which is still far enough off that its feature set is fluid. Company executives say SP1 will deliver the “server-relevant security technologies” that Microsoft delivered in Windows XP SP2. Microsoft’s internal IT department, however, listed in a June document several of the security features it is looking forward to in SP1. They include:

• Windows Firewall, a host-based version of the new Windows XP firewall that can restrict incoming access on a port or protocol basis.

• Enhanced Remote Procedure Call (RPC) security, to allow only authenticated RPC calls to help avoid the transmission of worms and other viruses, which currently propagate primarily by way of unauthenticated RPC calls.

• Security Server Roles (SSR), a tool for role-based configuration to enable only the necessary services and functions.


4 Patch Management Need to Know

By Doug Barney

Tell someone not in IT that the No. 1 issue today is patch management, and you’ll likely face a blank stare. Then explain that adding updated code to critical systems is one of the most important ways to secure them, and there’s that blank stare again.

It does sound odd that operating systems and applications that took years to develop and test need regular additions to patch holes. But hackers are finding these holes every day, and telling their friends how to attack them.

If you don’t have a great patch management policy and procedure, read this article, and then get started right away. You are more vulnerable than you can possibly imagine. If you believe you have a great patch management policy and procedure, read this article anyway, just to make sure. Then correct where you’ve gone wrong.

Choosing a great patch management solution is, obviously, a great idea. But that’s far from the first step. You must understand your environment fully first, and develop a plan.

Like any major initiative, you want the big execs on your side. Clip a few articles (ENTmag.com and MCPmag.com are two good places to start) about how hackers constantly attack unpatched systems.

Next, figure out who on your staff (it may be you) should be ultimately responsible for keeping machines up-to-date.

Working with that individual or group, clearly define procedures for patching, including how to gather info about patches, and how to test and deploy.

Now it’s time to look at your machines.

If you have an asset management system, fire it up. You need to know what PCs and servers are in place, and exactly what OS and key apps are installed. And you need to know where you stand with service packs. Don’t skimp on this. And don’t do it once. Once the inventory is complete, put in procedures to keep it up-to-date.

Then the real fun begins. By working closely with major vendors and perhaps some patch management players, analyze the patching status of your most critical systems. Where are they vulnerable, and what are the priorities?

Vulnerability assessment is an ongoing process, so figure out how to gather the data and, more importantly, how to analyze it.

Then you need to research what it will take to actually patch these systems. What are the requirements of each patch? Do you have to add a service pack before you can even install a patch?

Ready to install? Not quite. Patches need to be tested so you don’t create a big problem trying to fix a small one.

Once the patch is deemed safe, it’s time to deploy. If you have a small shop, or a software installation system, you’re good to go.

But many shops find that choosing a vendor partner is the way to go. Patching is research- and time-intensive, and it adds to your company’s competitive advantage only to the extent that it makes you more secure. Get some good third-party help, and have your staff work on the more interesting, leading-edge technologies that will make your organization stand out.

Doug Barney is Editor in Chief of Redmond magazine (formerly Microsoft Certified Professional Magazine).
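The inventory, service-pack and prioritisation steps above come together in the following added example, which is not code from the original article. It keeps a record per machine (OS, service-pack level, role, installed hotfixes), compares each machine against a baseline of required patches for its OS/SP level, and ranks the gaps so edge and remote machines float to the top. The inventory is constructed sample data; the baseline KB numbers are illustrative only and must be taken from the Microsoft security bulletins that apply to your environment; the role weights are an assumption about your own exposure model.

```powershell
# Added example (not from the original article). The inventory below is constructed
# sample data and the baseline KB numbers are illustrative placeholders; take the
# real list from the Microsoft security bulletins that apply to your environment.

# Sample inventory (constructed). In production, build these records from each host with:
#   Get-WmiObject Win32_OperatingSystem -ComputerName $h | Select-Object Caption, CSDVersion
#   Get-HotFix -ComputerName $h | Select-Object HotFixID
$inventory = @(
    @{ Host='web01'; OS='Windows Server 2003'; SP='RTM'; Role='edge';     HotFixes=@('KB835732') },
    @{ Host='fs01';  OS='Windows 2000 Server'; SP='SP4'; Role='internal'; HotFixes=@('KB823980','KB824146','KB835732') },
    @{ Host='lap17'; OS='Windows XP';          SP='SP1'; Role='remote';   HotFixes=@('KB823980') },
    @{ Host='lap22'; OS='Windows XP';          SP='SP2'; Role='remote';   HotFixes=@() }
)

# Baseline: patches a machine at a given OS/SP level must carry (illustrative).
# A service pack rolls up the earlier hotfixes, which is why XP SP2 starts with an
# empty list; post-SP2 bulletins would be added here as they are released.
$baseline = @{
    'Windows 2000 Server/SP4' = @('KB823980','KB824146','KB835732')
    'Windows Server 2003/RTM' = @('KB823980','KB824146','KB835732')
    'Windows XP/SP1'          = @('KB823980','KB824146','KB835732')
    'Windows XP/SP2'          = @()
}

# Assumed exposure weights: Internet-facing and travelling machines get patched first.
$roleWeight = @{ edge = 3; remote = 2; internal = 1 }

function Get-PatchGaps {
    param($Inventory, $Baseline, $RoleWeight)
    foreach ($m in $Inventory) {
        $level = "$($m.OS)/$($m.SP)"
        if (-not $Baseline.ContainsKey($level)) {
            # No baseline for this level: unknown or unsupported, so it is the top priority.
            New-Object PSObject -Property @{ Host=$m.Host; Level=$level; Missing=@('NO BASELINE'); Priority=99 }
            continue
        }
        $missing = @($Baseline[$level] | Where-Object { $m.HotFixes -notcontains $_ })
        if ($missing.Count -gt 0) {
            New-Object PSObject -Property @{
                Host     = $m.Host
                Level    = $level
                Missing  = $missing
                Priority = $missing.Count * $RoleWeight[$m.Role]
            }
        }
    }
}

Get-PatchGaps -Inventory $inventory -Baseline $baseline -RoleWeight $roleWeight |
    Sort-Object Priority -Descending |
    Format-Table Host, Level, Priority, @{ n='Missing'; e={ $_.Missing -join ',' } } -AutoSize
```

With the sample data, web01 (edge, two patches short) ranks first, lap17 second, and fs01 and lap22 report no gap; the point of the `NO BASELINE` branch is that a machine whose OS/SP level you have not defined a baseline for is a planning failure, not a clean machine.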



5 Penetration Testing: Should You Hire a Hacker?

By Lafe Low

So, you want to see if there are any holes in your corporate security infrastructure or any cracks in your firewall? Talk to Ira Winkler, renowned information security expert and author of the forthcoming book Spies Among Us, which will be published in Spring 2005. Winkler, described as a “modern-day James Bond,” breaks into organizations and reports back on how he did it.

Somewhat surprisingly for a man of his chosen profession, Winkler calls standard penetration testing a waste of money. Most companies sign up for a penetration test, when what they’re really looking for is a comprehensive assessment of their vulnerabilities. There’s a big difference in philosophy and approach, says Winkler. “Everybody wants a penetration test to see where their holes are,” he explains. “The goal of a penetration test is to find one way into the organization, not to do a comprehensive assessment.” So it’s critical to have a clear goal for your security test and determine whether you need a penetration test, a sweeping security assessment or a security procedural audit.

Knowing and trusting the people you hire is also crucial. “Breaking into a company is relatively simple,” Winkler says. “The skill is in doing it in such a way as to minimize potential damage.” By that he means not causing harmful effects on the network, not crashing critical systems or having to significantly rebuild systems. But most importantly, he means hiring people whom you trust with sensitive company data.


“When I do a pen test,” Winkler says, “I get the crown jewels of a company. If someone tells me something is valuable, I’m going to get it. Do you trust these people with something that could cripple your company if it got out?” In his penetration tests, he’s found internal evidence of criminal employee behavior, documents relating to multi-million dollar lawsuits, nuclear reactor designs and has gained access to millions of dollars in bank accounts.

This type of testing doesn’t come cheap. Depending on the size of your organization, Winkler says you can expect to pay an average of $10,000 per week per person on the test team. For a small company, $25,000 could get a reasonable penetration test. Large organizations may spend upwards of $250,000 to $500,000. Winkler cautions against someone who claims they can do a full assessment for as little as $5,000. That’s not a security assessment, he says, that’s a network scan.

A good penetration tester will not just perform individual break-ins, but also look for trends in weaknesses when performing those break-ins. “It’s impossible to find every vulnerability,” Winkler says. “If I find that 3 percent of the systems are vulnerable in a certain way, it’s likely the rest of the 97 percent have the same vulnerabilities.”

It’s also important for the testing team to put the results in context, not just boldly declare success. “The concept is to go out and show them what the results of those vulnerabilities are,” Winkler says. One large company for whom Winkler performed a penetration test had hired four separate companies to do the same thing. Each came back and triumphantly declared to the security manager and the CEO that they had full control of the network. The CEO was unimpressed. Winkler went in after three days and presented all the latest merger and acquisition data, the executive salary schedule and data relating to numerous lawsuits. “Oh, and by the way, I have full control of your network,” he added. The security budget was bumped up the very next week and each division was told to hire security managers.

So does all this conjure up images of black-clad spies infiltrating corporate headquarters in the wee hours of the night, equipped with the latest spy gadgetry? It’s not quite that sexy. In fact, it can be disturbingly straightforward.

In one of Winkler’s favorite break-ins, he was hired by a corporate headquarters to test the security systems and procedures of the division that handled nuclear materials. Posing as a corporate auditor, he drove up to the guard gate at rush hour and asked for the graphics department. Once inside and still posing as an auditor, he asked to see the systems where they created sales proposals. “Are the proposals on a common server? Could I sit at your computer for a minute?” Seemingly innocent questions, but once he sat down, Winkler found the IP address of the server containing the documents he was looking for, called up an accomplice who had a computer attached to the network, and within minutes had hacked into the system and downloaded the proposals.

So why are sales proposals such a big security risk? The engineering department that generated the data was indeed secure, but invariably that data finds its way into less secure departments, like the graphics department. “I got the designs, price, delivery schedule, more information than I would have gotten if I had gone to engineering,” Winkler explains. This proves that hackers think creatively when planning their attacks. To best secure your organization, you’ll have to do the same.

Lafe Low is Executive Editor, Reviews, for Redmond magazine.




6 Password Management: The Ex-Employee Conundrum

By Roberta Bragg

What do you do when employees leave, either voluntarily or not so willingly? Most organizations have a list of physical items that must be surrendered, including ID badges, keys and other credentials. This way, the former worker can’t access company property.

That’s all well and good, but what about electronic access? IT must make sure that access to information systems is blocked as soon as possible.

Best Practices for Managing the Terminated Employee’s Account

Removing the former employee’s access to information systems usually requires three steps:

• First, disable the account. Do this in a way that prevents access by the former employee, yet retains organizational access to important systems and data that may have been exclusively granted to the account. Disabling, instead of immediately deleting, the account also lightens IT’s load should the notification of termination be false, or the employee for some reason be immediately rehired.

• Next, remove that account from any group it may be a member of. If access to resources is granted to groups instead of user accounts, removing the user account from those groups prevents a disgruntled employee from accessing these resources should the account be accidentally or maliciously re-enabled.

• Finally, delete the account when the former employee’s rights and access are documented as available to other appropriate employees.
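The three steps above, carried out against an Active Directory account, look like the following added example (not code from the original article). It disables the account and resets its password, writes down the group memberships it held so that access can be handed to a colleague before the account is finally deleted, strips the memberships so a re-enabled account grants nothing, and parks the object in a holding OU; the delete is deliberately left as a later, separate action. It assumes the ActiveDirectory PowerShell module, an operator with rights on the account and its groups, and placeholder values for the ticket reference, OU and record path. Run it with `-WhatIf` first.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module,
# rights on the user and its groups, and placeholder OU / path / ticket values.
Import-Module ActiveDirectory

function Disable-TerminatedUser {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string]$TicketId   = 'HR-0000',                                  # placeholder
        [string]$DisabledOU = 'OU=Disabled Accounts,DC=corp,DC=example',  # placeholder
        [string]$RecordPath                                               # placeholder, defaults below
    )
    if (-not $RecordPath) { $RecordPath = "C:\Offboarding\$SamAccountName.json" }

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup, Description

    # Step 1: disable rather than delete. The password is reset too, so a copy of it
    # stored in a saved connection or service cannot be reused if the account is ever
    # re-enabled by mistake.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account and reset password')) {
        Disable-ADAccount -Identity $user
        $newPassword = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
        Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd) ($TicketId); was: $($user.Description)"
    }

    # Record what the account could reach before taking it away, so the access can be
    # reassigned to another employee before step 3. The primary group (normally
    # Domain Users) cannot be removed from a user and is left out.
    $groups = @($user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup })
    $record = @{
        SamAccountName = $user.SamAccountName
        DisabledOn     = (Get-Date).ToString('o')
        Ticket         = $TicketId
        Groups         = @($groups | ForEach-Object { $_.DistinguishedName })
    }
    if ($PSCmdlet.ShouldProcess($RecordPath, 'Write access record')) {
        New-Item -ItemType Directory -Path (Split-Path $RecordPath) -Force | Out-Null
        $record | ConvertTo-Json | Set-Content -Path $RecordPath
    }

    # Step 2: strip group memberships so a re-enabled account grants nothing.
    foreach ($g in $groups) {
        if ($PSCmdlet.ShouldProcess($g.Name, "Remove $SamAccountName from group")) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }
    }

    # Park the object where a disabled-account audit will find it.
    if ($PSCmdlet.ShouldProcess($DisabledOU, "Move $SamAccountName")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }
    return $record
}

# Step 3 happens later, once the record shows the access has been handed over:
#   Remove-ADUser -Identity jdoe -Confirm:$false
# Usage (placeholder account): Disable-TerminatedUser -SamAccountName jdoe -TicketId HR-1234 -WhatIf
```

The returned record is the artifact the third step depends on: until someone confirms that every group in it has another appropriate member, the account stays disabled rather than deleted.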

Poor Access Management Processes Mean Poor Exit Strategy

Of course, a good exit policy for IT presupposes a good employment policy. If your users share accounts, if accounts are bound to a user role instead of a user, or access to resources is assigned to user accounts instead of groups, then the policy outlined above may not be possible. Disabling an account, for example, can prevent legitimate employees also assigned to the account from doing their work. Because of this, such accounts will typically be neither disabled nor deleted. You also cannot simply remove the terminated employee’s access by removing their account’s membership in groups, because this also prevents legitimate users from accessing those resources.

Even if only one person is assigned toan account, when accounts are grantedaccess to resources directly, you may notbe able to remove the account becauseyou have no idea where it is grantedaccess. In this case there’s little you can do

to protect data and resources other thanchange the password on the account, orremove the account and periodicallydelete orphaned SIDS from resources.

Password management problems areoften the result of poor resource man-agement practices. Both password andresource management are essential tostrong protection.
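The three offboarding steps above, and the orphaned-SID problem that follows when access is granted directly to accounts rather than to groups, modelled in Python as an added illustration. This is not code from the article or from Windows: the directory, its two users, one group and two resources are constructed in memory, and the SID strings are placeholders.

```python
"""Offboarding model: disable, strip group memberships, delete, then look for
orphaned SIDs in ACLs. Added example; everything below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed placeholder SIDs (not real identifiers)
DOMAIN = "S-1-5-21-1000-2000-3000"
ALICE = f"{DOMAIN}-1001"
BOB = f"{DOMAIN}-1002"
FINANCE_GROUP = f"{DOMAIN}-1105"


@dataclass
class Account:
    sid: str
    name: str
    enabled: bool = True
    groups: set[str] = field(default_factory=set)


@dataclass
class Resource:
    name: str
    acl: dict[str, str] = field(default_factory=dict)  # principal SID -> permission


class Directory:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}   # user SID -> account
        self.groups: dict[str, set[str]] = {}    # group SID -> member SIDs
        self.resources: list[Resource] = []

    def add_member(self, group_sid: str, user_sid: str) -> None:
        self.groups.setdefault(group_sid, set()).add(user_sid)
        self.accounts[user_sid].groups.add(group_sid)

    def effective_access(self, user_sid: str) -> set[str]:
        """Resource names reachable directly or through group membership."""
        acct = self.accounts.get(user_sid)
        if acct is None or not acct.enabled:
            return set()
        principals = {user_sid} | acct.groups
        return {r.name for r in self.resources if principals & set(r.acl)}

    # Step 1: disable, keeping the account and any access granted only to it
    def disable(self, user_sid: str) -> None:
        self.accounts[user_sid].enabled = False

    # Step 2: drop every group membership so a re-enabled account gains nothing
    def remove_from_groups(self, user_sid: str) -> None:
        acct = self.accounts[user_sid]
        for g in acct.groups:
            self.groups[g].discard(user_sid)
        acct.groups.clear()

    # Step 3: delete once the access has been documented and handed over
    def delete(self, user_sid: str) -> None:
        self.remove_from_groups(user_sid)
        del self.accounts[user_sid]

    def orphaned_sids(self) -> set[tuple[str, str]]:
        """ACL entries whose SID no longer resolves to an account or group:
        what direct grants leave behind after deletion."""
        known = self.accounts.keys() | self.groups.keys()
        return {(r.name, sid) for r in self.resources for sid in r.acl if sid not in known}


def build_sample() -> Directory:
    d = Directory()
    d.accounts[ALICE] = Account(ALICE, "alice")
    d.accounts[BOB] = Account(BOB, "bob")
    d.add_member(FINANCE_GROUP, ALICE)
    d.add_member(FINANCE_GROUP, BOB)
    # Good practice: the share is granted to the group.
    d.resources.append(Resource("FinanceShare", {FINANCE_GROUP: "modify"}))
    # Poor practice: the database was granted directly to bob's account.
    d.resources.append(Resource("PayrollDB", {BOB: "read"}))
    return d


def offboard_bob() -> dict[str, object]:
    """Walk bob through the three steps and record what each one achieves."""
    d = build_sample()
    result: dict[str, object] = {"before": d.effective_access(BOB)}
    d.disable(BOB)
    result["after_disable"] = d.effective_access(BOB)
    d.remove_from_groups(BOB)
    d.accounts[BOB].enabled = True            # simulate an accidental or malicious re-enable
    result["reenabled_without_groups"] = d.effective_access(BOB)
    d.delete(BOB)
    result["orphans"] = d.orphaned_sids()     # the direct grant is now an orphan
    return result


if __name__ == "__main__":
    for step, value in offboard_bob().items():
        print(f"{step}: {sorted(value)}")
```

Running it shows what each step buys: disabling cuts off everything at once; stripping group memberships means a re-enabled account keeps only what was granted to it directly (here PayrollDB), which is exactly the grant you cannot find without scanning every ACL; deletion then leaves that grant behind as an orphaned SID, which is why the text recommends purging them periodically.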

Best Practices for Resource Management Via Accounts

There are many things that need to be in place to ensure appropriate control of organizational resources—a good exit practice is only one of them. Access control policies and procedures must cut across every part of your organization. Here’s a list of them:

• Assign each user an account. This makes it easier to assign responsibilities and to have accountability. When one user is assigned per account, you can audit a user’s activity on your system.

• Provide access to resources and assign rights to user groups, not to users. This means you can easily provide a new employee the access and rights they need to do their job (you’ve assigned that access and those rights to a specific group) and you can quickly remove that access and those rights should the user change jobs or leave the organization.

• Give users, via their group memberships, only the privileges and access they actually need. If users need to read files but not change them, just give them read access. If users don’t need access to a network resource, block it. Design your access strategy around the principles of least privilege—no access is allowed by default. Block all access out of the box, then only allow access to those who truly need it.

• Never assign default passwords to accounts, or provide generic passwords. A common practice of network admins was and sometimes still is to assign generic passwords to well-known accounts such as the local Administrator account, or the Microsoft SQL Server systems administrator account. Having a common password makes it easy for admins to manage the plethora of accounts. Unfortunately, it makes it even easier for attackers to penetrate and compromise computers, applications and networks. Always assign unique, complex passwords for admin accounts and never use easy-to-guess, well-known passwords for any account.

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond magazine contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She’s series editor for Osborne/McGraw-Hill’s Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems. Contact Roberta [email protected].


7. Password Management: Enforcing Strong Passwords
By Roberta Bragg

Developing and enforcing a strong password policy is the key to keeping computers, applications and data safe. There are three basic parts to the process:

• Develop a strong written policy that follows known security principles and is championed by management. This policy should include the desired password design, specifics on its management and directions for user and IT pro education on policy compliance and enforcement mechanisms. A strong policy should include:

– Passwords composed of upper and lower case letters, symbols and numbers.

– User identification (name, logon ID, etc.) should not be part of the password.

– Symbols and numbers must be placed within the password, not at its end or beginning.

– Password length must be long enough to discourage the use of known brute force cracking algorithms. In Windows this may be in the nine or 10 character length, if other technical controls are in place.

– Maintenance of a password history, ensuring that a password may not be reused for some period of time.

– Minimum password life: a password cannot be immediately changed.

– Maximum password life: a password must be periodically changed.

• Implementation of technical controls that support the policy. Microsoft Windows systems based on NT technologies (NT, XP, Windows 2000 and Windows Server 2003, either stand-alone systems or domains) support all of the above with the exception of enforcing the use of numbers, symbols and upper and lower case letters, and the requirement that numbers and symbols appear within the password and not on its boundaries. Using the password complexity selection in a Windows password policy will only enforce the use of three out of four of the character requirements. That is, a password may be composed with only upper and lower case characters and numbers.

• Utilizing single sign-on where possible and warranted. Single sign-on allows one set of credentials to enable access to all network information system resources. This is not always achievable, nor is it always the best identity and access solution, nor the best security or privacy solution. Security pluses are that, in most cases, a single credential (user ID and password, or other combination) is easier to manage, both from an IT management and an end-user perspective. We know that when users have multiple accounts and passwords, they tend to write them down more frequently, thus exposing them to those who would use them illicitly. This also increases management cost, as passwords are forgotten, and IT must help users regain access.

Meanwhile, understanding and auditing who has access to what and who is actually represented by a specific ID is more difficult with multiple IDs and passwords. Identity management wins because an individual’s private information can be more securely and correctly maintained if it exists in one centralized place. However, having one set of credentials also removes the layers of security that might be afforded to sensitive systems. If single sign-on is used, and an attacker gets the single set of user credentials provided, he has full access to everything the user has access to. When multiple IDs are necessary, a successful compromise is to have one set of IDs that only provides access to the resources accessible to that set of IDs. Single sign-on to any Microsoft-related applications and machines can be accomplished by creating Windows domains and trusts. Some Microsoft and third-party products can be used to extend single sign-on to mainframe, Unix and other network-accessible resources.

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond magazine contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She’s series editor for Osborne/McGraw-Hill’s Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems. You can contact Roberta [email protected].
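A checker for the written policy described in this section, placed beside the narrower rule that the Windows password complexity setting enforces, as an added Python example (not code from the article or from Windows). The Windows check is modelled as the article describes it, three of the four character classes, together with the setting’s minimum length of six and its user-name test; MIN_LENGTH is an assumption taken from the article’s “nine or 10” suggestion, and the candidate passwords and user ID are constructed.

```python
"""Written password policy vs. the Windows complexity setting. Added example;
the candidates below are constructed, and MIN_LENGTH follows the text."""
from __future__ import annotations
import hashlib

REQUIRED_CLASSES = {"upper", "lower", "digit", "symbol"}
MIN_LENGTH = 10   # assumption: the upper end of the article's "nine or 10"


def character_classes(pw: str) -> set[str]:
    """Which of the four character classes appear in the password."""
    classes: set[str] = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def history_entry(pw: str) -> str:
    """History is kept as digests, never plaintext (a simplified stand-in for
    the hashes Windows itself retains)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def meets_windows_complexity(pw: str, username: str) -> bool:
    """The technical control alone: at least six characters, three of the four
    classes, and no user name inside. Symbols at the edges are accepted."""
    return (len(pw) >= 6
            and len(character_classes(pw)) >= 3
            and username.lower() not in pw.lower())


def check_written_policy(pw: str, username: str, history=()) -> list[str]:
    """Every way the password falls short of the written policy; empty means OK."""
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if username and username.lower() in pw.lower():
        problems.append("contains the user ID")
    # Symbols and numbers must sit inside the password, not on its boundaries.
    if pw and not (pw[0].isalpha() and pw[-1].isalpha()):
        problems.append("digit or symbol at the beginning or end")
    if history_entry(pw) in history:
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    # Constructed candidates for the constructed user ID "jdoe"
    for candidate in ["Summer2004!", "Spring2004", "jdoe#Pass12x", "rT7#kq9Lwz"]:
        print(candidate,
              "windows:", meets_windows_complexity(candidate, "jdoe"),
              "policy:", check_written_policy(candidate, "jdoe") or "OK")
```

The output makes the gap the article describes visible: “Summer2004!” and “Spring2004” both satisfy the Windows complexity setting, yet the written policy rejects the first for its trailing symbol and the second for lacking a symbol and ending in a digit. Only the written policy, enforced by something beyond the built-in setting, catches those.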


8. An IT Pro’s Guide to Redmond White Papers
By Keith Ward

No company cranks out more technical documentation than Microsoft. That’s especially true in the area of security, where there’s a white paper on seemingly thousands of topics. What follows here is a brief list of some of the most relevant, interesting white papers that can serve as a start to getting a handle on your security.

Security Threats: Best Practices for Enterprise Security

This paper gives a solid, general overview of security principles for those new to the IT security game. It includes real-world examples of cyber attacks, which is always helpful for giving insight into what the bad guys are really doing.
http://microsoft.com/technet/security/bestprac/bpent/sec1/secthret.mspx

Security Strategies

If you haven’t yet implemented your security infrastructure (or you’re revisiting your current system for possible changes), this is the place to start. This non-technical white paper discusses strategies for dealing with various threats. It lists different strategies for different types of attacks. For instance, the methods for dealing with an outside attacker are different than those dealing with an inside attacker—or, for that matter, a natural disaster.
http://microsoft.com/technet/security/bestprac/bpent/sec1/secstrat.mspx

The Antivirus Defense-in-Depth Guide

Microsoft has generally left antivirus coverage to third parties, but offers here a comprehensive overview of strategies for dealing with viruses and worms. Included is a discussion of different types of malware, and incident response best practices.
http://microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en

Using Software Restriction Policies to Protect Against Unauthorized Software

Software restriction is a new management feature for Windows XP and Windows Server 2003. It allows you to block what programs users can and cannot run on their machines. Software restriction policies are not very well known yet, but they should be. This white paper provides a thorough briefing.
http://microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

Windows XP Wireless Deployment Technology and Component Overview

This is your diving board into the pool of wireless networking. This very technical white paper covers technology back to Windows 2000 and goes over connection, authentication and encryption issues for the IEEE 802.11 wireless standard. It’s also current with the latest information on the wireless upgrades offered by Windows XP SP2.
http://microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.mspx

Understanding Patch and Update Management: Microsoft’s Software Update Strategy

One of Microsoft’s greatest security weaknesses has been its slipshod patch management process. It suffers from a lack of standardization, confusing even IT pros who aren’t sure whether a particular patch applies to their networks or not. This white paper discusses patch management in general, how to use tools like the Microsoft Baseline Security Analyzer (MBSA), Windows Update and Systems Management Server (SMS), and touches on Microsoft’s efforts to streamline the process.
http://microsoft.com/technet/security/topics/patch/patchmanagement.mspx

The Smart Card Deployment Cookbook

This is a series of white papers that teaches you how to strengthen your organization’s security through the use of smart cards. This series of “recipes” takes you through the planning, implementation and deployment phases for adding biometric authentication. It’s technical in nature, but there are lots of diagrams to help.
http://microsoft.com/technet/security/topics/smrtcard/smrtcdcb/default.mspx

Active Directory Disaster Recovery

Not for the faint of heart, this technical, 33-page white paper gives direction on how to restore AD after your systems have gone down. It’s Windows 2000-based, but most of the principles also apply to Windows Server 2003. One very nice section has AD disaster recovery flowcharts for different kinds of disasters, like corrupted data or a domain controller that suffers a hardware meltdown.
http://microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx

Keith Ward is Managing Editor of Redmond magazine (formerly Microsoft Certified Professional Magazine).

9. Anatomy of a Microsoft Security Bulletin
By Michael Domingo

Remember when Microsoft issued security bulletins right as software flaws were discovered? In October 2003 the company switched to issuing cumulative alerts on a monthly schedule (sometimes commonly referred to as “Patch Tuesday”). The switch hasn’t done many of us any favors. I continue to feel anxiety, developing a Pavlovian response to potentially bad news when one of those bulletins hits my inbox. If you think I’m being a tad dramatic, you’d be right. It’s all in my head. “[Microsoft’s security bulletins] shouldn’t serve as occasions to leap into action,” says MCP Magazine’s resident security expert Roberta Bragg. “It’s more of a monitoring thing.”

Bragg contends that networks which are “reasonably locked down with updates, firewalls and other safeguards,” should be safe from immediate dangers. Only the severest flaws that can put your systems in imminent danger—Microsoft calls them “critical” in the bulletins—should be dealt with as soon as the fixes have passed your own systems testing.

Firas Raouf, chief operating officer of eEye Digital Security, points out that the bulletins are not aimed at high-level security experts. “Microsoft provides a reasonable level of information for security and IT professionals who have a low to medium level of technical knowledge,” he explains.

The bulletins are simple. Microsoft reduces the problem to its essence: effects, symptoms, systems affected, severity and, if available, workarounds or solutions. The bulletins are bereft of other details that can help, such as how Microsoft determines the severity level of a flaw or specific details regarding the flaw’s discovery. Because of this, Raouf says to look for other sources of information, such as Bugtraq (www.bugtraq.org), CERT (www.cert.org) or the Web site of the company who found the flaw. “We typically recommend enterprises augment the information contained within the security bulletin by reviewing additional information from the security research team that has been credited with the vulnerability’s discovery, which is always listed in the bulletin itself,” adds Raouf.

While scrutinizing the bulletin word-for-word should be common practice, Bragg says that asking the simple questions about the flaw’s impact is another. “Is it something that could be a problem for networks or machines that I’m responsible for at the time? For example, if it has to do with BizTalk and I’ve no BizTalk, or Exchange and I’ve no Exchange?” is as simple as it gets. From there, she says, “[The problem may be] easy to filter.”

Michael Domingo is Editor of MCPmag.com.

Additional Information

To get Microsoft’s security bulletins by e-mail, subscribe at www.microsoft.com/security/bulletins/alerts.mspx.

How to tell if a Microsoft Security Bulletin is authentic: www.microsoft.com/security/incident/authenticate_mail.mspx.

The e-mail is nifty, but Microsoft’s TechNet version of the security bulletins contains more detail and links and is archived; these bulletins are written with security mavens in mind: www.microsoft.com/technet/security/default.mspx.

For an unbiased view of contemporary security issues, Roberta Bragg expounds on them weekly in her “Security Watch” newsletter; to subscribe, go to http://lists.101com.com/NLS/pages/main.asp?NL=ent&o=security.

SecurityFocus maintains the Bugtraq list at www.bugtraq.org, and has forums for discussing all manner of flaws and cyberthreats—against Microsoft and other platforms—that are in the wild.

CERT is located at the Software Engineering Institute at Carnegie Mellon University, a federally funded program that monitors computer flaws, vulnerabilities and incidents worldwide: www.cert.org.

Figure: a Microsoft security bulletin, annotated. Callouts A through F below are marked on both the e-mail bulletin and the Web bulletin.

A: Summary: Basic description of problem and who is affected.

B: Severity Rating: Ratings are given to a vulnerability based on the capability of exploitation and the number of customers the flaw might impact. Ratings are Low, Moderate, High and Critical. Critical updates often mean that exploits are in the wild and customers should consider swift action to install fixes or updates.

C: Software Affected: Outlines the software that contains the flaw; detailed accounts of the flaw’s impact for each affected software are contained farther down in the Web bulletin.

D: Executive Summary: A concise, simplified description of the flaw; if the flaw is related to an exploit, examples of exploits are provided. The executive summary will also contain a quick explanation of the solutions, covered in detail elsewhere in the bulletin.

E: Acknowledgement: Microsoft typically identifies the person or company who discovered the flaw. Companies will often provide more thorough detail of the flaw with more example exploits that can be carried out, as well as methods used to discover the flaw.

F: Encryption Key: Microsoft provides the key as insurance to you that the company is providing you with genuine information regarding a security vulnerability.

10. Tools and Tricks for Securing Your Apps
By Paul Desmond

Long ago you installed antivirus software, your firewalls seem to be doing the job, you’ve got VLANs set up for remote folks, maybe you’ve even dabbled with intrusion detection systems (IDSes). Perhaps you consider your network to be pretty secure. But if you haven’t taken specific steps to protect your applications, you best think again.

Increasingly, applications are the target of choice for would-be intruders, and for good reason: Numerous application vulnerabilities are just asking to be exploited. Hardly a day goes by when you don’t read about yet another vulnerability found in IIS, SQL Server or some other application—all ready fodder for the next virus or worm author.

It should be no surprise, then, that numerous vendors are coming to the fore with wares that purport to help you address the problem, from intrusion prevention systems to Web application firewalls and vulnerability scanners. But such tools are only part of the solution; experts say how you configure your network and systems can go a long way toward affording you solid application protection.

Tools of the Trade

Intrusion prevention systems (IPSes) have been around for a number of years now, and seem to be gaining traction in some enterprises. Typically, they use signatures written to detect any attack that targets a known vulnerability along with anomaly detection techniques that try to detect when an intruder tries to tweak protocols or other attributes in order to do his bidding.

Because IPSes have signatures written against a vulnerability, as opposed to a specific attack, they can—in theory—detect any attack written against the vulnerability that a worm or virus tries to exploit. The Blaster worm, for example, attacked a known Remote Procedure Call (RPC) vulnerability. An IPS that had a signature written against that RPC vulnerability would have warded off the attack.

Douglas Brown, manager of security resources at the University of North Carolina in Chapel Hill, has had great luck with his IPS. “We’ve been really happy with it,” he says. “Since IPSes are written to the vulnerability, they provide an umbrella of protection against any future virus that takes advantage of that vulnerability.”

Another class of product, often (but not always) called Web application firewalls, takes a somewhat different tack. The products attempt to establish a baseline of normal traffic for a Web application, in essence learning what the application is supposed to do. If an intruder tries to do something outside of that norm, such as entering SQL commands in an attempt to get at the back-end database server (known as a SQL injection attack), the firewall will simply drop those packets.

“The Web application firewall is really a new twist on application proxy and packet filtering firewall,” says Wes Noonan, senior network consultant with Collective Technologies, a consultancy in Austin, Texas.

Configuration Considerations

Noonan says properly segmenting your network can help protect your servers—and thus your applications. One approach is to put all servers on their own VLAN, and force all server traffic to go through a router where you can implement packet filtering. For a SQL Server machine, for example, you would allow only traffic on your defined SQL port to get through. If someone tries to connect to the file server on the database server, the connection won’t be allowed.

Roger Grimes, a CISSP and senior consultant with Banneret Computer Security, a consultancy in Virginia Beach, Va., recommends taking that approach one step further by not using the default SQL ports—or any default ports for that matter. “Kick the default habit,” he says. Any Internet-facing application should be installed in a non-default directory and accessed from non-default ports whenever possible. Perhaps on your extranet you’ve got an FTP application that isn’t needed by the general public. Instead of using the default FTP port 21, use 43021 and just send the client a link directing them to that port. “Use high port numbers, because if a hacker does a port scan, he won’t likely scan that high. Or if he does, it’ll cause the IDS to trigger.”

The same technique can apply to applications such as Outlook Web Access and Exchange, Grimes notes. Similarly, he says installing such applications in non-default directories makes it far more difficult for intruders to find them. “So the service is there and does the same thing, it just won’t be hacked and exploited all the time.”

Another tip is to grant only the bare minimum security permissions that each application needs. Application vendors will routinely tell you their application needs admin rights, Grimes says, but that often isn’t the case. Using common utilities such as Filemon or Regmon, you can determine exactly what files and registry keys an application really needs and deny access to everything else. In that fashion, even if an intruder does break into the application, he’ll be limited in what he can do.

“IPSes and all that stuff are OK, but Windows and other operating systems have plenty of tools that are already there for free that you can use to secure applications,” Grimes says. “It just takes a little bit of research.”

Paul Desmond is Editor of Redmond magazine (formerly Microsoft Certified Professional Magazine).

11. Social Engineering: Teaching Users Safe Computing
By Roberta Bragg

You’ve all heard of hardware and software. Now get ready for wetware. The word “wetware” refers to the human nervous system. For information security pros, wetware refers to users that are part of an overall information security system.

The best information security designs and implementations will fail if the people part is ignored. If users give their password to anyone who asks or post them where anyone can see, if administrators advertise security weakness by asking for help in Internet newsgroups, then someone will take advantage.

The term social engineering is often used to stand for verbal, one-on-one encounters, either in person or over the phone, where an attacker snags information and ultimately system access (one might also get information without system access, as when a well-meaning clerk looks up information, provides a printout, disk or other portable information). Social engineering is also used by the authors and distributors of worms, viruses, Trojans, spybots and other malware to get a user to do something that will allow a successful malware attack. All compromises due to wetware, however, are not the result of social engineering. They may be due to poor design, inept programming, configuration errors or just plain stupidity. They may also come from the malicious acts of IT insiders.

The good news is that wetware, like its counterparts hardware and software, can be hardened. Do the following to harden wetware:

• Train users in the organization’s security policies. You cannot expect them to follow a policy if they don’t know what it is and what it means.

• Educate users in the “why” behind current security practices. When people understand the value, when they know what can happen, they’re better equipped to resist social engineering attacks.

• Provide users with explicit instructions on how they must act. Help them understand how to create strong passwords—that are also easy to remember. Spell things out for them. Do not expect common sense to rule their actions. Tell users not to share passwords with anyone—even another employee.

• Provide information on securing home systems. This may directly protect your network assets, as users may use home systems to remotely connect. It also indirectly protects your information as users who practice good security at home are more likely to do so at work.

• Encourage user questions and requests. Users are everywhere and can be a solid first line of defense. They can report strangers and suspicious activity, or be the first to notice a new attack.

• Train advanced users in security. As users with elevated privileges on the network, they have to know how their acts, however inadvertent, can compromise systems. They can also be a resource to other users by providing correct responses to security-related questions instead of guessing or repeating incorrect information.

• Don’t forget the data center. Require IT pros to challenge those who might follow them into secured data centers or other areas that require key codes or other proof of privileged access. Train them in the types of social engineering attacks often perpetrated on techies. Attackers sometimes use technical knowledge and familiarity with systems to “become” part of the technical staff without providing proper credentials.

• Get people from all areas talking about the issues. Managers, IT pros and end users must speak the same language and work together to provide the best possible defense.

• Trust but audit. You must provide users the access they need to do their job. You must trust them to use this access responsibly. However, you must also audit system access. Let users know that system access is audited and why. Many people have an innate objection to “being watched.” However, if they see monitoring and auditing as part of keeping information systems and data secure, they’ll more easily accept it.

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is Redmond magazine contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She’s series editor for Osborne/McGraw-Hill’s Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems. You can contact Roberta [email protected].

P a g e 2 2 • 1 2 T h i n g s Yo u M U S T K n o w To P r o t e c t a W i n d o w s N e t w o r k© 2 0 0 4 1 0 1 c o m m u n i c a t i o n s L L C , h t t p : / / m c p m a g . c o m

Tell users not to share passwords with

anyone—even another employee.

Page 23: IT Influencer Series 12 Things You MUST Know To Protect a …download.101com.com/techlibrary/verisign/12things_protect_network.pdf · Securing Your Apps By Paul Desmond 11. Social

If there’s still any doubt aboutMicrosoft’s commitment to securityunder the “Trustworthy Computing”mantra, consider this: Windows XPService Pack 2 broke applications. That’snothing earth-shattering, of course; newprograms from all software makers (notjust Microsoft) break things sometimes.The difference in XP SP2’s case? It brokethem on purpose.

Think about that for a minute.Microsoft intentionally released an oper-ating system update that killed some key

applications. It didn’t make software easi-er to use; on the contrary, Microsoft’s ownlist of applications that XP SP2 stops deadwas at 50 as of late August, a number thatwill surely grow. Even more amazingly, itbroke some of its own programs, includ-ing SQL Server 2000, the MicrosoftBaseline Security Analyzer (how ironic isthat?) and its CRM software.

With XP SP2, Microsoft reversedits standard operating procedure forproduct releases. It made it harder touse software, not easier, all to enhance

security. Not only did the updatebreak programs, it broke the mold forhow Microsoft does business.

There’s no way to know if this iswhat Bill Gates had in mind when hereleased his legendary “TrustworthyComputing” memo on Jan. 15, 2002.Since XP had been released only a fewmonths prior (October 2001), manyof its flaws had yet to be exposed.Clearly, though, Gates recognized thegrave threat Microsoft faced if it didn’tstart getting serious about security.

12 Has Microsoft Made ComputingTruly Trustworthy?

By Keith Ward

P a g e 2 3 • 1 2 T h i n g s Yo u M U S T K n o w To P r o t e c t a W i n d o w s N e t w o r k© 2 0 0 4 1 0 1 c o m m u n i c a t i o n s L L C , h t t p : / / m c p m a g . c o m


The original release of XP took some steps toward that goal, including Microsoft’s first built-in firewall (the Internet Connection Firewall, off by default). It also helped that XP, like its desktop predecessor, Windows 2000, was built on the codebase of Windows NT, and not the sieve-like Windows 95 base.

Next came Windows Server 2003, the follow-up to Windows 2000 Server. Windows 2003 included significant security improvements, the most important being its default behavior. It shipped with Internet Information Services (IIS) not installed by default; this alone closed an Alaska-sized hole. Even when IIS 6.0 was added, it served only static content until each dynamic handler (ASP, ASP.NET and so on) was explicitly enabled. In addition, more than 20 services that were previously enabled by default were disabled or run with lower privileges, meaning that even if an attacker infiltrated the system, he was less likely to have the power to do serious damage.

The price for upgraded security was a substantial delay. Windows 2003 was supposed to be Windows 2002; Microsoft instituted a months-long code review of everything in the OS, a process that Microsoft said cost $200 million. In addition to taking developers off other jobs to scrub the code, they had to incorporate the changes into the product.

XP SP2 builds on that foundation, with an improved firewall (now on by default and blocking unsolicited inbound connections); a popup blocker in Internet Explorer; the Windows Security Center console, which reports whether the firewall, antivirus software and updates are in a healthy state; Automatic Updates enabled; and more. The update went out later than originally scheduled, and had a rough first few weeks, with some security holes found and some problems with the update process. However, it’s really more of a version upgrade than just a service pack release, so some difficulties are to be expected.
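The two default-behavior changes the article credits to Windows Server 2003 and XP SP2 (a smaller service footprint with IIS absent, and a firewall plus Automatic Updates switched on) are still the first things worth verifying on any Windows host. The following read-only baseline check is an added example; it is not code from the article or from Microsoft. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (where Get-NetFirewallProfile exists), that Get-WindowsFeature is present only on Server SKUs, and the function name Get-AttackSurfaceBaseline is my own.

```powershell
# Added example (not from the original article): a read-only attack-surface
# baseline for a current Windows host, covering what the text says Windows
# Server 2003 and XP SP2 changed by default: the web server role, auto-start
# services running as LocalSystem, firewall profile state, and Automatic
# Updates configuration.
# Assumptions: PowerShell 5.1+, Windows 8 / Server 2012 or later for
# Get-NetFirewallProfile; Get-WindowsFeature only exists on Server SKUs.

function Get-AttackSurfaceBaseline {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Is IIS installed? Server 2003 shipped without it; confirm the role today.
    try {
        $result.IISInstalled = (Get-WindowsFeature -Name Web-Server -ErrorAction Stop).Installed
    } catch {
        # Client SKU (cmdlet absent): fall back to whether the W3SVC service exists.
        $result.IISInstalled = [bool](Get-Service -Name W3SVC -ErrorAction SilentlyContinue)
    }

    # 2. Services that start automatically AND run as LocalSystem. Each one is
    #    code running with full privilege before anyone logs on, which is exactly
    #    the exposure Server 2003 reduced by disabling or de-privileging services.
    $result.AutoStartLocalSystemServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object -ExpandProperty Name |
        Sort-Object

    # 3. Firewall: XP SP2 turned it on by default; list any profile that is off.
    $result.FirewallDisabledProfiles = Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled } |
        Select-Object -ExpandProperty Name

    # 4. Automatic Updates. The Group Policy key wins over the local key.
    #    AUOptions: 2 = notify before download, 3 = auto download / notify to
    #    install, 4 = auto download and schedule install, 5 = local admin chooses.
    $auMeaning = @{ 2 = 'notify before download'; 3 = 'auto download, notify to install'
                    4 = 'auto download and scheduled install'; 5 = 'local admin chooses' }
    $auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $auLocal  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue

    if ($auPolicy -and $auPolicy.PSObject.Properties['NoAutoUpdate'] -and $auPolicy.NoAutoUpdate -eq 1) {
        $result.AutomaticUpdates = 'Disabled by policy'
    } elseif ($auPolicy -and $auPolicy.PSObject.Properties['AUOptions']) {
        $result.AutomaticUpdates = "Policy AUOptions=$($auPolicy.AUOptions) ($($auMeaning[[int]$auPolicy.AUOptions]))"
    } elseif ($auLocal -and $auLocal.PSObject.Properties['AUOptions']) {
        $result.AutomaticUpdates = "Local AUOptions=$($auLocal.AUOptions) ($($auMeaning[[int]$auLocal.AUOptions]))"
    } else {
        $result.AutomaticUpdates = 'No explicit setting (OS default applies)'
    }

    [pscustomobject]$result
}

# Usage: run from an elevated prompt so service and policy data are fully visible.
Get-AttackSurfaceBaseline | Format-List
```

The point of the second check is the one the article makes about Server 2003: every auto-start LocalSystem service is an unauthenticated foothold with full privilege if it has a bug, so the list should be short and every entry explainable. An empty FirewallDisabledProfiles list and an AUOptions value of 4 (or an equivalent management agent) are what the XP SP2 defaults were meant to guarantee.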

And despite those problems, it’s been embraced—on the whole—by the IT community. Take, for example, Russ Cooper of the security list NTBugtraq. Cooper, one of the best-known analysts in IT security, has been hammering Redmond for years about its security weaknesses. Not so with XP SP2. “XP SP2 is the most significant security effort Microsoft has ever produced,” he wrote to the list. “This is the first time that Microsoft has put security over existing, and frequently used, features … this is the first time that Microsoft has accepted the fact that their choice is going to lead to ‘some’ incompatibilities,” according to Cooper.

Rob Pegoraro, technology writer for the Washington Post, also liked what he saw. “Any firm that isn’t pre-installing SP2 by November has no business selling home computers at all,” he said. And not just businesses: “Individual Windows users bear the same responsibility: If you run XP, you need to install SP2. Period. Loading a system update this big is never risk-free, but the far bigger risk is to keep stumbling along with an unpatched copy of Windows XP.”

Not that XP SP2’s perfect; far from it. After all, it still uses Internet Explorer as its browser. IE is Exhibit A for Windows security critics.

IE has suffered from never-ending vulnerabilities, requiring patches on a sometimes weekly basis. The most serious recent threat was the Download.Ject Trojan. It messed up IE so badly that a working, effective patch wasn’t released until weeks after the virus hit. That’s despite Microsoft’s frequent protestations that most vulnerabilities have long had patches available, and that most problems were caused by users’ and admins’ laxity in applying the fixes.

IE’s problems are severe enough that it’s driving many users into the arms of other browsers like Opera, Firefox and Safari. This should greatly concern Microsoft, especially with competition heating up in the server room with Linux, and the growing number of alternatives to Windows on the desktop (Linux alternatives like Linspire [formerly Lindows] and Ximian) and office productivity suites (StarOffice). If these alternatives are seen as more secure than Redmond’s offerings, they could start to grab real market share.

Hence the radical shift in focus. Gates, in his memo, spelled out Microsoft’s new priorities. “So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.”

Although there’s still a long way to go, it’s clear that Trustworthy Computing is more than just a marketing phrase to Microsoft. As Gates demanded in the memo, Microsoft, with XP SP2, chose security over features. It even went so far as to break programs, a sign that there’s a different mentality at work in the world’s biggest software company.

Keith Ward is Managing Editor of Redmond magazine (formerly Microsoft Certified Professional Magazine).



Introducing VeriSign Managed PKI for SSL: Instantly provide secure certificates to all your servers in one convenient place.

Managing multiple SSL certificates can be a daunting responsibility—a complex process that consumes your time, your resources and, worst of all, your sanity. That’s where VeriSign Managed PKI for SSL comes in. It lets you manage multiple SSL certificates from one central point, enabling you to track and control all the certificates in your enterprise with just a few clicks. It also lets you automatically generate comprehensive reports and instantly issue SSL certificates to multiple servers. And VeriSign offers SSL certificates that deliver the strongest encryption available to each site visitor. Period. From the company more people rely on to safeguard their businesses (and peace of mind) than anyone else.

Stop worrying about mundane tasks and start thinking about bigger things.

Simplify the security of all your Web servers. And, coincidentally,

Manage your SSL in one-third the steps. Get your FREE guide, “Cutting the Time and Costs of Managing Multiple SSL Certificates.” Visit www.verisign.com/dm/101MPKISSL or call 650-426-5115, opt. 2.

©2004 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, Security Sets You Free, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries.