Microsoft Security Whitepaper
An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."
It is encouraging to see a big security industry leader such as Microsoft make such a public display of its unwavering belief that security through obscurity is not security at all - by publishing an open document on its security infrastructure. Perhaps other large players could take a cue from this (IBM, Sun)?
-- HG Pennypacker, wealthy industrialist and philanthropist
Where does the $50 figure come from? I have two of them in my wallet (AE and Fleet Fusion) and two readers (useless on a mac) that retail for $29.99 a pop that I got for free being that I was an "early adopter". So where does that $50 really come from? And yes, I read the story, I just want to have a better handle on why someone supposedly "in the know" would throw out a figure like that for a quantity purchase of 65,000.
Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
Of course, that's a risk to Microsoft's customers, so that may not be considered as critical.
I do believe the issue isn't just code compromise (i.e. putting back doors in...), but in the case of the closed source, finding exploits and backdoors. I need only point to the rationale that MS gave for not disclosing pieces of their source code: it would endanger National Security. Now, either that was a dodge, in which case Allchin should be doing time in at least Club Fed for lying to a Judge, or it's the God's truth. If it's the God's truth, being in the open is going to reveal most of those things and get them zoomed right off the bat; if it's closed, only the people working on it know about the code (well, and anyone that manages to see it without them looking...) so you don't have as many people looking over the code in question, so you end up with things like MS Blaster which caused a packet storm from Hell on the Internet.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I know when the BeOS source was leaked, every smart programmer stayed away from it - else be blamed for stealing 'IP'.
Conspiracy Theory #234,345,234: MS deliberately leaks the source to some EOLed code such as Win 95 or NT, and sues anyone who is making inroads with alternate OSes or applications, such as Linux, Mozilla, Open Office etc.
What fun! No doubt, there will be no need to show their code for National Security reasons. We'll just need to trust them.
Thank you! I too tire of the 'ms sucks' posts.
I work with MS once in a while to get a bug fixed. Like ANY major software out there they have bugs just like the rest of us. Worked with a nice gentleman yesterday. He traced through their code for me. I could have done it if I had the code. But it's their code, and I respect that. They were looking into why an API I use in my code changed after a 'security' hotfix. After an hour of tracing he found that it was wrong. I knew that, but that's ok too, he had to prove it to himself. After all that he told me 'if it's a security hotfix it will not be fixed; you're lucky the code ever worked the way you were using it'. He was right, I knew what they had done and it's a good thing.
The moral here? They are deadly serious about security. They will not back out a fix just 'cause'. They are fixing the holes that are there.
I am convinced they are enduring some of the most punishing testing on the face of the planet. To use a term from open source, 'many eyes make all bugs shallow'. They are on a much larger number of desktops than any other OS out there.
I have never found them 'arrogant', 'loud mouthed', or 'bullying', like I find on slashdot sometimes about open source. I have found them to bend over backwards to fix ANY bug they have. They do not pounce on it. But they DO fix it. They do not 'hack' it into the code. They test it and make sure it's good. If you act like an ass to them they respond in kind. They have THOUSANDS of bugs to fix and they have prioritized them. They only have so many 'core' developers and they are trying to write new stuff and retrofit old stuff.
They have a serious challenge. The code is basically done. They now have to go through it ALL and fix things that were never a priority for them. I would cringe at someone coming up to me and saying my code has the same serious problem in every module, and every function. That is basically the problem MS has. And making the code 'open source' would make the problem better in some ways, but much worse in others. Also would you want them to rush out a fix for something? Or test it and make sure it works? Also if you want top shelf support out of MS you need to talk in the language of the corporate world. You need money to wave at them. Otherwise get in line with the thousands of other people.
Also do not be fooled into thinking that linux has no 'serious' bugs. They exist; can you say 'root kit'? If you believe that linux is secure by default you're living in a dream world, neo.
I look at the two systems as tools for me to do things. I have both types of boxes. I use both for many things all the time.
Not to sound old fashioned, but I wonder if using several large systems and dumb terminals would help lower costs and problems?
This was the standard motto in the early 80's when pc's were considered toys.
But 300k nodes sounds like an administrative nightmare.
I wonder if we would all be using network computers and thin clients now if MS never existed. They put out all sorts of fud and raised the price of client licenses for terminal servers to make it look like a pc in every desk was cheaper than a windows terminal.
http://saveie6.com/
What about menuet? It can run a tiny server and was coded in pure assembly. I wouldn't be surprised if its code was tight enough to resist any network attack due to the very small number of network services (shoutcast server, web server, and I think an FTP server). I'm not a security expert but I would imagine a product like that could be made air tight; perhaps boxes running customizable assembly-coded OSes will be the future of network security for at least the highest priority systems.
Snowden and Manning are heroes.
Really now. When was the last time you saw my network that you can make such a sweeping, generalizing statement?
I find one issue that people rarely bring up when discussing MS vs. Open Source OSes is that if the tables turned, people would shit on Nixes as openly and wantonly as MS products. Microsoft realized they had a profitable and viable piece of coding that could become the core of their company. So in turn they didn't allow open sourcing. Now with all these great operating systems available that ARE open source, Microsoft becomes the "giant that stole Christmas".
Linux and OSes like it have successful security implementations because they have an unlimited amount of programmers to work on the code. There is no overhead, no one to say "That's not a profitable solution" and no one to gripe when you sit down for hours on end tweaking your source. Open sourcing becomes a pet project, a hobby, and a way of life. A battle cry, held upon high by rogue programmers who sit at their consoles running a MS product at work, wishing they could do something besides regediting to add finesse to their OS. So they go home, fire up the ole' Red Hat and tweak 'til they turn blue in the face. And it's a great thing to behold. BUT a problem with a lot of open sourcing is personal preference. MS products were intended for the masses of "dull" witted purely PC users. It had to be the friendly OS by design or it wouldn't have profit potential. THAT is why every person in your neighborhood has a PC, because SOMEONE took the time to gear it down to the "regular Joe" (I mean, could you imagine your 57 year old mother running BSD?). However, Open Sourcing has a tendency to be modded personally, so that the OS operates to YOUR personal preference. That is the beauty of running a *Nix: you can dumb it back up.
Basically my point is this: security was not a primary concern when Windows was produced; they were worried about the little guy who could barely turn on his monitor. But you have to admit your Mom loves Bill Gates because getting email is cool!
"This is the value of a summer spent and a winter earned"
The wording here is really a bit too strange and not like a normal Microsoft attack. First of all, anybody with any knowledge of history would put the "rock solid" joke on ME, not 95. And I never heard the "just for ME!" line before; in fact this is pronounced emm-e by every Microsoft hater. Though the background of XP is obviously Teletubbies in appearance, most Microsoft haters attack the candy-colored bubbles which don't resemble Teletubbies scenery much at all. And "the radiator would dislodge?" How about "when you go over a bump it would stall" or otherwise do an obvious failure.
It should be obvious that Microsoft is setting this up. They want to attack OSS on security. Their plan is to put a hole or exploit into the code by compromising some system to infect the code. Possibly this has been caught three times now, but there may be a missed one already planted, so everybody check carefully! Notice that they plan to announce this "security" stuff apparently in sync with 2.6 being released.
The far easier way to plant a hole in Linux would be to pay off or threaten some developer to do it. However they cannot do this because of the obvious fact that this can be done to one of their employees as well. They have to do it by "hacking", and they need to print this paper to show that they are extremely well-protected against "hacking", while open-source is "vulnerable".
The several posts like this, which seem out of character (i.e. treating Microsoft as childish rather than a threatening if clumsy evil), I think are planted. They want to point out that this coming failure of open-source has nothing to do with the security of the software on your desktop, but everything to do with the fact that people can work on the code.
"The open source world needs to learn a little about UI consistency and try to make things easy to use if any Open Source OS is ever going to be taken seriously on the desktop or in the home."
Here is an opportunity for Linux to bring something entirely new to the table: UI consistency. The gratuitous UI changes from one windows flavor to another are deeply frustrating. Finding a particular admin applet is like playing whack-a-mole. As I recall in NT 3.51 the hard disk management applet was easily reached. Every generation hides it deeper.
And the default XP screen is really infantile, inspired by Teletubbies. You can see Po and La-la on really hi-res screens.
When I was a contractor/whore a colleague in development showed netstat connections from the PRC, where MS had no development. Not in our project, anyway.
Totally owned. MS netsec had no interest. The report impugned their competence. I have no idea if things are any better now. Maybe there was a shakeup after Code Red infected the very web servers that distribute patches for us all.
As a fellow employee, you're not incorrect, but you're not really right, either. In particular, the smart card part of your badge is limited to the small chip you can see on the back side, and it's a perfectly vanilla smart card. I'd guess they cost less than $0.50. The RF bit is in the white plastic, and you can tell that because an intern or vendor badge (without the smart card part) can still open doors or be scanned for food.
Regardless of who we are talking about, they are predicting a successful attack on the largest company on the planet. And they DO know what they are talking about; they have a better idea of internal security issues than any of us here on the outside.
That's rather scary if you ask me... as that leaves all the smaller companies that can't afford to keep up wide open too..
We could see a really bad year in 04 for attacks and break-ins.. Even worse impact on our industry than the 'litigious 03'...
---- Booth was a patriot ----
Buffer overruns have been well understood for years, are easy to automate tools to search source code for, and any that leak through are easily tested for.
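As an added illustration of the kind of automated source search the poster mentions (this code is not from the thread or from Microsoft), a small Python scanner that flags calls to C string and format functions that take no destination-length argument, run over a constructed C snippet; the bounded counterparts (strncpy, snprintf, fgets) are deliberately not flagged:

```python
import re

# Constructed sample C source for the demo (not from any real project).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

void copy_name(char *dst, const char *src) {
    strcpy(dst, src);            /* unbounded copy into dst */
}

int read_line(char *buf) {
    return gets(buf) != NULL;    /* no length limit at all */
}

void fmt(char *out, int n) {
    sprintf(out, "%d", n);       /* unbounded format */
    snprintf(out, 16, "%d", n);  /* bounded: not flagged */
}
"""

# Functions whose output size depends only on the input, not on the destination.
UNBOUNDED = {
    "gets": "use fgets with an explicit buffer size",
    "strcpy": "use strncpy/strlcpy with a bound, or snprintf",
    "strcat": "use strncat/strlcat with a bound",
    "sprintf": "use snprintf with the destination size",
    "vsprintf": "use vsnprintf with the destination size",
}
# Negative lookbehind keeps snprintf/strncpy-style names from matching their
# unbounded substrings (e.g. the "sprintf" inside "snprintf" is preceded by "n").
CALL_RE = re.compile(r"(?<![\w.])(" + "|".join(UNBOUNDED) + r")\s*\(")


def scan_c_source(source):
    """Return a list of (line_no, function, advice) for each unbounded call."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for m in CALL_RE.finditer(code):
            fn = m.group(1)
            findings.append((line_no, fn, UNBOUNDED[fn]))
    return findings


if __name__ == "__main__":
    for line_no, fn, advice in scan_c_source(SAMPLE_C):
        print(f"line {line_no}: {fn}() has no destination bound; {advice}")
```

A scanner like this only finds the obvious call sites; it is a triage aid before review and fuzz testing, not a proof that no overrun remains.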
If you think buffer overruns are a Microsoft OS only problem, you have no idea what you are talking about.
I've heard (and mine) are about the damned cartoonish color scheme and the total waste of screen space in each and every window that doesn't add any functionality to the GUI itself.
And the funny thing is, you can turn on/off what level of extra functionality you want in the GUI, even the colors. In fact you can skin it to look like a MAC if that is your bag (using a simple UI patch).
As for the added functionality, have you actually ever looked at the items in the sidebar of an open folder? There are a lot of quick features available for novices and even power users that like to be able to click "Play Selected Songs 'Albums' " and just have the songs play.
And if you are a real power user that needs the screen space, just turn off the side bar; these features are also available from a right click even if the side bar is off.
Maybe Microsoft is foolish in assuming that users have displays greater than 640x480 and are using the extra screen space to add functionality, but then again, maybe it is time for some people to get a new monitor. 1024x768 is becoming a minimum for desktop real estate. Even my laptop is 1600x1200 and it's a year and a half old.