Slashdot Mirror


Looking Back At Windows Security In 2003

thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."

18 of 327 comments

  1. Re:Its crap but just as crap as anyone else by abh · Score: 2, Informative

    Perhaps you've heard of a company called Cisco, they make a thing called a PIX, which is probably the most popular hardware firewall product.

  2. Slashdotted by tomoe27 · Score: 1, Informative

    Looks like it's been slashdotted...

  3. Re:Biggest problem with windows security by abh · Score: 4, Informative

    Is clicking the checkbox to disable the Auto Update feature too difficult?

  4. Re:Myth: Linux is more secure than Windows NT. by Anonymous Coward · Score: 2, Informative

    "Administrators cannot delegate administrative privileges: a user who needs any administrative capability must be made a full administrator, which compromises best security practices." man sudo

  5. Re:Its crap but just as crap as anyone else by ePhil_One · Score: 2, Informative

    As opposed to hardware based firewalls running custom operating systems. Granted, almost anything based in silicon could be considered a "computer", but running a general purpose OS on generic hardware is a far cry from what companies like Netscreen are producing.

    --
    You are in a maze of twisted little posts, all alike.

  6. Re:Hey, Sherlock.... by AntiOrganic · Score: 5, Informative

    Or how about just applying the patch that's been freely available for six months?

    *glares at manager*

  7. full text of the article by Anonymous Coward · Score: 4, Informative

    The site took forever for me to load. Looks like it is slashdotted. Here's the full text:

    An In-Depth Look Into Windows Security in 2003
    by Mirko Zorz - Monday, 22 December 2003.

    When it comes to security predictions for next year, basically everyone says it's going to be worse than this year despite the increased spending on security and some progress made when it comes to security awareness. Let's take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security and perhaps you'll be able to judge for yourself what 2004 will bring.

    The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of "Counter Hack" and "Malware: Fighting Malicious Code") and Arne Vidstrom (a security researcher and author of many security tools for Windows).

    It's January and things don't look good

    Just as we were getting used to writing 2003 instead of 2002 in our letters, here comes the Slammer worm and all hell breaks loose as thousands of computers are infected worldwide.

    This, however, was not Microsoft's fault since a patch was available several months before the worm was unleashed. This put the issue of irresponsible users into the spotlight, while others said the reason why some servers weren't patched is because administrators are worried about the side-effects that come with a patch.

    Russ Cooper said: "Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user's fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The method the SQL group has used to handle the SQL vs. MSDE issue has been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn't even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default."

    Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny". There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."

    "Another aspect of "Default Deny" is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machine
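Cooper's two points above (expose the SSRS only to an identifiable address range, and enforce outbound rules as well as inbound) can be shown with a small default-deny policy evaluator. This is an added example, not code from the article, from Microsoft or from TruSecure; the Flow and Rule types, the 203.0.113.0/24 "customer" range, the 10.0.0.5 internal host and the traffic records are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
SSRS_PORT = 1434  # SQL Server Resolution Service, UDP; the port Slammer used

@dataclass(frozen=True)
class Flow:          # one UDP datagram seen at the network border
    direction: str   # "in" or "out", relative to the protected network
    src: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    src_net: str     # CIDR the source must fall in; "0.0.0.0/0" = anywhere
    dport: int
    action: str      # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction and self.dport == f.dport
                and ip_address(f.src) in ip_network(self.src_net))

def decide(policy, f: Flow) -> str:
    rules, defaults = policy      # first matching rule wins, else the
    for r in rules:               # per-direction default applies
        if r.matches(f):
            return r.action
    return defaults[f.direction]

# The habit Cooper describes: filter inbound, leave outbound untouched.
INBOUND_ONLY = ((Rule("in", "0.0.0.0/0", SSRS_PORT, "allow"),),
                {"in": "deny", "out": "allow"})

# Default Deny both ways; SSRS reachable only from one known customer range
# (203.0.113.0/24 is a constructed documentation prefix, not a real customer).
DEFAULT_DENY = ((Rule("in", "203.0.113.0/24", SSRS_PORT, "allow"),),
                {"in": "deny", "out": "deny"})

# Constructed traffic: a customer query, a probe from an unknown host, and a
# Slammer-style outbound burst from an infected internal server (10.0.0.5).
FLOWS = (Flow("in", "203.0.113.7", SSRS_PORT), Flow("in", "198.51.100.23", SSRS_PORT),
         Flow("out", "10.0.0.5", SSRS_PORT), Flow("out", "10.0.0.5", SSRS_PORT))

def permitted(policy, flows=FLOWS) -> list:
    return [f for f in flows if decide(policy, f) == "allow"]

def outbound_ssrs_leak(policy, flows=FLOWS) -> int:
    """Worm-style outbound UDP/1434 flows that escape under this policy."""
    return sum(1 for f in permitted(policy, flows)
               if f.direction == "out" and f.dport == SSRS_PORT)
```

Under INBOUND_ONLY the infected host's outbound datagrams pass untouched, which is exactly the spread path Cooper describes; under DEFAULT_DENY only the customer's query survives.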

  8. Re:Does anyone know... by NOT-2-QUICK · Score: 4, Informative

    You can search for MS security bulletins based on various criteria (product, service pack, time frame, etc...) on the technet site here.

    However, as per this article, Microsoft does not intend to push any new security patches throughout the month of December. But then again, apparently Microsoft can even manage to NOT patch correctly...

    --
    Beer is proof that God loves us and wants us to be happy. -- Benjamin Franklin

  9. Re:Myth: Linux is more secure than Windows NT. by Anonymous Coward · Score: 1, Informative

    Linux only provides access controls for files and directories

    Maybe you didn't learn about the unix convention of "everything's a file".

  10. Re:Slashdottism by zulux · Score: 5, Informative

    You did enable the built-in firewall before connecting your machine to the internet, didn't you?

    All Windows XP computers are vulnerable to Blaster during bootup.

    Even if you have the Windows firewall turned on.

    Windows XP doesn't have a firewall in place while the computer is booting - only after a full boot is the firewall policy pushed down to the network interfaces.

    SP2 will include a "block everything" firewall policy during bootup, and you can have a firewall policy over all network connections - including new connections that you may install.

    But for now - put your XP behind a real network operating system like OpenBSD.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  11. Re:Slashdottism by Cyno · Score: 3, Informative

    We installed blaster, I mean, XP in the office here and before the install was complete it got the blaster virus. Didn't have a chance to firewall it. It was already behind a firewall. But that doesn't help you when you have a bunch of Windows systems on your network. You have to physically disconnect the ethernet from your PC before installing XP to be absolutely sure it won't get infected before you have a chance to "secure" it.

  12. Re:Myth: Linux is more secure than Windows NT. by Anonymous Coward · Score: 5, Informative

    Reality: Windows actually has serious design issues. Neither is perfect. The quality of your admins has way more to do with ultimate security.

    On your specific points:

    • Agreed that NT has access controls on every object. However they are not visible and not used very much by end users and administrators. The UNIX ones are simple and very easy to understand. Here you have the choice between complicated (you do know the difference between discretionary and inherited rights filters?) and pervasive (every object) versus simple and pretty much only on files (which almost every OS object is anyway).

      Many (if not most) Windows programs get it wrong. Heck, even Microsoft has released games that can only be played if logged in as administrator.

      Linux does let you do delegation, but that is mostly left as a user space implementation issue. That is the purpose of setuid/setgid, group memberships, sudo etc.

    • The Windows accreditation is a crock. It is in a non-networked environment with no floppy disk or CD drive. Show me anyone who deploys that way. Here are some relevant articles: Win2K evaluation, IBM/Suse evaluation. I have one specific question: if the Windows architecture is so fantastic, why did the NSA choose Linux to achieve their goals? Why did Microsoft claim that fundamental design flaws in Windows were the reason they couldn't release the Windows code? (And we won't even go into the ability of any process in a desktop session being able to send messages to any other process, which is probably the flaw Microsoft alludes to).
    • And you deploy Microsoft patches immediately without worrying that they will break the other products you run and use? You can get Linux advisories from whatever distro you use. There are also services like CVE. At least with Linux you can choose to fix things yourself. With Microsoft, you are stuck with whatever amount of time and problem severity they determine. If they don't want to fix something for 6 months, there is nothing you can do about it.
    • SCE is nice, but is only needed because the whole OS has so many places where ACLs are applied. And it doesn't do things like registry access control (you have to use regedit) or the filesystem. So you do have to use a number of tools, and understand everything. In Linux you have to understand chmod. In either case, a clueless admin will do way more harm than the OS you picked to run.

  13. Re:Slashdottism by spongman · Score: 2, Informative

    yeah, but you don't need to be connected to the internet during bootup, do you? Once the computer is booted you can enable the firewall, connect to the internet and download the patches...

  14. Re:My guess. by 1lus10n · Score: 2, Informative

    http://news.netcraft.com/archives/2003/12/19/sun_discontinuing_cobalt_linux_servers.html

    According to that link, quite a few Cobalts out there. And since I work for Sun I can attest that most people running them are fairly clueless. And they aren't exactly up-to-date either.

    --
    "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein

  15. Re:Its crap but just as crap as anyone else by maunleon · Score: 2, Informative

    Believe it or not, I have not had to clean up any worms from my Windows machines last year.

    Why? Because my network has a firewall. Then my machine has a firewall. And I run a virus checker. And I keep reasonably up to date with patches. And no, it's really not a big deal.

    In our last audit, guess what we found. Windows 2000 servers on the audited networks were patched. Linux machines were not patched for recent holes. Why? The mentality that Linux is secure out of the box. We showed how the audited network's firewall (running Linux, because it's k00l and the admin was a Linux zealot) was rooted in 15 seconds using a familiar recent exploit.

  16. Re:Does anyone know... by Puppet+Master · Score: 2, Informative

    Doing a little more research, what you wanted was this:

    Linux (ANY)

    and

    Windows XP

    But even this is unfair... It should be Windows (ANY), if you're going to compare any flavor of Linux to any flavor of Windows.

    --
    The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!

  17. Re:Myth: Linux is more secure than Windows NT. by Skilf · Score: 2, Informative

    Every member of the Windows NT family since Windows NT 3.5 has been evaluated at either a C2 level under the U.S. Government's evaluation process or at a C2-equivalent level under the British Government's ITSEC process.

    Concerning the C2 level certification, the only Microsoft products that have this certification are Microsoft SQL Server 2000, Win NT 4.0 and Win NT 3.5, according to Microsoft itself.

    But anyway, these certifications are bogus, since the products are evaluated "against the Trusted Computer System Evaluation Criteria (TCSEC) and its interpretations" also called the Orange Book. However, the Orange Book applies to standalone machines and operating systems! Wow. great.

    This standard clearly has no meaning anymore in modern computer security (if it ever had one).

    Skilf

  18. Re:Biggest problem with windows security by Tim+C · Score: 2, Informative

    IIRC, when you first install XP (or patch a 2k machine so that it has AutoUpdate installed), AutoUpdate pops up a little systray icon asking you if you want to enable it. At that point, you can tell it to switch off.

    Even if I got that bit wrong (and it has been a while), one thing is definitely true - the default config is to prompt you to download, then prompt you again to install updates. No Windows machine automatically downloads and installs updates unless someone configures it to do so.