Looking Back At Windows Security In 2003

thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."

Re:Biggest problem with windows security

[abh]

Is clicking the checkbox to disable the Auto Update feature too difficult?

Re:Hey, Sherlock....

[AntiOrganic]

Or how about just applying the patch that's been freely available for six months?

*glares at manager*

full text of the article

The site took forever for me to load. Looks like it is slashdotted. Here's the full text:

An In-Depth look Into Windows Security in 2003
by Mirko Zorz - Monday, 22 December 2003.

When it comes to security predictions for next year, basically everyone says it's going to be worst than this year despite the increased spending on security and some progress made when it comes to security awareness. Let's take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security and perhaps you'll be able to judge for yourself what 2004 will bring.

The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of "Counter Hack" and "Malware: Fighting Malicious Code") and Arne Vidstrom (a security researcher and author of many security tools for Windows).

It's January and things don't look good

Just as we were getting used to writing 2003 instead of 2002 in our letters, here comes the Slammer worm and all hell brakes loose as thousands of computers are infected worldwide.

This, however, was not Microsoft's fault since a patch was available several months ago before the worm was unleashed. This has put the issue of irresponsible users into the spotlight while others said the reason why some servers weren't patched is because administrators are worried about the side-effects that come with a patch.

Russ Cooper said: "Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user's fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The method the SQL group has used to handle the SQL vs. MSDE issue have been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn't even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default."

Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny". There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."

"Another aspect of "Default Deny" is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machine

Re:Does anyone know...

[NOT-2-QUICK]

You can search for MS security bulletins based on various criteria (product, service pack, time frame, etc...) on the technet site here.

However, as per this this article, Microsoft does not intend on pushing any new security patches throughout the month of December. But then again, apparently Microsoft can even manage to NOT patch correctly...

Re:Slashdottism

[zulux]

You did enable the built-in firewall before connecting your machine to the internet, didn't you?

All Windows XP computers are vulerable to Blaster during bootup.

Even if you have the Windows firewall turned on.

Windows XP doesen't ahve a firewall in place while the computer is booting - only after a full boot is the firewall policy pushed down to the network interfaces.

SP2 will include a "block everything" firewall policy during bootup, and you can have a firewall policy over all network connections - including new connections that you may install.

but for now - Put your XP behind a real network operating system like OpenBSD.

Re:Myth: Linux is more secure than Windows NT.

Reality: Windows actually has serious design issues. Neither is perfect. The quality of your admins has way more to do with ultimate security.

On your specific points:

• Agreed that NT has access controls on every object. However they are not visible and not used very much by end users and administrators. The UNIX ones are simple and very easy to understand. Here you have the choice between complicated (you do know the difference between discretionary and inherited rights filters?) and pervasive (every object) versus simple and pretty much only on files (which almost every OS object is anyway).

  Many (if not most) Windows programs get it wrong. Heck even Microsoft has been released games that can only be played if logged in as administrator.

  Linux does let you do delegation, but that is mostly left as a user space implementation issue. That is the purpose of setuid/setgid, group memberships, sudo etc.

• The Windows acceditation is a crock. It is in a non-networked environment with no floppy disk or CD drive. Show me anyone who deploys that way. Here are some relevant articles: Win2K evaluation IBM/Suse evaluation. I have one specific question: if the Windows architecture is so fantastic, why did the NSA choose Linux to acheive their goals? Why did Microsoft claim that fundamental design flaws in Windows were the reason they couldn't release the Windows code? (And we won't even go into the ability of any process in a desktop session being able to send messages to any other process which is probably the flaw Microsoft alludes to).
• And you deploy Microsoft patches immediately without worrying that they will break the other products you run and use? You can get Linux advisories from whatever distro you use. There are also services like CVE. At least with Linux you can choose to fix things yourself. With Microsoft, you are stuck with whatever amount of time and problem severity they determine. If they don't want to fix something for 6 months, there is nothing you can do about it.
• SCE is nice, but is only needed because the whole OS has so many places where ACLs are applied. And it doesn't do things like registry access control (you have to use regedit) or the filesystem. So you do have to use a number of tools, and understand everything. In Linux you have to understand chmod. In either case, a clueless admin will do way more harm than the OS you picked to run.