<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?</title><link>http://blogs.technet.com/b/industry_insiders/archive/2005/06/14/406324.aspx</link><description>Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy? By Dennis Lundtoft Thomsen 
 I recently read Kevin Day's book "Inside a Security Mind" - not because I pretend or intend to be a security guru but because I'm aware of the fact</description><dc:language>en-GB</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?</title><link>http://blogs.technet.com/b/industry_insiders/archive/2005/06/14/406324.aspx#406842</link><pubDate>Fri, 24 Jun 2005 17:49:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406842</guid><dc:creator>Richard M. Conlan</dc:creator><description>I am a graduate student in Northeastern University CC&amp;amp;IS and am interested in HCISEC issues. HCISEC concerns the design and implementation of UI elements such that a general user can make informed security decisions.&lt;br&gt;&lt;br&gt;The outbound firewall issue is one of the examples I tend to use regarding the need for HCISEC research. WHY do users just click Yes? For the personal firewalls I've used (ZoneAlarm and Sygate Personal Firewall) the reason is pretty clear:&lt;br&gt;&lt;br&gt;1) The typical user cannot tell from the information presented whether it is safe to allow the outbound connection because the data presented to enable the choice is confusing/opaque. &lt;br&gt;&lt;br&gt;How is a typical user supposed to know what to say when they get something like &amp;quot;Would you like to allow WINWORD.EXE to make an outbound connection?&amp;quot;&lt;br&gt;&lt;br&gt;2) The typical user does not necessarily understand the security ramifications of allowing an outbound connection. Popular understanding of security risks tends to focus around hackers, viruses, and the like trying to get IN.&lt;br&gt;&lt;br&gt;Extending the above example... what harm could allowing WINWORD.EXE an outbound connection possibly do?
&lt;br&gt;&lt;br&gt;3) If the user does say NO and things break it tends to take a series of rather complex steps to reverse the decision. This gives the user an incentive to say YES just to avoid the hassle of trying to fix it.&lt;br&gt;&lt;br&gt;To a degree these are user education issues, but to an even greater degree they are a question of how well the technology presents the user with security options and facilitates the users making informed decisions amongst those options.&lt;br&gt;&lt;br&gt;SSL suffers from all of the same problems as the personal firewalls. So do MOST things that are content to prompt the user on the assumption that the user will always make an informed and appropriate decision.&lt;br&gt;&lt;br&gt;To reuse the quote from Day's book:&lt;br&gt;&lt;br&gt;“.. a security device, no matter how expensive or complex, is nothing more than a toy if it does not function within a greater security framework.”&lt;br&gt;&lt;br&gt;MANY MANY security devices are reduced to toys because they do not function within the greater security framework that is the user's security experience.&lt;br&gt;&lt;br&gt;Feel free to contact me with any thoughts on these issues.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=406842" width="1" height="1"&gt;</description></item><item><title>re: Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?</title><link>http://blogs.technet.com/b/industry_insiders/archive/2005/06/14/406324.aspx#406576</link><pubDate>Mon, 20 Jun 2005 17:15:04 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406576</guid><dc:creator>Dennis Lundtoft Thomsen</dc:creator><description>Hi Susan,&lt;br&gt;&lt;br&gt;Sorry for the late answer, here it goes -&lt;br&gt; &lt;br&gt;According to my references / testing it is enabled by default during a clean Windows Server 2003 SP1 installation (Although PSSU isn't invoked after an upgrade). 
But as soon as you press &amp;quot;Finish&amp;quot; in the PSSU Wizard the Firewall is disabled. It is a big step forward but IMHO it should still be enabled after this point and then by using SCW you would open only the necessary ports for your specific server role(s). I do agree that the way outbound filtering mechanisms are handled today in most Personal Firewalls isn’t perfect as non-IT users are inclined to use the &amp;quot;sure I want to go outbound&amp;quot; button – so we need to find a better way to handle this (e.g. open outgoing ports as part of a “SCW” workstation role tool and as part of MSI installation packages for each application).&lt;br&gt;&lt;br&gt;Btw. keep up the good work with your SBS blog ;-)</description></item><item><title>re: Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?</title><link>http://blogs.technet.com/b/industry_insiders/archive/2005/06/14/406324.aspx#406393</link><pubDate>Wed, 15 Jun 2005 09:06:50 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406393</guid><dc:creator>Susan</dc:creator><description>Are you sure about the statement &amp;quot;Furthermore, I think it’s disappointing that Microsoft didn’t have the nerve to enable the firewall by default in a slipstreamed Windows Server 2003 SP1 installation&amp;quot; as it is enabled until our SBS boxes go out and get patches at least. I thought this was true for normal server as well? As far as not allowing outbound filtering of connections, that's discussed in the TechNet Radio and they found that users would just click &amp;quot;sure I want that go outbound&amp;quot; and it served no purpose.
&lt;br&gt;&lt;br&gt;SBS 2003 doesn't need it because we're pretty tweaked as it is, but I do have to &amp;lt;sigh&amp;gt; sometimes when someone says &amp;quot;oh I'm secure I have a firewall and I don't need them inside the network.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=406393" width="1" height="1"&gt;</description></item><item><title>Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?</title><link>http://blogs.technet.com/b/industry_insiders/archive/2005/06/14/406324.aspx#406362</link><pubDate>Tue, 14 Jun 2005 23:04:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406362</guid><dc:creator>msgoodies</dc:creator><description>I've written an essay on the security initiatives in SP1 and SP2 for the Industry insiders forum and it can be found here ...&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=406362" width="1" height="1"&gt;</description></item><item><title>Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?</title><link>http://blogs.technet.com/b/industry_insiders/archive/2005/06/14/406324.aspx#406328</link><pubDate>Tue, 14 Jun 2005 13:04:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406328</guid><dc:creator>The Industry Insiders</dc:creator><description>Dennis has written an article which examines the role of Service Pack 1 for Windows Server 2003 and Service...&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=406328" width="1" height="1"&gt;</description></item></channel></rss>