Microsoft & Security (1 of 3)
Microsoft Listed as Most Secure OS - Surprised?
'Microsoft is frequently dinged for having insecure products, with security holes and vulnerabilities. But Symantec, no friend of Microsoft, said in its latest research report that when it comes to widely-used operating systems, Microsoft is doing better overall than its leading commercial competitors.' Internetnews.com, 21 March 2007.
Read the article about Microsoft and security
I regularly present something called a Security Strategy Briefing. The purpose of these briefings is to close the gap between the perception that Microsoft is poor at security and the actual reality.
I wanted to take these next three newsletters to have a go at getting this out to a wider audience. It won't be easy, as these articles can't be too long, and there's a lot to cover. I'm going to use this first one to go over the basics (what we do for free) and explain where we are. In the next one, I'm going to work with one of my colleagues (Jordi), whose role is to position some of our paid-for security solutions. And then in the third and final article, I'm going to work with another colleague (Michael), who gets to implement them.
I don't want to teach you all to 'suck eggs', but it's worth covering off some of the security challenges we all face. It's not just viruses, spyware and worms anymore. We also care and worry about botnets, rootkits, phishing, fraud, regulatory compliance, identity management and access control, system configuration, policy enforcement and the risk of unmanaged PCs, not to mention deploying updates for all of the above and reporting on your success or otherwise. It's also worth mentioning that if there were no criminals in the world, we wouldn't have any security issues (the Internet lets you be anonymous, almost untraceable, and you don't even have to be in the country where you commit your crime).
Way back in 2000, Microsoft was working on something called Trustworthy Computing (TwC) - the idea being that your computing environments would 'just work' (the analogy we were working towards was the telephone system - there's always a dial tone). In 2002, we went public with the idea and started talking about TwC and its four pillars: security, privacy, reliability and business practices. In 2002, we were also getting 'hammered' for how well (or otherwise) we were doing around security, so that's where we put most of our efforts.
All our products had to be secure by design, secure by default and secure in deployment. Secure by design just means that security goes into the product design right at the beginning - developers have to think about how their product could be attacked, and understand threat models and the difference between good and bad code. Secure by default simply moved the focus from ease of use (everything just works - because it's all turned on and running as administrator) to almost the opposite (nothing is turned on by default, and it only runs with the rights it needs). Secure in deployment talks to the fact that once the product is in production, you're going to have to keep it up to date and maintain its security (this is the people, process and technology bit). This whole process is known as the Security Development Life Cycle (SDL), and all our products have to go through it and can't be released until they pass a final security review (FSR).
The first product we shipped (that had a chance to be affected by the SDL) was Windows Server 2003. We were already into the beta cycles by then (and therefore didn't get in really early in the design process), but the FSR delayed the ship date by around four months. The interesting thing to do then was to see if the investment in security had done anything. It had: at the last count, Windows Server 2003 had been out for 1,265 days and had had 77 'Important' and 'Critical' bulletins issued against it. The only comparison we could do was for the 1,265 days after Windows 2000 shipped: it had 109 bulletins. Obviously this is a very good improvement, but it's still a large number of updates to have to apply to a server, and even if we do issue them on 'Patch Tuesday', that's still twelve update cycles and twelve reboots a year. The web server in Windows Server 2003 (IIS 6.0) has only had one vulnerability, and it was in a feature that is not installed in a default web server.
We've shipped other products since then that have had the benefits of SDL right from the word go. SQL 2005 hasn't had any security updates (yet). Windows Vista was the last to ship - it's been out now for 90 days - and it's had one security update (MS07-010 that affects Windows Defender - our anti-malware tool).
Find out more about the Windows Vista 90-day Vulnerability Report
Information Communication Technology (ICT) is about people, process and technology. We're not there yet, but we are doing a good job with the quality of our products (and they can only get better). We also do an awful lot around the people and process side. All our prescriptive guidance falls under the Microsoft Operations Framework (our implementation of ITIL) and covers everything you'll ever need to know about implementing Microsoft technology, including implementing and maintaining security. We also offer great tools to help you with your efforts. For updating systems, we have Microsoft Update (for automatic updating of consumer PCs), Windows Server Update Services (for medium and large enterprises) and Systems Management Server (for large enterprises). The Microsoft Baseline Security Analyser helps anyone find out how secure their systems are (not just missing updates, but basic configuration errors too).
For the developers among us, Visual Studio now includes both FxCop and PREfast (the tools we use to perform static code analysis for known security bad coding). We've also documented everything you need to know to write secure code and have published both the Writing Secure Code book and the Security Development Lifecycle book.
All our guidance explains something called 'Defence in Depth', the idea being that if a hacker breaks through one barrier, they'll be stopped by another. We weight each of these layers equally, and you need them all. They are: physical security (lock the computer room door, etc.), security on the perimeter (firewalls, VPN solutions, etc.), security on the internal network (virtual networks, IPSec, NIDS, etc.), security on the host (update management, HIDS, OS hardening, authentication, etc.), application security (application hardening, anti-virus, etc.), data security (ACLs, encryption, etc.) and, finally, policies, procedures and awareness (this is all about user education, and if you don't do this, you needn't bother with the other ones; I've heard stories about receptionists letting complete strangers into the computer room and holding the door open for them while the servers were stolen, and about managing directors giving the fake help desk assistant their username and password).
That's it for this week. As I said, the next instalment will cover a few of our products that we consider worth selling. They are: Internet Security and Acceleration Server (ISA), ForeFront (our anti-malware offerings), Whale (our SSL Application Gateway) and Hosted Exchange Services (off-site email filtering and archiving).
Dave