Security Watch

The Microsoft Security Debate: The Final Chapter

Roberta responds to a readers' essay on what he views as Microsoft's poorly implemented security strategy.

• By Roberta Bragg
• 03/01/2004

Point 1. Microsoft doesn't understand that they should shut down services by default.

I think they understand this very well. I think they have trouble making an immediate shift from everything open to everything closed. I note the increased number of services shut down by default in Windows Server 2003 and the large efforts they have undertaken to provide admins information on what services do, and with tools to implement even greater reductions in default services running.

I do think they can do more, though. I'd like to see more. I know we will. But I'd also like to point out that you can shut down some services and you'll have less—not more—security. For example, if I want to use IPSec to secure communications between computers, all computers that need to participate had better have the appropriate IPSec service running. If I want to use Windows domains to centrally manage security, I'd better have the Kerberos Key Distribution Center (KDC) service running (among others). Many might argue that the Remote Registry service should be shut down by default, but I'd argue its necessary in order to run agentless vulnerability scanners remotely. It's a service I'd turn off on some systems and on for others. The best practice for what services should run by default is only those you need. The problem is, what do you need? As you point out later, security means different things for different people, and I'd agree. Microsoft should shut down most by default and allow administrators to turn on what they need by helping them understand that. Administrators need to know what their systems need to do.

2. There are too many Windows versions. There should be one Windows. Users should only use one Windows so they'll "sense" when something is wrong.

Huh? The same on the desktop as on the server? Are you saying there have been too many releases? Well, let's see: in the last 10 years there have been five versions of the desktop, averaging one every two years. There have been three versions of server products, coming at five-year, then three-year, intervals. Hardly one every year as you state. I agree that it's easier in the enterprise to manage fewer desktop types. That's why companies standardize on a specific version of the desktop, and one for servers. They generally have to have a compelling reason to upgrade. I'll agree, some companies don't do a very good job of it; they only upgrade by accident, when a computer dies. Let's face it—we want to be able to do more with less, and we want more security. If you buy it, they will make it. If you don't, they'll stop.

I do think users should take some responsibility for security, but I don't recommend they become so intimate with it that they can "sense" something is wrong. For most users a computer is a tool, like a car. They don't care how the combustion engine runs; they just want it to run. Nevertheless, they can learn common signs of trouble, and if they've been driving long enough they even may "sense" it. Remember, "sensing" something is wrong is akin to having a feeling but not knowing what.

I want users to react to increased sluggishness in their network connection. I want them to understand that they need a firewall and anti-virus products. "Sensing" is OK in love, but in computing users should know the warning signs and what to do when they see them.

3. Microsoft doesn't scale to the enterprise. There must be more artists than developers because the same problem exist but with a new interface.

Which problems are these? What does an old problem have to do with scaling to the enterprise? It's not that I think that the product is perfect, or that Microsoft has made every thing the way I'd like to see it. I don't think you change a system overnight but I do believe lots of progress has been made.

For examples of that progress, look at the use of industry standards such as IPSec and Kerberos instead of proprietary security algorithms. Other examples: IIS is no longer a default installation; using group policy, I can create a security policy and provide it to thousands of machines from a central location; there are free tools that allow the administrator to push security patches automatically, after she's tested them; there's automatic patching for the end user, and a free firewall; permissions on files and other objects are more secure by default; default groups have less privileges by default; code reviews are finding more coding errors and correcting them.

4. NTFS is the worst file system. You can get around it by booting to another OS. And You can't manage Windows from DOS anymore because of it.

Show me an operating system that protects data on the hard drive when it's not booted? There are multiple ways to compromise security on a computer if you have physical access to it. Booting to another OS, or another version of the OS is only one of them. NTFS is an OS feature. No OS, no feature.

So you can beat NTFS by booting to Linux, but you can't use simple built-in Windows tools to repair the system? I'm sorry your DOS tools can't be used when booting to DOS, or Linux tools from the Linux boot to administer Windows. When we opt for better security we may also have to use new tools. The old tools were built to operate where no security was in effect. The new ones have to understand what's there. Many DOS–like tools still exist, and if you have the proper permissions, you can use them. Many new tools are available to repair or recover a system as well.

You complain the NTFS is the default file system. Perhaps your OEM or your administrators told you that. But if you install from the Windows installation CD-ROM you can chose to use FAT or NTFS. If you build a default install, you can specify which you want, too. But I really don't get your complaint. Don't you want a file system that allows you to assign permissions? Don't you want to control who can read what file, execute which program? NTFS provides this; FAT doesn't. Do you leave your house unlocked simply because someone can use a tool to break the lock?

5. Microsoft is trying to enforce the GUI but still allows the use of DOS. You can use DOS to bypass security measures.

I think you're confused. Microsoft has both GUI and command-line utilities that can administer Windows. Where is it written that they want to enforce the use of the GUI? I see the opposite in fact, with more and more command-line tools and more documentation on how to use them. More help with writing scripts for administration, more sample scripts for doing so.

I'm especially confused when you say that you can use DOS to bypass a security measure. First, you tell me you can't use DOS tools to administer the system. Then here, you tell me you can use them to by pass a security measure. OK, I'll bite: what security measure can you bypass with a DOS command when the OS is running? If you mean that you can boot to DOS an use a DOS command on the FAT file system, see point four above. If you mean that you've hidden some utility in the GUI and can start it by running the command from a prompt, I don't think you've used DOS to go around a security measure. Hiding money under a mattress is only a good security measure if the burglar doesn't think to look under the mattress: it's better than putting your money in the front yard, but no one would consider it security. If you mean you have discovered some true exploit using DOS, let's hear it. Anyone can make accusations.