Looking for a single mouse click solution that ensures 100% system security? Give up the search. "I don't expect it ever to be that easy," said Russ Cooper, founder of the security newsletter NTBugtraq.
Rather than looking for a magic pill, Cooper advises IT managers to spend a few minutes doing basic security-boosting tasks, such as removing script mappings. These tasks are too often overlooked, but they can save hours of downtime, he said. In this article, Cooper shares some easy ways to improve security and discusses current Windows security problems.
| SWM: | What's the key to an overall secure Windows environment? |
| Cooper: | The single button click is what everybody wants to see. They want to be able to click this button that says: "I am now secure." It's like getting in a car and saying: "I've got a seatbelt on and therefore I am safe." That's not the case. It's the same with computers. So really user awareness is the thing we need to improve on to improve security. The solution to security is through user awareness. If people would just be more aware of what they're doing when they're out on the Internet, they would be able to improve their security themselves without having to buy any software or hardware. |
| SWM: | What's the biggest security problem Windows users are encountering today? |
| Cooper: | Default installations are the biggest problem. Many computers today are installed using whatever the manufacturer supplied as the default, and, in many cases, that's an insecure setup. We saw that with Code Red and Nimda last year. Also, an awful lot of people don't know that they have things installed as part of a default installation. We had a bunch of people with Web servers installed on computers that they didn't even know they had Web servers on. That led to a lot of problems. |
| SWM: | What about patch management? |
| Cooper: | Patching is also a big problem. It's difficult to figure out what patches you need. It's all about getting the patches on. The other important aspect is that people don't apply patches when they're made available. If they would just take a minute or two and choose the configuration instead of just accepting the default, they could eliminate the need for a lot of the patches that are made available. Thereby, they avoid being vulnerable to things that will get patched in the future. |
| SWM: | Is there any particular vulnerability that exists that people just aren't patching, even though they may know the patch is available? |
| Cooper: | It's probably the installation of IIS and not taking the time to configure it. I always tell customers to remove all of the script mappings. These mappings allow the Web server to handle all different kinds of Web pages. We've had vulnerabilities in all the different types that are made available by default. Ninety percent of the people I deal with don't even need them. Simply going in and deleting these mappings, which doesn't take very much effort or skill, would be the single easiest way to avoid many of the problems with Web servers. |
| SWM: | What old Microsoft security problems are closer to getting fixed? |
| Cooper: | We've had a spate of vulnerabilities in Internet Explorer over the past 3-6 months that are concerning us greatly. That is a big problem because the only way to fix those is with patches. |
| SWM: | Due to the security issues in Microsoft's IIS in the past, do you think the company has lost customers? Do you think it will be able to regain the trust of those it might have lost? |
| Cooper: | I don't think Microsoft's customers have lost trust. Microsoft is considered trustworthy now and continues to be. The idea that there are more vulnerabilities in Microsoft products than there are in some other products is false, in my opinion. Even now Apache with its latest vulnerability, it's the one that's supposed to be the rock solid, very secure Web server, and yet it can still be made vulnerable. |
| SWM: | Do you think moving an IT infrastructure over to all open source is a viable alternative for those concerned about security with MS products? |
| Cooper: | It's viable for selected server implementations. I don't think it's viable on the desktop. There just isn't enough compatibility between it and what everybody else uses to interact with the rest of the world running Microsoft systems. It's the ease-of-use and interoperability that you don't get with the open source implementations. You have to make sure you got all the little bits and pieces because it doesn't come all in one package. |