Yes, I think the Trustworthy Computing Initiative is going well. The proof will be in the pudding when a new platform, like Yukon, comes out. If Yukon has a lot of bugs, then Trustworthy Computing has not done its job. Are there common mistakes that Windows administrators keep making, even though security tips for Windows are widely available?
Yes. The problem with Windows administrators is they don't administrate for security. There are only about 100,000 people who subscribe to Microsoft's [security] mailing lists, even though several million people administer Windows. People who buy Microsoft products buy them because they work out of the box fantastically well. You can start doing business right away. There is a small number of people who install the patches when they are delivered. We find that when we do an audit, we often find that NULL session access hasn't been removed. The information may be readily available but people don't have the time or inclination to do it. [A NULL session is an unauthenticated connection to a Windows machine. If an unfriendly hacker gains NULL session access he or she can call APIs and use remote procedure calls to get more information about users.] What is realistic for customers to expect in terms of what they will get from Microsoft's Trustworthy Computing Initiative?
Though people involved in security care about security, in the enterprise there are a large number of people who really don't care. They still run without service packs. They think the firewall is the solution to the problem. In the long run, the initiative will hopefully give them less to worry about at night. It will mean they have to apply fewer patches. What, then, should customers think when they see news about a new vulnerability nearly several times each week?
Microsoft is looking to remove vulnerabilities, and when it finds one, a patch is issued. This shows the effort is working. It would be good if we knew how many vulnerabilities are found internally by Microsoft and how many are discovered by outsiders. The fact that we are getting these patches at a high rate shows they are finding the vulnerabilities and patching them. The driver behind security vulnerability is the economy. In the old Unix days, there was something called the Finger Demon which could "finger" a user or computer and get information about a [person's] name and phone number. It's an ancient protocol that is not being extended. No one has ever required it to do more than lift basic information. People want much more from Web applications. With new development come security vulnerabilities. When vulnerabilities were found in the finger protocol, they were patched. Finger has no new development, so there is no economic drive to update. It's mature and safe. The World Wide Web is funding and driving development [of applications] and with that, come new vulnerabilities. Are some third-party security tools for Windows overrated?
It's not worth spending money on IDS [intrusion detection systems]. I don't think the return on investment is significant. Most IDS systems look for pattern matching. If you remodify even slightly, the attack is likely to get through. Another problem with IDS is if I'm attacking your system, I'll light up your logs like a Christmas tree and then I can attack where you are not looking. I can have 1,000 attacks and hide my real attack somewhere in that 1,000. Another problem [with IDS] is they cause administrators to be desensitized. If you are an IDS administrator, you are ready and waiting for the first attacks. You check it out, and maybe it's a false positive. It happens again and again, and eventually you start [tuning out]. The time you [tune out] could be the time of an attack. But if your system doesn't have a vulnerability, no one can't break in. So take the same money you would have spent on IDS, and use it to lock down your computers.
FOR MORE INFORMATION:
Article: New Microsoft service helps ease patch pains Are there any underused security features in Exchange or the other Windows platforms that IT administrators could be using more efficiently or at least be more aware?
Yes. And there is a lot of information that is accessible for free. [IT administrators] need to take the time to read and understand it and then take the time to apply the changes. You can also get free from Microsoft, URLScan [Security Tool], which locks down IIS. But it's just being made aware that these things are out there. Some can buy vulnerability assessment software, and they should be running these against their systems on a regular basis. [IT administrators] should be monitoring their logs. It's understanding what's happening to your system and making security decisions based on that information. The conversation goes back and forth about which platform is more secure. What do you think?
All products are pretty much insecure. Take OpenBSD. It's a strong operating system in terms of security. Linux, Solaris and Windows are insecure. But the point is not whether it's insecure but whether it can be secured. You are looking for the ability to secure the box. It's irrelevant which one is more secure than the other. If a customer says to me, 'should I dump Microsoft for Linux,' I say no. You can lock down Microsoft just as well.