The Microsoft Security Debate: The Final Chapter

Roberta responds to a reader's essay on what he views as Microsoft's poorly implemented security strategy.

You can read my last response to Robert Michael Slade's essay, whose critique of Microsoft's security strategy was

This time, here's my response to Martin Levasseur's views:

1. Microsoft doesn't understand that they should shut down services by default.

I think they understand this very well. I think they have trouble making an immediate shift from everything open to everything closed. I note the increased number of services shut down by default in Windows Server 2003 and the large efforts they have undertaken to provide admins information on what services do, and with tools to implement even greater reductions in default services running.

I do think they can do more, though. I'd like to see more. I know we will. But I'd also like to point out that you can shut down some services and you'll have less—not more—security. For example, if I want to use IPSec to secure communications between computers, all computers that need to participate had better have the appropriate IPSec service running. If I want to use Windows domains to centrally manage security, I'd better have the Kerberos Key Distribution Center (KDC) service running (among others). Many might argue that the Remote Registry service should be shut down by default, but I'd argue it's necessary in order to run agentless vulnerability scanners remotely. It's a service I'd turn off on some systems and leave on for others. The best practice for which services should run by default is this: only those you need. The problem is, what do you need? As you point out later, security means different things to different people, and I'd agree. Microsoft should shut down most services by default and help administrators understand which ones to turn back on. Administrators, in turn, need to know what their systems need to do.
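The point above (run only what the system needs, and recognize that some services, such as the KDC or the IPsec service, are part of the security design rather than a threat to it) is easier to act on with an explicit baseline per role. The following PowerShell is an added example, not code from the original column or from Microsoft. It compares the services running on a host with an allowlist and reports in both directions: services running that the baseline does not expect, and baseline services that are not running. The allowlist itself is a constructed sample for a domain controller that also uses IPsec; build your own from what each system actually has to do.

```powershell
# Added example (not from the original column): audit running services against an
# explicit allowlist, so "only what you need" becomes a checkable baseline.
# The allowlist below is a constructed sample for a domain controller that also
# participates in IPsec; build your own from what each system must actually do.

$Allowed = @(
    'Kdc',            # Kerberos Key Distribution Center: required on domain controllers
    'PolicyAgent',    # IPsec Policy Agent: required if this host uses IPsec
    'RemoteRegistry', # only where agentless remote vulnerability scanning is in use
    'Netlogon',
    'DNS',
    'NTDS',
    'W32Time',
    'EventLog',
    'Dhcp'
)

# Every service currently running that is not on the allowlist is a candidate to
# stop and disable, after you have confirmed nothing depends on it.
$Unexpected = Get-Service | Where-Object {
    $_.Status -eq 'Running' -and $Allowed -notcontains $_.Name
}

# Allowlisted services that are NOT running matter just as much: a stopped
# Kdc or PolicyAgent means less security, not more.
$Missing = $Allowed | Where-Object {
    $svc = Get-Service -Name $_ -ErrorAction SilentlyContinue
    -not $svc -or $svc.Status -ne 'Running'
}

"== Running but not in baseline =="
$Unexpected | Select-Object Name, DisplayName, StartType | Format-Table -AutoSize

"== In baseline but not running =="
$Missing

# Review mode only: print the remediation commands rather than applying them,
# so the list can be checked against dependencies before anything is disabled.
foreach ($svc in $Unexpected) {
    "Stop-Service -Name '$($svc.Name)'; Set-Service -Name '$($svc.Name)' -StartupType Disabled"
}
```

Run it as an administrator on the host being reviewed. The two lists together are the practical form of the author's argument: the first answers "what can I turn off?", the second catches the case where someone has already turned off something the security design depends on.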

2. There are too many Windows versions. There should be one Windows. Users should only use one Windows so they'll "sense" when something is wrong.

Huh? The same on the desktop as on the server? Are you saying there have been too many releases? Well, let's see: in the last 10 years there have been five versions of the desktop, averaging one every two years. There have been three versions of server products, coming at five-year, then three-year, intervals. Hardly one every year as you state. I agree that it's easier in the enterprise to manage fewer desktop types. That's why companies standardize on a specific version of the desktop, and one for servers. They generally have to have a compelling reason to upgrade. I'll agree, some companies don't do a very good job of it; they only upgrade by accident, when a computer dies. Let's face it—we want to be able to do more with less, and we want more security. If you buy it, they will make it. If you don't, they'll stop.

I do think users should take some responsibility for security, but I don't recommend they become so intimate with it that they can "sense" something is wrong. For most users a computer is a tool, like a car. They don't care how the combustion engine runs; they just want it to run. Nevertheless, they can learn common signs of trouble, and if they've been driving long enough they even may "sense" it. Remember, "sensing" something is wrong is akin to having a feeling but not knowing what.

I want users to react to increased sluggishness in their network connection. I want them to understand that they need a firewall and anti-virus products. "Sensing" is OK in love, but in computing users should know the warning signs and what to do when they see them.

3. Microsoft doesn't scale to the enterprise. There must be more artists than developers because the same problems exist but with a new interface.

Which problems are these? What does an old problem have to do with scaling to the enterprise? It's not that I think the product is perfect, or that Microsoft has made everything the way I'd like to see it. I don't think you change a system overnight, but I do believe lots of progress has been made.

For examples of that progress, look at the use of industry standards such as IPSec and Kerberos instead of proprietary security algorithms. Other examples: IIS is no longer a default installation; using group policy, I can create a security policy and provide it to thousands of machines from a central location; there are free tools that allow the administrator to push security patches automatically, after she's tested them; there's automatic patching for the end user, and a free firewall; permissions on files and other objects are more secure by default; default groups have fewer privileges; code reviews are finding more coding errors and correcting them.

4. NTFS is the worst file system. You can get around it by booting to another OS, and you can't manage Windows from DOS anymore because of it.

Show me an operating system that protects data on the hard drive when it's not booted. There are multiple ways to compromise security on a computer if you have physical access to it. Booting to another OS, or another version of the OS, is only one of them. NTFS is an OS feature. No OS, no feature.

So you can beat NTFS by booting to Linux, but you can't use simple built-in Windows tools to repair the system? I'm sorry your DOS tools can't be used when booting to DOS, or Linux tools from the Linux boot, to administer Windows. When we opt for better security we may also have to use new tools. The old tools were built to operate where no security was in effect. The new ones have to understand what's there. Many DOS-like tools still exist, and if you have the proper permissions, you can use them. Many new tools are available to repair or recover a system as well.

You complain that NTFS is the default file system. Perhaps your OEM or your administrators told you that. But if you install from the Windows installation CD-ROM you can choose to use FAT or NTFS. If you build a default install, you can specify which you want, too. But I really don't get your complaint. Don't you want a file system that allows you to assign permissions? Don't you want to control who can read what file, execute which program? NTFS provides this; FAT doesn't. Do you leave your house unlocked simply because someone can use a tool to break the lock?

5. Microsoft is trying to enforce the GUI but still allows the use of DOS. You can use DOS to bypass security measures.

I think you're confused. Microsoft has both GUI and command-line utilities that can administer Windows. Where is it written that they want to enforce the use of the GUI? I see the opposite in fact, with more and more command-line tools and more documentation on how to use them. More help with writing scripts for administration, more sample scripts for doing so.

I'm especially confused when you say that you can use DOS to bypass a security measure. First, you tell me you can't use DOS tools to administer the system. Then here, you tell me you can use them to bypass a security measure. OK, I'll bite: what security measure can you bypass with a DOS command when the OS is running? If you mean that you can boot to DOS and use a DOS command on the FAT file system, see point four above. If you mean that you've hidden some utility in the GUI and can start it by running the command from a prompt, I don't think you've used DOS to go around a security measure. Hiding money under a mattress is only a good security measure if the burglar doesn't think to look under the mattress: it's better than putting your money in the front yard, but no one would consider it security. If you mean you have discovered some true exploit using DOS, let's hear it. Anyone can make accusations.