[iwar] [fc:Microsoft.program.manager.discusses.company's.efforts.to.make.Windows.more.secure]

From: Fred Cohen (fc@all.net)
Date: 2001-09-25 07:09:35


Return-Path: <sentto-279987-2341-1001426983-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 25 Sep 2001 07:12:09 -0700 (PDT)
Received: (qmail 10241 invoked by uid 510); 25 Sep 2001 14:10:03 -0000
Received: from n28.groups.yahoo.com (216.115.96.78) by 204.181.12.215 with SMTP; 25 Sep 2001 14:10:03 -0000
X-eGroups-Return: sentto-279987-2341-1001426983-fc=all.net@returns.onelist.com
Received: from [10.1.4.54] by f19.egroups.com with NNFMP; 25 Sep 2001 14:09:43 -0000
X-Sender: fc@big.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_3_2_2); 25 Sep 2001 14:09:43 -0000
Received: (qmail 7522 invoked from network); 25 Sep 2001 14:09:35 -0000
Received: from unknown (10.1.10.26) by l8.egroups.com with QMQP; 25 Sep 2001 14:09:35 -0000
Received: from unknown (HELO big.all.net) (65.0.156.78) by mta1 with SMTP; 25 Sep 2001 14:09:35 -0000
Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id HAA26049 for iwar@onelist.com; Tue, 25 Sep 2001 07:09:35 -0700
Message-Id: <200109251409.HAA26049@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 25 Sep 2001 07:09:35 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Microsoft.program.manager.discusses.company's.efforts.to.make.Windows.more.secure]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Microsoft program manager discusses company's efforts to make Windows more secure

Robert L. Mitchell, Computerworld, 9/24/01
http://www.pcworld.com/news/article/0,aid,63323,00.asp

Steve Lipner is the lead program manager of Windows security at
Microsoft.  He's responsible for Microsoft's Security Response Center,
and he's chief of the company's Secure Windows Initiative.  Under his
watch, Microsoft has begun a security review of its entire code base. 
Lipner spoke with Computerworld's Robert L.  Mitchell about the Code Red
worm, the state of the Windows code base, and Microsoft's efforts to
improve the security of its products. 

Computerworld: What role does the Secure Windows Initiative play at
Microsoft?

Lipner: The Secure Windows Initiative is an effort to improve the
security of all Microsoft products.  It encompasses everything Microsoft
ships.  We attempt to improve security by improving processes, by
providing training, by applying advanced tools, and by improving the
quality of our security testing. 

CW: Considering Code Red and the publicized vulnerability statistics of
other viruses, Microsoft Web servers would seem to be more vulnerable to
attack than other products.

Lipner: In terms of perception, I think a lot of that is because we have
a lot of systems out there and because when there's a vulnerability, we
shout it from the rooftops.  We knew that [Code Red] was a serious
vulnerability from the day it was reported to us.  When we had the patch
ready for that, we went out not only to our customers, but also to the
press to say this is a serious vulnerability. 

I think another factor is that because [Internet Information Server] and
Windows are so easy to use and because it's so easy to set up a Web
server on IIS, people may, in some cases, do that without realizing that
they have to worry about security, without realizing that there are
security steps or security configurations that they have to apply. 

CW: IIS doesn't install securely out of the box.  For a Web-facing
product, why not default to a more secure install?

Lipner: With products that install with defaults, you're always making a
trade-off in terms of what features are available and how they're
configured. 

That said, Internet Information Server 6 will walk you through a dialog
that will ask what services you want.  We expect that dialog will have
the effect of getting the configuration right and secure for most users. 

We also make available on the Web the IIS Lockdown [security
configuration] tool and check lists for securing Web servers. 

CW: Microsoft released a Code Red patch on June 18, yet a month later,
the worm infected more than 250,000 systems.  How could that happen? The
patch for Code Red was very likely the most heavily downloaded in our
history.  Why didn't more people install it?

Lipner: I think that it may be that people still don't subscribe to the
Security Notification Service.  They still don't go to [the] Windows
Update [Web page], and we want to get the word out that those services
are there. 

CW: Microsoft uses an internal program called Prefix to find
vulnerabilities in its code base.  What have the results been so far?

Lipner: [Prefix] runs a scan of an entire product's source-code base to
detect patterns of potential programming errors that experience tells us
are likely to be security-related and flags them for human review and
correction. 

Prefix takes a day or two to run across the entire Windows code base. 
It's run every couple of weeks throughout the [Windows .Net Server]
development cycle.  It started to be run after Windows 2000 shipped. 
.Net Server will be the first product that's had a development cycle of
benefit from Prefix. 

CW: How successful have you been at rooting out those infamous
buffer-overflow vulnerabilities?

Lipner: We've found and eliminated a lot.  That said, it's important to
stress that there are an infinite number of ways to run a program.  And
similarly, there are a vast number of ways that one can write a buffer
overflow.  [Prefix] is not a closed-form solution. 

CW: Last year, Microsoft released 100 security bulletins.  What are you
doing to make sorting through the bulletins easier?

Lipner: We're rolling out a severity rating system that will help
customers understand how serious issues are.  We're moving with Windows
XP and .Net Server to much more reliance on Windows Update and the
updating technology that will allow customers to install these patches
and get automated notification with less effort. 

HFNetChk is a command-line tool that lets an administrator look at a
system to see what patches are installed and to compare that
configuration with the set of patches we've released for that system. 
It's a real-time tool in that it looks at an XML file we maintain on our
Web site.  We also released Microsoft Personal Security Advisor, which
is targeted to the individual user with NT 4 or Windows 2000. 

CW: Ultimately, many administrators would like to see fewer security
alerts and patches.  When do you see that happening?

Lipner: I think that we're running at a slower rate in 2001 than we were
in 2000, just in terms of bulletins by month, so that's a positive
thing.  It's our goal to continue to have the number of bulletins
decline, but it's not something that we can say with certainty, "This is
going to happen."

CW: What other security improvements will we see in future versions of
Windows?

Lipner: From a feature perspective, one of the key things will be better
integration and ease of use around Smart Cards, both in the client and
server product. 

CW: What are the most important things administrators should do today to
ensure the security of Windows servers?

Lipner: We encourage them to run the HFNetChk tool or Windows Update and
install the patches it advises you to install.  We also have the
Security Notification Service. 

In terms of important patches or hot fixes, we encourage customers to be
on the latest service pack: SP 2 for Windows 2000, SP 6a for NT 4. 

IIS patches are now being released as roll-ups, or cumulatives, so if
you apply a single IIS patch, it corrects all vulnerabilities going back
in history.  We encourage users to apply that in [bulletin] MS01-026 and
then additionally the Code Red Patch, which is MS01-033. 


------------------
http://all.net/ 
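Lipner describes Prefix as a scan over the whole source base that flags
patterns experience says are likely to be security-related, for a human
to review. The following is an added illustration of that idea, written
for this page; it is not Microsoft's Prefix, and the rule set and the two
C samples (a routine before and after review) are constructed here. It
strips C comments before matching so that a call removed by commenting it
out is no longer reported.

```python
"""Pattern-based source scan of the kind the interview describes for
Prefix: flag calls that experience says are buffer-overflow prone, for
human review. Added illustration for this page, not Microsoft's Prefix;
the rule set and the two C samples below are constructed."""
import re

# (function, regex, reviewer note). The functions are real unsafe C
# calls; which ones to flag is our own choice for this example.
RULES = [
    ("gets",    re.compile(r"\bgets\s*\("),      "no bound at all; use fgets()"),
    ("strcpy",  re.compile(r"\bstrcpy\s*\("),    "unbounded copy; is the destination sized?"),
    ("strcat",  re.compile(r"\bstrcat\s*\("),    "unbounded append"),
    ("sprintf", re.compile(r"\bsprintf\s*\("),   "unbounded format; use snprintf()"),
    ("scanf",   re.compile(r"\bscanf\s*\(.*%s"), "%s conversion without a width"),
]

def _strip_comment(line, in_block):
    """Drop // and /* */ comment text so commented-out calls are not flagged.
    Returns (code_text, still_inside_block_comment). Does not understand
    string literals, so a '//' inside a string is a known false negative;
    the tool exists to feed a human reviewer, not to be exact."""
    out = []
    i = 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end < 0:
                return "".join(out), True
            i = end + 2
            in_block = False
        elif line.startswith("//", i):
            break
        elif line.startswith("/*", i):
            in_block = True
            i += 2
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block

def scan_source(text):
    """Return [(line_no, function, note), ...] for a human to review."""
    findings = []
    in_block = False
    for lineno, line in enumerate(text.splitlines(), 1):
        code, in_block = _strip_comment(line, in_block)
        for name, pattern, note in RULES:
            if pattern.search(code):
                findings.append((lineno, name, note))
    return findings

# Constructed samples: the 'before' and 'after' of a review. The C is not
# compiled here; it is just input to the scanner.
VULNERABLE = """\
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                 /* no length check */
    sprintf(buf, "Hello %s", name);
    printf("%s\\n", buf);
}
"""

HARDENED = """\
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    // strcpy(buf, name);  removed after review
    snprintf(buf, sizeof buf, "Hello %s", name);
    printf("%s\\n", buf);
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, scan_source(src))
```

As Lipner says of Prefix, this is not a closed-form solution: a rule list
only finds the shapes it knows, and each hit still needs a person to decide
whether the destination is actually sized correctly.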

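The interview describes HFNetChk as comparing a system's installed patches
with an XML list of the patches released for it, and separately notes that
IIS patches are now cumulative roll-ups such as MS01-026, to be followed
by the Code Red patch MS01-033. The example below, added for this page
and not Microsoft's tool, shows the audit logic with roll-ups taken into
account: a bulletin counts as satisfied if it, or anything that
transitively supersedes it, is installed. The manifest schema, the
"supersedes" relation and the older bulletin IDs MS00-0X1 and MS00-0X2
are constructed placeholders; only MS01-026 and MS01-033 come from the
interview, and the installed-hotfix set stands in for what the real tool
reads from the host.

```python
"""Patch-state audit in the style the interview attributes to HFNetChk:
compare the hotfixes installed on a host with a manifest of released
bulletins, honouring cumulative roll-ups. Added example for this page,
not Microsoft's tool; the manifest format, the supersedence data and
the MS00-0X1 / MS00-0X2 IDs are constructed."""
import xml.etree.ElementTree as ET

# Constructed manifest. In the real tool this comes from Microsoft's Web
# site; the audit is only as good as the manifest's authenticity.
MANIFEST = """<?xml version="1.0"?>
<patches product="IIS 5.0">
  <bulletin id="MS00-0X1" severity="important"/>
  <bulletin id="MS00-0X2" severity="important"/>
  <bulletin id="MS01-026" severity="critical" supersedes="MS00-0X1 MS00-0X2"/>
  <bulletin id="MS01-033" severity="critical"/>
</patches>
"""

# Rating scale assumed for the example; the interview only says a
# severity rating system is being rolled out.
SEVERITY_ORDER = {"critical": 0, "important": 1, "moderate": 2, "low": 3}

def load_manifest(xml_text):
    """Map bulletin id -> {'severity': str, 'supersedes': [ids]}."""
    root = ET.fromstring(xml_text)
    return {
        b.get("id"): {
            "severity": b.get("severity"),
            "supersedes": (b.get("supersedes") or "").split(),
        }
        for b in root.iter("bulletin")
    }

def covered(installed, bulletins):
    """Installed bulletins plus everything they transitively supersede."""
    seen, stack = set(), list(installed)
    while stack:
        bid = stack.pop()
        if bid in seen:
            continue
        seen.add(bid)
        stack.extend(bulletins.get(bid, {}).get("supersedes", []))
    return seen

def missing_patches(installed, bulletins):
    """Bulletins not satisfied on the host, most severe first, then by id."""
    done = covered(installed, bulletins)
    missing = [bid for bid in bulletins if bid not in done]
    return sorted(
        missing,
        key=lambda b: (SEVERITY_ORDER.get(bulletins[b]["severity"], 9), b),
    )

if __name__ == "__main__":
    bulletins = load_manifest(MANIFEST)
    # Constructed host states: an old box, one with the roll-up only,
    # and one that followed the advice in the interview.
    for host in ({"MS00-0X1"}, {"MS01-026"}, {"MS01-026", "MS01-033"}):
        print(sorted(host), "->", missing_patches(host, bulletins))
```

The roll-up handling is what keeps the report honest: a host with only
MS01-026 installed is not told to go back and apply the older IIS
bulletins it already covers, but it is still told about MS01-033, which
came later and is not part of that roll-up. Because the manifest drives
every verdict, it should be fetched over an authenticated channel and
its integrity checked before it is trusted.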



This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:49 PDT