
Why Microsoft's Security Initiative is a joke

I imagine it's obvious to most people by now that I don't like Microsoft. I have reasons for this aside from their illegal and immoral/unethical behaviours, and one of these is their approach to security.

So far, as a practitioner in the VM space (gah - now I've become infected with marketing-speak!) I don't see any practical difference in my day-to-day work as a result of this initiative. With the exception of XP SP2 of course, when people actually turn their firewall on. Which more people need to do, by the way, even though it will make our jobs harder. Nothing worthwhile comes easy.

Case in point: I'm currently (on my other monitor) looking at an instance of Windows Server 2003 Enterprise Edition running in VMware. I've browsed through the menus to All Programs\Accessories\Entertainment...

Why is there even an 'Entertainment' menu section in a product described as 'Server' and 'Enterprise'?

Let's see what's in it... 'sound recorder', 'volume control' and 'Windows Media Player'.

Why is there a Media Player in a product described as 'Server' and 'Enterprise'?

Windows Media Player, as I'm sure you know, has had its fair share of exploits. Let's say an admin or contractor is working late one night and decides to stream some music on your w2k3 Enterprise Server - and that you have an attacker who's been patiently waiting for this, who hijacks or attacks it somehow leading to control of your system.

Furthermore, since internal threats are almost always more dangerous, let's say you have a user who has limited access to the system. They craft a music CD that seems innocuous (especially if they're also packing a CD player), very easy to get into the data centre, and proceed to play it on your server, except it's a specially engineered 'song' that crashes Windows Media Player and elevates their privileges. Or skip the whole CD bit - instead they have specially crafted MP3s on that USB dongle they always wear...

You see where I'm going with this, right? I don't care how good you are with managing the lock down of desktops and user policies. Sometimes you'll miss something somewhere, like the best of us do. And really, how often have you seen Windows policies applied to servers and server desktops getting locked down? Admins, at least the most senior ones, *need* full unrestricted access to boxes to fix certain problems.

What other tons of crud are there on this box that don't need to be there? How many of these are active, or for that matter, latent exploitation vectors?

Microsoft certainly needs to re-evaluate their architecture (divorce your GUI from the OS, you fools) and coding methods, as everyone does, but you've got to wonder if they're even capable of getting themselves into the right headspace to address the problem on the deeper levels it requires.

Two of the most important rules of security have clearly been forgotten by Microsoft:

1. A server should do as few things as possible, preferably only one.
2. Nothing should exist on a server except for what is needed to perform the tasks it is assigned.

Sure some *nix boxen come loaded down with tons of crap you don't need. But you can uninstall it. If you want a decent example of small footprint size and minimal software installation, check out OpenBSD. And if that's not good enough for you, you can always roll your own *nix distro. Take it to an extreme, and remove any dangerous binaries to a USB key that you mount on the box when you need to work on it.
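The two rules above are easy to state and hard to keep: the only way to know whether a box has drifted from "only what the role needs" is to audit it against a written baseline. The script below is an added example (not the blog's own code) of such a least-functionality audit. It parses a constructed inventory export in a one-item-per-line format invented for the example, compares programs and running services against a hypothetical per-role allowlist, and ranks media/interactive software and remote-access services highest because those are exactly the latent vectors the post is worried about. The host, role, baseline and inventory are all constructed; only the Windows service short names are real.

```python
"""Least-functionality audit for a single-role server (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # "program" or "service"
    name: str
    severity: str   # "high" or "medium"
    reason: str


# Hypothetical role baselines for this example; a real one comes from the
# organisation's build standard. Program names are compared case-insensitively,
# service short names exactly.
ROLE_BASELINES = {
    "web": {
        "programs": {"internet information services", "windows support tools"},
        "services": {"W3SVC", "IISADMIN", "EventLog", "Dnscache", "Netlogon"},
    },
}

# Software with a history of file-format parsing bugs that no server role needs,
# and services that hand out a remote foothold if left running outside the baseline.
INTERACTIVE_MEDIA = {"windows media player", "sound recorder", "volume control"}
REMOTE_ACCESS_SERVICES = {"TlntSvr", "RemoteRegistry", "TermService"}

# Constructed inventory export (format invented for this example: PROGRAM: <name>,
# SERVICE: <short name> <state>). Not a real host.
SAMPLE_EXPORT = """\
HOST: web01
ROLE: web
PROGRAM: Internet Information Services
PROGRAM: Windows Media Player
PROGRAM: Sound Recorder
PROGRAM: Windows Support Tools
SERVICE: W3SVC running
SERVICE: IISADMIN running
SERVICE: EventLog running
SERVICE: WMPNetworkSvc running
SERVICE: TlntSvr running
SERVICE: Spooler stopped
"""


def parse_export(text):
    """Return (host, role, programs, services) from the export format above."""
    host = role = None
    programs = []
    services = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag, _, rest = line.partition(":")
        rest = rest.strip()
        if tag == "HOST":
            host = rest
        elif tag == "ROLE":
            role = rest
        elif tag == "PROGRAM":
            programs.append(rest)
        elif tag == "SERVICE":
            name, _, state = rest.partition(" ")
            services[name] = state.strip() or "unknown"
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if host is None or role is None:
        raise ValueError("export is missing HOST or ROLE")
    return host, role, programs, services


def audit(text):
    """Compare an inventory export against its role baseline.

    Returns findings sorted highest severity first. A service that is present
    but stopped is treated as a cleanup item, not an exposure, and is skipped.
    """
    _host, role, programs, services = parse_export(text)
    baseline = ROLE_BASELINES[role]
    findings = []
    for prog in programs:
        key = prog.lower()
        if key in baseline["programs"]:
            continue
        if key in INTERACTIVE_MEDIA:
            findings.append(Finding("program", prog, "high",
                                    "media/interactive software on a server: "
                                    "file-parsing attack surface, remove or block"))
        else:
            findings.append(Finding("program", prog, "medium",
                                    f"not in the '{role}' baseline"))
    for svc, state in services.items():
        if svc in baseline["services"] or state != "running":
            continue
        if svc in REMOTE_ACCESS_SERVICES:
            findings.append(Finding("service", svc, "high",
                                    "remote-access service running outside the baseline"))
        else:
            findings.append(Finding("service", svc, "medium",
                                    f"running service not in the '{role}' baseline"))
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f.severity], f.kind, f.name))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.severity:6} {f.kind:7} {f.name}: {f.reason}")
```

Run against the constructed export, the audit flags the two media applications and the running Telnet service as high, the Media Player sharing service as medium, and says nothing about the stopped print spooler. The point of keeping the baseline as data is that the same check can run after every change window, which is how you catch the thing "the best of us" missed.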

Comments (10)

If you hate MS, how DO you feel about Oracle? :-)

What can I say? You're right that in an optimal situation there wouldn't be a media player installed on a server. However, using your logic, why would you allow untrusted code from a foreign device to execute either? You need to turn off the USB ports. There are always going to be tradeoffs that need to be made for function. What makes sense to your corporate security policy may not make sense in mine.

Look, security is about risk mitigation, and not risk avoidance. If you aren't applying the proper information security principles and practices to your organization, it doesn't matter if media player is installed or not. The administrator shouldn't be playing music or browsing from a server period. And that is a weakness in the human factor, not the technology.

Although you cannot easily remove things like media player, you can just as easily prevent Media Player from running with restriction policies. This is a configuration issue, not an installation one. (I will concede that media player shouldn't be installed at all on a server, but that's only a small point to a larger issue here)

I beg to differ that Microsoft's security initiative is a joke. You are commenting on an operating system that was written over 4/5 years ago (remember that Windows Server 2003 codebase was feature completed before 2003), before Microsoft really had a chance to apply security to their software development lifecycle. I've blogged about this before (http://silverstr.ufies.org/blog/archives/000808.html), but let me list a few of the initiatives they are doing that are helping to make for a safer computing environment for us all:

1. They have created better error-reporting software. They have found that the top 20% of their errors make up 80% of the problems. Knowing this and capitalizing allows Microsoft to significantly prioritize and reduce bugs that matter the most.

2. They have created better developer tools to help write more secure software, with release of tools like prefix, prefast, AppVerifier and FxCop.

3. They halted product development for a period of time and retrained their developers to code more securely. This is an ongoing initiative that helps everyone who touches the master sources.

4. They audited as much product source code as humanly possible and now have a dedicated lead security person for each component of the Windows source code to watch over code quality as it relates to security. Previously they had a clean up crew come in after the fact and try to sanitize the master sources.

5. Microsoft has begun to provide more secure defaults when shipping new product. As a clear example we have seen the launch of Windows Server 2003 with a lessened attack surface than previous versions of their server product.

6. Microsoft now provides better tools such as the Microsoft Baseline Security Analyzer to analyze and audit patch management as it relates to security bugs in a proactive manner.

7. After major security incidents (like MSBlaster and MyDoom) Microsoft has released tools to help respond and fix possible vulnerable and compromised machines. Although these are not timely enough (IMHO), it's still good to see.

8. Microsoft has provided a more definitive patch management cycle to address "patch hell" until their newer products get released that have a significantly lessened attack surface, and have better code quality.

9. Microsoft provides better integrated firewalling with their Internet Connection Firewall (ICF), released with the latest service pack for XP. Ok this item isn't about secure coding... but more about "secure by default" mentality.

10. Microsoft is being more open about the entire security process. And not just for PR purposes. More articles, documentation and transparent communication are now available through MSDN, Microsoft employee blogs, and Microsoft's Security webcasts.

Microsoft is far from perfect. But they are making significant changes to address their lax posture over the last decade as it relates to security. And the lessons they are learning are now impacting 3rd party applications which goes even further to protect us all. In the security software engineering field, a LOT of Microsoft's experiences are making headway into designing more secure software. From threat modeling to least privilege token control, Microsoft is being open and letting people understand how to write more defensive code in the Windows world.

Vista is the first real product that we will see where these initiatives have been applied. It will be only then when we can really understand if their security initiatives are a joke or not. I already see things like the UAC subsystem that makes it much easier to run with least privilege in the system. Far nicer than how sudo works or the hacked sudo Apple uses in OSX. We are seeing redirectors and virtualization to transparently deal with non-compliant software. The inclusion of Windows Defender and a proper two way firewall goes a long way to battle hostile code and control network communications effectively.

It's easy to hate Microsoft. It's far more difficult to acknowledge the great work they ARE doing because it's so easy to criticize their older work. Let's take the bias and hatred out and worry about protecting our clients. You know, the ones who are mostly using Windows, whether we like it or not.

Byron Sonne:

Great response, by the way. Thank you!

I sure hope Vista lives up to its promises, but I can't help but wonder about the adoption rate. It's all good and whatnot to address security in the future, but what about the currently installed OS base? There's tons of people running Win2k out there. Still plenty of people running NT. What about embedded Windows devices?

I wish Microsoft had done this from the start. I think it might be too late now - I think PCs have plateaued in terms of bang-for-the-buck, and most people have everything they need out of what they got nowadays from their windows OS.

As much as people should upgrade for better security, what is going to make them? They're going to ask why they should spend more money for nothing that's really new to them.

If Microsoft were to do this right, they should fork a massive effort to backport their security work as far back as possible. And it should be free.

And who knows when Vista will actually hit the front? Will it have everything they promise, and will it even work well? I'd have more faith in Microsoft if I didn't half think their main motivation for Vista was to have another product to sell to make more money.

Byron Sonne:

Hehe Anton... Oracle is a whole other world of pain! they need a good schoolin' - thank god for people with the last name Litchfield :)

"I'd have more faith in Microsoft if I didn't half think their main motivation for Vista was to have another product to sell to make more money."

Sorry, but that IS the point to a commercial enterprise. Of course the main motivation is to make more money. Why else would they continually create new software?

The marketplace has said "Hey, we want Security. You hear us? SECURITY!!!" and MS has responded. As Anton posted above, MS has instigated many programs and training to get Security to the level it needs to be -- an example of the "unseen hand" at work. We all wanted it, they provide it.

Now, will Vista be better? I don't know. I know that I have maybe one PC that will run it, but I know I won't see it at my job for a long time.

Argg.. My reference to Anton should instead be in reference to Dana. Sorry about that.

Byron Sonne:

Of course I know the point of a commercial enterprise is to make money! I'm not that retardedly socialist :)

What I should have communicated more clearly is that I think Microsoft is only releasing Vista to improve their bottom line. I don't think they're introducing it to fix all the problems they've caused over the years, and I don't think they're doing it because people 'wanted security'. They needed a new product anyways.

IMO, they're talking up the security angle more than they're doing anything concrete, and doing this all for marketing reasons.

If Microsoft really cared about security, they would have done this years ago.

"If Microsoft really cared about security, they would have done this years ago."

Umm, they DID start caring about this years ago, when it made sense to their bottom line. The time it takes from the introduction of new code to release isn't a few days, weeks, or months. It can take years. If you recall, Bill Gates's "Trusted Computing" memo was sent in January of 2002. That was 4 years ago.

As a business they have to weigh the cost of fixing bugs versus NOT fixing them. That includes security bugs. Remember a single change has the potential of having a huge impact to the Microsoft codebase. This is why it made sense to do it in Vista, when they were going to have to retest everything anyways.

I blogged about this at the end of last year in a post entitled "The Cost in Fixing Bugs and How Irresponsible Disclosure doesn't Help the Matter" (http://silverstr.ufies.org/blog/archives/000879.html)

You might consider checking that out to see what I mean.

The interesting byproduct of all this is that many in Microsoft "get" security now. And from the top down. Executive management have bought into making security part of the development lifecycle which means going forward, we will all benefit.

And that's a good thing (with apologies to Martha Stewart)

Byron Sonne:

Hehe... "Why Windows Vista Will Suck" ;) http://www.desktoplinux.com/articles/AT8288296398.html


This page contains a single entry from the blog posted on February 27, 2006 9:46 AM.
