Ten Steps Microsoft Should Take to Improve Security
The topic this month is no laughing matter.
- By Paul Desmond
- 07/01/2005
You'll find nothing funny about this column, for the topic this month
is security—no laughing matter. Asked to submit ideas on steps Microsoft
should take to improve security in its products and networks, readers and analysts
had no shortage of ideas.
10. Educate the Masses
It's often said that security is more about process than products. John Pescatore,
a vice president with Gartner Research, echoes that theme. "Microsoft should
invest in a lot more user analysis and R&D work on safety: how to prevent naive
users from having security problems." Besides helping consumers, he says such
steps would help prevent hackers from using their PCs as launching pads for
attacks on business systems.
9. Security by Obscurity
"Allowing users to easily change default ports of different services would prevent
many attacks. You can do it now, but it takes a researched registry edit in
most cases," says Roger Grimes, senior consultant with Banneret Computer Security,
describing what he calls "security by obscurity." "Microsoft could do a better
job by focusing its efforts on developing defenses that really work against
automated malware. I mean OS blocks that work even when the malware gets past
our initial defenses, which they always will."
8. Better Best Practices
Grimes also suggests Microsoft come out with more detailed best practice guides
for securing desktops and servers. As an example, he cites the security templates
available from the Center for Internet Security (CIS) (www.cisecurity.org).
I like the CIS model, which is to create security benchmarks, based on input
from its members, that specify in detail how best to configure computers for
proper security.
7. Check Compliance
Yet another Grimes suggestion (yes, I know, I should've had him write
this column): Microsoft should develop a better way to audit clients for group
policy compliance. "GPOs are a great way to push security settings out, but
how do we really know if the settings and changes were applied?" he asks. "Where
did it fail? Why?" Vendors such as ScriptLogic,
of course, will be happy to sell you tools that perform a function quite similar
to what Grimes describes.
6. Launch Lawsuits
"Sue the vulnerability researchers," says Pete Lindstrom, research director
at Spire Security. "Increase the bounty on worm and virus writers." I can see
how you can make that case, at least when it comes to the irresponsible researchers
who put out results before giving vendors a chance to write patches.
5. Enhance Auditing
Waleed Omar, senior network administrator with Mantrac Group, says Microsoft needs
to enhance its auditing capabilities, so you can see who did what when. "The
audit trails I can generate from a Windows server are nothing compared with
other OSes," he says.
4. End Buffer Overflows
A number of readers expressed exasperation with the continued problem of buffer
overflows. More careful coding—even at the expense of product delays—can correct
the problem, they contend. "How long has the buffer overflow been around?" asks
Mike Ste Marie, an information security analyst at a company he'd rather not
name. "How many releases of IE have we had since then? You're telling me they
couldn't have re-written IE and prevented that vulnerability?" No, Mike, I'm
not going to tell you that.
3. Let IE Stand Alone
More than one reader had another IE-related suggestion. "If Microsoft were really
serious about security it would create an IE that was totally standalone. No
hooks into any [Microsoft] products or anyone else's," says Patrick Dooley,
of the Wisconsin Department of Revenue. Michael Hubbard, infrastructure supervisor
at Circle Seals Controls, Inc., was more succinct yet equally clear: "Separate
IE from the OS!!!!"
2. Correlate, Correlate
"Microsoft should buy or create a vulnerability scanning tool that integrates
into System Center 2005," says Shawn Conaway, who works in the IT services department
at the Roundy's, Inc. supermarket chain. "System Center then should correlate
SMS, MOM, ACS (Admission Control Service) and vulnerabilities." Correlation
of security alarms and vulnerabilities—a little slice of security heaven.
1. All Is Well
Charles Kolodgy, research director for security products at IDC, came back with the
most surprising response of anyone I heard from. "Sorry I don't have anything
new to offer," he replied. "Microsoft has been doing well with many of its existing
initiatives. The anti-spyware product works well. It has improved patching and
code reviews, etc." I guess I lied when I said there'd be nothing funny in this
column.
About the Author
Paul Desmond, the founding editor in chief of Redmond Channel Partner magazine, is president of the IT publishing firm PDEdit in Southborough, Mass. Reach him at [email protected].