Steps Microsoft Should Take to Improve Security
The topic this month is no laughing matter.
- By Paul Desmond
You'll find nothing funny about this column, for the topic this month
is security—no laughing matter. Asked to submit ideas on steps Microsoft
should take to improve security in its products and networks, readers and analysts
had no shortage of ideas.
10. Educate the Masses
It's often said that security is more about process than products. John Pescatore,
a vice president with Gartner Research, echoes that theme. "Microsoft should
invest in a lot more user analysis and R&D work on safety: how to prevent naive
users from having security problems." Besides helping consumers, he says such
steps would help prevent hackers from using their PCs as launching pads for
attacks on business systems.
9. Security by Obscurity
"Allowing users to easily change default ports of different services would prevent
many attacks. You can do it now, but it takes a researched registry edit in
most cases," says Roger Grimes, senior consultant with Banneret Computer Security,
describing what he calls "security by obscurity." "Microsoft could do a better
job by focusing its efforts on developing defenses that really work against
automated malware. I mean OS blocks that work even when the malware gets past
our initial defenses, which they always will."
8. Better Best Practices
Grimes also suggests Microsoft come out with more detailed best practice guides
for security desktops and servers. As an example, he cites the security templates
available from the Center for Internet (CIS) security (www.cisecurity.org).
I like the CIS model, which is to create security benchmarks, based on input
from its members, that specify in detail how best to configure computers for
7. Check Compliance
Yet another Grimes suggestion (yes, I know, I should've had him write
this column): Microsoft should develop a better way to audit clients for group
policy compliance. "GPOs are a great way to push security settings out, but
how do we really know if the settings and changes were applied?" he asks. "Where
did it fail? Why?" Vendors such as ScriptLogic,
of course, will be happy to sell you tools that perform a function quite similar
to what Grimes describes.
6. Launch Lawsuits
"Sue the vulnerability researchers," says Pete Lindstrom, research director
at Spire Security. "Increase the bounty on worm and virus writers." I can see
how you can make that case, at least when it comes to the irresponsible researchers
who put out results before giving vendors a chance to write patches.
5. Enhance Auiting
Omar, senior network administrator with Mantrac Group, says Microsoft needs
to enhance its auditing capabilities, so you can see who did what when. "The
audit trails I can generate from a Windows server are nothing compared with
other OSes," he says.
4. End Buffer Overflows
A number of readers expressed exasperation with the continued problem of buffer
overflows. More careful coding—even at the expense of product delays—can correct
the problem, they contend. "How long has the buffer overflow been around?" asks
Mike Ste Marie, an information security analyst at a company he'd rather not
name. "How many releases of IE have we had since then? You're telling me they
couldn't have re-written IE and prevented that vulnerability?" No, Mike, I'm
not going to tell you that.
3. Let IE Stand Alone
More than one reader had another IE-related suggestion. "If Microsoft were really
serious about security it would create an IE that was totally standalone. No
hooks into any [Microsoft] products or anyone else's," says Patrick Dooley,
of the Wisconsin Department of Revenue. Michael Hubbard, infrastructure supervisor
at Circle Seals Controls, Inc., was more succinct yet equally clear: "Separate
IE from the OS!!!!"
2. Correlate, Correlate
"Microsoft should buy or create a vulnerability scanning tool that integrates
into System Center 2005," says Shawn Conaway, who works in the IT services department
at the Roundy's, Inc. supermarket chain. "System Center then should correlate
SMS, MOM, ACS (Admission Control Service) and vulnerabilities." Correlation
of security alarms and vulnerabilities—a little slice of security heaven.
1. All Is Well
Kolodgy, research director for security products at IDC, came back with the
most surprising response of anyone I heard from. "Sorry I don't have anything
new to offer," he replied. "Microsoft has been doing well with many of its existing
initiatives. The anti-spyware product works well. It has improved patching and
code reviews, etc." I guess I lied when I said there'd be nothing funny in this
Paul Desmond, the founding editor in chief of Redmond Channel Partner magazine, is president of the IT publishing firm PDEdit in Southborough, Mass. Reach him at firstname.lastname@example.org.