A More Secure Windows Server?
Always under criticism for the volume of Windows patches, Gates tried to make some headway in proving that his company has made significant strides in preventing critical security holes. As it approaches day 300 since its release, Windows Server 2003 has had nine reported vulnerabilities that rank as either "high" or "critical," according to one slide, while, comparatively, Windows 2000 Server had 38 such vulnerabilities at the same stage of its lifecycle. Gates obviously wants us to believe not only that Windows 2003 Server is a much more secure product than its predecessor, but that Microsoft's security team has learned from the numerous attacks that exploited vulnerabilities in the Windows 2000 Server product.
Two types of attacks in particular shaped the more secure design of Windows 2003 Server:
- Those relying on 2000's default DLL search order
- Others exploiting its weak LMHash for passwords
One of the most notorious viruses in the first category was Nimda. One of its vectors dropped a DLL in any location in the file system where it found a Word document. So anytime a user double-clicked a Word document in that directory, the DLL would execute, propagating the virus further.
Nimda and similar viruses exploited the way the Windows OS has worked for the past 12 years, according to Microsoft Security Program Manager Jesper Johansson. During an RSA Conference session focused on hardening Windows 2003 Server, he explained that when a user launches an application on older versions of Windows, the OS looks for DLLs in a specific predefined sequence. First, it searches in memory, then in the application directory, then in the current work directory, and finally in the system directories.
Johansson acknowledged that Microsoft had to fix this mechanism, but making a fundamental change in the OS presented a formidable challenge. (An early Service Pack even broke SQL Server 2000.) But in light of the damage Nimda alone caused, Microsoft made the change. Windows 2003 Server reorders the search to protect system DLLs from spoofing: the current working directory now comes after the system directories. (This setting is turned on by default in Windows XP SP1 and will be available for Windows 2000 Server starting with SP3.)
"That setting blocks an entire class of attacks," said Kurt Dillard, a program manager for Microsoft Solutions for Security, who co-presented the session. "It would've defeated Code Red."
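The following simulation is an added example, not code from the article or from Microsoft. It models the two search orders the article contrasts over a constructed in-memory file layout (the directory names, the user name and "helper.dll" are invented sample values), so the effect of the reordering can be seen without touching a real system. The registry location read by `safe_dll_search_mode_setting()` is the real `SafeDllSearchMode` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`; that function only does anything on Windows and returns `None` elsewhere or when the value is absent.

```python
"""DLL search-order simulation for the two orders the article contrasts.
Added example, not code from the article or from Microsoft. The directory
layout, the "helper.dll" name and the user name are constructed sample values."""
from pathlib import PureWindowsPath

# Search orders as the article describes them (already-loaded modules are checked first).
LEGACY_ORDER = ("app", "cwd", "system")   # Windows 2000 default
SAFE_ORDER = ("app", "system", "cwd")     # Windows Server 2003 / XP SP1 (SafeDllSearchMode)

# Constructed layout: a word processor opens a document in a shared folder that
# also contains a planted copy of a DLL the application loads by name.
SAMPLE_DIRS = {
    "app": r"C:\Program Files\WordProcessor",
    "cwd": r"C:\Users\alice\Documents\shared",
    "system": r"C:\Windows\System32",
}
SAMPLE_FILES = {
    PureWindowsPath(r"C:\Windows\System32\helper.dll"),
    PureWindowsPath(r"C:\Users\alice\Documents\shared\helper.dll"),
}


def resolve_dll(name, dirs, files, order, loaded=()):
    """Return the path that would be loaded for `name`, or None if nothing matches.
    `loaded` models modules already mapped into the process, which win outright."""
    for mod in loaded:
        if PureWindowsPath(mod).name.lower() == name.lower():
            return str(PureWindowsPath(mod))
    for slot in order:
        candidate = PureWindowsPath(dirs[slot]) / name
        if candidate in files:
            return str(candidate)
    return None


def safe_dll_search_mode_setting():
    """Read the SafeDllSearchMode DWORD from the registry (Windows only).
    Returns the value, or None when not on Windows or when the value is absent
    (in which case the OS default for that Windows version applies)."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "SafeDllSearchMode")
            return value
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for label, order in (("legacy", LEGACY_ORDER), ("safe", SAFE_ORDER)):
        print(f"{label:6}: {resolve_dll('helper.dll', SAMPLE_DIRS, SAMPLE_FILES, order)}")
    print("SafeDllSearchMode registry value:", safe_dll_search_mode_setting())
```

Under the legacy order the copy sitting next to the document is the one that loads; under the safe order the system copy wins and the planted file is never reached, which is the "entire class of attacks" the setting blocks. Note that the model is deliberately reduced to the three directory slots the article names; the full Windows search list has more entries, but the relative position of the current directory is the point.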
To address the password cracking type of attacks, Microsoft removed the LMHash method of password encryption from Windows Server 2003. The OS now uses only NTHash or Unicode Hash, which are one-way, MD4 hash functions. The LMHash, which Johansson quickly pointed out was not invented by Microsoft and was kept in its OS products only for backward compatibility with old Windows systems, uses a weak hashing function. In a nutshell, the process goes like this:
- It takes the password;
- pads it to 14 characters with nulls;
- uppercases all characters—eliminating 26 password characters (lowercase alphas);
- cuts it into two seven-byte chunks—effectively taking one strong, lengthy password and dividing it into two weaker, short ones;
- and finally, uses the result as a key in a DES encryption.
Hackers can easily crack this function and decipher the stored passwords. "Almost all of the password attacks today are based on hacking a machine and dumping out the password database, and then cracking it," said Johansson. "And almost all of them are based on cracking LMHashes. Why? Because it's much simpler than trying to crack NTHashes."
To emphasize the importance of password protection, he added: "Protocols don't matter if I've got your password. Almost all security protocols at some point boil down to a password."
These two changes have played a large role in the improved out-of-the-box security from Windows 2000 Server to the 2003 version, but Dillard made clear that the responsibility for secure servers rests with the administrators as well as with Microsoft. "Windows Server 2003 is much more secure out of the box than Windows 2000 Server, but it's not perfect," he said, pointing out that each environment has its own requirements for how hardened or open it should be. Each administrator has to strike a balance when it comes to what the two presenters termed "the fundamental tradeoff" between security, usability, and cost.
RSA SecureID for Windows
RSA's major news falls right in line with better password protection on Windows. It announced a SecureID product that will let enterprises easily enable strong end user authentication for Windows log-ins. SecureID is two-factor authentication. It involves the use of a password, set by an end user, and appends to that password a time-sensitive numeric token. Analogous to a bank ATM card, which a customer uses in conjunction with a PIN, the SecureID token number is provided to the end user via a fob (a keychain-like device with a digital numeric display), a card, or even via a wireless device. (RSA says there will be eight different form factors available for token retrieval.)
The concept of SecureID is not new: 14,000 enterprises and 12 million end users already use two-factor authentication today. But for the first time RSA makes it easily deployable to Windows shops that also use the RSA ACE/Server software.
Tokens are reset every 60 seconds, and are used during both online and offline log-in. RSA was somewhat tight-lipped during a press and analyst conference Tuesday afternoon about the technology behind offline SecureID log-in, which precaches tokens on the client. The extent of the precaching is set in advance by administrators, and can range from hours to weeks.
According to RSA, 40 percent of help desk calls are to reset Windows passwords, at an approximate cost of $50 per call. The company says SecureID will immediately make the Windows environment more trustworthy for the enterprise, while decreasing end user frustration caused by the need for frequent password changes.
SecureID can be used regardless of the type of client connection being used, including VPN and SSL VPN connections, Wireless LAN connections, direct dial remote access servers, and terminal services.
SecureID for Windows will be available in the upcoming 6.0 Advanced release of the ACE server, available in Q304, but will be available on a trial basis for 13 months to Base edition customers who have an active maintenance contract.