San Francisco—“Resiliency” seemed to be the catchword today at the 13th annual RSA Security conference—and not just the resiliency of networks and applications to withstand an increasingly fierce and malicious global computing environment, but the resiliency of companies, of economies, of an industry, and even, arguably, of Microsoft.
Despite an obvious and disquieting increase in disastrous security incidents recently, the conference mood—and the conference numbers—are heartening. RSA told media today that this year’s conference had a year-over-year increase of 30 percent in attendance, with a robust show floor featuring 200 exhibitors.
As for Microsoft, far from a corporate darling of the security sub-industry, it would be fair to guess that it was not an easy choice to hand over the headline portion of Tuesday’s general session to Chairman Bill Gates. With recent critical IE security holes and an embarrassing and potentially damaging leak of portions of the Windows NT/2000 source code not even out of the headlines, Gates delivered a straightforward message that focused on the need for proactive system patching, offered up the three-armed security improvements coming in the SP2 release of Windows XP, and the should-be-but-isn’t-quite-reassuring promise of a $6 billion R&D budget that will fund the much-needed growth of a buffer to shield the world’s largest operating system (and the world’s largest operating system user base) against hackers, thieves, vandals, and spies.
However, with conference host RSA’s own major announcement revolving around more robust authentication for Windows users, and Microsoft entering the early stages of an era that will see major attrition to Linux, the choice makes sense, even if many security-savvy attendees cast a cynical eye toward Redmond.
Focus on Patch Management
For many years the security industry has concentrated on three “pillars” of protection: antivirus, intrusion detection, and firewalls. While these remain the foundation, a fourth area, patch management, is steadily growing into a full-fledged pillar of its own, and Microsoft, with help from its OEM partners, is the key instigator behind that growth.
Gates showed a bit of candor in explaining that patch management was one area where Microsoft hasn’t always gotten the job done. “Take for example the need to keep software up-to-date,” said Gates. “We did not make it absolutely clear to our customers that having and updating services to the latest version was particularly important for Internet-facing systems.” Today, he said, “making it very easy for [companies to keep systems up-to-date] is part of our mission.
“The responsibility comes back to us. Until we make it so virtually 100 percent of the customers find it attractive to have that updating in place for those Internet-facing systems, we haven’t done our job.”
At the lowest level: Free Windows Update. “Turn it on,” urges Gates. That’s fine for individual home broadband users, but enterprises need more complex tools to fully evaluate risk and manage deployment of system patches. Microsoft’s Systems Management Server (SMS) is a superset of Windows Update targeted at enterprises and “it’s had a very dramatic increase in deployment.”
SMS performs both crucial parts of the patch management process—assessment and deployment—while Microsoft Baseline Security Analyzer (MBSA) is a free tool that enterprises can use to do just the risk assessment portion. MBSA is primarily based on technology Redmond OEMs from Shavlik Technologies, which has a thriving standalone tool of its own, HFNetChk. Shavlik announced this week that it would expand the HFNetChk tool this year to also assess Red Hat Linux systems (in Q2), Solaris (in Q3), and SuSE (in Q4).
Version 1.2 of MBSA performs configuration checks of Windows systems and reports on critical protection issues such as firewall configuration and automatic updating. It also scans for missing security patches, unnecessary open ports, and unneeded services left running, and reports on those issues.
Updating to SP2
Windows XP SP2, Gates explained, is a release that is solely about security: the company took resources away from the upcoming Longhorn release of Windows to create an interim release of XP that will make it easier for companies and end users to keep Windows patched and prevent accidental exposure to malicious code. Gates characterized the SP2 release as “very important and one that we’re going to encourage people to install very broadly.”
SP2 will have three basic feature enhancements:
- An improved Windows Firewall, enabled by default
- The Internet Explorer “gold bar”
- Security Center
The Windows Firewall, a successor to Internet Connection Firewall, addresses problems that occur when certain types of applications fail to function properly behind an enabled firewall. The Windows Firewall detects applications that leave “listening” ports open on the network and prompts the user to give permission (exceptions) for these applications to run. When the application completes, the firewall dynamically closes those ports to prevent them from being exploited. Users and administrators can add such exceptions manually. Another mode, called “On with no exceptions,” prevents all potentially dangerous activity, which is particularly useful during wireless network operation.
The Internet Explorer “gold bar” is a toolbar-type GUI feature that gives end users a visual cue when pop-ups and ActiveX controls are trying to run. Users can configure, by author, whether ActiveX controls are trusted and can run automatically, whether to prompt for permission to run the controls, or whether to always block them.
The Security Center, embedded in the Windows toolbar, acts as a backup to the user’s antivirus program, monitoring whether the A/V program is installed, whether it’s on, and whether it’s up-to-date. It also monitors for firewall protection and proactive patch management. The Security Center will notify and guide users to higher levels of protected use and offers administrators more management and configuration options. Both the Security Center and the Windows Firewall can be controlled either through Active Directory or via script in non-AD environments.
Spam and Whidbey
Spam was another key target of the Microsoft announcements; Gates discussed an initiative to reduce spam by improving filters, providing rich “safelisting” and reputation services, and the ability for legitimate bulk email providers to prove their legitimacy and prevent unwarranted blacklisting. Gates discussed a “caller ID for email” feature that will prevent domain spoofing. “Firewalls won’t just be looking at the ports being used but at who’s trying to use those ports,” Gates said. That feature will be turned on by default in the SP2 release of Windows XP.
Gates spent only a few minutes discussing tools built into Whidbey that will help developers write more secure, less exploit-friendly code from the ground up, specifically mentioning only the PREfast technology, an analysis tool that checks buffer sizes and ultimately produces more reliable code. However, he said that “quality of engineering” was an inherent part of Microsoft’s commitment to security and promised that there are “a lot of things happening in development tools that are going to get that application layer to be as secure as the other layers as they improve.”
A More Secure Windows Server?
Always under criticism for the volume of Windows patches, Gates tried to make some headway in proving that his company has made significant strides in prevention of critical security holes. As it approaches day 300 since its release, Windows Server 2003 has had nine reported vulnerabilities that rank as either “high” or “critical,” according to one slide, while, comparatively, Windows 2000 Server had 38 such vulnerabilities during the same stage of its lifecycle. Gates obviously wants us to believe not only that Windows 2003 Server is a much more secure product than its predecessor, but that Microsoft’s security team has learned from the numerous attacks that exploited vulnerabilities in the Windows 2000 Server product.
Two types of attacks in particular shaped the more secure design of Windows 2003 Server:
- Those relying on 2000’s default DLL search order
- Others exploiting its weak LMHash for passwords
One of the most notorious viruses in the first category was Nimda. One of its vectors dropped a DLL in any location in the file system where it found a Word document. So anytime a user double-clicked a Word document in that directory, the DLL would execute, propagating the virus further.
Nimda and similar viruses exploited the way the Windows OS has worked for the past 12 years, according to Microsoft Security Program Manager Jesper Johansson. During an RSA Conference session focused on hardening Windows 2003 Server, he explained that when a user launches an application on older versions of Windows, the OS looks for DLLs in a specific predefined sequence. First, it searches in memory, then in the application directory, then in the current working directory, and finally in the system directories.
Johansson acknowledged that Microsoft had to fix this mechanism, but making a fundamental change in the OS presented a formidable challenge. (An early Service Pack even broke SQL Server 2000.) But in light of the damage Nimda alone caused, Microsoft made the change. Windows 2003 Server changes the search order to protect system DLLs from spoofing: the current working directory now comes after the system directories. (This setting is turned on by default in Windows XP SP1 and will be available for Windows 2000 Server starting with SP3.)
“That setting blocks an entire class of attacks,” said Kurt Dillard, a program manager for Microsoft Solutions for Security, who co-presented the session. “It would’ve defeated Code Red.”
To address password-cracking attacks, Microsoft removed the LMHash password hashing method from Windows Server 2003. The OS now uses only NTHash or Unicode Hash, which are one-way, MD4 hash functions. The LMHash, which Johansson quickly pointed out was not invented by Microsoft and was kept in its OS products only for backward compatibility with old Windows systems, uses a weak hashing function. In a nutshell, the process goes like this:
- It takes the password;
- pads it to 14 characters with nulls;
- uppercases all characters—eliminating 26 password characters (lowercase alphas);
- cuts it into two seven-byte chunks—effectively taking one strong, lengthy password and dividing it into two weaker, short ones;
- and finally, uses each chunk as a key in a DES encryption.
Hackers can easily crack this function and decipher the stored passwords. “Almost all of the password attacks today are based on hacking a machine and dumping out the password database, and then cracking it,” said Johansson. “And almost all of them are based on cracking LMHashes. Why? Because it’s much simpler than trying to crack NTHashes.”
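The five-step list above, worked through in code as an added illustration (not from the article or from Microsoft) of what the LM preparation discards. It covers the padding, uppercasing and splitting steps and the construction of the 8-byte DES keys from the 7-byte chunks; the DES encryption itself is not implemented, and the ASCII-only encoding is an assumption (the real scheme used the OEM code page).

```python
LM_LEN = 14   # LM pads or truncates every password to 14 bytes...
HALF = 7      # ...and splits it into two 7-byte chunks

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Steps 1-4: pad with nulls, uppercase, split into two 7-byte chunks.
    Assumption: ASCII-only passwords."""
    upper = password.upper().encode("ascii", "replace")
    padded = upper[:LM_LEN].ljust(LM_LEN, b"\x00")
    return padded[:HALF], padded[HALF:]

def des_key_from_half(half: bytes) -> bytes:
    """Step 5, as far as key preparation goes: spread the 56 bits of a chunk over
    8 bytes with an odd parity bit in each, which is how a 7-byte chunk becomes a
    DES key. The DES encryption of the fixed plaintext is not implemented here."""
    if len(half) != HALF:
        raise ValueError("LM chunks are exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1   # make each byte odd parity
        key.append((seven << 1) | parity)
    return bytes(key)

def lm_weaknesses(password: str) -> dict:
    """What the preparation throws away for this password; each True is a weakness.
    The chunks are also hashed independently, so a 14-character password costs
    two 7-character searches instead of one 14-character search."""
    first, second = lm_halves(password)
    return {
        # uppercasing: a password and its case-swapped twin hash identically
        "case_lost": lm_halves(password) == lm_halves(password.swapcase()),
        # anything beyond 14 characters never enters the hash at all
        "truncated": len(password) > LM_LEN,
        # 7 or fewer characters: the second DES key is all nulls, so that half of
        # the stored hash is a constant that reveals the password is short
        "second_half_constant": second == b"\x00" * HALF,
    }
```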
To emphasize the importance of password protection, he added: “Protocols don’t matter if I’ve got your password. Almost all security protocols at some point boil down to a password.”
These two changes have played a large role in the improved out-of-the-box security from Windows 2000 Server to the 2003 version, but Dillard made clear that the responsibility for secure servers rests with the administrators as well as with Microsoft. “Windows Server 2003 is much more secure out of the box than Windows 2000 Server, but it’s not perfect,” he said, pointing out that each environment has its own requirements for how hardened or open it should be. Each administrator has to strike a balance when it comes to what the two presenters termed “the fundamental tradeoff” between security, usability, and cost.
RSA SecurID for Windows
RSA’s major news falls right in line with better password protection on Windows. It announced a SecurID product that will let enterprises easily enable strong end-user authentication for Windows log-ins. SecurID is two-factor authentication: it involves a password, set by the end user, to which a time-sensitive numeric token is appended. Analogous to a bank ATM card, which a customer uses in conjunction with a PIN, the SecurID token number is provided to the end user via a fob (a keychain-like device with a digital numeric display), a card, or even a wireless device. (RSA says there will be eight different form factors available for token retrieval.)
The concept of SecurID is not new: 14,000 enterprises and 12 million end users already use two-factor authentication today. But for the first time RSA is making it easily deployable to Windows shops that also use the RSA ACE/Server software.
Tokens are reset every 60 seconds and are used for both online and offline log-in. RSA was somewhat tight-lipped during a press and analyst conference Tuesday afternoon about the technology behind offline SecurID log-in, which precaches tokens on the client. The extent of the precaching is set in advance by administrators and can range from hours to weeks.
According to RSA, 40 percent of help desk calls are to reset Windows passwords, at an approximate cost of $50 per call. The company says SecurID will immediately make the Windows environment more trustworthy for the enterprise, while decreasing end-user frustration caused by the need for frequent password changes.
SecurID can be used regardless of the type of client connection, including VPN and SSL VPN connections, wireless LAN connections, direct-dial remote access servers, and terminal services.
SecurID for Windows will be available in the upcoming 6.0 Advanced release of ACE/Server, due in Q3 2004, but will be available on a trial basis for 13 months to Base edition customers who have an active maintenance contract.