Security has been continually communicated as a top concern for products and technology from MicrosoftCorporation ever since the Jan 15, 2002 BillGates internal memo on TrustworthyComputing.
This page is created for sharing links and insights about the intersection of two very important IT keywords.
Note: in a Jul04 article, Bill is said to have revealed that a third of the MicrosoftCorporation R&D budget is spent on security improvements.
(The other 2/3 is spent creating new holes :-)
{Title is a Grand Oxymoron}
I personally use this search link to keep informed of what's happening, at http://news.google.com/news?svnum=10&as_scoring=r&hl=en&edition=us&ie=UTF-8&q=Microsoft+security. If anyone has a better link, please add your link below for comparison.
"Night and Day Difference" in security (in SP2 release of WindowsXp)
So said BillGates in Nov03 (see http://www.informationweek.com/story/showArticle.jhtml?articleID=16101330).
WindowsXp SP2 is now released and can be found at GetItFirstFromHere. I am hoping we are changing into the day, from night. The reverse is unthinkable.
PalladiumDiscussion After MicrosoftPalladium demise
The original security solution, NextGenerationSecureComputingBase, was code named Palladium and started with a partnership with Intel in 2002, as part of the TrustworthyComputing initiative. In May04 it was confirmed that the project was canned, as WindowsXp has chosen a different hardware mechanism to improve security. See http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=18841713&_requestid=224457
The above article said there will be announcements at the end of 2004 on what technologies from MicrosoftPalladium will be incorporated into WindowsLonghorn.
Note it appears that at least some of the MicrosoftPalladium work went into DigitalRightsManagement implementations, as of early 2005.
InformationSecurity related News
Authentication Services
The Microsoft product is DotNetPassport, previously known as Passport or Hailstorm.
Tips for enhancing security in Microsoft environments
More on ActiveX security in a subsequent section
Company line (Microsoft's)
SecurityManagement aspects
Webcast from MS: Implementing Security in the Development Lifecycle (Level 200) at http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032270022&Culture=en-US
SecurityManagement guide 2004 at http://www.microsoft.com/technet/security/guidance/secrisk/default.mspx
Developer wiki (MicrosoftChannelNine) links to security for DotNet at http://channel9.msdn.com/wiki/default.aspx/Channel9.SecurityEngineering
Limited User Account (LUA) how-tos wiki with information for existing Windows versions at http://nonadmin.editme.com/
Archives
Implementation aspects
Microsoft implements cryptography mechanisms for SecureSocketsLayer in MicrosoftWindows, so when a flaw is subsequently found, all OS versions (e.g. WindowsTwoThousand) are affected. See http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73507,00.html. In Jul04, SSL security flaws were still affecting companies that use SSL on MicrosoftWindowsServer.
Microsoft Security Support Provider Interface (SSPI)
This is used (only?) in KerberosProtocol.
ActivexTechnology and JavaScript security - more reading
Is it another way to push Microsoft users to using DotNet and newer OS on servers and clients? It has been mentioned that WindowsServerTwoThousandThree is supposed to be more secure than WindowsTwoThousand.
Anyone got specifics on significant security advantages of Windows 2003 over W2K, in ways that WindowsTwoThousand cannot be improved by using third-party products?
There aren't too many of these. A major change in Windows 2003 is that things are not installed or are turned off out of the box, so its default state is more secure.
Raw Socket debate
WindowsXp Service Pack 2 included a block against the use of raw sockets, which are heavily used by tools used by security people, as well as by hackers with undetermined intent. A bypass was found, and then the "hole" was plugged again in the Apr05 MS patch. It was claimed that vendors of other OSes did not find it necessary to take this drastic step.
MS appears to have suggested that the patch did not apply to WindowsServerTwoThousandThree, and that while DOS attacks are still possible through kernel attachments (even with the patch), such more sophisticated work raises more serious concerns than DOS attacks and is challenging to create.
See source: http://www.zdnet.com.au/news/security/0,2000061744,39189587,00.htm
Significant critics of MicrosoftSecurity
Windows security is a CatastrophicSuccess. Seriously, is there any such thing as Windows security?
Responding to TrustworthyComputing, BruceSchneier repeated his call for MS to withdraw the SoapProtocol offering, and affirmed his previous stance on problems.
NMap was deemed to be a highly important port scanning tool that relies on the use of raw sockets. Since the Apr05 patch (even non-SP2?) MS PC users were stopped from using raw sockets. Some claimed that without a tool like this, legitimate users have no means to get at the extra data.
See also a patch for the patch (problem is "host ignoring ICMP Destination") at http://support.microsoft.com/default.aspx?scid=898060
Tracing?
Does anybody know how to trace why a particular authentication fails? As things grow more complex and security grows in concern, there seems to be the need for a tool or technique that logs and describes why a particular authentication event failed. One needs to know the "rule that it bumped into". It's a bloody black box right now.
Resources
"Writing Secure Code" (ISBN 0735617228) won the RSA Conference Award for Industry Innovation. It offered an MS perspective on ApplicationDevelopment.