Microsoft has long encouraged its employees to ‘RAS’ into the corporate network from home or from the road to access e-mail, shared files and applications. RAS, short for Remote Access Services, is an old Microsoft term for what most people now call a client VPN. Microsoft, of course, maintains valuable intellectual property on its internal network, including the source code to all its operating systems and applications. These are constant targets for hackers, and Microsoft tries to protect its most valuable assets with defenses in depth; they are behind firewalls and on networks segmented with IPsec. In addition, the entire network is monitored for suspicious activity, scanned for malware and so on.
I suppose they need it more than most, and fortunately, they have the expertise to configure and customise their software if they want. The vast majority, don’t.
I think they need to share their knowledge a little more with, oh I don’t know, the government where information sensitive to national security is being compromised thanks to their products. Also, I disagree with the whole concept that you have to pay exorbitant amounts of money to get that level of defense in depth. Great for Microsoft that they have not only the expertise, but the money to cover the infrastructure, licensing, and administrative costs. Not every individual or organization can afford it, and that is a shame to me.
I think they need to share their knowledge a little more with, oh I don’t know, the government where information sensitive to national security is being compromised thanks to their products.
There are several guides. whitepapers, etc., freely available that cover security best practices and how MS itself handles security (and other issues).
Government Security Guidance Center
http://www.microsoft.com/industry/government/security/default.mspx
How Microsoft Does IT: Security
http://www.microsoft.com/technet/itshowcase/security.mspx
TechNet Security Center
http://www.microsoft.com/technet/security/default.mspx
I don’t think the vast majority of MS customers are going to be facing that number of intrusions attempts every month.
With the standard firewall settings and a decent virus checker (or common sense if you don’t want to run a virus checker) then you should be safe.
“I don’t think the vast majority of MS customers are going to be facing that number of intrusions attempts every month.”
I don’t think the vast majority of MS customers can even tell. Lack of knowledge about intrusion is no proof for “no intrusion”. Because if it’s nature, MICROS~1 will be the #1 target; I agree that its customers won’t be affected that strong, but maybe if a leak is discovered, this could change. If industry espionage is made that easy…
“With the standard firewall settings and a decent virus checker (or common sense if you don’t want to run a virus checker) then you should be safe.”
I don’t know what exactly is meant by “the standard firewall settings”, maybe you can explain a bit?
As far as I know, even standard operations like ping or a portscan are treated as “intrusion attempt”, so ICMP echo requests are simply lost along the line and the firewall eats all packets others than TCP+UDP port 80.
Automatic procedures such as netprobes can only continue with possibly illegal actions as long as there’s a possibility for it. Proper port RESET answer packets etc. should be able to stop this, but regular operations like ping or portscan still are working.
Common sense is a good thing, but cannot be implied to be owned by average users (as well as corporate ones). It does protect against illegal operations that involve the user, but cannot protect against those that don’t, as mentioned above.
In Germany, whole corporate networks (Deutsche Bank, Deutsche Post) have been compromized to perform SPAM operations. And many home PCs do the same, its owners don’t know anything. One could say: “Hey, corporate customers have so much money to afford tons of MICROS~1 licenses, why can’t they afford a sysadmin who can configure the system properly?” The answer is easy and its reason is MICROS~1’s PR itself: “Because ‘Windows’ is so easy, it does everything by itself. You don’t need to know anything, it just does it for you. Every idiot can use it!” (Sorry, but that’s a general opinion at least here in Germany.)
I like to mention the upcoming experimental “health card” (Gesundheitskarte) that will be introduced in Germany in 2007. The underlying technology will be VPN. Security experts are concerning the “healt card” to be insecure. Personal and clinical data of the patients will be abused sooner or later if there’s no proper control (as UAC, hardware and software authentification). We’ll see what will happen. Can you imagine how interesting (and therefore profitable) it would be to steal large scale individual health data? “Um sorry, we can’t sell you a life insurance because you have the risk to get an apoplex.” or “We’d like to have you in our experimental clinical study for a new medicine because we know you’re suffering from Alzheimer disease.”
I bet the 100k attacks/month figure consists in say 95% of random drones probing the address range blindly.
Which basically poses 0 threats to an IPsec VPN.
The nuts and bolts overview is interesting. I’m curious, however, how Microsoft deals with the social engineering which generally are the cause of more “hacking” than out-right intrusion.
User education, I’m sure. Not only social engineering awareness, but policies and education of those policies can go a long way. Their use of two factor authentication goes far as well since it is rather hard to social engineer someone’s smart card away from them, especially if the user knows they can lose their job if they give it to someone.
It’s an interesting article, but it’s hardly specific to Microsoft. A lot of enterprises and institutions run with similarly comprehensive security infrastructures, in fact Sarbox and regulatory requirements such as PCI have been a big boost to the security industry.
I guess one advantage MS has over similar sized organizations is the ability to deploy their own software for much of that infrastructure, but this of course is tempered by the fact that no other enterprise organization would rely on MS for their security infrastructure regardless of cost.
That last statement is a little tongue-in-cheek of course, but the reality is that it would be simply bad design to single source both your application and security infrastructure from the same vendor. In fact, even MS uses outside suppliers to augment their own products for their security. It’s about a multi-layered approach, and reducing dependency on a single point-of-failure, whether vendor or product based.
Probably the two biggest mistakes organizations make when permitting remote access is to not deploy proper restrictions on what remote users can do (they’re often given the same privileges as if they were sitting on at their desk) and not using strong authentication.
That aside, the perimeter is fairly secure nowadays as long as you’ve got the right infrastructure in place with intelligent policies.
The big concern is what’s going on inside the network, and that’s an area where probably 90%+ companies today would be vulnerable. No doubt MS has that part locked down as well, but you can bet you’ll find many more non-MS products in that infrastructure than in their perimeter/remote access area.
Still, an interesting article from the standpoint of large-scale enterprise security but nothing really unique to MS.
Tim Holwerdi
Hi, My name is Tim Holwerdi.
I am gonna tell you my last dream…
I am an Aszzhole in search of Notoriety…
I work in a Website that offers news of IT and Open Source.
I pretend that I do it for the sake of love for IT, but the fact is that, I am expecting good revenues for the
future…
If not, why should I loose my time looking for IT news in other IT Web Sites that offer what I am not able to
offer… for the sake of these IT weirdos geeks and Open source-free computing fanboys…? c’mon…
I think I know more than the rest, of course… and I am always right!
Yes, I know more than anyone of you about Computers, and about anything else you can imagine! even If many people prove me the contrary, I am still right…
Me and my Mac go together everywhere, I even sleep with it, which is somehow problematic, cause as you can imagine, is not easy to have sexual relations tru an USB port, or a FireWire one… but I am in love anyway!…
Anything that is not Mac or commercial, is just wacko rubbish!
And, of course, is not going to offer me anything, because all these Open Source weirdos have no future, and are not gonna advertise in my site, or pay me money… I dont even talk about the FSF retarded hippies!
At best the big companies that now move to Linux, and pretend to be Open Source, worth a little bit, and may be a source of revenues in the future if the have some sucess…
Cheers…
P.S. Apple Rocks… Linux sucks… (MS is very good also, cause they have plenty of money, and are the pattern of our great western Businnes Economic and social system…)
…but they have not mentioned the one attacker that become an intruder and also the number of existent and not yet discovered intruders in their system. Maybe because they not yet been discovered? Just a guess…
I am happy to hear this!
Because this forces Microsoft to deal a lot with IT security aspects and may result in more secure versions of their software products. Although I am a FLOSS advocate, I am sure Microsoft and Windows will be around for a long time, and I think a better security of Windows is better for its users and for everyone.
But however I do believe the prevalent opinion of many IT security experts who state that a piece of software can only be secure per definition, if its source code is available to the public (which does not necessarily mean it is FLOSS).
But however I do believe the prevalent opinion of many IT security experts who state that a piece of software can only be secure per definition, if its source code is available to the public (which does not necessarily mean it is FLOSS).
I disagree with this. Few people in the general public would be qualified to understand the source just from a language comprehension perspective, and only a subset of those would bother looking at it at all. Of that subset, even fewer people would know how to identify security issues, and some of those people will be the bad guys. This isn’t an argument against general availability of code, but about the notion that a product is secure simply because the code is available.
In the specific case of Windows, the code is shared with security firms, governments, universities, and some other businesses and individuals. Much of Windows CE’s code is viewable by anyone.
Few people in the general public would be qualified to understand the source just from a language comprehension perspective
Well. It has to be a well-documented source code — which is unfortunately not always the case. But there are many people out there who do know how to write and read source code, just to mention the many computer scientists.
Of that subset, even fewer people would know how to identify security issues, and some of those people will be the bad guys.
It depends on how you define “bad guys”. Do you know for sure who cooperates with the company selling your cryptography software? Maybe they have implemented a backdoor for them? For example, for the regime you want to be protected of!? Security means that the “good users” have the ability to decide who the bad guys are and not the vendor of the security-software. And in addition, the “real bad guys” will 1.) always be able to use cryptography for any purpose anyhow and 2.) they will be able to detect security holes anyhow. They only question is when the “good guys” detect them.
That is why the majority of experts doing research in the field of security believe that only an open method and software can be secure. See the answer to the question “Doesn’t closed source help protect against crack attacks?” in http://www.opensource.org/advocacy/faq.php. Somewhere in here http://dud.inf.tu-dresden.de/~pfitza/SecCryptI_II.pdf, for example, it is argued from a scientific point of view in much a better way than I am able to do it (here).
In the specific case of Windows, the code is shared with security firms, governments, universities, and some other businesses and individuals. Much of Windows CE’s code is viewable by anyone.
As already mentioned above, the diffrence to a public code software is that the vendor — in this case Microsoft — decides who gets access to the source code and who does not. It might be paranoid, but can I trust that Microsoft does not spy on me — even only for statistical commercial analysis? If you have a public code software, you can decide who checks the code for you.
This isn’t an argument against general availability of code, but about the notion that a product is secure simply because the code is available.
I did not state that a software with source code available to the public per definition is secure but that a closed source software per definition is insecure.
If you put it that dramatically, this is, of course, not true. Of course, also a closed source software can be secure to a certain degree and, depending on the specific software, can be more secure than a specific software with a source code available to everyone. What I mean is that the upper boundary of security you can achieve with a software, whichs source code is available to the public, is much higher than that one of a closed source solution.
I disagree with this. Few people in the general public would be qualified to understand the source just from a language comprehension perspective
You know, considering the size of the open source community and the people involved in it, as well as the huge areas in academia around cryptography and security (much of which Microsoft uses and has had to catch up with – SSL anyone?), I’m absolutely astonished that anyone holds this view any longer – because it’s rubbish.
It’s a view that Microsoft still seems to hold when it comes to source code ;-).
Open source code and public scrutiny works, OK? Get used to it.
In the specific case of Windows, the code is shared with security firms, governments, universities, and some other businesses and individuals.
The problem with that code is that you can do absolutely nothing with it. You yourself said that opening the code doesn’t mean a secure piece of software, and Microsoft is a prime example.
Opening source code means that people are able to do something with the code. You’re able to modify it, compile it, try it out and find out how it works. You can do none of those things with Microsoft’s source code. For those with access to it, it’s meaningless.
Open source code and public scrutiny works, OK? Get used to it.
Only if there are people actually looking at the code that can competently analyse it. Code availability alone does not guarantee this.
The problem with that code is that you can do absolutely nothing with it. You yourself said that opening the code doesn’t mean a secure piece of software, and Microsoft is a prime example.
Opening source code means that people are able to do something with the code. You’re able to modify it, compile it, try it out and find out how it works.
There’s a vast difference between those who would compile and modify the code and those who would perform security reviews. Not everyone who uses an open source product examines the source code, and not everyone who develops derivative software with the code is looking for code that may be exploited.
You can do none of those things with Microsoft’s source code. For those with access to it, it’s meaningless.
Depends on who you are and/or the product in question. There are source access programs from MS that do allow code modification.
Edited 2006-12-20 00:43
Only if there are people actually looking at the code that can competently analyse it.
They can and they do.
Code availability alone does not guarantee this.
As I pointed out. Just ask Microsoft.
There’s a vast difference between those who would compile and modify the code and those who would perform security reviews.
No. Being able to use the source code implies trying things out, working out what it does and trying a fix to see if something solves the problem or if it’s more serious than first thought.
Like you said. Source availability doesn’t guarantee anything.
There are source access programs from MS that do allow code modification.
I’ll refer you to your own comment. Source availability doesn’t mean anything.
It does seem odd that Microsoft would admit to all of the additional effort they have to go through to make their own product infrastructure somewhat secure.
I would be impressed if, and only if, Microsoft used no firewalls, no attempts at hiding boxes, and did no extra effort, out-of-box, to provide security.
That would mean that their claims of making ‘secure’ software.. well.. more believable, if still not true.
One answer would be to not allow user-land apps to crash the kernel ( i.e. winlogon w/ stop c000021a, etc…), and instead the kernel maintain the ability to repair the last modification, on its own, in the event of failure, and just say.. ‘The driver/software, <Software Name>, <Installed Date/Time>, does not appear to be compatible with your current configuration. Windows has disabled this software to protect system integrity.’
I might actually believe that they had some brains running the operation, rather than a bunch of non-developer managers, who have to manage a development process they don’t understand.
Of course, if you look into how Windows Vista was developed, from the mouths of MS employees no less, then you will understand a peice of the idiocy that is Microsoft’s internal layout, and that curses corporations in general.
The idea that more manpower will fix everything, and that control and management must be enforced at every tiny level.
If Windows Vista was developed by 100 developers ( instead of thousands ), and those developers able to direct certain tasks to other groups, and remove almost all management in between the groups, I would even probably end up buying Vista, because it would be an OS worth using. The thought patterns would be at least marginally similar, and the core 100 devs will have control over the feel of the system.
Removing top-down integrations, such as Internet Explorer and Windows Media Player, from the core Windows system would be REQUIRED to make a decent operating system. I mean, there is a LOT of work in just trying to create a single menu for Windows. Often enough because the menu must be created in the Internet Explorer tree, pushed up their stupid build system ( read into it.. it is STUPID.. logical, yes, practical, no ).
Creating a file menu, these days. should be a VERY simple thing. There are only so many tasks that are to be grouped, and what is in there seems like it should be fairly logical. Instead, a year gets wasted debating the exact order of the lines of code, even if the contents and behaviour of that menu had been decided upon. Then, you get a note from the IE team, informing you that they change a private hook call to fix a bug ( interfaces (API) should always be designed to minimize the occurence of bugs and unhandled errors, this is called engineering ( which Microsoft does not much do for times when they should, and does when they need not to.. you don’t really need a dozen people to add a single menu item that will be named ‘Open’ which will open the Internet Explorer-provided “Open File” window by saying, explrr->OpenFilePane())
Is Microsoft alone in this stupidity? No, all corporations have some form of these same problems. It stems from when the companies are smaller ( and, supposedly, need less organization ) when the founders failed to properly plan to PREVENT future idiots from making decisions that will hamper the advantages the company ONCE had.
Some corporations have no problem getting out of these ruts. They file bankruptcy. I wish Microsoft would save us all and do the same, and some ports are ‘accidently’ left open between 7000 and 7050 with a muscle server running on a non-Windows machine with ssh running and full-access guest login enabled.. all on accident, of course, so that we may fix Windows by removing the ‘Microsoft’ from Windows.
Google Windows would be very sweet indeed…
–The loon