Last spring, I was talking with Senior Contributing Editor Mark Russinovich about rootkits—a topic that nobody else seemed to be taking seriously. In fact, some people joined our conversation to insist that rootkits had been around for decades in the UNIX world and were nothing to worry about. After working with Mark for nearly 10 years, I know that nobody in our industry is smarter than he. If he takes something seriously, I take it seriously. So I asked Mark to explain rootkits and why they're incredibly scary. The result was Mark's June 2005 article, "Unearthing Root Kits" (InstantDoc ID 46266). Then, last fall, Mark became a media celebrity, appearing on everything from National Public Radio to The Today Show because he discovered that Sony music CDs were insidiously installing rootkits under the guise of Digital Rights Management (DRM).
The Sony debacle might serve as a wake-up call for IT by spotlighting a serious threat to network security. Everybody in IT is concerned about spyware, but at least you can identify and fairly easily eliminate ordinary spyware from desktop machines on your network. As Mark pointed out, "The scary thing about rootkits is that unless you stumble on them, you don't realize they're there."
Antispyware products don't catch rootkits. Worse yet, you can't cleanse an infected drive simply by deleting files. The only cure is to wipe the drive. And don't think the problem won't affect your network: Rootkits are popping up more and more frequently. In fact, I have it on good authority that at least two Microsoft employees have found rootkits on their systems, and Microsoft's Customer Support Service (CSS) is handling more and more calls about rootkits.
Your best defense is prevention. Mark says, "You need to secure your computers from inside your network as well as outside. Most people focus on perimeter security and don't put as much emphasis on internal security— on malicious code that end users are bringing into the network. Users are running as local admins and that allows them to innocently introduce powerful malware."
With Vista, Microsoft is trying to address the vulnerability inherent in letting end users run under administrator accounts. Vista's User Account Protection (UAP) feature lets you keep users from running as administrators and prompts for an administrator password when a user tries to perform an action requiring administrator authority. UAP is a good step. But suppose users have the local administrator password and want to install some interesting-looking program (e.g., an online gambling applet that contains malware)? Users will simply supply their password and defeat UAP.
I predict that rootkits will be the biggest security threat in 2006. You'll see products come to market this year that will shield computers from infection, and that's a good thing. But Mark tells me there won't be products that can cleanse rootkits from an infected system anytime soon.
What should you do? First, read "Unearthing Root Kits." Then, take local administrator privileges away from your users and lock down executable content. If you're a person who makes New Year's resolutions, preventing rootkits is a good one to make!
Name Resolution and New Year's Resolutions
Rootkits are a great reminder that you can never become complacent in IT. Re-examining IT fundamentals is never a bad idea—whether those fundamentals concern security or networking.
DNS is an example. It can wreak havoc with your network and leave you puzzled about what the problem could be, as demonstrated by the fact that DNS is a top call generator for Microsoft support. As Douglas Toombs relates in "Deconstructing DNS," page 32, "DNS is easy to forget when it's working like it's supposed to," which makes it easy to let your problem-solving skills get rusty. Doug recounts a recent DNS problem he resolved and reviews the intricacies of DNS troubleshooting.
Ben Smith provides another example of how important fundamentals can be in "4 IT Resolutions for the New Year," page 61. Ben formulates resolutions emphasizing that a great IT organization stays focused on basics.
Here's to You!
Let me take this opportunity to wish you a happy and successful New Year. 2006 will be filled with excitement as Longhorn Server starts taking shape and Microsoft launches Vista, Office 12, and Exchange 12. We here at Windows IT Pro look forward to exploring it all with you.
Karen Forster (firstname.lastname@example.org) is editorial and strategy director for Windows IT Pro and former director of Windows Server User Assistance at Microsoft.