Understanding the latest security features and functionality to come out of Redmond
A couple of years ago, the industry finally got Microsoft's attention with regard to security and quality, and Redmond responded with its much-touted Trustworthy Computing initiative. At the time, we wondered whether the initiative would ever amount to much beyond its hype, but I have to admit that Microsoft has since made substantial investments in security across the board. In particular, Microsoft is making strong progress with its overall patch strategy and is leading the industry with a predictable, monthly patch schedule. In addition, Microsoft has purchased several security software companies with the intention of integrating those companies' technologies into the Windows platform.
All these efforts have produced an array of tools and resources for enterprises, small businesses, and consumers to help with various security processes. In this article, I give you an overview of what's available now and what Microsoft promises for the near future—some of which might be released by the time you read this article. I discuss patch management tools—including Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), the Enterprise Update Scan Tool—and other resources, such as Windows AntiSpyware, the Malicious Software Removal Tool (MSRT), Windows Server 2003 Service Pack 1 (SP1) and Release 2 (R2), and Audit Collection Services (ACS).
To help bring some order to the previously chaotic and unpredictable world of security patching, Microsoft has adopted a monthly schedule in which it releases security updates on the second Tuesday of the month. (Extremely serious updates are still released outside the normal schedule.) Microsoft publishes a best-effort preview of what to expect several days before "patch Tuesday" so that you can start your impact analysis and planning.
The two most laborious patching activities are patch deployment and the follow-up process of scanning systems for missing patches. Scanning for missing patches is crucial in environments that don't have a comprehensive patch-deployment process that covers all systems. Even in tightly controlled environments, scanning is an important best practice for providing positive confirmation that patch deployments are succeeding and reaching all applicable systems.
To help automate those two processes, you can choose from four free Microsoft services and programs. For patch deployment, you can use Microsoft Update (an enhanced version of the former Windows Update service targeted at consumers and very small businesses), WSUS, and the Systems Management Server (SMS) Inventory Tool for Microsoft Updates (designed for large enterprises that use SMS, a purchased product). For scanning and reporting on patch status, you can use the standalone MBSA 2.0 tool or exploit WSUS's or the SMS inventory tool's new reporting capabilities.
WSUS (http://www.microsoft.com/windowsserversystem/updateservices/default.mspx) is an important Software Update Services (SUS) follow-up targeted at small-to-midsized networks. WSUS offers enhanced control and management of the patch process across the board. Whereas SUS supports only Windows and a few related server applications, WSUS unifies patch deployment for Microsoft's most common server, OS, and client products, including Windows 2003, Windows XP, Windows 2000, SQL Server, MSDE, Exchange Server, and Office. WSUS also addresses important SUS design limitations that prevented you from using one SUS server to deploy updates to test and production environments—a limitation that required you to maintain an additional SUS server for pushing out patches to test systems.
WSUS scales well from small to large networks, but if you manage a very small number of systems or need to manage patches for a large enterprise, you have some additional options for patch deployment. Larger enterprises that already have SMS can use the SMS Inventory Tool for Microsoft Updates, a version of WSUS adapted for integration with SMS for more control and enterprise flexibility. Networks with only a handful of systems can take advantage of the more consumer-oriented Microsoft Update feature in Win2K and later, in which each system independently downloads updates directly from Microsoft's site. Although each system installs updates independently, if you have Active Directory (AD), you can use Group Policy to centrally enable Microsoft Update and control how the system handles restarts and when it installs updates.
Microsoft Update's advantage over WSUS is that it requires no ongoing administrative attention because Windows installs all updates as they're released. Also, you don't have to set up a WSUS server. For that simplification, you give up control of the process. You can't specify which patches are deployed to which systems, delay patching until you have a chance to test them, or centrally uninstall patches. And there's no built-in way to monitor patch deployment—although you can use MBSA to scan for missing patches. Microsoft Update also uses more bandwidth because each system must download the update from Microsoft. In contrast, WSUS downloads the update from the Internet only once, then distributes it to applicable systems over the local network.
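The choice between WSUS and Microsoft Update described above shows up on each client as Group Policy settings for Automatic Updates. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads those policy values from the local registry and reports whether the machine is fed by a WSUS server or downloads directly from Microsoft, and how installs and restarts are controlled. The registry paths and value names are the standard Windows Update policy locations; the decode tables for AUOptions and ScheduledInstallDay are my assumptions.

```powershell
# Added example: summarize how Group Policy controls Automatic Updates on this computer.
# Paths are the standard Windows Update policy keys; decode tables are assumptions.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the setting is not configured by policy (local default applies)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-UpdatePolicyReport {
    $auOptions = @{ 2 = 'Notify before download'
                    3 = 'Auto download, notify before install'
                    4 = 'Auto download, install on schedule'
                    5 = 'Local administrator chooses' }
    $days = @('Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
              'Thursday', 'Friday', 'Saturday')

    $useWsus  = Get-PolicyValue $auKey     'UseWUServer'
    $server   = Get-PolicyValue $policyKey 'WUServer'
    $noAuto   = Get-PolicyValue $auKey     'NoAutoUpdate'
    $option   = Get-PolicyValue $auKey     'AUOptions'
    $day      = Get-PolicyValue $auKey     'ScheduledInstallDay'
    $hour     = Get-PolicyValue $auKey     'ScheduledInstallTime'
    $noReboot = Get-PolicyValue $auKey     'NoAutoRebootWithLoggedOnUsers'

    # Update source: a local WSUS server, or each client pulling from Microsoft itself
    if ($useWsus -eq 1 -and $server) { $source = "WSUS server $server" }
    else { $source = 'Microsoft Update directly (not subscribed to a WSUS server)' }

    if ($noAuto -eq 1) { $autoState = 'DISABLED by policy' } else { $autoState = 'Enabled' }
    if ($option -ne $null) { $behavior = $auOptions[[int]$option] } else { $behavior = 'Not set by policy' }

    # A fixed install schedule only applies when AUOptions is 4
    $schedule = 'n/a'
    if ($option -eq 4 -and $day -ne $null -and $hour -ne $null) {
        $schedule = '{0} at {1:00}:00' -f $days[[int]$day], [int]$hour
    }

    New-Object PSObject -Property @{
        Computer                  = $env:COMPUTERNAME
        UpdateSource              = $source
        AutomaticUpdates          = $autoState
        InstallBehavior           = $behavior
        ScheduledInstall          = $schedule
        DeferRestartWhileLoggedOn = ($noReboot -eq 1)
    }
}

Get-UpdatePolicyReport | Format-List
```

Running it on a client that reports "not subscribed to a WSUS server" is the same condition MBSA 2.0 flags when it lists computers outside your WSUS deployment.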
If you're a small to midsized business (SMB), you can use MBSA 2.0 (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) to scan systems for missing patches. MBSA is a standalone program that scans multiple computers on the network for common misconfigurations, vulnerabilities, and missing patches. Previous versions of MBSA couldn't remotely scan for Office updates, but MBSA 2.0 can. However, that functionality comes at a price: MBSA 2.0 requires Windows Update Agent 2.0 and Windows Installer 3.1 on any computer it scans.
You can use MBSA 2.0 independently or in conjunction with WSUS. If your systems are managed by WSUS, you can tell MBSA to limit analysis to patches approved in WSUS so that MBSA doesn't clutter the report with patches that have been deemed unnecessary for various groups of systems on your network. Although WSUS now provides its own reporting, you can use MBSA in a number of situations. MBSA supports more products than WSUS currently does, and for non-WSUS networks, MBSA is obviously valuable for assessing the status of patches deployed through other means. Also, information-security folks who aren't responsible for installing patches and therefore don't have access to WSUS might still need to assess the patch status of the company's systems. If different administrators manage several WSUS servers, MBSA 2.0 lets the information-security officer correlate the results across the entire organization and identify gaps in patch management. MBSA can also report computers that aren't subscribed to a WSUS server. You must still have local administrator authority on each computer you scan with MBSA 2.0, and you might need to open or change some port numbers if you have personal firewalls enabled or firewalls between MBSA and the scanned computers.
Microsoft made a wise decision when it bought Giant Company Software last year and turned Giant AntiSpyware into Windows AntiSpyware (http://www.microsoft.com/athome/security/spyware/software/about.mspx). At the time of writing, Windows AntiSpyware is a free consumer-targeted product in beta that's very effective. However, as a consumer product, Windows AntiSpyware lacks enterprise deployment and management features that midsized to large organizations require. Microsoft has expressed intentions to develop an enterprise version of the product, which won't be free. Windows AntiSpyware uses both of Giant's signature- and behavior-based detection technologies, and both technologies are as sophisticated as they come.
The signature-based detection engine is unique because it leverages Spynet, a global, volunteer-based community approach to collecting new spyware from the wild. Volunteers can submit potential spyware to Spynet to help keep the signature database as up-to-date as possible.
Although Windows AntiSpyware's core technology is impressive, it currently relies on end users to make decisions that IT shops might want to control according to company policy. It will be interesting to see how the enterprise version of the product develops and how much it costs.
Evidently, Microsoft has decided that it needs to do more to help keep users safe from the most common malware threats, such as viruses, Trojan horses, and worms—even users that fail to install antivirus software. This is a good idea, because Microsoft is constantly targeted for the many available vectors of infection that Windows, IE, and Office seem to offer to malware writers.
Microsoft updates MSRT (http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en) each month so that it detects a few of the most common threats. MSRT isn't a proactive technology, and it's far from a replacement for full-blown antivirus solutions. MSRT merely looks for the most prevalent malware and removes it from already-infected computers. That being said, MSRT has value in IT shops, mostly as a way to add another layer to your defense-in-depth strategy. There's always the possibility that your antivirus solution might fail to detect an update, or a PC might not have antivirus software installed or might not receive a crucial signature database update. MSRT lets you scan computers for the most common malware independent from your primary antivirus solution, thereby providing the added layer of protection that defines the defense-in-depth concept.
If you've decided to give up on workstation-based antivirus software because of cost, complication, and performance concerns and instead rely on server- and gateway-based antivirus controls, MSRT might be particularly useful to you.
WINDOWS XP SP2
Microsoft continues to enhance the security of its core OSs, Windows Server 2003 and Windows XP. In particular, XP SP2 offers several new security features designed to address workstation-specific risks. Most important, SP2 installs the new Windows Firewall, which offers much protection against worms and active network-based attacks against workstations, whether connected to the internal LAN, at a hotel room, or in a coffee shop.
WINDOWS 2003 SP1
The first Windows 2003 service pack (http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx) brings Windows Firewall to the Windows server OS, as well as a host of other security features. Whereas XP SP2 enables Windows Firewall by default, Windows 2003 SP1 doesn't. Windows 2003 SP1 brings Data Execution Prevention (DEP) to Windows—a new way to prevent nasty buffer overflows that have plagued Windows and Linux over the past several years. DEP integrates with features in Intel and AMD CPUs to prevent malicious code from loading into memory that's allocated to an application for storing data (heaps, stacks, and memory pools).
Windows 2003 SP1 reduces Windows' attack surface with security enhancements to DCOM and RPC services, which are two ways to access server applications from over the network but are also potential attack vectors. SP1 strengthens the authentication requirements of both services, letting you disable incoming requests to activate DCOM objects and imposing computer-wide restrictions on remote access to COM servers on the system. Many applications expose their functionality through COM servers but require little if any authentication or access control. On a typical system, more than 150 COM objects are installed by Windows alone.
Beyond Windows 2003 SP1, Release 2 (R2) looms on the horizon and is in beta at the time of writing. Microsoft says R2 will be free to Security Assurance (SA) and Enterprise Agreement customers. R2 was originally intended to include all the feature packs and other Windows 2003 add-ons that have come out since the OS's release, but now R2 is slated to contain all previous service packs and some of the post–Windows 2003 feature packs. More important, R2 will introduce a bevy of new features to Windows. Most of R2's new features are related to storage and management, but you'll also find some notable security features, such as Active Directory Federation Services (ADFS), which provides a single sign-on (SSO) experience to users who access multiple Web applications during one session. R2 also simplifies security integration between Windows and UNIX.
Still in beta at the time of this writing, ACS is Microsoft's attempt to address a longstanding Windows deficiency. UNIX has long had its Syslog technology for handling the problem of collecting log data from multiple systems into one place for centralized monitoring, reporting, and archiving, but the value of the Windows security event log has always been hampered by its isolation and cryptic codes. ACS is an agent/collector-based technology that securely streams security events to a central security-log collector, where the events are then inserted into a specially designed Microsoft SQL Server database (ACS is expected to support Microsoft Data Engine—MSDE). You'll be able to perform real-time monitoring through WMI scripts and reporting through SQL queries. It remains to be seen how ACS will be licensed and how much built-in reporting and monitoring ACS will have.
THE UPSHOT OF ITERATION
Microsoft is taking a tactical, iterative approach to security, offering increasing functionality with each product release. The advantage to an iterative approach is that you get core functionality sooner, which is important to both Microsoft and its customers, given the pressures of security today. However, the approach also means that you must wait for certain features.
In general, Microsoft seems to be pushing the enterprise-deployment and management features into the second and third product iterations. In my opinion, Microsoft could be putting forth a little more effort and packaging tools such as Windows AntiSpyware into an MSI file that lets administrators deploy it automatically through Group Policy. Nevertheless, all these new security developments are positive for the Windows community and worth looking into for your environment.