Like Windows XP service pack 2 (SP2), released last August, SP1 is primarily a security patch, providing new functionality to address known security vulnerabilities and to prepare for future security threats with new technologies including:
Security configuration wizard. Customers can more easily reduce attack surface area with the new Security Configuration Wizard. The tool reduces the attack surface by gathering information about specific server roles, then automatically blocking all services and ports not needed to perform those roles.
Windows firewall. Originally released with Windows XP SP2, Windows Firewall is now available for the Windows Server System platform and serves as a host (software) firewall around each client and server computer, which may be controlled locally or via group policy.
Post-setup security updates (PSSU). As systems are vulnerable during the time between their installation and application of the latest security updates, SP1 blocks all inbound connections to the server after installation until Windows Update has delivered the latest security updates to the new computer.
Other SP1 features that offer a more robust security defence include Internet Information Services (IIS) 6.0 metabase auditing, which allows administrators to identify potential malicious users should the store become corrupted, stronger defaults and privilege reduction on services to establish a minimum security threshold for applications, and the addition of network access quarantine control components.
According to Microsoft:
“Install Microsoft Windows Server 2003 Service Pack 1 (SP1) to help secure your server and to better defend against hackers. Windows Server 2003 SP1 enhances security infrastructure by providing new security tools such as Security Configuration Wizard, which helps secure your server for role-based operations, improves defense-in-depth with Data Execution Protection, and provides a safe and secure first-boot scenario with Post-setup Security Update Wizard. Windows Server 2003 SP1 assists IT professionals in securing their server infrastructure and provides enhanced manageability and control for Windows Server 2003 users.”
There is no doubt that malicious software (malware) is on the increase. We have learnt how to deal with the ever increasing number of viruses, worms and Trojan horses, but spyware is now a major problem too.
Whilst many corporates will specifically ban consultants and other suppliers from connecting non-managed PCs to their network, some don’t – and in any case that is still only half the issue – what about the user who takes their laptop on the train or to the airport and connects to a wireless hotspot, or even to a less-regulated business partner’s network, then returns to the “safe” corporate LAN with who-knows-what malware on their PC? It may sound paranoid, but when I started to use anti-spyware products a couple of years back I was amazed how much rubbish had infected my work PC and I am just one user on a large network.
According to IT Week, in a survey of 500 European IT Managers commissioned by Websense, 60% said that their company does not have systems in place to guard against internal threats with 35% unable to deal with spyware (and 62% unable to block phishing attacks).
Protecting the network edge is all very well, but the guiding security principle of defence in depth needs to be applied. Networks need to be segregated, with firewalls (or at the very least separate VLANs) restricting traffic between segments but the real answer to the mobile user issue is remediation.
The principle behind remediation is that on returning to the corporate network, users will not be granted full access until their device has been scanned for operating system patches, anti-virus and anti-spyware signatures and any application patches required. Only once all of these have been installed will the user be granted full access to the network. Of course, as Dave Bailey commented in his recent IT Week article will you pass the access test?, there will be occasions when patches fail to apply, or when returning users simply have too many updates to be applied and it impacts on their legitimate business operations (but not half as much as a full-blown network attack could impact on their business).
Both Microsoft and Cisco are preparing their remediation technology offerings. Cisco has its network admission control (NAC) technology, whilst Microsoft’s approach is network access protection (NAP) (when will they learn to read their acronyms phonetically – first WUS and now NAP). Unfortunately, NAP has been dropped from forthcoming ISA Server 2004 service/feature packs and instead will be held over for Longhorn (although Windows Server 2003 does offer network access quarantine control for users connecting via a VPN).
Keni Barwick replied with an alternative to lock the workstation (%windir%\system32\rundll32.exe user32.dll, LockWorkStation) and when I said “What about Win+L – oh yes, forgot, two fingers required ;-)” he fiendishly replied “But it’s great if you want to use no fingers… i.e. the bluetooth auto lock I’m developing :-)” – sounds a bit like a TV B-Gone for PCs to me…
I can’t find the reference which started me off with this, but a few weeks ago I came across a tip for creating a shortcut to hibernate a Windows XP PC (for people who find that 5 clicks is just too much). How people find these obscure features I’ll never know (I guess it’s straightforward for a developer to find all the calls to a DLL?), but here it is anyway – just create a shortcut with a target of %windir%\system32\rundll32.exe PowrProf.dll, SetSuspendState.
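Both rundll32 tips (the lock-workstation one above and the hibernate one here) can be turned into desktop shortcuts without clicking through the shortcut wizard. This is an added example, not code from the original post; it assumes the WScript.Shell COM object is available and that the user’s desktop folder is writable.

```powershell
# Added example (not from the original post): creates the two rundll32 shortcuts
# described in the post on the current user's desktop.
$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath('Desktop')
$rundll  = Join-Path $env:windir 'system32\rundll32.exe'

# The DLL,EntryPoint pairs come straight from the post.
$shortcuts = @(
    @{ Name = 'Lock workstation'; Args = 'user32.dll,LockWorkStation' },
    @{ Name = 'Hibernate';        Args = 'PowrProf.dll,SetSuspendState' }
)

foreach ($s in $shortcuts) {
    $path = Join-Path $desktop ($s.Name + '.lnk')
    $lnk  = $shell.CreateShortcut($path)
    $lnk.TargetPath  = $rundll
    $lnk.Arguments   = $s.Args
    $lnk.Description = "Runs $rundll $($s.Args)"
    $lnk.Save()
    Write-Host "Created $path"
}
```

Note that SetSuspendState only hibernates if hibernation is enabled in the power options; otherwise the PC goes to standby instead, which is worth checking before relying on the shortcut to protect a laptop’s memory contents.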
It’s probably well-known by many people, but I just stumbled across Microsoft’s MSN Sandbox. It’s a bit like Google Labs (Google’s “technology playground”), featuring what Microsoft calls “incubation experiments” which may or may not “represent any particular strategy or policy”.
Most of the tools in the MSN Sandbox are well-known – some were even purchased as part of a company acquisition and just haven’t found their way to a release product yet (e.g. the Lookout e-mail search tool). Strangely, the site that referred me to the MSN Sandbox doesn’t have a reciprocal link – that was start.com – Microsoft’s new experimental site for RSS aggregation via the web, which I think I will be giving a spin over the coming weeks and will blog about some more if it turns out to be useful.
There is much talk in the IT press about how we can no longer rely on single factor identification (e.g. user name and password) and about how biometric security could be at least part of the answer; but for an alternative take on just how dangerous an over-reliance on biometric security may be, Alistair Dabbs’ recent will biometric security harm users? article in IT Week provides an interesting, if a touch alarmist, view on how this could all end up as an identity fraud victim’s worst nightmare.
Phishing worries me. In fact, identity theft in general is one of my major concerns (and is the reason I refuse to do any more business with Halifax Bank of Scotland, one of the UK’s largest banks, who will not respond to letters or e-mails requesting that they remove my online access even though I have closed all of my accounts with them).
“The anti-phishing working group (APWG), which comprises security vendors, ISPs and financial institutions, has been serving as a clearing-house for information on attacks and trends for more than a year [and has] reported a 24% increase in phishing each month from August to December”.
Now a group of leading IT companies, including Microsoft and eBay (two companies which have themselves been affected by high-profile phishing attacks), along with electronic payment specialist Visa and security solution provider WholeSecurity have joined forces to create an early warning network for new attacks called the Phish Report Network.
Another Internet security and payment specialist, Verisign, has warned, in its fifth Internet security intelligence briefing, that phishing attacks are the biggest threat to online business, with just over 40% of phishing sites hosted in the US but further sites identified in a total of 37 countries. According to IT Week, Verisign added that effective action against phishing would require international co-operation between Internet service providers (ISPs) and law enforcement agencies.
The problem of identity theft is broader than phishing. Since my mother’s credit card details were used fraudulently a couple of years back (identified, to their credit, by the same bank that I criticised at the head of this post), all of my family have been very careful about how we dispose of sensitive information, but that doesn’t stop me from having my card copied in a restaurant (in the UK, cards are rarely swiped using a mobile card payment terminal, as they would be in many countries – instead, they are taken away and returned with a slip for a signature a few minutes later, although this is changing with the introduction of chip and PIN technology). In his recent article, hook, line and stinkers, which appeared in IT Week, David Neal notes that:
“Identity theft, enabled by a lackadaisical approach to filing and a loose relationship with paper-shredding machines, is big business these days. In fact incidents of stolen identities have rocketed from shoulder-shrugging insignificance in 1999 to a 10 on the ‘Holy Moly’ scale this year”.
One of the most common cases of identity theft is credit card fraud, which cost UK banks £160 million last year, and someone has to pay for this (you guessed it – ultimately it is us, the consumers). The UK is ranked second for the number of fraudulent transactions (whilst online trade grew by 88% in Q4 2004, compared with the same quarter in 2003).
Whilst secure and accountable systems are a must, some gullible users will always fall foul of the type of fraud which most of us delete from our inbox without reading. The IT industry is taking action, with anti-phishing capabilities promised for a new Netscape browser and Microsoft promising anti-phishing tools in Internet Explorer 7. Meanwhile, legislation is also being considered, with the US Senate debating its proposed Anti-Phishing Act and the UK considering its own legislation, with early draft regulations possible as early as the end of this year.
The financial services companies which I transact online with (First Direct and Egg) will not correspond with me by e-mail about anything which requires personal information (i.e. only marketing information) – instead they have a private messaging system embedded within their secure websites. It’s a pain in the backside as I like to keep copies of my correspondence within my e-mail client long after my relationship with a company (and hopefully its secure website – take note HBoS) ends. Now other companies such as eBay are following the same path, but as Ken Young pointed out recently in IT Week:
“The power of email, after all, is that it arrives in your lap. How many of us would trundle down to the Post Office on the off-chance [that there may be some mail waiting there for us]? And therein lies the big problem with private e-mail services – it is a far more restricted form of the real thing. It’s safer, but much less useful.”
Young also notes that such systems represent a challenge to fraudsters, who are likely to send out e-mails to entice users to fake inbox sites (with the intention of harvesting personal information), or to use keystroke logging software to gain access to users’ inboxes.
Whatever happens, it’s clear that this issue will not disappear overnight. What is needed is consumer education, legal protection and increased use of multi-factor identification – for example extending chip and PIN to the home PC.
The application compatibility toolkit contains tools and documentation to evaluate and mitigate application compatibility issues including the latest versions of the Microsoft Application Analyzer that simplifies application inventory and compatibility reporting, the Internet Explorer Compatibility Evaluator that assists testers in locating compatibility issues with Internet Explorer on Windows XP SP2, and the Compatibility Administrator that provides access to the necessary compatibility fixes to support legacy applications in Windows.
I’m yet to be convinced of the business benefits of instant messaging (IM). My current employer doesn’t prohibit IM – in fact it is encouraged – I use Microsoft’s MSN Messenger service, as do many of my colleagues. I suspect the reason that we haven’t implemented a corporate IM solution is cost.
According to IT Week, research conducted by Telewest business has found that due to security concerns only a third of UK companies allow staff access to IM. Many other companies are still deciding what their corporate messaging policy should be, but with the rising incidence of spam over IM (spim), ignorance of IM is no longer an option.
For those large enterprises that do allow IM, using the free services from Microsoft, Yahoo!, AOL and others are simply not an option (in fact they are a liability) and if IM is to become a business tool, a corporate IM infrastructure needs to be provided. For many years, Microsoft has produced a variety of chat-like products under the Exchange Server banner, but they were removed from Exchange Server 2003 and replaced with a new product – Microsoft Office Live Communications Server (LCS) 2005, which provides corporates with IM and presence capabilities.
Earlier this month, Microsoft revealed their vision for collaboration with a new product on the horizon – Microsoft Office Communicator 2005 (previously codenamed Istanbul) – supporting all of the current IM capabilities plus PC-to-phone integration and “rich presence awareness” (the ability to route calls by the most appropriate medium – fixed-line, mobile or IP voice, IM, e-mail, video or web conferencing). Microsoft will back up Office Communicator with a service pack for LCS due later this month and including enhancements such as IM spam (spim) controls, auditing (to address regulatory concerns), compatibility with Microsoft Operations Manager (MOM), HTTPS access (removing the need for VPN connections) and public IM connectivity (the ability to communicate with MSN Messenger, Yahoo! Messenger and AOL Instant Messenger clients). Alongside all of this is Microsoft Office Live Meeting 2005, an upgrade to Microsoft’s web conferencing service, offering call controls for audio conference service providers and the ability to conduct live meeting sessions within Microsoft Office (in the UK this is made available as a hosted service from BT, with per-minute, named user or per-seat tariffs – there is a Flash-based demonstration on the BT website).