Securing Vista: Here we go again

Jan 23 2007

By Ric Steinberger, CISSP, CISM

The new year has brought security professionals a mixed blessing: the first new operating system from Microsoft in over half a decade. There’s one thing we can be sure of: Over the next few years, thousands of articles will be published on the general topic of “Securing Vista”. This in spite of the fact that Microsoft has issued countless assurances that Vista is their most secure operating system to date (as if that is supposed to allow us to issue a sigh of relief).

Vista security is something that can indeed be managed, but not primarily by some combination of geeky registry tweaks and “new for Vista” software packages. What we, as security professionals, need to do is to maintain our perspective and remember the following: There are three basic ways that bad guys gain control of and damage end-user computers:

  • Taking advantage of unpatched vulnerabilities in the operating system
  • Taking advantage of unpatched vulnerabilities in installed applications
  • Taking advantage of “mistakes” that end users make accidentally or unknowingly, or can be tricked into making.

Microsoft has helped matters somewhat by doing something that Unix, Linux and Mac have long required: With Vista, a user has to type in an administrative password before software can be installed with elevated privileges. This change reduces, but hardly eliminates, the likelihood of serious and potentially long-term damage occurring on a Vista system. If a user is not issued an administrative password, they won’t be able (in theory) to allow software, dangerous or safe, to be installed. Therefore, preventing corporate end-users from knowing administrative passwords can serve as one bulwark in a defense in depth strategy. [There are some downsides to this approach: some power users will complain, so be prepared for that. More technical users may even boot a Live Linux CD and attempt to bypass various restrictions on their capabilities. Be prepared for this too.]

So what should security professionals do, given that most organizations will start buying Vista within the next year? The short answer is to do what we have always done: Be conservative; don’t buy the latest whiz-bang security products in hopes of a “preemptive strike”; recognize that Windows XP and Vista will both be on corporate networks for several years; balance costs against benefits, and stay focused on high-level business objectives (e.g., protecting Intellectual Property and sensitive data, following compliance requirements, working to keep information security as a “low friction”, enabling technology).

Here are some suggestions:

  • Whatever patching strategy you have in place for updating Windows XP: If you’re satisfied that it’s working in an optimal manner, look into expanding it to handle Vista. Keep the process as automated as possible, and make sure your system can detect and respond to unpatched systems. This might be an ideal time to review, or develop, your Network Admission Control (NAC) policy.
  • If you have additional strategies in place for patching end-user applications: These should continue to work on Vista with minimal or no modifications.
  • Continue to improve your perimeter and zone defenses. Keep firewalls, IDSes, and Anti-Virus/Anti-SPAM gateways up to date. The more attacks and malware you block at the perimeters, the less likely any of your end-user Windows systems will encounter them, much less need to repel them.
  • Devote more effort to security awareness. It’s virtually impossible to keep all staff from “doing stupid things” (like sharing passwords, using the same passwords for business and personal applications, failing to enable a screen lock, failing to protect a laptop while traveling, forwarding confidential business information outside the corporate environment [e.g., by sending to one’s personal email account, or copying to a USB memory stick], downloading spyware or other malware). While there are commercial products and/or technical approaches to prevent and/or detect many of these “mistakes” that users make, the best approach would seem to be an “educated” staff that is well-trained on security policies and how to practice safe computing.
  • Remember the triad: Prevent, Detect and Respond. Vista is going to present us with new challenges. We need to be looking for opportunities to improve existing strategies of preventing attacks, detecting them when they occur, and responding as necessary. You have an Intrusion Response Plan, right?
  • Remember that Vista is “just an operating system”. We have years of experience of taking vendor-provided OSes, making them more secure, and deploying them throughout our organizations in a controlled manner. Try to ignore the hype from Microsoft and the security vendors. Focus on what’s worked in the past - chances are good that the same approaches will work with Vista.
  • Keep scanning your networks for OS and application level vulnerabilities - and promptly fix the more serious ones. Even the most thorough patching strategies cannot guarantee 100% effectiveness, so it’s best if periodic, “hygienic” sweeps are done to uncover potential exploit opportunities. Like Windows XP, Vista is likely going to require monthly (or more frequent) security patching for years to come.

Vista is a new operating system. It’s hardly revolutionary (Microsoft PR notwithstanding), and it shouldn’t require major “rethinks” of security policies or strategies. In its first couple of years, it will, like all new OSes, have a significant number of security vulnerabilities (as well as just plain bugs). If we act patiently and conservatively, this won’t be such a rough ride as we might have first thought.

Posted by ricst on Tuesday, January 23rd, 2007, at 8:52 pm, and filed under Articles.
