Monday, January 14, 2008

Windows Security Features, Securing Microsoft Products

Microsoft has become very security conscientious since that whole Code Red / Nimda business back in 2001. They've added features like Mandatory Integrity Control, Windows Service Hardening, User Account Control, BitLocker, Windows Firewall, Data Execution Prevention (DEP), ASLR (Address Space Layout Randomization), Signed Binaries and LKM (Loadable kernel modules), Windows Defender, Malicious Software Removal Tool, Microsoft Baseline Security Analyzer, Windows File Protection - WFP - and System File Checker - sfc.exe (just run sfc /scannow or /scanboot etc. to check and fix broken system files), Security Configuration Wizzard (scw) in Windows Server, etc.

Features that can easily compete with similar products in UNIX and *NIX systems, like chroots, jails (Windows Service Hardening), RBAC / su / sudo (UAC, MIC), GELI/GBDE GEOM classes on FreeBSD , crypto-loom/dmcrypt on Linux (BitLocker), IPF/IPFW/PF/IPTABLES (Windows Firewall Advanced Security -> wf.msc / WFAV in mmc), OpenBSD W^X, SSP, Linux PaX / Exec Shield (ASLR, DEP), IPSEC, Signed Binaries / LKMs, chkrootkit/RootKitHunder (Windows Defender, RootKitRevealer, StriderGhostBuster), Bastille (a UNIX hardening tool like Security Configuration Wizzard - SCW on Windows Server. Available for Linux, HP-UX, etc) and so on.

Even with development tools, GCC has ProPolice / SSP, Visual Studio has the /GS switch to protect against buffer overruns.

It's pretty clear, the security features are there, it's up to LAYER 8 (you!) to put it in practice.

The key idea here is *mitigation*. Don't abuse the Administrative accounts, read and apply those security guides and above all, use common sense. After all, Microsoft runs Windows on their servers (they even run 2008 while it's still in release candidate stage), and they're one of the biggest targets for abuse. There goes the argument that you "can't secure Windows".

Here's some links (they try to point to the more technical guides):

They have also started releasing some very good hardening guides:
Microsoft has also started it's own line of security products, with:

Internet explorer vs. Firefox shows it's not that peachy "on the other side" either. And the response time from both is fair.

What about the whole "open source" - many eyes concept?
Doesn't this mean Microsoft is horribly insecure? What about 3rd party code reviews?

That whole concept is highly overrated. 99% of open source users never seen a line of code in their lives. Simple as that. Just because you can install Ubuntu doesn't make you a kernel developer. Don't get me wrong, I love Open Source software, I'm just not rushing to make any claims about how the opens source development model adds security (remember, you can have a whole lot more malicious people look at the code then developers).

Anyway, Enterprise customers can still get access to Windows and other Microsoft sources through various Shared Source programs:

Enterprise Source Licensing Program (ESLP)

"The ESLP allows eligible enterprise customers access to Microsoft Windows source code for internal development and support purposes, including debugging. This enables customers to develop and support their internally deployed applications and solutions that run on Windows."