Microsoft has become very security-conscious since that whole Code Red / Nimda business back in 2001. They've added features like Mandatory Integrity Control, Windows Service Hardening, User Account Control, BitLocker, Windows Firewall, Data Execution Prevention (DEP), ASLR (Address Space Layout Randomization), Signed Binaries and LKM (Loadable kernel modules), Windows Defender, Malicious Software Removal Tool, Microsoft Baseline Security Analyzer, Windows File Protection (WFP) and System File Checker (sfc.exe; just run sfc /scannow or /scanboot etc. to check and fix broken system files), Security Configuration Wizard (scw) in Windows Server, etc.
These features can easily compete with similar products in UNIX and *NIX systems, like chroots, jails (Windows Service Hardening), RBAC / su / sudo (UAC, MIC), GELI/GBDE GEOM classes on FreeBSD, cryptoloop/dm-crypt on Linux (BitLocker), IPF/IPFW/PF/IPTABLES (Windows Firewall Advanced Security -> wf.msc / WFAS in mmc), OpenBSD W^X, SSP, Linux PaX / Exec Shield (ASLR, DEP), IPSEC, Signed Binaries / LKMs, chkrootkit/Rootkit Hunter (Windows Defender, RootkitRevealer, Strider GhostBuster), Bastille (a UNIX hardening tool like Security Configuration Wizard, SCW, on Windows Server; available for Linux, HP-UX, etc.) and so on.
The same goes for development tools: GCC has ProPolice / SSP, and Visual Studio has the /GS switch to protect against buffer overruns.
It's pretty clear that the security features are there; it's up to LAYER 8 (you!) to put them into practice.
The key idea here is *mitigation*. Don't abuse the Administrative accounts, read and apply those security guides and above all, use common sense. After all, Microsoft runs Windows on their servers (they even run 2008 while it's still in release candidate stage), and they're one of the biggest targets for abuse. There goes the argument that you "can't secure Windows".
Here are some links (they try to point to the more technical guides):
- Here's an overview of Vista security features, at a glance.
- Windows Vista Integrity Mechanism Technical Reference
- Windows Vista Security and Data Protection Improvements
- Microsoft Security Center
- Microsoft Security Development Center
- Microsoft Security Research Group
- Microsoft TechNet Security Center
- WSUS - Microsoft Windows Server Update Services
- Windows XP Security Guide
- Windows Vista Security Guide
- Microsoft Office 2007 Security Guide
- Windows Server 2003 Security Guide
- Windows Server 2008 Security Guide
- Microsoft Exchange Server 2003 Security Hardening Guide
- Microsoft Exchange Server 2003 Message Security Guide
- Microsoft Operations Manager 2005 Security Guide
- Microsoft Operations Manager 2007 Security Guide
- Microsoft Forefront - Client / Server / Edge - security (Antivirus)
- Microsoft Antigen - E-Mail (Exchange or SMTP gateway) Antivirus / Antispam, Sharepoint security
- Windows Live OneCare - Antivirus / Antispyware
- ISA - Internet Security and Acceleration Server
Internet Explorer vs. Firefox shows it's not that peachy "on the other side" either. And the response time from both is fair.
What about the whole "open source" - many eyes concept? Doesn't this mean Microsoft is horribly insecure? What about 3rd party code reviews?
That whole concept is highly overrated. 99% of open source users have never seen a line of code in their lives. Simple as that. Just because you can install Ubuntu doesn't make you a kernel developer. Don't get me wrong, I love Open Source software, I'm just not rushing to make any claims about how the open source development model adds security (remember, you can have a whole lot more malicious people looking at the code than developers).
Anyway, Enterprise customers can still get access to Windows and other Microsoft sources through various Shared Source programs:
- Enterprise Source Licensing Program (ESLP)
"The ESLP allows eligible enterprise customers access to Microsoft Windows source code for internal development and support purposes, including debugging. This enables customers to develop and support their internally deployed applications and solutions that run on Windows."