Worms and viruses plaguing users worldwide are symptoms of weak security in Windows and other programs. But so far, vendors are doing more to combat the disease’s symptoms than its root cause.

Microsoft in particular has addressed its vulnerabilities by focusing on patch management and network attachment controls. New service packs for Windows Server 2003 and XP will enable better automated patching and let administrators quarantine PCs that do not have the appropriate patches, personal firewalls and anti-virus software installed.

Yet these protection measures are only marginally successful as worm and virus builders improve their skills. New worms, such as Sasser, are developed just days after vulnerabilities are published. Even with automated patch management, customers need time to properly test and install the patches. Microsoft also has touted its improved security configuration management. The Internet Information Server (IIS) is not installed by default anymore, for example, and when it is installed, dangerous features such as dynamic content are turned off. Microsoft also supplies prescriptive guidance for further locking down the server.

Locking down settings reduces the so-called “attack surface” but leaves vulnerabilities under the surface. Privileged users can toggle the settings back on, and they will. Malicious programs also might toggle security settings on or off. Problems arise because Microsoft has bundled a great quantity of complex functionality into just a few Windows operating systems packages comprising an estimated 60 million lines of complex, interdependent code.
“Integration” has been the marketing mantra and design goal.

On a domain controller it is possible to install IIS or even invoke ActiveX – a prime vehicle for Trojan horse programs – within Internet Explorer. This bundling works for small businesses that need to run everything on one server, but it makes no sense for large companies that use domain controllers for single sign-on to huge forests of resources. In such environments, the domain controller holds the keys to the kingdom and Microsoft should – at a minimum – create a stripped-down system for the domain controller role.

Wrapper defenses – which run the gamut from network firewalls, to host firewalls, to host-based intrusion detection and response software – can prevent worms or viruses from entering the network or from taking control of infected hosts. Unfortunately, many wrappers rely on signature-based detection, generate false positives, or are cumbersome to manage. Because wrappers also can interfere with legitimate applications, flexible policy-based control is key. Customers also should evaluate newer and better software products claiming the ability to stop memory-based attacks that worms use, such as buffer overflows.

But until Microsoft and other vendors address the root causes of vulnerability by creating smaller, more modular packages to perform different roles, heightened attention to wrappers and strong system administration will be customers’ best defense.