September 2005

Microsoft Security Enhancements

Understanding the latest security features and functionality to come out of Redmond

A couple years ago, the industry finally got Microsoft's attention with regard to security and quality, and Redmond responded with its much-touted Trustworthy Computing initiative. At the time, we wondered whether the initiative would ever amount to much beyond its hype, but I have to admit that Microsoft has since made substantial investments in security across the board. In particular, Microsoft is making strong progress with its overall patch strategy and is leading the industry with a predictable, monthly patch schedule. In addition, Microsoft has purchased several security software companies with the intention of integrating those companies' technologies into the Windows platform.

All these efforts have produced an array of tools and resources for enterprises, small businesses, and consumers to help with various security processes. In this article, I give you an overview of what's available now and what Microsoft promises for the near future—some of which might be released by the time you read this article. I discuss patch management tools—including Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), the Enterprise Update Scan Tool—and other resources, such as Windows AntiSpyware, the Malicious Software Removal Tool (MSRT), Windows Server 2003 Service Pack 1 (SP1) and Release 2 (R2), and Audit Collection Services (ACS).

PATCH MANAGEMENT
To help bring some order to the previously chaotic and unpredictable world of security patching, Microsoft has adopted a monthly schedule in which it releases security updates on the second Tuesday of the month. (Extremely serious updates are still released outside the normal schedule.) Microsoft publishes a best-effort preview of what to expect several days before "patch Tuesday" so that you can start your impact analysis and planning.

The two most laborious patching activities are patch deployment and the follow-up process of scanning systems for missing patches. Scanning for missing patches is crucial in environments that don't have a comprehensive patch-deployment process that covers all systems. Even in tightly controlled environments, scanning is an important best practice for providing positive confirmation that patch deployments are succeeding and reaching all applicable systems.

To help automate those two processes, you can choose from four free Microsoft services and programs. For patch deployment, you can use Microsoft Update (an enhanced version of the former Windows Update service targeted at consumers and very small businesses), WSUS, and the Systems Management Server (SMS) Inventory Tool for Microsoft Updates (designed for large enterprises that use SMS, a purchased product). For scanning and reporting on patch status, you can use the standalone MBSA 2.0 tool or exploit WSUS's or the SMS inventory tool's new reporting capabilities.

WSUS
WSUS (http://www.microsoft.com/windowsserversystem/updateservices/default.mspx) is an important Software Update Services (SUS) follow-up targeted at small-to-midsized networks. WSUS offers enhanced control and management of the patch process across the board. Whereas SUS supports only Windows and a few related server applications, WSUS unifies patch deployment for Microsoft's most common server, OS, and client products, including Windows 2003, Windows XP, Windows 2000, SQL Server, MSDE, Exchange Server, and Office. WSUS also addresses important SUS design limitations that prevented you from using one SUS server to deploy updates to test and production environments—a limitation that required you to maintain an additional SUS server for pushing out patches to test systems.

WSUS scales well from small to large networks, but if you manage a very small number of systems or need to manage patches for a large enterprise, you have some additional options for patch deployment. Larger enterprises that already have SMS can use the SMS Inventory Tool for Microsoft Updates, a version of WSUS adapted for integration with SMS for more control and enterprise flexibility. Networks with only a handful of systems can take advantage of the more consumer-oriented Microsoft Update feature in Win2K and later, in which each system independently downloads updates directly from Microsoft's site. Although each system installs updates independently, if you have Active Directory (AD), you can use Group Policy to centrally enable Microsoft Update and control how the system handles restarts and when it installs updates.

Microsoft Update's advantage over WSUS is that it requires no ongoing administrative attention because Windows installs all updates as they're released. Also, you don't have to set up a WSUS server. For that simplification, you give up control of the process. You can't specify which patches are deployed to which systems, delay patching until you have a chance to test them, or centrally uninstall patches. And there's no built-in way to monitor patch deployment—although you can use MBSA to scan for missing patches. Microsoft Update also uses more bandwidth because each system must download the update from Microsoft. In contrast, WSUS downloads the update from the Internet only once, then distributes it to applicable systems over the local network.
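The difference between the two deployment models shows up on each client as a handful of policy registry values: a machine pointed at WSUS carries a WUServer URL and an install schedule, while a machine left on Microsoft Update has none of them and decides on its own. The following PowerShell audit script is an added example, not code from the article or from Microsoft; it reads the values that the Automatic Updates Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and compares them with what you expect. The WSUS URL is a placeholder you replace with your own.

```powershell
# Added example: audit a machine's Automatic Updates client configuration.
# Answers the question "does this box update on its own from Microsoft Update,
# or under central control from our WSUS server, and on what schedule?"

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# AUOptions values as used by the Automatic Updates client.
$AuOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download, scheduled install'
    5 = 'Local administrator chooses'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent; absence
    # is the normal state on an unmanaged (Microsoft Update only) machine.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WuClientPolicy {
    $useWsus  = Get-RegValue $AuKey 'UseWUServer'
    $auOption = Get-RegValue $AuKey 'AUOptions'
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ManagedByWsus    = ($useWsus -eq 1)
        WsusServer       = Get-RegValue $PolicyKey 'WUServer'
        StatusServer     = Get-RegValue $PolicyKey 'WUStatusServer'   # where the client reports status
        TargetGroup      = Get-RegValue $PolicyKey 'TargetGroup'      # client-side targeting group, if used
        InstallBehaviour = if ($auOption) { $AuOptionNames[[int]$auOption] }
                           else { 'Not configured (client decides on its own)' }
        ScheduledDay     = Get-RegValue $AuKey 'ScheduledInstallDay'  # 0 = every day, 1..7 = Sunday..Saturday
        ScheduledHour    = Get-RegValue $AuKey 'ScheduledInstallTime' # 0..23
        NoAutoReboot     = ((Get-RegValue $AuKey 'NoAutoRebootWithLoggedOnUsers') -eq 1)
    }
}

function Test-WuClientPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedWsusUrl,  # placeholder, e.g. 'http://wsus.example.internal'
        [int]$ExpectedAuOption = 4                              # scheduled install is the usual managed choice
    )
    $p = Get-WuClientPolicy
    $findings = @()
    if (-not $p.ManagedByWsus) {
        $findings += 'Client is not pointed at WSUS; it updates directly from Microsoft Update with no central approval or reporting.'
    } elseif ($p.WsusServer -ne $ExpectedWsusUrl) {
        $findings += "WUServer is '$($p.WsusServer)', expected '$ExpectedWsusUrl'."
    }
    if ($p.WsusServer -and $p.WsusServer -notlike 'https://*') {
        $findings += 'WSUS URL uses plain HTTP; consider SSL for the client/server channel.'
    }
    if ($p.InstallBehaviour -ne $AuOptionNames[$ExpectedAuOption]) {
        $findings += "Install behaviour is '$($p.InstallBehaviour)', expected '$($AuOptionNames[$ExpectedAuOption])'."
    }
    $p | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

# Usage (the URL is a placeholder):
Test-WuClientPolicy -ExpectedWsusUrl 'http://wsus.example.internal' | Format-List
```

Run it under an account that can read HKLM on the target; on a machine that has never received the policy every value comes back empty, which is exactly the "no central control" state the text describes, and the Findings list says so rather than erroring out.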

MBSA 2.0
If you're a small to midsized business (SMB), you can use MBSA 2.0 (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) to scan systems for missing patches. MBSA is a standalone program that scans multiple computers on the network for common misconfigurations, vulnerabilities, and missing patches. Previous versions of MBSA couldn't remotely scan for Office updates, but MBSA 2.0 can. However, that functionality comes at a price: MBSA 2.0 requires Windows Update Agent 2.0 and Windows Installer 3.1 on any computer it scans.

You can use MBSA 2.0 independently or in conjunction with WSUS. If your systems are managed by WSUS, you can tell MBSA to limit analysis to patches approved in WSUS so that MBSA doesn't clutter the report with patches that have been deemed unnecessary for various groups of systems on your network. Although WSUS now provides its own reporting, you can use MBSA in a number of situations. MBSA supports more products than WSUS currently does, and for non-WSUS networks, MBSA is obviously valuable for assessing the status of patches deployed through other means. Also, information-security folks who aren't responsible for installing patches and therefore don't have access to WSUS might still need to assess the patch status of the company's systems. If different administrators manage several WSUS servers, MBSA 2.0 lets the information-security officer correlate the results across the entire organization and identify gaps in patch management. MBSA can also report computers that aren't subscribed to a WSUS server. You must still have local administrator authority on each computer you scan with MBSA 2.0, and you might need to open or change some port numbers if you have personal firewalls enabled or firewalls between MBSA and the scanned computers.
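The correlation job described above, where an information-security officer pulls together scan results from machines served by several WSUS servers, is mostly a matter of aggregating per-machine reports. The script below is an added example, not part of the article or of MBSA; it assumes MBSA 2.0 leaves one XML report per scanned machine (by default under %USERPROFILE%\SecurityScans\*.mbsa) and that those reports use the element names shown here (SecScan, Check, UpdateData with IsInstalled and Severity attributes, Title). The two reports embedded in the script are constructed samples with placeholder update IDs so it runs offline; swap in real files with the commented Get-ChildItem line.

```powershell
# Added example: roll up missing-update findings from many MBSA reports into
# one organization-wide "which updates are missing on how many machines" view.

# Constructed sample reports (simplified shape, placeholder IDs, not real bulletins).
$Report1 = @'
<SecScan Machine="WKS01" Domain="CORP" Date="2005-09-14T08:00:00">
  <Check ID="500" Name="Windows Security Updates">
    <Detail>
      <UpdateData ID="MS05-EX1" IsInstalled="false" Severity="Critical"><Title>Example update (KB000001)</Title></UpdateData>
      <UpdateData ID="MS05-EX2" IsInstalled="false" Severity="Important"><Title>Example update (KB000002)</Title></UpdateData>
    </Detail>
  </Check>
</SecScan>
'@
$Report2 = @'
<SecScan Machine="SRV01" Domain="CORP" Date="2005-09-14T08:05:00">
  <Check ID="500" Name="Windows Security Updates">
    <Detail>
      <UpdateData ID="MS05-EX1" IsInstalled="false" Severity="Critical"><Title>Example update (KB000001)</Title></UpdateData>
      <UpdateData ID="MS05-EX3" IsInstalled="true" Severity="Moderate"><Title>Example update (KB000003)</Title></UpdateData>
    </Detail>
  </Check>
</SecScan>
'@
$SampleReports = @($Report1, $Report2)

function Get-MissingUpdates {
    # One object per update that a single report marks as not installed.
    param([Parameter(Mandatory=$true)][string]$ReportXml)
    $doc = [xml]$ReportXml
    $machine = $doc.SecScan.Machine
    foreach ($u in $doc.SelectNodes('//UpdateData[@IsInstalled="false"]')) {
        [pscustomobject]@{
            Machine  = $machine
            UpdateId = $u.ID
            Severity = $u.Severity
            Title    = $u.Title
        }
    }
}

function Get-PatchGapSummary {
    # Group missing updates across all reports, most widespread first.
    param([Parameter(Mandatory=$true)][string[]]$Reports)
    $missing = $Reports | ForEach-Object { Get-MissingUpdates -ReportXml $_ }
    $missing | Group-Object UpdateId | ForEach-Object {
        [pscustomobject]@{
            UpdateId     = $_.Name
            Severity     = $_.Group[0].Severity
            Title        = $_.Group[0].Title
            MachineCount = $_.Count
            Machines     = (($_.Group | ForEach-Object { $_.Machine }) | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object MachineCount -Descending
}

# Real reports instead of the samples (assumed default MBSA output location):
#   $SampleReports = Get-ChildItem "$env:USERPROFILE\SecurityScans\*.mbsa" | ForEach-Object { Get-Content $_.FullName -Raw }
Get-PatchGapSummary -Reports $SampleReports | Format-Table -AutoSize
```

The output lists MS05-EX1 as missing on two machines and MS05-EX2 on one; the installed MS05-EX3 is filtered out by the XPath predicate. Because the summary keys on the update ID rather than on which WSUS server approved it, the same script works whether the scanned machines were approved by one WSUS server, by several, or not managed by WSUS at all.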

WINDOWS ANTISPYWARE
Microsoft made a wise decision when it bought Giant Company Software last year and turned Giant AntiSpyware into Windows AntiSpyware (http://www.microsoft.com/athome/security/spyware/software/about.mspx). At the time of writing, Windows AntiSpyware is a free consumer-targeted product in beta that's very effective. However, as a consumer product, Windows AntiSpyware lacks enterprise deployment and management features that midsized to large organizations require. Microsoft has expressed intentions to develop an enterprise version of the product, which won't be free. Windows AntiSpyware uses both of Giant's signature- and behavior-based detection technologies, and both technologies are as sophisticated as they come.

The signature-based detection engine is unique because it leverages Spynet, a global, volunteer-based community approach to collecting new spyware from the wild. Volunteers can submit potential spyware to Spynet to help keep the signature database as up-to-date as possible.

Although Windows AntiSpyware's core technology is impressive, it currently relies on end users to make decisions that IT shops might want to control according to company policy. It will be interesting to see how the enterprise version of the product develops and how much it costs.

MSRT
Evidently, Microsoft has decided that it needs to do more to help keep users safe from the most common malware threats, such as viruses, Trojan horses, and worms—even users that fail to install antivirus software. This is a good idea, because Microsoft is constantly targeted for the many available vectors of infection that Windows, IE, and Office seem to offer to malware writers.

Microsoft updates MSRT (http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en) each month so that it detects a few of the most common threats. MSRT isn't a proactive technology, and it's far from a replacement for full-blown antivirus solutions. MSRT merely looks for the most prevalent malware and removes it from already-infected computers. That being said, MSRT has value in IT shops, mostly as a way to add another layer to your defense-in-depth strategy. There's always the possibility that your antivirus solution might fail to detect an update, or a PC might not have antivirus software installed or might not receive a crucial signature database update. MSRT lets you scan computers for the most common malware independent from your primary antivirus solution, thereby providing the added layer of protection that defines the defense-in-depth concept.

If you've decided to give up on workstation-based antivirus software because of cost, complication, and performance concerns and instead rely on server- and gateway-based antivirus controls, MSRT might be particularly useful to you.

WINDOWS XP SP2
Microsoft continues to enhance the security of its core OSs, Windows Server 2003 and Windows XP. In particular, XP SP2 offers several new security features designed to address workstation-specific risks. Most important, SP2 installs the new Windows Firewall, which offers much protection against worms and active network-based attacks against workstations, whether connected to the internal LAN, at a hotel room, or in a coffee shop.

WINDOWS 2003 SP1
The first Windows 2003 service pack (http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx) brings Windows Firewall to the Windows server OS, as well as a host of other security features. Whereas XP SP2 enables Windows Firewall by default, Windows 2003 SP1 doesn't. Windows 2003 SP1 brings Data Execution Prevention (DEP) to Windows—a new way to prevent nasty buffer overflows that have plagued Windows and Linux over the past several years. DEP integrates with features in Intel and AMD CPUs to prevent malicious code from loading into memory that's allocated to an application for storing data (heaps, stacks, and memory pools).

Windows 2003 SP1 reduces Windows' attack surface with security enhancements to DCOM and RPC services, which are two ways to access server applications from over the network but are also potential attack vectors. SP1 strengthens the authentication requirements of both services, letting you disable incoming requests to activate DCOM objects and imposing computer-wide restrictions on remote access to COM servers on the system. Many applications expose their functionality through COM servers but require little if any authentication or access control. On a typical system, more than 150 COM objects are installed by Windows alone.
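Both of the SP1 hardening features just described leave a footprint you can read back from a running server: the DEP policy is exposed on the Win32_OperatingSystem WMI class, and the machine-wide DCOM access and launch restrictions are stored as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole. The following script is an added example, not code from the article or from Microsoft; the WMI property names, registry value names and DEP policy numbers are Microsoft's, the interpretation strings and the findings logic are ours, and the AppID count stands in for the article's "more than 150 COM objects" observation (AppID entries are the per-application DCOM registrations, not every CLSID).

```powershell
# Added example: report the state of the Windows 2003 SP1 hardening features
# on the local machine (DEP policy and machine-wide DCOM restrictions).

# DataExecutionPrevention_SupportPolicy values on Win32_OperatingSystem.
$DepPolicyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn (only Windows components protected; the XP SP2 default)'
    3 = 'OptOut (everything except excluded programs; the Windows 2003 SP1 default)'
}

function ConvertTo-Sddl {
    # The Ole key stores the restriction descriptors as REG_BINARY; decode to SDDL so a human can read them.
    param([byte[]]$BinarySd)
    if (-not $BinarySd) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($BinarySd, 0)
    $sd.GetSddlForm('All')
}

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $DepPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DcomRestrictions {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DcomEnabled              = ($ole.EnableDCOM -ne 'N')          # 'Y' or absent means DCOM is on
        MachineAccessRestriction = ConvertTo-Sddl $ole.MachineAccessRestriction
        MachineLaunchRestriction = ConvertTo-Sddl $ole.MachineLaunchRestriction
        RegisteredAppIds         = (Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue).Count
    }
}

function Get-Sp1HardeningReport {
    $dep  = Get-DepStatus
    $dcom = Get-DcomRestrictions
    $notes = @()
    if (-not $dep.HardwareDepAvailable) {
        $notes += 'CPU or firmware does not expose hardware DEP; only the software form applies.'
    }
    if ($dep.Policy -like 'AlwaysOff*') {
        $notes += 'DEP is disabled system-wide.'
    }
    if (-not $dcom.MachineAccessRestriction -and -not $dcom.MachineLaunchRestriction) {
        $notes += 'No machine-wide DCOM restrictions are recorded in the registry; only the built-in defaults apply.'
    }
    if ($dcom.DcomEnabled -and $dcom.RegisteredAppIds -gt 0) {
        $notes += "DCOM is enabled with $($dcom.RegisteredAppIds) registered AppIDs; each is reachable subject to the restrictions above."
    }
    [pscustomobject]@{ Dep = $dep; Dcom = $dcom; Notes = $notes }
}

Get-Sp1HardeningReport | Format-List
```

Reading the decoded SDDL is the useful part: the access and launch descriptors name exactly which principals may reach or activate COM servers over the network, so a server that has been "hardened" by policy and one still on defaults differ visibly in that string rather than only in a checkbox.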

RELEASE 2
Beyond Windows 2003 SP1, Release 2 (R2) looms on the horizon and is in beta at the time of writing. Microsoft says R2 will be free to Security Assurance (SA) and Enterprise Agreement customers. R2 was originally intended to include all the feature packs and other Windows 2003 add-ons that have come out since the OS's release, but now R2 is slated to contain all previous service packs and some of the post–Windows 2003 feature packs. More important, R2 will introduce a bevy of new features to Windows. Most of R2's new features are related to storage and management, but you'll also find some notable security features, such as Active Directory Federation Services (ADFS), which provides a single sign-on (SSO) experience to users who access multiple Web applications during one session. R2 also simplifies security integration between Windows and UNIX.

ACS
Still in beta at the time of this writing, ACS is Microsoft's attempt to address a longstanding Windows deficiency. UNIX has long had its Syslog technology for handling the problem of collecting log data from multiple systems into one place for centralized monitoring, reporting, and archiving, but the value of the Windows security event log has always been hampered by its isolation and cryptic codes. ACS is an agent/collector-based technology that securely streams security events to a central security-log collector, where the events are then inserted into a specially designed Microsoft SQL Server database. (ACS is expected to support the Microsoft Data Engine, MSDE, as well.) You'll be able to perform real-time monitoring through WMI scripts and reporting through SQL queries. It remains to be seen how ACS will be licensed and how much built-in reporting and monitoring ACS will have.
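The real-time WMI monitoring the text anticipates can be prototyped today against a single machine's Security log, and the same summariser would later run over events pulled from the ACS collector. The script below is an added example, not code from the article or from ACS; it reads Win32_NTLogEvent instances for event ID 529 (the Windows 2000/2003 "unknown user name or bad password" audit event) and flags accounts and workstations that exceed a failure threshold. The positions used in InsertionStrings follow the 529 message template (user name first, workstation name sixth); the sample events are constructed so the summariser runs offline.

```powershell
# Added example: turn raw Security-log failed logons into a short "who is
# being hammered, and from where" summary, the first thing a central log
# collector such as ACS would be asked for.

function Get-FailedLogons {
    # Collect 529 events from the local Security log since a given time via WMI.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # WQL compares dates in DMTF format; the converter produces that string.
    $wmiSince = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
    $filter = "Logfile='Security' AND EventCode=529 AND TimeGenerated>='$wmiSince'"
    Get-WmiObject -Class Win32_NTLogEvent -Filter $filter | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.ConvertToDateTime($_.TimeGenerated)
            User        = $_.InsertionStrings[0]   # User Name in the 529 template
            Workstation = $_.InsertionStrings[5]   # Workstation Name in the 529 template
        }
    }
}

function Get-LogonFailureSummary {
    # Group failures by account and by source; anything at or above the threshold is reported.
    param(
        [Parameter(Mandatory=$true)][object[]]$Events,
        [int]$Threshold = 10
    )
    $byUser = $Events | Group-Object User        | Where-Object { $_.Count -ge $Threshold }
    $byWs   = $Events | Group-Object Workstation | Where-Object { $_.Count -ge $Threshold }
    [pscustomobject]@{
        TotalFailures      = $Events.Count
        SuspiciousAccounts = @($byUser | ForEach-Object { "$($_.Name) ($($_.Count))" })
        SuspiciousSources  = @($byWs   | ForEach-Object { "$($_.Name) ($($_.Count))" })
    }
}

# Constructed sample: twelve failures for one service account from one
# workstation, plus a single mistyped password from an ordinary user.
$sample = @()
1..12 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$_); User = 'svc_backup'; Workstation = 'WKS07' }
}
$sample += [pscustomobject]@{ Time = Get-Date; User = 'jsmith'; Workstation = 'WKS02' }

Get-LogonFailureSummary -Events $sample -Threshold 10 | Format-List

# Against the live log (needs rights to read the Security log):
#   Get-LogonFailureSummary -Events @(Get-FailedLogons -Since (Get-Date).AddHours(-1))
```

On the sample, svc_backup (12) and WKS07 (12) are reported and jsmith is not. The threshold is the tuning knob: set it from a baseline of normal mistyped-password volume rather than guessing, and remember that without a collector each machine's log is still only a local view, which is the gap ACS is meant to close.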

THE UPSHOT OF ITERATION
Microsoft is taking a tactical, iterative approach to security, offering increasing functionality with each product release. The advantage to an iterative approach is that you get core functionality sooner, which is important to both Microsoft and its customers, given the pressures of security today. However, the approach also means that you must wait for certain features.

In general, Microsoft seems to be pushing the enterprise-deployment and management features into the second and third product iterations. In my opinion, Microsoft could be putting forth a little more effort and packaging tools such as Windows AntiSpyware into an MSI file that lets administrators deploy it automatically through Group Policy. Nevertheless, all these new security developments are positive for the Windows community and worth looking into for your environment.
