Trustworthy Computing
Published: August 18, 2003
Please note: Portions of this transcript have been edited for clarity
Hosts:
- Steve Lipner, Director of security engineering strategy in Microsoft’s Security Business Unit
- John Hazen, Group program manager, Windows Sustained Engineering Team
- Zachary Gutt, Technical product manager on the ISA Server team in the Security Business Unit
- Robert Hensing, PSS Security Team
- Jeff Cooperstein, Security representative from Visual Studio.NET and the .NET Frameworks
- Sanjay Puri, Product manager in the Security Business Unit
- Mark Miller, PSS Security Team
- Jerry Bryant, PSS Community Program Manager for Security
Moderator: Jerry (Microsoft)
Welcome to today's chat. Our topic is Trustworthy Computing. Questions, comments, and suggestions are welcome. As discussed last month, Mike was scheduled to be out of the office today and has asked Steve Lipner to fill in for him.
We can address your questions regarding the Blaster Worm but if you have not done so already, please check the following URL for the latest information: http://www.microsoft.com/security/incident/blast.mspx
Let's introduce our hosts for today.
Host: Steve Lipner (Microsoft)
Hello. I’m Steve Lipner, the director of security engineering strategy in Microsoft’s Security Business Unit. During last month’s chat, Mike Nash announced that he’d be on vacation this month and that I’d be filling in for him. Thank you for joining us.
Host: John Hazen (Microsoft)
Hello, I am John Hazen with the Windows Sustained Engineering Team.
Moderator: Jerry (Microsoft)
Hi, I'm Jerry Bryant, the Community PM for Security. Thanks for joining today.
Host: Zachary Gutt (Microsoft)
Hi, I'm Zachary Gutt. I'm a technical product manager on the ISA Server team in the Security Business Unit. Thanks for coming everyone!
Host: Rob Hensing (Microsoft)
Hi, I'm Robert Hensing, PSS Security Team. I support customers with security incidents and issues.
Host: Jeff Cooperstein (Microsoft)
Hi. I’m Jeff Cooperstein, the security representative from Visual Studio.NET and the .NET Frameworks.
Host: Sanjay Puri (Microsoft)
Hello, I’m Sanjay Puri and I’m a product manager in the Security Business Unit.
*START OF CHAT*
Host: Rob Hensing (Microsoft)
Q: What’s PSS?
A: Product Support Services. We support our customers.
Host: Zachary Gutt (Microsoft)
Q: It seems there are also other methods of filtering ports. Do you have a clear reason to choose TCP/IP filtering?
A: Could you clarify your question? What other methods are you considering?
Host: John Hazen (Microsoft)
Q: Not about the worm, but still on security. Are there any plans to release a SRP update for Windows XP SP1 as the Microsoft lifecycle site shows we are not expecting Service Pack 2 until the later half of next year?
A: We do not currently have plans to create a Security Rollup Package for Windows XP, but we are exploring ways to make these fixes more readily available and easier to install together.
Host: Jeff Cooperstein (Microsoft)
Q: Does Trustworthy remove DCOM in “longhorn”?
A: We are seriously looking at major design changes to DCOM that will greatly reduce the exposed attack surface area.
Moderator: Jerry (Microsoft)
Q: As a small business, what is the timeframe in which I should be reviewing patches from MS? Once a day, once a week, only when Homeland Security tells me to… once a month?
A: Our standard release schedule is every Wednesday, if there is a patch to release. We may, however, release them on off days if they are critical enough or if we are seeing a zero-day exploit.
Host: Steve Lipner (Microsoft)
Q: Does Trustworthy change the way that MS patches OS/Apps?
A: As Mike announced at RSA back in April, we’re putting a lot of work into patch management. The next versions of Windows Update, SUS, MBSA, and SMS will use common patch databases and detection. We are also working on consolidating our patch installers, on continuous improvement of our processes for testing and releasing quality patches, and on providing customers with better and more complete information about patches.
Host: John Hazen (Microsoft)
Q: MS states that Windows Installer 3.0 is the silver bullet for patches; is this still correct, and when will it RTM?
A: MSI 3.0 is expected early next year. Moving forward, Microsoft will rely on two basic installers: MSI for applications which are deployed using MSI, and Update.exe for the operating system and for applications which are not installed using MSI. Both of these installers will use a common set of command line switches, will register patches in the same fashion, and will each be supported by SUS and SMS.
Moderator: Jerry (Microsoft)
Q: Does Trustworthy change the way that MS patches OS/Apps?
A: We are working to narrow our installers down from eight to two: one for applications and one for operating systems. Windows Update will become Microsoft Update, and you will be able to get patches for all of our products there.
Host: Steve Lipner (Microsoft)
Q: How much of Trustworthy is in W2k SP4?
A: W2K SP4 incorporates a great many security fixes that were found during the Windows security push that was directed at Windows Server 2003. We definitely suggest W2K customers get on SP4 as soon as they can.
Moderator: Jerry (Microsoft)
Q: As a small business, what is the timeframe in which I should be reviewing patches from MS? Once a day, once a week, only when Homeland Security tells me to… once a month?
A: You should also subscribe to the security bulletin notification service: http://www.microsoft.com/technet/security/bulletin/notify.mspx
Host: John Hazen (Microsoft)
Q: Since W2k SP4 is crashing systems - when will SP4a be released?
A: There are no plans for SP4a. Can you clarify the problem you are encountering with your system?
Host: Zachary Gutt (Microsoft)
Q: I mean RRAS and IPSec as "other methods". I think those are easier to verify, with RRAS and IPSec. That is why I asked at first.
A: These other methods (RRAS and IPsec packet filters) would work just as well. TCP/IP filtering is chosen because it is common to the OSes that don't have ICF (both Windows 2000 and Windows NT 4.0); for example, the IPsec policy editor is only in Windows 2000 and later.
Host: Steve Lipner (Microsoft)
Q: Will Microsoft improve the way they offer their patches to their customers, i.e., sending e-mail messages (signed with PKI) warning them of critical updates?
A: At the time we started signing the security bulletin mailers, PGP was widely accepted as the way to sign messages. I’d like to hear feedback from this group about whether we should be switching to S/MIME.
Additional Response: Someone pointed out to me that badpotatoes’ question was about other messages being signed. We are taking steps going forward to ensure that customers can verify the authenticity of any mail from Microsoft about a security topic.
Host: Sanjay Puri (Microsoft)
Q: Is there a way to retrieve patches by their issue date instead of searching for them in the KB?
A: We will be releasing a new security bulletin search tool on Microsoft TechNet (http://www.microsoft.com/technet) in the next few weeks. The tool will allow you to search by severities and release dates. Stay tuned.
Host: John Hazen (Microsoft)
Q: I've heard that computers will be shipped with firewalls enabled, but will 03-026 be installed by the OEMs? I think waiting for XP sp2 is too long to wait for that patch to be included in a default system.
A: As with all Security Bulletins, we have made the MS03-026 Security Patches available to OEMs for preinstall, and have encouraged them to include this in all future shipments.
Host: Zachary Gutt (Microsoft)
Q: Is it okay to use ports 135-139 on the Internet?
A: In general, no. Unless you have a business need for having 135 open, it should definitely be closed. There are firewalls (like ISA Server) that are capable of inspecting RPC traffic at the application layer and discerning between the 'types' of traffic on port 135. I would also suggest a device capable of inspection like this.
Host: Steve Lipner (Microsoft)
Q: Is the solution to these security problems to install Linux?
A: I assume you’re joking, but security really is an industry-wide challenge. Did you see the news last week about the GNU site being hacked and open source distributions potentially trojaned for a period of several months?
Moderator: Jerry (Microsoft)
Q: Autocad has indicated that http://support.microsoft.com/default.aspx?scid=kb;en-us;824136 is needed to stop SP4 from corrupting files. Currently we have to call to get this... will there be a way to get this sort of "fix file" in an easier fashion?
A: The fix in the KB article you are referring to is only for customers who are experiencing the issue described in the article, so the only way to get the fix is to call for it. The phone call and the fix are free: 1-866-PCSafety
Host: John Hazen (Microsoft)
Q: Is there a way to retrieve patches by their issue date instead of searching for them in the KB?
A: Yes. The Windows Update Catalog allows you to search for updates by date, for instance 'all fixes released in the last week'. Details on accessing the Windows Update Catalog are at: http://support.microsoft.com/default.aspx?scid=kb;en-us;323166
Host: John Hazen (Microsoft)
Q: Tom: Is it true that there is going to be a "mini" service pack because of this worm?
A: We are exploring all our options for making Security Patches more widely available and easier to deploy. We have not committed to a "mini" Service Pack.
Host: Steve Lipner (Microsoft)
Q: Does MS think the wide publicity and lots of info made any difference to the infection rates and subsequently the level of DDoS on Winupdate?
A: We do believe that many customers, though obviously not enough, installed the MS03-026 patch in response to the outreach we did. We are focused on doing more to get the word out and make it easier for customers to get patches installed and keep their systems secure, and we think this will help reduce the incidence and severity of future worms.
Moderator: Jerry (Microsoft)
Q: Are there any other ways than Windows Update for distributing patches?
A: You know, not all of our customers are living with broadband. There are people on narrowband, whose only method to connect to the Internet is a phone line. Most patches (but not all) can be downloaded from the Microsoft Download Center: http://www.microsoft.com/downloads/ or via the Windows Update Catalog, which you can access via Windows Update by clicking “Personalize Windows Update”.
Host: Jeff Cooperstein (Microsoft)
Q: Will MS lock down later versions of Windows (Longhorn) like they have done with Win2k3 Server?
A: Absolutely. Since it is a client release, the specifics will change, but the principle of secure by default will prevail.
Host: Steve Lipner (Microsoft)
Q: Steve: Linux has its own challenges; switching to Linux would require starting on a new learning curve. The best security measure is an informed and capable system administrator, regardless of platform.
A: Agreed, but we can also make it easier for the administrator to operate his system securely, and we are committed to doing that.
Moderator: Jerry (Microsoft)
Q: What is the cheapest and easiest way to deploy patches AND service packs in a large corporate environment? Are we forced to buy advanced patch management software just to deal with the security issues on a weekly basis?
A: We have a free tool available to all customers: Microsoft Software Update Services. You can download it here: http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
Host: Rob Hensing (Microsoft)
Q: A new worm on the internet has been discovered today. W32.Welchia isn't any ordinary worm since it helps its 'victims' exterminate the W32.Blaster worm.
A: Check out this URL: http://xforce.iss.net/xforce/alerts/id/150
Host: Zachary Gutt (Microsoft)
Q: When will the next SUS package be released to the public?
A: The next version of SUS is scheduled to be in beta by the end of this year, and is scheduled for release in the 1st quarter of 2004.
Host: John Hazen (Microsoft)
Q: Does not the publicized release schedule for service packs state a 12-month cycle for SPs or roll-ups? Should this not be changed then?
A: Many customers have communicated that a 12-month cycle is too fast, and we have now moved to publication of our anticipated release schedule in the form of a roadmap for our releases. This roadmap is found at: http://www.microsoft.com/windows/lifecycle/servicepacks.mspx
Host: John Hazen (Microsoft)
Q: Is it true that SP2 won’t arrive till late 2004/5? How does MS plan for end users to keep up to date with the many, many patches, especially in light of recent events?
A: In terms of interim solutions, we encourage people to make use of the current tools (AU, SUS, etc.) to keep their systems current. We are also exploring several options to make these fixes smaller and more easily combined for deployment.
Host: Steve Lipner (Microsoft)
Q: How does Microsoft plan for end users to keep up to date with the many, many patches, especially in light of recent events? I think you'll find it's called being able to use a PC.
A: We understand the difficulty of keeping systems up to date and protected and are working on making this easier. The page at http://www.microsoft.com/security/incident/blast.mspx provides some good general steps that end users can use to keep their systems up to date and protected.
Host: Zachary Gutt (Microsoft)
Q: Do I still need ISA if I replace current W2K server with 2003 server?
A: Yes, I would continue to run ISA Server. ISA Server is all about protecting the network that is sitting *behind* the firewall. Windows Server 2003 is not designed to do that on its own. By the way, there is a great write-up on how ISA Server stops Blaster at http://www.microsoft.com/isaserver/default.mspx
Host: Steve Lipner (Microsoft)
Q: What is MS doing to prevent this sort of thing from happening again?
A: Microsoft has had a multi-pronged strategy to address such security issues. This strategy, called SD3C, is secure by design, secure by default, secure in deployment, and communications. Secure by design means building systems bottom-up with secure coding practices. Secure by default means turning off all non-essential services and options on products, so system administrators know exactly what they need and enable. Secure in deployment means creating a predictable patch experience for customers. Communications means raising awareness of secure computing practices and providing appropriate information to customers.
Moderator: Jerry (Microsoft)
Q: How does SUS work?
A: SUS is like running your own Windows Update. See this URL for details: http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
Host: Rob Hensing (Microsoft)
Q: Will Microsoft post tools / scripts for configuring IPSec to help administrators and home users?
A: I wrote a KB article during Slammer: 813878, "How to Block Specific Network Protocols and Ports by Using IPSec" (http://support.microsoft.com/?id=813878). It helps users understand how to use IPSec to stop worms. The same could be done for Blaster, but RPC ports are used by a lot more and this would break more things (so this worm isn't as easy to stop without impacting production, unfortunately).
Host: John Hazen (Microsoft)
Q: Will the next SUS, scheduled for release in Q1 2004, support Asian languages other than Japanese?
A: SUS 2.0 will support clients of all languages, but the SUS Server software will not be released for all Asian languages.
Host: Mark Miller (Microsoft)
Q: Do you have a check tool for the blaster worm that will work on other language versions than English?
A: While the UI and interface of the tool is English, the tool will scan all languages.
Host: John Hazen (Microsoft)
Q: Would MS consider creating a more friendly slipstream guide to help end users integrate the many patches into a new CD?
A: We include a deployment guide with the service pack that describes how to do slipstreaming. We will revisit this with end users in mind, rather than the corporate IT user we had in mind.
Host: Steve Lipner (Microsoft)
Q: Will blaster have an effect on longhorn alpha/beta releases, and is it a good learning experience in development of the next OS?
A: We had already been focusing on security as a top priority for Longhorn. When something like Blaster, and the DCOM vulnerability, happens, we do treat that as a learning experience and adapt our processes to avoid making the same mistakes.
Host: Zachary Gutt (Microsoft)
Q: When will SUS 2 be released?
A: The next version of SUS is scheduled to be in beta by the end of this year, and is scheduled for release in the 1st quarter of 2004.
Host: Steve Lipner (Microsoft)
Q: I've noticed that quite a number of security updates are due to buffer overrun bugs. What steps will Microsoft take to reduce these from happening?
A: We have a multifaceted attack on buffer overruns, including automated tools and developer training. There are a lot of different kinds of buffer overruns, so one detection method does not solve all problems, but we are definitely pushing to find and
Host: Steve Lipner (Microsoft)
Q: Considering the scope of this vulnerability, it's been around a long time. Why didn't the code review pick it up last year?
A: The fact that the vulnerability was missed in the security push was due to a process error. We’ve done a detailed review of why and how, and are making the appropriate changes.
*END OF CHAT*
Host: Steve Lipner (Microsoft)
Thank you all for coming. We'll see you in September.
Moderator: Jerry (Microsoft)
Just a reminder, we will have another security chat in September, add it to your calendars today: http://www.microsoft.com
Please post follow up questions in the Microsoft.public.security newsgroup: News://msnews.microsoft.com/microsoft.public.security
Host: John Hazen (Microsoft)
Thanks everyone. Lots of good questions and issues raised. Sorry we have not been able to answer each question.
Host: Zachary Gutt (Microsoft)
Thanks for coming, everyone...this was a great turnout.
Host: Rob Hensing (Microsoft)
It was . . . interesting chatting with you all. ;-) Great questions!
Moderator: Jerry (Microsoft)
Thanks everyone.
For further information on this topic please visit the following:
Newsgroup: http://www.microsoft.com/technet/community/newsgroups/security/default.mspx