Security in Microsoft Products with Mike Nash
Published: May 14, 2004
Please note: Portions of this transcript have been edited for clarity
Introduction
Moderator: Jerry (Microsoft)
Welcome to today's Chat. Our topic is Security in Microsoft Products, with Mike Nash. Questions, comments, and suggestions are welcome.
Host: Mike Nash (Microsoft)
Hello everyone and welcome to our monthly security web chat. My name is Mike Nash and I am the Corporate VP of the Security Business Unit at Microsoft. I am joined here in Redmond by a crack team of security experts who will help me make sure we answer your questions. Please feel free to ask any question you may have about security or the security of Microsoft Products.
Start of Chat
Host: Mike Nash (Microsoft)
Q: Is MSFT going to certify third-party software that correctly only requires user level privileges? Instead of Power user or administrator?
A: This is a goal for Longhorn, called LUA, Limited User Account. For more info, read this: http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp. Great question and thanks.
Host: Mike Nash (Microsoft)
Q: Will the Service Pack 2 Security Model implement any changes into the .NET Framework, like new security libraries?
A: The .NET Framework v1.0 and v1.1 will have Service Packs released at the same time as XPSP2, but they do not contain new features. We are providing new security libraries as well as many other new features in Whidbey. The Beta for Whidbey will be released soon.
Host: Mike Nash (Microsoft)
Q: Are you guys using Whidbey for developing Service Pack 2? Even though VS.NET 2005 is still in beta?
A: Great question Derek! We most certainly are! Most importantly, we’re using the new, updated -GS (stack based buffer overrun detection) flag. You can read more about this here http://blogs.gotdotnet.com/branbray/PermaLink.aspx/79185d10-58e7-4429-a1da-08aadb407c19
Host: Mike Nash (Microsoft)
Q: Can we connect through RAS to have MSVPN certificate download to computer
A: You need to let the person connect with a non-certificate authentication method (i.e. – PPTP) then run a post connect script to plumb down the certificate. This can be done using Connection Manager and post connect scripting. If Connection Manager is not an option, the user can sign in with a non-certificate auth protocol, and DNS hijack the user to an internal web site that will provision them. Once the certificate is plumbed down to the client, you can have the script force a reconnect and then use L2TP/IPsec and EAP-TLS for the authentication protocol.
Host: Mike Nash (Microsoft)
Q: Has MSFT given any thought to developing "security" templates for the home user, similar to the ones you have on your website for businesses?
A: This is a hard problem in that it’s not clear that home users would use them. Our plan is to provide simple to follow guidance, augmented by automation tools like we have on /protect. We will be further building out a consumer guidance site.
Host: Mike Nash (Microsoft)
Q: Can you talk about whether or not Microsoft will release a patch for XP & Windows Server 2003 that will allow an application (at runtime) to verify that IPSec is up and running.
A: Right now there are no plans to do this, can you please send details of the problem you’re trying to solve to Michael Howard, mikehow@microsoft.com.
Host: Mike Nash (Microsoft)
Q: Any plans to integrate tools like PREFast, PREFix and SLAM in VS.NET?
A: We absolutely believe that tools like this are important for us to provide to developers. Whidbey, the next release of VS, is already scheduled to make PREfast available, and FxCop will be integrated into the tools for managed code. Great question.
Host: Mike Nash (Microsoft)
Q: I've installed the preview of SP2. Now, I've noticed that if I turn off any of the features in the new Security Center, it always shows an icon and a balloon tip. Will it be possible to turn those off?
A: Great question. There is no plan to make it possible to turn off the balloon. The one exception is that if you have AV that isn't detected, you can tell WSC that you are using a non-detected product and then we won't bug you.
Host: Mike Nash (Microsoft)
Q: Are there plans for a lockdown tool similar to LIDS (sorry the competition)? The IIS lockdown tool only turns off services, it does not prevent file edits/deletes and such.
A: Right now there are no plans to build a LIDS like product. If you have ideas for something here, please mail mhoward@microsoft.com so we can understand your input.
Host: Mike Nash (Microsoft)
Q: Are (or will) all MSFT applications currently usable with just "user" level privileges under Win XP?
A: Most Microsoft apps do run with “user” level privileges today, in fact, Michael Howard tells me his next article on MSDN “Code Secure” will focus on creating limited user applications, how to debug them, and how to operate in this much safer, lower pri
Host: Mike Nash (Microsoft)
Q: Is the patch situation projected to get better, same or worse with regards to amount, severity and complexity?
A: This is a great question. There are really three things we are doing to make this easier. The first is our focus on quality. New products like Windows Server 2003 have gone through a lot of engineering changes to reduce the chance of there being a vulnerability. The second is that we are working hard to improve the updating process. For consumers this is about improving Windows Update, but also creating a second tool like WU that covers the rest of the Microsoft platform. This is called Microsoft Update. For enterprises, we are creating a second service LIKE Microsoft Update but for enterprises. Today we have a tool called Software Update Services, but later this year we will enhance this with the ability to handle a broader set of Microsoft products. This will be called Windows Update Services.
Host: Mike Nash (Microsoft)
Q: I read that the use of PREFast and PREFix during W2K3 helped to detect about 17% of errors. I wonder if you plan on integrating those tools (PREFast, PREFix and SLAM) in VS.NET?
A: We do plan on integrating some of our internal code analysis tools into future versions of VS.NET, the timeframe for this is still in flux, but it’s a big goal of ours to let developers build more secure code on the Windows platform. Also, PREfix is available today in the Windows Server 2003 Device Driver Kit.
Host: Mike Nash (Microsoft)
Q: Will some of Longhorn's security features be included in SP2?
A: This is an interesting question. Some of the concepts in SP2 were originally planned for Longhorn. One great example is the firewall.
Host: Mike Nash (Microsoft)
Q: Well here is my question. Why oh why are there so many un-needed services with SYSTEM privileges running by default? Is the planning in SP2 to turn them off? With Windows Server 2003 we move ~25 services off by default.
A: With Windows XP SP2 we looked at this work, the impact to application compatibility it had, and made some informed decisions for SP2. With SP2, we did a few of the 25 we did for server (Alerter, Messenger) and also changed a few to run with least/reduced privilege. We will continue this work for Longhorn and future service packs.
Host: Mike Nash (Microsoft)
Q: SP2 is great but what are you planning for previous Windows versions. What exactly are your plans for Win2k etc?
A: Great question and a hard problem. We are focusing very much on getting Windows XP SP 2 done. We understand that many customers are still using previous versions of Windows. While there are no plans to make these features available, we do recommend that for machines that face the internet directly and laptops that customers move to Windows Server 2003 and XP SP2 respectively.
Host: Mike Nash (Microsoft)
Q: Forgive how OFTEN this question is asked on the newsgroups ... But WHEN will our AntiVirus products be recognized by SP2?! Derek: I've tried Norton 2004, and Panda, and McAfee.
A: Derek, Norton and McAfee recognition have been added to RC2. Here is the list for AV in RC2: AhnlabAV (presence only), ETrustAV, KasperskyAV, McAfeeAV, NortonAV (presence only), PandaAV, SophosAV, TrendAV. The presence-only ones are areas where we are still working closely with the vendors to iron out remaining issues. If your vendor’s product is not supported, let us know and let THEM know. Great question.
Host: Mike Nash (Microsoft)
Q: Are there any plans to build integrated biometric security controls into Windows in the future?
A: We already support Extensible Authentication Protocol (EAP) in our Internet Authentication Service (IAS) running in RADIUS mode. EAP is the industry standard protocol for biometric authentication operations, as well as any other two-factor auth controls, that all vendors work with. EAP is fully supported on Windows XP clients and therefore we support biometric operations out of the box. Any vendors you are working with should support EAP and then you should be all set.
Host: Mike Nash (Microsoft)
Q: When will WUS be in a state where enterprises can test the product?
A: WUS is currently in beta with about 400 customers. Later this summer, we will provide an open evaluation for more customers to participate in it.
Host: Mike Nash (Microsoft)
Q: Will the future of WUS include a test to see if the patch has been deployed (a la baseline analyzer) and also reporting to see which patches were deployed to whom?
A: WUS will provide a way for you to figure out whether a patch has been deployed and to whom. You can get more details on the functionality at http://www.microsoft.com/wus
Host: Mike Nash (Microsoft)
Q: Will future versions of windows provide stronger protection for password storage?
A: Yes, we are investing in & working on stronger password protection for Longhorn.
Host: Mike Nash (Microsoft)
Q: What is the time frame for Windows Update 5.0, I've been looking forward to have integrated patching across my Microsoft products for the last 2 years, in regard to this what kind of changes will SP2 bring to Windows Update?
A: Windows Update 5.0 will still contain only Windows updates. Later this year, we will release a Microsoft Update service that will provide patching across all Microsoft products. For SP2, the Windows Update site and Automatic Updates functionality will provide better support for dial-up users by leveraging delta compression technologies, a simpler way to quickly get the critical updates and an integrated download experience between. With Automatic Updates, there is new functionality to install updates at shutdown so scheduled install times do not get missed.
Host: Mike Nash (Microsoft)
Q: Is there any way we can save today's questions and answers?
A: Yes, the transcript will be published on TechNet within 10 days: http://www.microsoft.com/technet/community/chats/trans/default.mspx
Host: Mike Nash (Microsoft)
Q: Mike, would you comment on an article posted on SlashDot, about Longhorn system requirements? Like 2GB of ram and a 4GHz processor?
A: Sorry Hmemcpy.....it’s too early to talk about system requirements for Longhorn.
Host: Mike Nash (Microsoft)
Q: Any plans for Home Edition to get more advanced security features? It cannot even protect the files on the disk. Default user: administrator! It's a big security hole.
A: Home Edition and Pro are built on the same technology, but in Home Edition we hide some of the security dialogs because most home users shy away from complex dialogs. In short, if you want access to low-level security settings I would highly recommend you use pro.
Host: Mike Nash (Microsoft)
Q: Will Longhorn rock, rock on?
A: Derek, was there really ever a question. :)
Host: Mike Nash (Microsoft)
Q: Any plans for supporting ElGamal and Elliptic Curve in System.Security.Cryptography?
A: No plans right now. Out of interest, what is it that interests you about these algorithms? We’re always open to adding functionality to help solve customer issues!
Host: Mike Nash (Microsoft)
Q: Has MS ever considered the use of a double password for Admin accounts? Dave Cutler invoked this in VMS and I don't see why it wouldn't be beneficial with Server and Admin accounts.
A: Absolutely – it’s called smart card authentication and it is fully supported with EAP protocol. Admins should not only have to supply a username/password, they should also be required to supply a physical smartcard and PIN to access it, thus enabling two-factor authentication for all admins. This ensures that the person is who they say they are because in order to log in they need to have the physical card AND the PIN # to access the card AND their personal password. Smartcards work off of EAP protocol and therefore the same methodology works with biometric authentication as well.
Host: Mike Nash (Microsoft)
Q: Does MSFT have a list of both its and ISV's applications that correctly run with only "user" level privileges? If not, that would be a great resource to "shame" people into better design.
A: Our Application Experience team continually tests a broad set of applications for each release and milestone. For XP SP2, user vs. admin privilege is not something we actively monitor or report today; rather, we focus on compatibility relative to XP RTM/SP1. However, for Longhorn this is an area we are investing in (i.e. having users run with “Least User Access” and “Protected Admin”).
Host: Mike Nash (Microsoft)
Q: Where can we get more details on how EFS actually works?
A: The architecture of EFS is described here http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/WinNETSrvr-EncryptedFileSystem.asp
Host: Mike Nash (Microsoft)
Q: What is Microsoft doing to educate end users so they don't get nailed by these worms like Sasser?
A: Great question Jim. Microsoft has published guidance on www.microsoft.com/protect. There are three big steps:
1.) Install a personal Firewall
2.) Set your pc to receive automatic updates
3.) Get an AV solution and keep it up to date.
Host: Mike Nash (Microsoft)
Q: Has any further thought been given to the idea of "SUS-on-a-disk", as we've been calling it? Where an admin could either maintain a multi-session CD, or an updated ISO that he could use to install on machines located away from WAN?
A: Yes. We provide a way to take content from one SUS server onto media and transfer to another SUS server. See the deployment guide. We do not provide a way to create media for installation from the client.
Host: Mike Nash (Microsoft)
Q: If I create a thread with a restricted token, couldn't the thread just revert itself back to the process token to gain elevated privilege?
A: Absolutely true – assuming the code path has a call to RevertToSelf(). This is why we added the SE_PRIVILEGE_REMOVED flag to AdjustTokenPrivileges() in Windows Server 2003 and Windows XP SP2.
Host: Mike Nash (Microsoft)
Q: Thanks Mike. But how is Microsoft getting the message out to those end users? It does not seem like they are getting it
A: It’s a fair point Jim. I can't quote numbers, but a few things worthy of note. The number of people using WU is up a lot. We need it to be higher but the numbers are better. Overall, firewalls are being used more. The result is more customers having a good experience in worm events like Sasser. That said, getting people to install SP2 will be a very important opportunity for customers to be safer. We are going to be working hard to get as many people as possible to move to SP2. There have also been quite a few questions about SP2 on pirated machines. We will require a customer to have a legitimate copy of XP in order to install SP2.
Host: Mike Nash (Microsoft)
Now I would like to ask you all some questions.
Host: Mike Nash (Microsoft)
Question from Mike: How much impact did Sasser have on your environments?
Response from Customers:
1.) None, because I take care of my system.
2.) None
3.) My home environment -- zero. My wife's work -- again zero.
4.) None...corporate firewall and SUS took care of that
5.) Many many people are running firewalls now and frequently patch their system...
6.) None - as I patched - however at the Tech conference I went to vendor machines were nailed all over the Conference floor
7.) I'm in Boston, and when sasser hit, it was all hands on deck, Bentley College, Boston University, and Boston College all got hit hard, I was at all 3 patching systems, every system was rebooting because of the lazy admins not patching.
8.) No impact from Sasser. All systems are behind a firewall and the Windows systems are patched.
9.) Sasser didn't hit me. Or my neighbors, or my family (as I'd just stomped out a nasty CWSShredder infection on several of their systems)
10.) If it wouldn't be for the blaster worm, there would not be such improvement in security today
11.) I didn't notice Sasser at all
Host: Mike Nash (Microsoft)
So it sounds like you all followed the guidance we had.
Host: Mike Nash (Microsoft)
Question from Mike: What did you all think about the arrest of the Sasser guy? Do you think this will deter others from writing worms?
Response from Customers:
1.) The arrest of the sasser guy does little, I haven't seen a picture of him or a video of his arrest, the Linux guys claim he's just some shlep Microsoft nabbed, the Linux guys claim its the wrong guy, they would only believe it if they saw how MS tracked
2.) It'll make them more careful. If I was to write a worm and boast about it, you can be sure the only way I'd do that is after I run my connection through 10+ machines around the world. Of course, if a reward is at stake, it could make things harder for people, since they need to be more careful.
3.) Mike: Not really, many get big $ job offers after they do their time. Thus, big incentive to "make the big time".
4.) Yes. People don't care unless there is something in it for them.
5.) On the Sasser arrest, I think it's "a good thing". Pay his friends off, and make a big deal about the fact that you've done so (don't publicize their names if they don't need it). But of course, the flip-side is that I've already heard people say that now that the Sasser guy's been arrested, they don't need to worry so much about putting the patch in place.
6.) They will keep their mouth shut about it but will still do it.
7.) Think of the RIAA suing people: has that stopped file sharing?
8.) being arrested has never deterred any other criminals....
9.) As long as hacking remains as exhilarating as it does today, it'll never stop.
10.) I don't think the arrest of one guy stops others from writing viruses
11.) Yes & No. I think it will deter the odd little guy, but the serious people who are creating zombie networks won't be deterred
Host: Mike Nash (Microsoft)
Great feedback
Host: Mike Nash (Microsoft)
Well we are about out of time. I want to thank you all for the time. Please join me next month for the next Chat. Again, thanks for your great questions and input.
Moderator: Jerry (Microsoft)
Here's Mike's landing page for his future chat: http://www.microsoft.com/communities/chats/security/default.mspx
Moderator: Jerry (Microsoft)
Please post follow-up questions in the microsoft.public.security newsgroup: news://msnews.microsoft.com/microsoft.public.security
For further information on this topic please visit the following:
• Security Transcripts: Read the archive