Trustworthy Computing with Microsoft Vice President, Mike Nash
Published: February 17, 2004
Please note: Portions of this transcript have been edited for clarity
Introduction
Moderator: Jana (Microsoft)
Welcome to today's Chat. Our topic is Trustworthy Computing with Mike Nash. Questions, comments, and suggestions are welcome.
Host: Mike Nash (Microsoft)
Good morning (or afternoon or evening depending on where you are) and welcome to the monthly security chat. My name is Mike Nash and I am the corporate vice president of the Security Business Unit here at Microsoft. I am joined today by a crack team of security experts here at the Microsoft campus in Redmond in case you have questions that require their help. In today's chat, please feel free to ask any question you have about computer security, security of Microsoft products or Microsoft security technology.
Start of Chat
Host: Mike Nash (Microsoft)
Q: Florian: Not exactly a question, but I guess also welcome. Wanted to say that I think security did improve quite a bit from w2k to w2k3. Keep up the good work.
A: Thanks for the feedback, Florian. It's great to see you using the new products and having that great an experience. What has been the best thing about Windows Server 2003 security for you?
Host: Mike Nash (Microsoft)
Q: Florian: Most welcome was the fact that it is locked down in the beginning and you have to enable features yourself.
A: Great feedback, Florian. Secure by default is something we worked hard on. We actually have learned a lot from that experience. It's one of the things we are focusing on for Windows XP SP2.
Host: Mike Nash (Microsoft)
Q: Is Mydoom a big danger for Microsoft?
A: Great question. Overall, we have been watching Mydoom very closely. Certainly we want to do whatever we can to help customers be protected. We released a Mydoom cleaner tool last week which was designed to make it easy to detect Mydoom on your system and, if it's there, make it go away. In terms of Microsoft itself, the concern had been Mydoom potentially attacking Microsoft.com, but we have been able to take protective measures to make sure that Microsoft.com is not affected by Mydoom.
Host: Mike Nash (Microsoft)
Question from Mike: Do people like that we have now moved to monthly security bulletins instead of weekly?
Response from Customers:
Monthly security updates: some people say they don't like to reboot their servers even on a monthly basis. Eliminating reboot requirements is also important for home users, as this would enable automatic installation of security updates in the background, without prompting.
I only administrate a small network (~20 workstations / 7 servers), so I can't speak for other admins, but I liked the weekly updates more.
Host: Mike Nash (Microsoft)
There were several comments about monthly updates.
A: Our move to go to predictable monthly Security Bulletins, as opposed to potentially weekly, was largely driven by a majority of our customers. We recognized that any change would be non-preferred for some customers, so we talked to a lot of customers, consulted our customer advisory councils and similar forums to vet our proposed changes. Since implementing in October, the vast majority of feedback has been positive about the change to the monthly schedule, so we feel like this was a good change. We certainly hear and understand the feedback about reboots and are working to eliminate reboots wherever possible.
Host: Mike Nash (Microsoft)
Q: How do you best describe the automated code checking feature? Will you implement something new about it in the new releases?
A: Great question. We have a number of tools we use internally, most notably PREfix and PREfast. The tools work by compiling the code and analyzing data flow through the Abstract Symbol Table (AST); this can determine code defects based on specific data conditions. We "teach" the tools new coding defects regularly, and then use the tools to analyze code. PREfast is available today in the Windows Server 2003 DDK. Also, there's a tool we use for managed code, called FxCop, available for public use at http://www.gotdotnet.com. You should use this tool on all your managed code applications.
Host: Mike Nash (Microsoft)
A: Great question. We are certainly looking at and working on new ways to provide protection for our products.
One great example is the work we are doing in Windows XP SP2. In the case of Windows XP SP2, we really were inspired by what the firewall was able to do in the Blaster timeframe. In this case, customers who never installed MS03-026 were protected when they used a firewall, such as ICF in Windows XP. As a result, our focus was to not just look at the potential vulnerabilities (which we continue to focus on), but also at the vector through which malicious code comes into a system. There were four vectors that we looked at with Windows XP SP2: 1. network port attacks, 2. email and IM attachments, 3. web downloads, 4. buffer overruns. For network attacks, the key thing we did was to improve ICF (now renamed Windows Firewall) to make it work in a broader set of scenarios. Our goal was to make sure that there was never a good reason for a customer to turn it off. We have also enhanced it to make it manageable using Group Policy (AD). The second vector is email and IM attachments. There is really nothing wrong with attachments per se, but the issue is when attachments have code. So for Windows XP SP2 we have made enhancements to stop execution of attachments that have code in them. This is how Mydoom, Sobig, etc. got into systems. Web downloads is the third vector. In this case we wanted to make it easier for customers to block untrusted code from running on their systems. As part of this we also blocked popups by default in IE. The cool thing here is that you can enable popups for sites that use them that you trust. Finally, buffer overruns are an area of focus. To deal with this, we have enhanced the BO checking for stack overruns using some new compiler technology called /GS. For heap overruns, we are taking advantage of emerging microprocessor technology called "no execute" (or the NX flag) available on new CPUs from Intel and AMD. While there is only a small installed base of NX capable systems today, as it grows the software will be ready to take advantage of it.
We are also looking at other investments around protection that we will be talking about in the future.
Host: Mike Nash (Microsoft)
Q: So by default SP2 is blocking my ActiveX components, and also Flash animations. Was it planned that way, or is it just because of the early beta release?
A: In light of the increased threat landscape we are re-evaluating the default security settings in Windows XP SP2, including Internet Explorer. For a complete list of what's currently implemented, look at "Changes to Functionality in Microsoft Windows XP Service Pack 2" at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Host: Mike Nash (Microsoft)
Q: Has Mydoom made it more likely for MS to release a virus scanner, or build one in (of course depending on terms of antitrust)?
A: We take the broad threat of malicious code seriously, and are considering a number of options to help make customers safer and more secure. The work in Windows XP SP2 is really all about that. The idea here is to block infection in the first place with an active approach. As you know we also have created a cleaner tool to detect and remove MyDoom, but are also working with partners to make sure that their tools are effective at prevention and removal as well.
Host: Mike Nash (Microsoft)
Q: On Windows 2003, the SeDebug privilege can be used to patch running processes, such as lsass.exe, correct? Why don't the patches assign this privilege on the fly instead of making admins do it?
A: The Debug privilege is an incredibly powerful privilege, as you correctly assert, and by default only admins have the priv. Patching requires having more than this privilege however, as you may need to update portions of the file system or the registry protected by strong ACLs. Unfortunately, simply granting the priv on the fly won't allow a user to patch the system.
Host: Mike Nash (Microsoft)
Q: How does XP SP2 block code in attachments? Is it just the Outlook-esque extension blocking?
A: There is an API in Windows called "filehascode" that is called when an attachment is opened. There are two things going on here. 1. We are enhancing the API to be more effective at detecting code. 2. We are calling the API in more of the appropriate places, including Outlook Express, IE and IM. Of course the API is also available to third party applications that want to provide this same protection.
Host: Mike Nash (Microsoft)
Q: Mr. Nash, the C++ compiler generates an error that the exe is too big, split your program into DLLs. Does that mean there's a mathematical equation between .exe and .dll as a standard?
A: Elko, what compiler and OS are you using and what's the error you're seeing?
Host: Mike Nash (Microsoft)
Q: I plan to deploy an ISA server in our company. We have NAT via RRAS services already. Do I have any advantage when I put the ISA server between the net and the RRAS service, or does it make more sense to install it directly on the RRAS/NAT?
A: Great question Florian... actually I think you are asking two questions. In answer to your first question, ISA Server 2000 NATs traffic itself. Because of this, there is no advantage at all to running in this config: Internet -> ISA Server -> RRAS -> internal network, and having both RRAS and ISA Server NATting traffic. For your second question, you'll have problems if you install ISA Server on the same machine that has RRAS NAT enabled (disable RRAS NAT because the ISA Server NAT engine must be used). The story changes with ISA Server 2004, because you can turn off NAT and route traffic. Then a configuration like you suggest would be possible, but not necessary.
Host: Mike Nash (Microsoft)
Q: Will security-related people and their teams start blogging a bit more about internal processes so that customers could gain more insight into many of the issues surrounding security in MSFT products?
A: Great question Michael. We have several.
Michael Howard - http://blogs.msdn.com/michael_howard/
Brian Johnson - http://blogs.msdn.com/brianjo/
Jerry Bryant - http://www.msmvps.com/secure/
Eric Lippert - http://weblogs.asp.net/ericlippert/
Ivan Medvedev - http://blogs.dotnetthis.com/Ivan/
Host: Mike Nash (Microsoft)
Q: Would MS consider a new executable extension that applies only to managed code? In the interim until evidence is stuck to executables, that'd be a nice way to deploy code that always runs in a sandbox
A: Today we can reliably determine if you are working with a managed executable by looking at the internal PE header, and we use this when you browse to managed EXEs on the web which we will run in a sandbox. With Whidbey, the next release of the .NET Framework, we are already taking steps to move towards a manifest based definition of an application with "Click Once". This uses a different extension (such as .deploy), and will be used to run applications in the sandbox or to inform the user of the consequences if the manifest is asking for permissions outside of the sandbox. Thanks for the question.
Host: Mike Nash (Microsoft)
Q: The elimination of reboots would be one step closer to the fully automated home, would it not? I mean, who wants their front door to reboot while they're out and find themselves coming home and their front door still not booted up, thus locking them out, lol.
A: Great point. As I said, our goal is to eliminate reboots where we can. The current Autoupdate tool does do the reboot automatically for home users. We spent a lot of time thinking through the issues here and decided that getting the user up to date is the best answer.
Host: Mike Nash (Microsoft)
Q: Will such delays as "Experts are fuming over the lengthy delay -- 200 days -- between when Microsoft Corp. was first notified of a critical vulnerability affecting all supported versions of Windows and when it released a patch" happen again?
A: Great question Jaz. The key goal here is making sure that we ship quality patches. With responsible disclosure, the key thing that you must understand is that the vulnerability is not public. Given the number of customers who use our software, we must include quality in the equation, otherwise people might prioritize compatibility over security and not deploy the patch. We really appreciate the responsible behaviour of researchers who tell us about these issues confidentially. When they are not public, the risk to the customer is low.
Moderator: Jana (Microsoft)
Mike, thanks so much for joining us today.
Host: Mike Nash (Microsoft)
I want to thank everyone for the great questions today. I look forward to chatting with you again next month (visit for upcoming chats: http://www.microsoft.com/communities/chats/default.mspx)
Moderator: Jana (Microsoft)
Thanks to all of you for joining us today.
Moderator: Jana (Microsoft)
If you have additional questions on security, we welcome you to post them in the newsgroups.
Moderator: Jana (Microsoft)
Bye all!
For further information on this topic please visit the following:
• Security Transcripts: Read the archive