Security in Operation (4/4): Managing Security

Security Management

By Jeffrey R. Jones
Director, Microsoft Security Business and Technology Unit

See other Security Management columns.

As part of my work for Microsoft, I have spent a lot of time analyzing OS security, customer feedback, metrics for progress, and where those three things intersect. I’ve discovered that there is quite a large gap between the theoretical idea of security and the practical security concerns of customers. This article is the final in a series where I’ve examined customer concerns and raised questions to think about with respect to using either a Microsoft Windows–based or a Linux-based operating system.

This month, I look at common management tasks for security within an IT operation. Security event management is sometimes referred to as “security management,” but I’m referring to the day-to-day operational security aspects that IT deals with.

Software Management Is a Security Issue

Zone-H recently published a report (along with data) that analyzed more than 740,000 successful Web server attacks since 2002. Zone-H found that the single largest factor in successful attacks was administrator misconfiguration, cited in 33 percent of the attacks; the second largest factor was unpatched vulnerabilities, cited in 25 percent.

These findings are echoed by Gartner Group analysts who have estimated that 65 percent of all security breaches come from misconfiguration of systems, and who emphasize the importance of good management tools to the security of systems and networks.

Keeping Systems Patched

Recently, Wipro surveyed 90 customers managing between 5,000 and 20,000 systems that included both Windows and Linux. The survey found that the total cost of security patch management on a per-event basis was 14 percent less for Windows-based systems (see the full study). Note that customer answers incorporated whatever real-life tools the customers used and ranged from manual tools and processes to broadly deployed patch management tools.

These findings are particularly interesting when combined with studies by Forrester (Is Linux More Secure Than Windows?) and Security Innovation (Web Server Role and Database Server Role) showing that Linux-based solutions have had significantly more vulnerabilities to patch over the past couple of years. Although these findings are counter to common “perception,” they are based upon a repeatable methodology, so they’re worth taking a look at.

At Tech•Ed this year, Microsoft announced the Microsoft Update service, a new generation of updating infrastructure that expands on Windows Update and Automatic Updates to include updating of Office, SQL Server, and other application products. Microsoft Update accompanies updates to the free update staging server (SUS, now Windows Update Services) and will drive an update for Systems Management Server 2003 this year, significantly improving update tools and infrastructure for customers.

PKI-enabled Security and Privacy

One of the most common security management tasks is establishing the electronic credentials for new employees so that they can have access to the network, e-mail, wireless access, remote access, and access to common resources like printers and file servers. Perhaps even more important is the ability to take away that access when employees leave.

Throughout the 1990s, companies struggled to deploy Public Key Infrastructure (PKI) to enable certificate and encryption-based technology within their enterprise. Microsoft changed that by delivering integrated Certificate Services in Windows Server 2003 and introducing key manageability features.

Integrated Certificate Services with Role-based Management
Removing the need to buy costly PKI software services, Microsoft has integrated rich Certificate Services into Windows Server 2003, making PKI feasible and manageable for customers. The role-based administration feature can be used to separate responsibilities for managing and maintaining the Certificate Authority (CA) into different roles, making it more difficult for any one person to breach security.

Autoenrollment Capability
Autoenrollment allows for certificates to be issued automatically to computers or users for purposes specified by the administrator. This allows more control than with manual enrollment, and the process is easier and more transparent for the user. No awareness of the process is required on the part of the user. You can also configure the system to prompt the user during the enrollment process (for instance, to enter a PIN for smart card certificates).

Active Directory – Group Policy, Metadirectory, and Single Sign-On
Active Directory is the secret spice in the integrated innovation, providing multiple capabilities supporting PKI and security management in general.

In the open source world, OpenLDAP has more limited capabilities, so Novell offers its own eDirectory server, and Red Hat has just introduced its own directory server.

As a component of the PKI infrastructure, Active Directory stores and serves the X.509 certificates and, in combination with Microsoft Identity Integration Server, becomes a metadirectory not only for Microsoft applications, but also for enabling single-sign on to the most common third-party applications. By enabling one-step provisioning and deprovisioning and user credentials, and supporting the industry standards and the widest set of security tokens and smart cards, Active Directory helps create a key advantage for Microsoft that has yet to be matched by an open source offering.

Policy and Configuration
Active Directory is also the repository for Group Policy, carrying central policy and configuration settings -- including over 600 new security configuration settings added to Windows XP Service Pack 2 -- to servers and clients throughout the enterprise.

Linux Management Solutions

Novell and Red Hat, the two leaders for Enterprise Linux, are diverging when it comes to management, making it harder to talk about “Linux” as a generic solution. Novell is moving to integrate with its legacy closed-source products to enable migration through eDirectory and integration with ZENworks.

On the other hand, Red Hat has just introduced its own directory, and what was previously the management tool, Ximian Red Carpet, was acquired by Novell and is being integrated into ZENworks. The future is not clear for central management of Red Hat.

Conclusions

Before security became a central theme three years ago, Microsoft had already established a reputation for taking hard or complicated IT tasks and enabling a broader set of IT professionals through interface and management usage improvements. While focusing on fighting the big, flashy battles against malware, Microsoft also has quietly been extending the manageability of security tasks, so that even nonexperts have a better ability to manage security effectively.

Building on the mature capabilities of Active Directory and embedding security expertise into tools like the Security Configuration Wizard are significant indicators of what companies can expect from the next generation of Microsoft products and technologies.

As with any comparative security discussion like this, I advise you to explore this topic further and draw your own conclusions. In this article, I’ve provided several references for you to follow and presented some scenarios that you might want to discuss with your own software vendor.

If you have an opinion about any article or you want to suggest topics you’d like me to investigate, please send me feedback and I’ll be happy to respond.

Best regards,
Jeffrey R. Jones
Director, Microsoft Security Business and Technology Unit