Saturday, February 07, 2009

What Microsoft seems not to understand about security

Back in the Microsoft Dark Ages, when Windows 9x roamed free, Microsoft Bob was still a fond memory to those on its project team and security was a word Microsoft had not yet truly learned the meaning of, we didn't expect them to release anything that was designed with security as a primary concern. After all, they didn't really understand what it was.

Scroll forward to 2009, a totally different era in the computing world. Vendors such as Quicken are (amazingly) starting to realise that their clients want to run their desktops securely (kinda sorta: there are big issues with the QuickBooks PDF engine if UAC is enabled in Windows 7 Beta 1). The average user is starting to understand that running as a local administrator makes them a magnet for filth like AntiVirus 2008, AntiVirus 2009 or whatever other moniker it goes by this week. The average sysadmin is starting to understand that having every computer in the company running with all users as local administrators isn't sane. Business owners are starting to realise that the value of the data on their notebooks often far outweighs the value of the notebooks themselves, and the owners of some small businesses realise that without any real security for their network and data, they have no real chance of surviving. Does Microsoft understand this? Apparently not.

I recently blogged my thoughts on the state of affairs regarding the Windows 7 Firewall default configuration (here) and referenced the issues I had with the Windows Vista Firewall default settings (here and here) and received (in part) this reply from Scott Roberts, the Lead Program Manager for Windows Network Security:

You might not be aware that we have added a number of new, on by default, items to the Windows Operational Logs. This avoids overloading the base logs.

You can view them by using the following paths:
Firewall: Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall with Advanced Security -> Firewall
Connection Security: Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall with Advanced Security -> Connection Security

There are also other, non-default, verbose versions of these logs that can be enabled in the WFAS MMC.

We were not able to justify the security benefit, management overhead, and usability impact to enable, by default, the outbound firewall’s ability to block all traffic not already permitted. It is fairly simple to enable for corporate administrators and IT Pros. You can enable this in a handful (~6) clicks from the start menu. Simply right-click the node ‘Windows Firewall with Advanced Security’ once you launch the tool, click Properties, and then select Outbound Connections ‘Block’.

While I understand that this doesn’t address your feedback about making this the default, I can share with you that we reviewed this issue in great detail. The realities of the OEM channel somewhat mitigate the impact of this in the consumer space and our GP controls mitigate it in the managed space.

First, let me say that I do appreciate Scott taking the time to read my blog and reply on this point. That said, I'm not sure that I can see much sense in his answer in today's environment (as compared to the Microsoft Dark Ages, where it would have been the expected answer). Whilst Scott and his team may not have been able to justify the overhead, security impact and usability impact of enabling outbound filtering in the Windows Firewall, many, many home users and pretty much every single business user can justify it.

One of the things we've done where possible is not only to block outbound SMTP traffic at the gateway firewall from all IPs except the on-premise Exchange (or other) mail server, but also to block outbound traffic to all ports other than 20 and 21 (FTP), 22 (SSH), 80 (HTTP), 443 (HTTPS), 444 (CompanyWeb-2003), 873 (rsync) and 4125 (RWW-2003), so that rogue applications are extremely limited in what they can do to send confidential data outside the network.

In addition to this outbound filtering, some of the other steps we take are:

  • configure user accounts as "Limited User", not "Local Administrator" (where possible)
  • run a decent AntiVirus product on all desktops and servers
  • externally filter email to reduce inbound spam and malware issues
  • use Group Policy to configure the users' Windows Firewall and other security settings
  • keep the desktops and servers regularly updated
  • ensure the staff at our client sites understand that if an email arrives with an attachment they are not expecting (*any* executable, anything that *feels* vaguely weird, or anything from someone they don't know), they are not to open it; instead they should let us know, or just delete the file and ask the original sender whether they meant to send it (and if so, to send it again, still contacting us if they feel it may be fishy)

Probably the main reason (if not the only reason) that Windows XP users ran a non-Microsoft firewall on their desktop was that the Windows XP Firewall provided no outbound blocking whatsoever. So Microsoft claimed they had learned from this and released the Windows Vista Firewall with outbound blocking, or so they claimed. As I mentioned previously, outbound filtering was disabled by default and *far* from easy for the home user to work out how to enable. So many users kept their third-party firewall application because it provided security that was simply not built in, nor easily configurable, in the operating system (where it most definitely belongs).

So I bring this issue to people's attention so that we can all learn from this. We can learn that Microsoft still doesn't take desktop security all that seriously and Microsoft can learn that we want them to take desktop security seriously.

Then they release Windows 7 Beta 1 with the same default security (or rather insecurity) settings: no outbound filtering enabled by default. They claim that this is because they couldn't justify the security it added compared to the usability it removed. Seriously, how many people want a bucketload of non-standard ports (i.e. mainly those I listed above) open on their desktops? Obviously, this is easy to address, just as Microsoft addressed the "Automatic Updates" issue with Windows XP SP2: put up a screen explaining that although the default is to allow all traffic outbound to every destination on all ports, Microsoft recommends that users enable outbound blocking, and that clicking "this" button will do that for all non-standard traffic. This would allow FTP, HTTP, HTTPS, POP3, networking, HomeGroups and all other *standard* protocols and ports to work as expected yet block all other ports. There would obviously need to be a Control Panel applet to configure this, unlike the Advanced Firewall applet, which isn't available through the Control Panel.

Really, how hard could that be?
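As an added example (not from the post, and not Microsoft's own documentation), this is what the "~6 clicks" and the port list above amount to as a script. It uses the netsh advfirewall commands that ship with Vista and Windows 7 to back up the current policy, add outbound allow rules for the ports listed above, turn on logging of dropped connections, and only then flip the default outbound action to Block. The rule names and the DNS/DHCP allowances are my assumptions: without name resolution and address assignment nothing else on the list is reachable.

```powershell
# Added example, not from the post: scripts the outbound-block change the
# post describes, using netsh advfirewall (present on Vista and Windows 7).
# Run from an elevated PowerShell prompt. Rule names and the DNS/DHCP
# allowances are assumptions; the TCP port list is the one from the post.

# 1. Export the current policy so the change can be rolled back with
#    netsh advfirewall import "<file>"
$backup = Join-Path $env:TEMP "wfas-before-outbound-block.wfw"
netsh advfirewall export "$backup" | Out-Null

# 2. Outbound allow rules for the post's port list (all TCP).
$allowedTcp = @(
    @("Allow out FTP",        "20,21"),
    @("Allow out SSH",        "22"),
    @("Allow out HTTP",       "80"),
    @("Allow out HTTPS",      "443"),
    @("Allow out CompanyWeb", "444"),
    @("Allow out rsync",      "873"),
    @("Allow out RWW",        "4125")
)
foreach ($rule in $allowedTcp) {
    $name  = $rule[0]
    $ports = $rule[1]
    netsh advfirewall firewall add rule name="$name" dir=out action=allow protocol=TCP remoteport=$ports | Out-Null
}

# Assumption: DNS and DHCP must stay open or no other rule is reachable.
# Other UDP services (NTP, for instance) would need rules of their own.
netsh advfirewall firewall add rule name="Allow out DNS"  dir=out action=allow protocol=UDP remoteport=53 | Out-Null
netsh advfirewall firewall add rule name="Allow out DHCP" dir=out action=allow protocol=UDP localport=68 remoteport=67 | Out-Null

# 3. Log dropped connections so blocked outbound attempts can be reviewed
#    (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null

# 4. Flip the default outbound action to Block on every profile. This is
#    the "~6 clicks" step; the allow rules added above still apply.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

# 5. Show the resulting policy line for each profile as a check.
netsh advfirewall show allprofiles | Select-String "Policy"
```

Adding the allow rules before changing the default action avoids the brief window where the machine has no outbound connectivity at all.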

And whilst I'm going on about Microsoft not understanding desktop security, I remember speaking to Michael Risse (Vice President, Worldwide Small and Midmarket Business Group) and Robbie Upcroft (Product Manager - SMB Servers, Australia) at WPC in July 2008 in Houston, and also emailing Steve Ballmer (and being totally ignored, might I add) during his keynote address, when he was espousing the value BitLocker can add to an organization's security, about the lack of BitLocker in Windows Vista Business. I know a number of other people have brought this up as being a serious oversight. The issue is that SMB owners cannot see any real value in buying SA for a desktop OS, as when their machine dies or is replaced at the end of its viable lifetime (usually 3 - 4 years), they need (as in are required) to buy another OEM OS anyway, which will be whatever's current. So SA is pretty much useless, as they are *extremely* unlikely to upgrade their OS without upgrading their desktops. SA provides BitLocker via Vista Enterprise. Vista Ultimate (the home user's "big boy" Vista) also provides BitLocker. Vista Business, the OS that would be specified and installed on more business laptops than any other version of Vista (yet fewer than the number of XP copies installed on business laptops), fails to include BitLocker.

Oversight? Massive. Planned oversight? No doubt. How else will they be able to justify (sic) selling SA on desktop OS licenses?

Now, with Windows 7 on the horizon, Microsoft has made the same planned oversight: BitLocker is not included in Windows 7 Professional, the Windows 7 edition that will most likely be installed on SMB laptops. This means that SMB laptops will need either SA (not likely at all) or Windows 7 Ultimate (aka a home user OS) to get BitLocker security for their files.

Can anyone see any sense in this at all? Anyone?

What is Microsoft thinking? Back in March 2005 they released The Trustworthy Computing Security Development Lifecycle, which detailed their much trumpeted "SD3+C" ideology of "Secure by Design, Secure by Default, Secure in Deployment, and Communications". Not allowing Vista Business or Windows 7 Professional users (the majority of business users) to have access to BitLocker achieves *NONE* of these goals and actively works against all of them.

Are we going to sit back and let this happen or are we going to let Microsoft know that treating SMB clients' security with this disrespect is unacceptable?


The Outspoken Wookie

1 comment:

Nick said...

Great post Hilton. I've asked our local PAL (Vijay) to raise the lack of BitLocker in Win7 in their Q3 PAL Conf Call which is coming up soon.