Ask Microsoft's Security VP 543
There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week.
What has changed? (Score:5, Interesting)
From what I've heard, even though most of Vista is being rewritten from the ground up with more scrutiny on what code goes into it, it will still have major flaws generated by the way Microsoft works internally as a company.
Differences Between Windows & Other Employers? (Score:5, Interesting)
Most regretted design decision (Score:5, Interesting)
Patch Release Cycle (Score:5, Interesting)
Security versus Quantity? (Score:5, Interesting)
Has Microsoft tracked the "security bug" to user ratio on their products and found that products with fewer users seem to have fewer bugs? If that is the case, I wonder if it is the normal process of higher supply leading to more people spending time looking for bugs.
It is like the population:innovation ratio -- as a population goes up, the amount of innovators being born goes up, too, leading to more innovations.
Vista (Score:2, Interesting)
Security/user friendly tradeoff (Score:5, Interesting)
For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.
Top priority for security in 2006 (Score:5, Interesting)
Patch Schedule (Score:3, Interesting)
Speed factor (Score:2, Interesting)
As an aside, great job Roblimo! What a catch for an interviewee! Not going through a PR person, either. Can't wait to see his replies.
Outside influences on security (Score:5, Interesting)
What is the basic approach to Microsoft security? (Score:5, Interesting)
I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?
SP vs Vista (Score:2, Interesting)
Let's Rephrase That (Score:2, Interesting)
Pre-installed (Score:3, Interesting)
I know when I bought my Gateway laptop it came with a default login as Administrator and to identify itself on the network, it used the OEM key as its name. I knew enough to change these options and many others myself, but many users do not.
Why is it that Windows offered pre-installed on machines doesnt at least come with some sort of brochure or pamphlet explaining the least a user can do to add any level of security?
Legacy Security Issues (Score:2, Interesting)
Audit of Software (Score:5, Interesting)
Home vs Pro (Score:4, Interesting)
Comment removed (Score:5, Interesting)
Security vs. Useability (Score:1, Interesting)
Windows updates to unregistered machines? (Score:5, Interesting)
I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When He called me for tech support, I told him to download the Microsoft Anti-spyware from Windows update, but his answer was that it required a registered copy.
My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)
What do you plan to do about this?
Did MS culture change as promised in 2002? (Score:5, Interesting)
In your opinion, has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?
WSUS Release Dates (Score:5, Interesting)
With the current advances in smart viruses and malware, that release schedule seems unrealistic. OS security threats have been addressed with emergency patches, but that does not seem like a sustainable methodology.
What is Microsoft's long-range vision on OS patches to ensure that our Server and Workstation Operating Systems are secure, safe, and patched in a timely manner?
Rewriting Internet Explorer (Score:5, Interesting)
Application software (Score:5, Interesting)
Beyond Bugs: User Interface? (Score:4, Interesting)
However, even when a security system doesn't have any bugs, it can still be very insecure. We can define "security" in a more general sense as "the extent to which a system is doing what the owner or user expects". The problem is not that the system is capable of malice so much as that the system is capable of malice of which the user is unaware.
How is Microsoft in the future going to design their systems so that users know what is really going on?
How do we inform users? (Score:1, Interesting)
strncpy()/memcpy() & buffer overflows (Score:1, Interesting)
How hard would it be to replace each and every one with a strncpy()?
Surely, you must have done this by now?
As a coward, I don't expect you'll ever see this, but I felt that I should ask anyway.
Spyware (Score:5, Interesting)
In regards to spyware MS has already taken some steps to try and stem the flow (asking about running exe files, the Spyware Removal Tool, etc), however as a consultant I find many of my clients are still infested with the stuff. From my perspective it appears that many users are affected still by these programs and that they are either unaware of how to prevent them in the first place, or how to get rid of them. Many times it is significantly faster and easier (and in some cases, safer) to just format the machine in question and start from a clean slate. Does MS feel that spyware is still a major problem, and if so, what new measures MS doing in order to combat it?
Regards,
Petyr Rahl
Marketplace (Score:2, Interesting)
Security decisions are usually dominated by economic and business considerations; it's often been said that Microsoft will stop making insecure software shortly after customers stop buying it.
Let's say I'm a shareholder, explain to me why you should be spending money on security. Where and how much is the return on investment?
You will also have to balance many considerations when determining what security to implement. What are the major security tradeoffs/decisions you anticipate making this year?
User privileges (Score:5, Interesting)
Industry best-practice out-of-the-box? (Score:5, Interesting)
There are a number of industry best-practices that any system administrator will tell you are vital for proper security. I will not claim to provide a complete list, but the two that seem to have the most frequent effect on an OS's percieved security are:
Windows has been steadily improving on the first point, but the second point has long been a problem for administrators; there is no generally-used near-transparent way for a program to request higher privileges, for instance.
Worse, many third-party (and, for that matter, some Microsoft) programs will fail silently or with obtuse errors if you run them as less-privileged users because they demand the ability to, say, write to system areas - often without warning - and require heroic gymnastics by administrators to resolve (if a resolution is even possible).
Is this issue of least-privilige being difficult to acheive being addressed in future versions of Windows? What changes can we expect to come down the line soon and in the near future?
Re:WMF bug in Vista (Score:4, Interesting)
My biggest concerns about MS today surround this process, which is completely invisible to the world, but which we rely on for having greater confidence in MS products. Understanding how MS approaches these reviews might make us feel better (or might depress us beyond reason).
Tim
Inhouse security auditing and patching (Score:3, Interesting)
Bug submission policy (Score:5, Interesting)
And why does the phone number on this "report a bug" page:
http://support.microsoft.com/gp/contactbug [microsoft.com]
call a generic technical support & sales line, which ultimately will tell you that you must either open (and pay for) a support case, or submit your bug by snail mail to 1 Microsoft Way?
Is it Microsoft's stance that the inability of its users to report bugs makes its OS more secure?
-Tommy
XP's firewall (Score:5, Interesting)
VISTA users must still be administrators? (Score:5, Interesting)
Kerberos in Active Directory (Score:2, Interesting)
Shake a Legacy and move into the 1990s (Score:5, Interesting)
When will we have actual symbolic links?
When will you ship with everything possible disabled until needed or manually enabled?
When will defragging a disk or some obscure network function not lock up every task?
When will you not install by default two thousand modem or other
When will you not keep asking to insert a driver disk when the files are already in c:\windows\system32\ (and will "install" if I just point the directory there)?
When will you disable autoplay features by default, or at least make them prominent in a security area (instead of editing obscure system setting panels)?
When will you get rid of, split, or otherwise do something reasonable with the trash "heap" otherwise known as the registry?
Are you ever going to allow me to change my hardware and do autoconfiguration (Both MacOS and Linux will let me boot from a disk in another system, a CD, etc. and manage to find all the necessary and most of the exotic hardware)?
Windows Security For Rootkits Infecions (Score:2, Interesting)
Home Vs Business Security (Score:3, Interesting)
Business PC's usually live in live in administrated, controlled networks, which hopefully have someone in charge of security on those networks. They also live behind firewalls, proxies and have shrinkwrapped as well as in house answers to security threats. Users have much reduced privilages, security policies are in effect and companies backup data and can even use imaging to secure against vunerabilities.
Contrast with Home PCs which live in small, largely unadministored networks. Many are still directly connected to the internet. These PCs may have no anti-malware technology at all. On top of that, users are uneducated and often do not even realise they have been the victims of security breaches. Typically, security involves extensive suites of specialist software that gobble ever more resources.
There are also intermediate security enviornments. Small to medium sized businesses may have sizeable networks, but fail to implement any real security policy due to time and budget constraints. Home users can also have sizable networks, with a multitude of internet capable devices in the one home becoming more commonplace.
Typically, Microsoft has offered essentially the same software framework for both Home and Business computers. Will Microsoft offer a one size fits all security framework also?
Why add DRM? Also, why not decouple IE? (Score:5, Interesting)
Also, I think you could dramatically improve security by decoupling Internet Explorer from Windows. Have it be a separate program similar to Opera, FireFox, Safari, etc... Is there really a valid reason that Windows Explorer has to be driven by Internet Explorer?
Four questions from a long time Windows user (Score:2, Interesting)
2 - Why is Internet Explorer used for Windows Update, rather than use a robust, spicific use application?
3 - Will Vista offer an option to install in a secured, locked-down mode, with most services turned off (in a BSD-like fashion)?
4 - Shouldn't Internet Explorer default Active-X use to "ask"? Why not?
Legacy Code (Score:4, Interesting)
-Charles
Re:Security versus Quantity? (Score:5, Interesting)
users and auditing (Score:5, Interesting)
Despite whatever SU-like features you have, on XP I still can't reliably install, or in some cases even run(!), programs under restricted user accounts, forcing me to give most of my clients admin accounts and just hoping for the best. How seriously do you treat this issue and what work is being done towards getting an OS that can be used in the real world with restricted user rights?
Auditing - finding, say, if user X has any write rights anywhere on a server, who has done what on the system in the past day, what files were modified by a program's install, etc. all these things are do-able but not easily, and not using just MS supplied tools. How about a toolset for administrators that give us (especially the part-time admins like myself who don't just live and breath security) easy access to the reporting, auditing, and security tweaking we need to do our jobs well. And no, configuring and interpreting the security logs in the event viewer doesn't count as an easy to use auditing tool.
Digital Rights Management Framework and (Score:1, Interesting)
What OS do you consider the most secure? (Score:5, Interesting)
Please name a specific answer for both questions, and please don't name something useless like DOS. Your answer must be something that a sane network administrator might choose for an internet-connected server and desktop deployment.
Separately, do you think that Mac OS X is a more secure _desktop_ operating system than Windows XP? Obviously there have been far fewer worms, trojans, and viruses for OS X than Windows. Is that really solely due to OS X's lesser popularity, or is it truly a fundamentally more secure system?
If you think Windows XP is more secure, why? What security features does it have that OS X doesn't?
Why no AES in SSL yet? (Score:5, Interesting)
(OpenSSL - including the Mozilla browsers - and Java SSL have all had AES support for a while. Most SSH implementations have also had it for a while.)
Will Compatibility ever be rejected for Security? (Score:4, Interesting)
Next big thing? (Score:5, Interesting)
SSH? (Score:1, Interesting)
Why hasn't Microsoft shipped an SSH client and server with Windows?
Linux (Score:2, Interesting)
Re:Why not improve the default permissions? (Score:3, Interesting)
Also, it seems to me that Windows' dual focus on consumer machines and business deployments holds it back. For example, while backward compatibility with old apps is important for enterprises, it is not nearly as important for consumers, yet backward compatibility is one reason why the default XP file permissions have not changed. Has MS ever considered splitting Windows into separate versions--one for businesses and one for consumers--that would address the specific needs of each market? From what I can tell, XP Media Center Edition, XP Home, and XP Pro are not truly "separate versions" for the purposes I'm discussing here. For example, the future "Home" version could have even tighter security than the "Pro" version, on the assumption that the "Pro" machine is administered by pros. The "Home" version might break existing non-compliant apps, but that would be the price to pay for more security.
Culture and Security (Score:4, Interesting)
I would like to think that Microsoft has finally "got the religion" about reliable code, unit testing, defensive programming, etc. (it seems that many historic decisions were made on disputable performance grounds instead of a long-term view of security implications, and now Microsoft is paying the price).
Is this the case (do you even agree with the premise) and if not, what is Microsoft's strategy for evangelizing safe and robust programming practices (as well as overall architecture) *inside* Microsoft? It seems that the best laid plans of kernel and system architects can be ruined by some guy working on the shell that is getty pressured by marketing to Hurry Up and implement that gee-whiz feature that will "impress" the customer.
(extra cheat question: Raymond Chen has recently posted about "decoy" windows and other hacks that MS has implemented to compensate for badly written application code - as a user, this does not seem to serve my interests. Instead of quiety accepting the misbehavior, I would like Microsoft to make these sorts of problems apparent in some manner to make the user aware of their software and demand better behavoir from developers of the software they purchase, and also to shame software developers into behaving well. Continually accommodating intentionally bad software seems to be a bad long-term strategy. Any comment on that?)
2008 expiry of WinXP Home updates (Score:3, Interesting)
I understand that MS has recently decided to extend the deadline to abandon official support of Windows XP Home to 2008. While many applaud this 1-year extension, others feel this deadline is insufficient. Considering this is the most popular operating system in the history of personal computing, will MS take responsibility for any damages caused by this deadline? (e.g., unpatched vulnerabilities resulting in spam and DDoS zombies, virus proliferation, identity theft, etc.) Is MS willing to reconsider this deadline?
The separation of code and data (Score:3, Interesting)
Does Microsoft have any regrets regarding its historical strategy of designing software that mixes code in with data (E.g., ActiveX, IE, VB Office, etc.) to make life easier for developers, despite the security implications and risks of such a strategy?
DRM (Score:3, Interesting)
Security & Education (Score:3, Interesting)
However, to me, this seems only half of the real battle when it comes to spyware (and other security issues). The other half, in my experience (And in GI Joe's, apparently), is knowledge. Education. I have noted that some systems, even heavily used systems, without tools like MSAntiSpyware, AdAware, and Spybot installed can have very little spyware, whereas even some systems with such tools can become heavily infested.
So my question is this: especially given that many of the users of Windows are less tech savvy than would be preferable, are there any plans to address the other side of the equation in Vista (or elsewhere), for security issues like spyware? A Security Tour, recommendations, help features, tutorials, etc?
Moving all unwanted code back to User Mode (Score:2, Interesting)
I understand you moved Video drivers into Kernel mode in NT 4.0 for performance reasons on slow machines of that day.
Now that machines are much faster than ever before, are you moving back all Video Drivers/stuff back to user Mode so that Windows Vista can be MORE secure?
Secure right out of the box (Score:2, Interesting)
What do you see your company doing to make PC's running Windows products more secure right out of the box and to keep them secure with little or no input from the user?
Security for Morons (Score:3, Interesting)
Slashdot bites? (Score:3, Interesting)
realtedly: Do you believe the anti-Microsoft bias of Slashdot is peculiar to this forum or does it reflect a general antipathy in tech circles? Why do you care what the community at Slashdot thinks?
Is the new limited privileges IE mode vulnerable? (Score:3, Interesting)
One of the most important innovations in Vista regarding security is the revised user/privileges system, including the new "limited" mode IE (and potentially other web apps) will run in.
The basic goal is that even if IE has a flaw which allows malicious code to run from the browser, that it will not have the privileges to read/write/execute code, with the exception of writing in the IE temp files folder (the cache).
However to allow the IE plugins and IE itself to go on its business (such as download files to where the user wants), special 'broker' processes were introduced IE to talk to.
Apparently those processes have higher privileges. So if IE can command them to download code, doesn't it render the point about the privileges protection moot. If not why.
And another such concern. I suppose the limited IE mode applies only when the mshtml engine is launched from within the "official" IE shell.
However many apps use that shell, and since the malicious code retains the ability to write to the Temp Files, won't it be possible the reuse of "infected" cache via embeded IE to raise the privileges for execution and infect the system anyway.
Thanks.
Re:What has changed? (Score:5, Interesting)
What are you doing to prevent buffer overflow and similar attacks in the future?
Re:WMF bug in Vista (Score:2, Interesting)
This is not a trivial question, and everything in Microsoft's new "security push" is open to question until they respond in a more intelligent way than Stephen Toulouse's mind-numbingly ambiguous non-response.
Disagree with me if you want, but do so openly. Not like a mod-points-laden coward.
Tim
Why are known issues not fixed? (Score:3, Interesting)
Re:Top priority for security in 2006 (Score:5, Interesting)
Re:Why no AES in SSL yet? (Score:2, Interesting)
Quelques questions (Score:2, Interesting)
Re:What has changed? (Score:5, Interesting)
What is Microsoft's plan for eliminating this problem? How will Vista address the tasks that require higher levels of privileges? What restrictions does this place on normal users? How do focus group users respond to these restrictions? Has there been communication with applications vendors to ensure that they are making the necessary changes?
Re:What has changed? (Score:5, Interesting)
Most of the most glaring Windows XP security problems (being in the Admininstrators group by default, being allowed to write anywhere by default, having the firewall off [pre-SP2] by default) were there to preserve compatibility with previous versions of Windows.
Will Vista comprimise on security, or compatibility?
Solution to Security and Backwards Compatibility (Score:2, Interesting)
Mr. Nash,
Microsoft seems to be uniquely capable of solving the security problems with their older product line and maintaining backwards compatibility. Why not simply run older programs under a virtualiztion technology and completely change the foundation of Vista? Microsoft owns the I.P. involved with the OS and already owns Virtual PC. This would allow older products to perform without changes.
Individual users would run as non-administrators and a few other core changes could be put in place. If a developer wanted to release a product that ran directly on Vista the libraries would be similar so all he needed to do is re-compile and link and ensure his product worked with the new security settings.
On the other hand, older Windows programs could install transparently into a virtual "instance" owned by the current user and she'd never know any difference. Backwards compatibility would be ensured by the fact that they were in fact running under a "Virtual Instance" of Windows XP. It might even be possible to get some money out of businesses holding out with DOS/Win 3.x/Win95 etc. by offering "plugins" for virtualization with this technology.
Why doesn't microsoft do something like this?
Jonathan Jeffus