'''Security has been continually communicated as a top concern for products and technology from MicrosoftCorporation ever since Jan15, 2002 BillGates internal memo on TrustworthyComputing.''' This page is created for sharing links and insights about the intersection of two very important IT keywords. ''Note in a Jul04 article Bill is said to have revealed that a third of MicrosoftCorporation R&D budget is spent on security improvements.'' (The other 2/3 is spent creating new holes :-) {Title is a Grand Oxymoron} ---- I personally use this search link to keep informed of whats happening, at http://news.google.com/news?svnum=10&as_scoring=r&hl=en&edition=us&ie=UTF-8&q=Microsoft+security. If anyone has a better link please add your link below for comparison. ---- '''"Night and Day Difference" in security (in SP2 release of WindowsXp)''' So said BillGates in Nov03 (see http://www.informationweek.com/story/showArticle.jhtml?articleID=16101330). The ''WindowsXp SP2'' is now released and can be found at GetItFirstFromHere. I am hoping we are changing into the day, from night. The reverse is unthinkable * SP2 may have arrived too late for older machines. See http://www.computerworld.com/securitytopics/security/story/0,10801,95513,00.html See also EmailScam on tips from MS to prevent being victimised by fake email based SocialEngineering schemes. ---- '''PalladiumDiscussion After MicrosoftPalladium''''''demise ''' The original security solution, NextGenerationSecureComputingBase, was code named Palladium and started with a partnership with Intel in 2002, as part of TrustworthyComputing initiative. In May04 it was confirmed the project is canned as WindowsXp has chosen a different hardware mechanism to improve security. See http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=18841713&_requestid=224457 The above article said there will be announcements at end 2004 on what technologies from MicrosoftPalladium will be incorporated into WindowsLonghorn. ''Note it appear at least some of MicrosoftPalladium work went into DigitalRightsManagement implementations, as at early 2005''. ---- '''InformationSecurity related News''' * Jul05 "WindowsXp new WGA (Windows Genuine Advantage) security cracked". See http://polyphase.ca/archives/2005/08/02/windows-wsa-feature-exploited/ * Jun05 "Windows Server Update Services" become a reality after delays. See http://www.informationweek.com/story/showArticle.jhtml?articleID=164301826 * Mar05 MS Security SystemsDevelopmentLifeCycle published at http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp * Feb05 old 1999 crticism by BruceSchneier on weak encryption within MicrosoftOffice resurfaced. Only basic cryptography skills needed to crack code. See http://www.virusthreatcenter.com/article.aspx?articleId=381 * Feb05 patch address a number of WindowsXp SP2 risk areas. Includes a "Server Message Block" vulnerability (MS05-011 for full details) which could be the focus for new attacks in 2005. See http://www.washingtonpost.com/ac2/wp-dyn/A8723-2005Feb8?language=printer ** list of patch did not include vulnerabilities in "data-execution protection and heap-overflow", reported by "Positive Technologies" (Russia). Other securities sources like Secunia recommended users to wait for MS to come out with a patch, instead of using one created by the firm that reported it * ''Baby steps towards Enterprise Security'' <- comment on Jan05 patch http://www.winnetmag.net/Windows/Article/ArticleID/45135/45135.html ** A "malicious software removal tool" (refreshed monthly) is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&DisplayLang=en * ''SpyWare acquisition insights (Dec04)'' http://www.winsupersite.com/reviews/ms_antispyware_preview.asp ** Now available as a free beta at http://www.microsoft.com/athome/security/spyware/software/default.mspx * ''critical IFRAME patch'' (Dec04) GetItFirstFromHere. read http://techrepublic.com.com/5100-6264-5476845.html * ''security risk with Google Desktop Tool for Windows (Nov04)'' http://www.pcworld.com/news/article/0,aid,118667,00.asp * ''JPEG a security risk'' (Sep04) http://www.microsoft.com/security/bulletins/200409_jpeg.mspx * ''Flaws in SP2'' (Aug04) http://enterprise-windows-it.newsfactor.com/story.xhtml?story_title=Security-Flaws-Found-in-SP-&story_id=26513 * ''Next on MS agenda for Security'' (Aug04) http://www.microsoft-watch.com/article2/0,1995,1638468,00.asp * ''MS own view of progress in Security'' (Jul04) http://zdnet.com.com/2100-1105-5268965.html ---- '''Authentication Services''' The Microsoft product is DotNetPassport, previously known as Passport or Hailstorm. ---- '''Tips to enhancing security in Microsoft environments''' * Stop ActiveX from running in InternetExplorer http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q240/7/97.asp&NoWebContent=1 ** note WindowsXp SP2 has different and extra security provisions in regards to ActiveX. See http://www.microsoft.com/uk/windows/sp2/what-it-means.mspx#EHAA * Windows 2000 security operation guide download (get it before it is gone) http://www.microsoft.com/downloads/details.aspx?FamilyID=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8&displaylang=en Anyone got experience in using the OpenSource product from BruceSchneier company at http://sourceforge.net/projects/passwordsafe/? ''More on Activex security in a subsequent section '' ---- '''Company line (Microsofts)''' * BillGates Mar04 brief http://www.microsoft.com/mscorp/execmail/2004/03-31security.asp ---- '''SecurityManagement aspects''' '''Webcast from MS: Implementing Security in the Development Lifecycle (Level 200)'' at http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032270022&Culture=en-US ''SecurityManagement guide 2004 '' at http://www.microsoft.com/technet/security/guidance/secrisk/default.mspx ''Developer wiki (MicrosoftChannelNine) links to security for DotNet'' at http://channel9.msdn.com/wiki/default.aspx/Channel9.SecurityEngineering ''Limited User account (LUA) howtos wiki with information for existing windows'' at http://nonadmin.editme.com/ ---- '''Archives''' * Analysis on Trustworthy Computing announcement http://mcpmag.com/newsletter/article.asp?EditorialsID=86 * Text of BillGates Jan15 memo http://www.informationweek.com/shared/printableArticle.jhtml?articleID=6500502, or http://www.computerbytesman.com/security/billsmemo.htm ---- '''Implementation aspects''' Microsoft implements crytography mechanisms for SecureSocketsLayer in the MicrosoftWindows, subsequently when a flaw is found, all OS versions (e.g. WindowsTwoThousand) are affected. See http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73507,00.html. In Jul04 SSL security flaws are still affecting companies that use SSL on MicrosoftWindowsServer ''Microsoft Security Support Provider Interface (SSPI)'' This is used ?only in KerberosProtocol * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/sspi_model.asp ---- ''ActivexTechnology and JavaScript security - more reading '' * ''Is it worth the risk?'' http://www.iseran.com/ActiveX/ * ''Microsoft Guidelines'' http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/safety.asp ---- ''Is it another way to push Microsoft users to using DotNet and newer OS on servers and clients? It has been mentioned that WindowsServerTwoThousandThree is supposed to be more secure than WindowsTwoThousand.'' ''Anyone got specifics on significant security advantages of Windows 2003 over W2K, in manners that WindowsTwoThousand cannot be improved by using third party products.'' There aren't too many of these. A major change in WIndows 2003 is that things are not installed or are turned off out of the box, so its default state is more secure. ---- '''Raw Socket debate''' WindowsXp Service pack 2 included a block against use of raw sockets, which are heavily used by tools used by security people, as well as hackers with undetermined intent. A bypass was found, and then the "hole" was plugged again in Apr05 MS patch. It was claimed vendors of other OS did not find it necessary to take this drastic step. MS appear to have suggested the patch did not apply to WindowsServerTwoThousandThree, and that while DOS attacks are still possible through kernel attachments (even with the patch), such increased sophisticated work causes more serious concerns than DOS attacks, and are challenging to create. See source: http://www.zdnet.com.au/news/security/0,2000061744,39189587,00.htm ---- '''Significant critics to MicrosoftSecurity''' ''Windows security is a CatastrophicSuccess. Seriously, is there any such thing as Windows security?'' Responding to TrustworthyComputing, BruceSchneier repeated call for MS to withdraw the SoapProtocol offering, and affirmed his previous stance on problems. * original newsletter at http://www.schneier.com/crypto-gram-0006.html * at 2004 still find webpages on security linking to remarks by Bruce ''NMap port scanner disabled by MS05-019 patch issued Apr05'' NMap was deemed to be a highly important port scanning tool that rely on use of raw sockets. Since Apr05 patch (?even non SP2) MS PC users were stopped from using raw sockets. Some claimed without a tool like this, legitimate users have no means to get at the extra data. See also a patch for the patch (problem is "host ignoring ICMP Destination") at http://support.microsoft.com/default.aspx?scid=898060 -------- '''Tracing?''' Does anybody know how to trace why a particular authentication fails? As things grow more complex and security grows in concern, there seems to be the need for a tool or technique that logs and describes why a particular authentication event failed. One needs to know the "rule that it bumped into". It's a bloody '''black box''' right now. ---- '''Resources''' "Writing Secure Code" (ISBN: 0735617228), won RSA Conference Award for Industry Innovation. Offered a MS perspective on ApplicationDevelopment ---- CategorySecurity, CategoryMicrosoft