Due out in March, there are many system administrators who cannot wait to get their hands on "a tool that will make life so much simpler." The pursuit of a single, integrated security product designed to simplify security at first blush seems like a positive. However, the truth is that it creates many challenges that cause security experts to question whether or not it is a good thing.
The Microsoft Baseline Security Advisor (MBSA) will reportedly check the security configuration of Windows systems, including weak passwords and missing security patches for applications and the operating system. Reports indicate that the product will even include online security. Unfortunately, many administrators may adopt it as their sole source for security management. . They will update MBSA on a regular basis - hopefully this will be automatic - and run it against their systems. They will apply the patches that MBSA says need to be applied and change some of their configuration settings to be more secure. (I am intentionally ignoring the fact that administrators should first test the fixes before installing on any critical servers, as more than one patch has either been ineffective or shown to be fatal to other applications. This is a topic for a completely different article.)
Assuming that MBSA is accurate and thorough in assessing security vulnerabilities, MSBA is a very good first step for administrators who want to fortify their security. But it cannot be the last. Busy administrators are likely to rely on this one security tool for too much of their security. They may forget about keeping up with security mailing lists and other sources of security information. What if they forget about updating their firewalls, routers, virtual private networks, non-Microsoft applications, etc.? Microsoft software is only one area of vulnerability.
Some security experts are questioning Microsoft's motivation for providing the product at this time. They say it is "another public relations ploy" designed to change the public perception of their insecure product line. Others argue it will make hackers even more embolden in their efforts to thwart Microsoft's efforts. Another move that has experts skeptical is Microsoft chairman, Bill Gates' announcement that security is Microsoft's highest priority and 9,000 Microsoft software developers were trained on secure coding practices in the recent weeks. Software developers are questioning the value or quality of that training considering how quickly it occurred.
Since the tool has yet to be released, one can only speculate on its effectiveness. What is certain is that it will not check every non-Microsoft application on the system, and quite possibly will be unable to check every Microsoft application. The selective scope of the MSBA, and other tools like it, creates a dilemma for administrators. In order to get a true security baseline, should administrators rely on a tool from every vendor? Every vendor doesn't have a security tool. Or, if they have chosen other products because of Microsoft's security track record (or any other reason for that matter), will they now reconsider because of a 'free' security tool? Unlikely. And what about the free applications many home and business users take advantage of daily, such as the multitude of instant messaging programs?
Microsoft has their version, and it may be checked by MBSA. But will the AOL version be checked? It's an important consideration. AOL's instant messaging application for the Windows operation system recently had a bug that would allow a crafty hacker to execute code on a remote Microsoft based machine, while other operating systems were immune. And what about other email programs? It is expected that MBSA will check the security configuration of Outlook and Outlook Express. Will it check Netscape's email application, or Qualcomm's Eudora? What about programs that are frequently downloaded and used in conjunction with Internet Explorer, such as RealPlayer, WinZip or WinAmp? There are a multitude of non-Microsoft applications used by millions of users that are beyond the scope of the MBSA. The security gaps created by non-Microsoft products running on a Microsoft operating system will not be addressed by MBSA.
While something is better than nothing, many executives and some Microsoft administrators will make the mistake of believing that the MBSA is a cure-all for their security needs. Instead, a tool like this should be only a piece of an overall security program that includes security policies, virus protection, access control and authentication among other things. Layered security approaches are considered 'best practices' and provide the best defense against intrusion. Starting with an organization's most critical assets, security should be applied in a layered approach, starting with the hardware, operating systems, applications, network and infrastructure.
Finally, like any vulnerability scanner or secure configuration-checking tool, it will take time before MBSA will be able to protect against new vulnerabilities. Historically, Microsoft has had its ups and downs when it comes to responding to vulnerabilities in their products. IIS was a security disaster for Microsoft. Many companies migrated from IIS to other web servers because of the numerous security problems. Just as Microsoft issued a fix for the latest problem, a new and bigger security problem arose. Time after time web sites were defaced and information stolen because of flaws in the Microsoft web server.
In September 2001, Gartner Group released a public statement indicating that "enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving web applications to web server software from other vendors." (see http://www3.gartner.com/DisplayDocument?doc_cd=101034) The point made by the Gartner article was that there isn't enough time to patch systems. There is too long a delay between the time a new vulnerability is discovered and the fix information released. To make matters worse, Microsoft is using its political and financial horse power by taking part in a consortium of vendors lobbying to have national regulations [in the U.S.] put in place that would make it illegal to release vulnerability information without giving the vendor 30 days to correct the problem. Anyone, or any company that does not heed the direction of this consortium will be labeled as a "black hat" hacker.
However, security experts agree that the time between the release of a new vulnerability and the development of a fix is too long. And it is possible that with MBSA, the integration of new security fixes will either cause further delay in the release of the fix, or MBSA will often be behind in its ability to apply the latest security fixes. It leads to a "chicken or egg" dilemma for Microsoft. Do they let you know you are vulnerable as the hacker already knows, or do they wait until they develop a patch? Will they be the one who decides what you know and when ... or will you be?
While something is better than nothing and I applaud Microsoft's efforts to help IT professionals monitor security vulnerabilities, there is no quick fix for security. Security is much like the hydra-headed monster of Greek mythology - when one head was cut off two more ferocious ones appeared in its place. Security professionals realize there is no such thing as 'one size fits all' when it comes to security solutions. The best security practices are those that use a layered approach that focuses on an organization's business requirements and most critical assets first.
David J. Thomason, vice president of SecureInfo Corporation (www.secureinfo.com), has more than 16 years of security experience.