Tightening The Security Screws In Windows

 
 
By Larry Seltzer  |  Posted 2003-08-21 Email Print this article Print
 
 
 
 
 
 
 

Is now the time to make On the default setting in Automatic Updates? Security Supersite Editor Larry Seltzer offers that it's clear people won't do the right thing.

Everyone agrees, even me, that education is crucial to make our computer systems more secure. But recent experiences dont paint an optimistic picture. Either were not educating people or education is not working: Too many users still fail to take simple precautions to protect themselves, and many engage in dangerous practices that perpetuate attacks.

The incidents of the past couple of weeks are both illustrative. The Blaster worm succeeded in spite of a massive publicity campaign on the danger of the relevant flaw in Windows and the existence of a patch.
Worse, in monitoring several security mailing lists I saw many users looking for any excuse not to apply the patch. According to conservative estimates, some 500,000 systems were infected with Blaster, and Ive seen much higher estimates. For example, Satellite ISP DirecWay just sent out an e-mail to their customers stating that "approximately 10 to 20 percent of DIRECWAY end-users are infected with the Blaster virus."
Meanwhile, based on the hundreds of Sobig.F e-mails I received in the first 24 hours of this weeks outbreak, clearly users have left themselves wide open to it as well.

Has education failed? Short of making computer hygiene mandatory like drivers education with tests, something on the order of John Dvoraks idea to license computer users, I cant see public education campaigns having any better results than we found with Blaster. And that was completely unacceptable.

If users wont take care of their computers, the unfortunate answer (depending on your point of view) is to do it for them. This is what Microsoft is considering, according to a recent Washington Post article. It states that Microsoft is considering having Windows download and apply security patches automatically.


Check out Microsoft Watchs rundown on and the changes due with the forthcoming Microsoft Installer 3.0 technology.
Currently available in Windows XP and Windows 2000 SP3+, this updating capability is called Automatic Updates and is accessible through the Control Panel System applet. It is turned off by default. (For Windows 2000 Server, Automatic Updates is only aware of patches for the OS, not for important server applications like SQL Server or IIS). The applet has 3 options if you turn Automatic Updates on:
  • Notify the user that updates are available;
  • Download any updates that are available and notify the user, but dont install them; and
  • Download any updates that are available and install them according to a schedule specified by the user. So, it sounds as if Microsoft is considering making the third option the default behavior, at least with respect to certain very critical updates, such as the one that prevented the Blaster worm.

    Believe it or not, even some experienced admins are unaware of this feature in its current state. A recent eWEEK.com article quotes a network administrator critical of Microsoft for not providing essentially what Automatic Updates provides, especially in conjunction with Microsofts Software Update Services, which basically allows an administrator to set up an internal update server for clients to use instead of the Windows Update site. This administrator said: "The only way its going to happen is automation...Microsoft should provide this free." Hello. They do.

    Just turning patch installation on by default in Windows wont solve every problem, and it could cause more if it were handled badly. For instance, a corporate network wouldnt want end user systems applying these patches themselves. Yet Im sure there will be group policies to turn it off. Such networks have SUS as an alternative. But even many of these sites hadnt applied the Blaster patch after about 4 weeks of urgent warnings, so perhaps they need to be compelled as well.

    Another serious problem is dial-up users. Setting up their systems to connect and download megabytes of updates automatically could easily cause serious problems, and yet at the same time these users are part of the problem. Its difficult to see know how the dial-up problem can be solved effectively and reasonably.

    Still, as the Washington Post article makes clear, the consensus among experts is changing. The article quotes Bruce Schneier, co-founder and CTO of Counterpane Internet Security Inc. and no friend of Microsoft, as being enthusiastic about the idea. Others are also open now to it, and a representative of the Electronic Frontier Foundation (EFF) is cautious but not opposed. Prior to our recent experience with Blaster, I am certain all these people would have been aghast at the possibility of Microsoft installing patches on users systems without their explicit permission. Blaster has been a watershed event in computer security.

    Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

    More from Larry Seltzer
  •  
     
     
     
    Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

    He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

    For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

    In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

    Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
     
     
     
     
     
     
     

    Submit a Comment

    Loading Comments...
     
    Manage your Newsletters: Login   Register My Newsletters























     
     
     
     
     
     
     
     
     
     
     
    Close
    Thanks for your registration, follow us on our social networks to keep up-to-date
    Rocket Fuel