EDITORIAL–Like the coming of winter, the arrival of Microsofts Windows XP seems inevitable. But while most of us know how to prepare for the coming season, not many IT professionals stand a chance of being ready for XP and the security challenges that it entails.
Do we need more reminders of the problems with security in Microsofts products than the latest worm, Nimda, which exploits not one but four Microsoft network holes? We can scream about users being diligent and patching systems, but the fact remains that its Microsofts intrinsically insecure platforms that are being exploited, and little is being done to stop the attacks. Gartner has gone so far as to recommend to its enterprise sites to remove the IIS server, which was targeted by Nimda, until it can be rewritten and made safe from worms.
A few changes in XP will help a little. The IIS server is not installed on XP Professional by default, and XP does feature support for 802.1x wireless encryption, including dynamic encryption keys and central administration. In addition, the NTFS encrypting file system is a plus but only as long as users run as normal users and not as Administrator—and Administrator is the default setting.
But other changes, or lack thereof, leave XP as vulnerable as any other Microsoft product. For instance, the new firewall can block incoming traffic not sent in response to outgoing traffic, but no outgoing traffic is blocked—a feature that is standard with software firewalls from Zone Labs or Symantec. Outbound blocking would go a long way toward stopping distributed denial-of-service attacks. Also, the platform is still chock-full of many always-on, Internet-needy programs, including Internet Explorer, Outlook Express, Windows Messenger and Windows Media Player, each waiting for its turn to be sniffed out by the next Nimda.
XP is certainly a much stronger option than the Windows 9x line, but it offers little to users of Windows NT or Windows 2000, other than the convenience of having the many security patches for these operating systems preapplied. Other than for preinstallations, we think few IT managers will make the move.
Microsoft needs to reconsider its products from the ground up and should consider building its operating system platforms around a trusted operating system, along the lines of Argus Systems Groups PitBull.
Microsoft wants to stay on schedule with XP so it can have the system on all new PCs purchased for the holiday season. It needs to forget about shipping XP to help the OEMs and, supposedly, the American economy. The company has bigger problems to worry about. It needs to fix XP first.