Microsoft Works to Lock Down .Net

In an effort to improve its battered security reputation, Microsoft is subjecting elements of its loosely defined .Net Framework to unprecedented levels of scrutiny.

In an effort to improve its battered security reputation, Microsoft Corp. is subjecting elements of its loosely defined .Net Framework to unprecedented levels of scrutiny.

While early indications are that the Redmond, Wash., software maker is moving in the right direction, the code review and other radical elements of the companys new security strategy are not winning over skeptics.

Although Microsofts security strategy for its .Net platform is still evolving, a key ingredient down the road could be a version of the Windows Update service that would find new patches and alert administrators when theyre available. Although unpatched systems have led to some of the biggest security problems to hit the Internet this year, Microsoft officials say the service will not utilize "push" technology, but will instead rely on administrators to test and install the patches.

"There is no way we would adopt a push technology for updates," said Paul Schmehl, supervisor of support services at the University of Texas at Dallas, which is a major Microsoft customer. "No admin worth their salt is ever going to roll out changes to a production environment without first testing them to see what impact they would have."

"The answer [as to whether we would use the patch service] is most probably no," said a security specialist at a large East Coast financial services company. "Basically it would be automatically connecting through our firewall, which is a major security breach. It would have to have a listening port open."

While Microsoft officials understand such concerns, the company has been battered over the past year or so by security problems in its software, including several holes in its IIS (Internet Information Services) Web server, which enabled the Code Red and Nimda worms to spread rapidly.

At the time of those attacks, however, patches for the IIS holes had been available for several months, a fact that frustrated and angered Microsoft security staffers who bore the brunt of the blame for the worms.

As a result, the software maker is trying everything it can to get patches into administrators hands as quickly as possible, officials said.

"A lot of the problems [such as Code Red and Nimda] were situations where the patch was available, and were trying to work with administrators," said Mike Kass, product manager for the .Net Framework.

That attitude has not won Microsoft many fans in the security world.

"[That statement] would have to include Microsoft admins, since theyve been bitten by the same bugs that everyone else has," UTDs Schmehl said. "The vast majority of admins are conscientious and are working hard to stay current on patches."

Under the hood of .Net, Microsoft has included several other security components. One element is the so-called code access security, an enforcement engine that prevents assembly code from exceeding its granted permissions.

.Net also relies heavily on role-based security methods, including Passport authentication, Windows authentication, and file and URL authorization.

Microsoft can ill afford to miss the mark with its security plan for .Net. Company officials have made it clear that Web services are the future of the software industry, and CEO Steve Ballmer and Chairman Bill Gates have said .Net is a "bet-the-company" move.

"[Microsoft] has gotten so much bad publicity from worms and viruses that theyve decided to go the other direction completely," said one systems administrator who requested anonymity. "Theyre going to be criticized for whatever they do, but I dont think what theyre doing will be enough."

To help minimize security vulnerabilities in .Net, Microsoft over the past year has submitted the .Net code to an intensive security review by Foundstone Inc., a company based in Irvine, Calif., that is known for penetration and application testing.

Foundstones staff did have some success compromising .Net as well as some of the reference applications they tested, but the company gave Microsoft high marks for the overall security of the code.

The few areas where Foundstone found potential problems with .Nets security involve the platforms interaction with outside applications. For example, the company warns developers to avoid "unmanaged code," or code that runs outside of .Net Common Language Runtime, because it operates outside of the platforms security framework.

Despite Microsofts assurances that it has made security an integral part of the .Net development process, some potential users say it is clear from the companys actions that that is not the case. "Rather than make security a design point at the beginning, Microsoft is trying to add it in as an afterthought," said David Moskowitz, CTO of Productivity Solutions Inc. in Bala Cynwyd, Pa. "That is somewhat like trying to retrofit cars made in 1987 with airbags--possible to do, but they will not function with anything near the reliability of cars that come with airbags. From the outside looking in, evidence that Microsoft started with this fundamental approach [of integrated security] is lacking."