The New Microsoft STPP: Is It Enough?

You've no doubt heard the news by now: Microsoft launched the Strategic Technology Protection Program (STPP) to help companies get secure and stay secure. STPP consists of five offerings in consulting services and software that companies can use to change how they handle network security. The software helps lock down systems and services and helps automate patch installation. The consulting services help users deal with design, planning, and serious security threats, such as the Nimda worm, which affects multiple products. You can learn more about STPP by reading the related news item on our Security Administrator Web site.

STPP is a good step forward for Microsoft and its customers, but is it enough? The STPP announcement comes after Gartner Group issued its stern statements 2 weeks ago. Gartner recommends that users who've been affected by security intrusions due to Microsoft IIS bugs should consider migrating to another Web server platform, such as iPlanet or Apache. You can read about Gartner's comments in Paul Thurrott's related news story on our Web site.

Gartner's comments stem from the number of exploitable vulnerabilities in the IIS source code. For example, as of October 9, 2001, the Microsoft security Web site lists 22 bulletins about Internet Information Services (IIS) 5.0 security vulnerabilities and 36 bulletins about Internet Information Server (IIS) 4.0 security vulnerabilities. STPP will help Microsoft guard against security vulnerabilities, but the fact that users need so many patches clearly indicates a deeper problem: faulty coding practices.

Granted, Microsoft released URLScan, which is a fantastic way to prevent unknown bugs from becoming exploitable security risks, but even so, many people view URLScan as just another patch. As you'll learn by reading our news story about STPP, Microsoft designed new analysis tools to use when developing Windows XP code—tools that help find bugs that can become security risks. Microsoft is also using those tools to analyze Windows 2000 patches and service pack code. So we can expect IIS 5.0 to become more secure as Microsoft releases new service packs, and IIS 6.0 should be more secure than its predecessors. URLScan will be built into IIS 6.0.

Before you take Gartner's advice, you might give Microsoft a chance to show how its new code analysis provides increased security in IIS 6.0. Of course, to use IIS 6.0, you must move to XP, in which case you might be interested to learn that Microsoft has again postponed its controversial new licensing program. Read about it in Paul Thurrott's new story on our WinInformant Web site.

I asked Scott Culp, manager of Microsoft's Security Response Center, if IIS 6.0 is stronger code than its predecessors. As you know, IIS 5.1 ships with XP, and Culp said Microsoft believes that the quality of the code in IIS 5.1 is in fact better than what is in IIS 5.0.

"IIS 5.1 was built using the processes and tools that were developed as part of the Secure Windows Initiative [SWI], and we're seeing dramatic improvements in products built under SWI, across the board. Fewer coding errors means fewer vulnerabilities, which should mean better security. But as you know, security is about more than just code quality," Culp said. "That's where IIS 6.0 (which will be part of Windows .Net Server) comes in. The primary difference between IIS 5.1 and IIS 5.0 is the code quality—most other aspects of the product are the same or only changed in minor ways. In contrast, IIS 6.0 contains code quality improvements, but also includes significant architectural changes as well. For instance, IIS 6.0 won't install by default. When you do install it, the setup wizard will interview you to find out what you're planning to do with the server, and only enable the services you'll need. The net is that IIS 5.1 should be more secure than its predecessors because of the code quality improvements. But IIS 6.0 will encompass code changes, architectural improvements, and new features. As a result, the security improvements there should be much more dramatic."

Nevertheless, if you're considering a move away from IIS, you'll be interested to know that Sun Microsystems lowered the cost of iPlanet to woo IIS customers. Formerly, iPlanet cost $1495 per CPU; however, Sun now offers the platform for $940 per CPU to any customer who moves from a competing platform. See the news story on our Security Administrator Web site.

According to Netcraft's September Web survey results, 49.6 percent of all Web systems polled run a Microsoft OS and probably IIS. Results also show that many of those systems exhibit known security risks. As of September 1, 8.5 percent of the systems Netcraft surveyed still have the root.exe program, which is a backdoor associated with the Code Red worm, installed; 37.14 percent still have the IIS-related WebDAV functionality overly exposed; and 17.14 percent have their administration Web pages open to the public and are vulnerable to known URL-encoding exploits and known bugs in IIS-related sample pages and scripts. Overall, one out of every five IIS servers is vulnerable to attack. You can read Netcraft's survey results on its Web site.

Speaking of surveys, be sure to stop by our Security Administrator home page to take our new poll concerning Gartner's comments. Are you planning to switch Web server platforms? We're interested to know how Gartner's comments might affect your decisions.

Last week, I mentioned the Eraser tool, which helps users prevent unauthorized recovery of deleted files. Norman Samuelson wrote to remind me that to keep data safe, users should be aware that some disk-defragmentation software can inadvertently expose some or all of your sensitive data. This scenario might occur when you move sensitive files during a defragmentation process and the software doesn't wipe the data sufficiently clean from the disk's formerly occupied sectors. It's a good idea either to mark your sensitive data files as unmovable within your defragmentation software or to configure the defragmentation software to wipe disk data after moving files, if your software offers such functionality. Otherwise, use a disk-wiping tool that wipes all unused disk sectors after you've completed the defragmentation process. Eraser can do that on demand or based on your defined schedule.
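The defragmentation exposure described above can be seen on a small in-memory model of a disk. This is an added example, not code from the original column or from Eraser or any defragmenter; the `ToyDisk` class, its methods, the file name, and the sample data are all hypothetical and constructed for illustration.

```python
SECTOR = 16  # bytes per sector on this in-memory toy disk (constructed model)

class ToyDisk:
    def __init__(self, sectors):
        self.data = bytearray(sectors * SECTOR)
        self.owner = [None] * sectors  # allocation map: file name, or None if free

    def _span(self, i):
        return slice(i * SECTOR, (i + 1) * SECTOR)

    def sectors_of(self, name):
        # name=None selects the free (unallocated) sectors
        return [i for i, o in enumerate(self.owner) if o == name]

    def read_file(self, name):
        return b"".join(bytes(self.data[self._span(i)]) for i in self.sectors_of(name))

    def write_file(self, name, content, start):
        for n, off in enumerate(range(0, len(content), SECTOR)):
            self.data[self._span(start + n)] = content[off:off + SECTOR].ljust(SECTOR, b"\0")
            self.owner[start + n] = name

    def defrag_move(self, name, new_start, wipe_old=False):
        """Relocate a file; a careless defragmenter only frees the old sectors."""
        content, old = self.read_file(name), self.sectors_of(name)
        for i in old:
            self.owner[i] = None             # marked free, bytes left in place
            if wipe_old:
                self.data[self._span(i)] = bytes(SECTOR)
        self.write_file(name, content, new_start)

    def wipe_free(self):
        for i in self.sectors_of(None):      # overwrite every unallocated sector
            self.data[self._span(i)] = bytes(SECTOR)

    def free_space_contains(self, needle):
        return needle in self.read_file(None)  # raw bytes of the free sectors

def demo():
    secret = b"PIN=4921"                     # constructed sample data
    disk = ToyDisk(8)
    disk.write_file("payroll.txt", b"acct=1001;" + secret + b";", start=5)
    before = disk.free_space_contains(secret)
    disk.defrag_move("payroll.txt", new_start=0)   # move without wiping
    after_move = disk.free_space_contains(secret)
    disk.wipe_free()                               # free-space wipe afterwards
    after_wipe = disk.free_space_contains(secret)
    return before, after_move, after_wipe, secret in disk.read_file("payroll.txt")
```

`demo()` reports whether the sample secret is readable from free space before the move, after the move, and after the free-space wipe, plus whether the live file still holds it.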
