Driven by a need to reduce the chance of another Code Red or Nimda,
release candidate 1 of Windows.net promises to flesh out
Microsoft's trustworthy computing strategy
The Code Red and Nimda virus attacks last year marked a turning
point in Microsoft's product strategy. The company claimed it would
no longer prioritise features over security.
There are a number of radical changes in Internet Information
Server 6.0, the new release of the Microsoft Web server that
shipped with Windows.Net.
First, it does not install by default, which means administrators
install IIS only when they wish to run a Web server.
Second, under Windows .Net, the IIS server runs as a low-privilege
network service account, which restricts what the process is allowed
to do. According to Microsoft, if the server is compromised, this
reduced privilege lowers the chance of an attacker using it to reach
the rest of the company's network.
Microsoft has admitted this tighter focus on security may break
some applications that assume IIS is either installed by default
on a server system or runs with a higher level of system
privilege.
Ovum analyst Graham Titterington said enabling high security by
default was an important step in securing enterprise systems.
"Most security issues can be resolved by simplifying system admin
workloads," he added. Thus, if security is switched on by default,
administrators have one less thing to think about when they install
the software.
"It's particularly important in smaller businesses," Titterington
explained, "as many of these companies are not in a position to
tweak the out-of-box settings within a product like IIS to make it
secure."
Microsoft also admitted it made some mistakes in previous versions
of IIS which, it said, have now been corrected. Among these is the
Help system, which in IIS 4.0 was written using ISAPI, Microsoft's
programming interface for the IIS web server. If the Help system
had a bug, an attacker could exploit it to gain access to the whole
system. In IIS 6.0, however, neither applications nor the Help
system can be run from the IIS directory.
In a bid to reduce the chance of buffer overflow errors appearing
in IIS, Microsoft said it had created a single "string handling
routine" to be used throughout the product. Every component of IIS
that reads data typed in by a user calls this one function, and the
data is stored in a buffer.
A common exploit involves sending more data to the application than
the buffer can hold, overflowing it. If the data sent is a program,
the attacker can gain access to the machine.
By using a single string-handling function, Microsoft said, any
buffer overflow bug could be corrected far more quickly: a fix to
that function would apply to every place IIS uses it.
Another tactic the company has used is to reduce the size of the
buffer that stores the data input by the user. In previous versions
of IIS this was 128 KB; it is now down to 16 KB. The smaller size
makes it more difficult to craft a buffer overflow hacking program,
according to Microsoft engineers.
The third piece of armour in Microsoft's war against buffer
overflow attacks is the dynamic buffer overflow checking feature in
the company's Visual C development tool. It places a marker in the
computer's memory and checks whether it has been overwritten; if it
has, a buffer overflow has probably occurred.
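The two defences the article describes, a single bounded string routine and a marker word that is checked for corruption, can be shown together in a few lines of C. The following is an added illustration, not Microsoft's IIS code or the compiler's own implementation: the real compiler-placed cookie sits on the stack and is verified when a function returns, whereas this demo places the marker directly after a 16-byte buffer inside a struct so that the overflow and the check stay well-defined, portable C. The buffer size, the marker value and the input of repeated 'A' bytes are all constructed for the example; the `guarded_t`, `copy_unchecked`, `copy_bounded` and `demo_*` names are assumptions of this example only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes and values for the demonstration only. The article's IIS
   input buffer is 16 KB; a 16-byte buffer makes the overflow easy to follow. */
#define BUF_LEN 16
#define CANARY  0xDEADBEEFu   /* fixed marker here; a compiler-placed cookie is randomised */

/* A guarded region: a fixed-size buffer followed immediately by a marker word.
   char[16] is 4-byte aligned, so there is no padding between the two fields. */
typedef struct {
    char     buf[BUF_LEN];
    uint32_t canary;
} guarded_t;

static void guarded_init(guarded_t *g) {
    memset(g->buf, 0, sizeof g->buf);
    g->canary = CANARY;
}

/* The marker check: 1 if the word after the buffer is untouched, 0 if it was overwritten. */
static int canary_intact(const guarded_t *g) {
    return g->canary == CANARY;
}

/* Legacy-style copy that trusts the caller's length. The write is clamped to the
   struct's own bytes so the demo stays well-defined C, but any len > BUF_LEN still
   spills into the marker, which is exactly what the checker is meant to catch. */
static void copy_unchecked(guarded_t *g, const char *src, size_t len) {
    if (len > sizeof *g)
        len = sizeof *g;
    memcpy((unsigned char *)g, src, len);
}

/* The single bounded string routine: every caller goes through this one function,
   so a fix here reaches every input path. Returns 0 on success, -1 if src is too long. */
static int copy_bounded(guarded_t *g, const char *src, size_t len) {
    if (len >= sizeof g->buf)      /* keep one byte for the terminator */
        return -1;
    memcpy(g->buf, src, len);
    g->buf[len] = '\0';
    return 0;
}

/* Feed len bytes of constructed input through the unchecked copy and report
   whether the marker survived (1) or was clobbered (0). */
int demo_unchecked(size_t len) {
    guarded_t g;
    char src[64];
    memset(src, 'A', sizeof src);          /* constructed oversized input */
    guarded_init(&g);
    copy_unchecked(&g, src, len);
    return canary_intact(&g);
}

/* Same input through the bounded routine: 1 = accepted with marker intact,
   0 = rejected with marker intact, -1 = marker damaged (must never happen). */
int demo_bounded(size_t len) {
    guarded_t g;
    char src[64];
    int rc;
    memset(src, 'A', sizeof src);          /* constructed oversized input */
    guarded_init(&g);
    rc = copy_bounded(&g, src, len);
    if (!canary_intact(&g))
        return -1;
    return rc == 0 ? 1 : 0;
}

int main(void) {
    printf("unchecked copy,  8 bytes: marker %s\n", demo_unchecked(8)  ? "intact" : "OVERWRITTEN");
    printf("unchecked copy, 20 bytes: marker %s\n", demo_unchecked(20) ? "intact" : "OVERWRITTEN");
    printf("bounded copy,   20 bytes: %s\n", demo_bounded(20) == 0 ? "rejected, marker intact" : "unexpected");
    return 0;
}
```

The marker check is deliberately a detector, not a preventer: it only reports that the buffer was overrun after the fact, which is why the article's Microsoft spokesman is quoted as saying it would not have caught the Code Red flaw. The bounded routine is the preventive half: because length checking lives in one place, a mistake in it is also fixed in one place.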
But users should not get overexcited about this tighter level of
security. Andrew Cushing, IIS group manager at Microsoft, said the
marker technique was unable to identify the risk that led to the
Code Red exploit, one of the biggest viruses last year.
Nor, he added, would it entirely eradicate the buffer overflow
problems Microsoft has suffered. "We have worked to reduce buffer
overflows," he said.
The real breakthrough is promised as and when Microsoft ships
Palladium, a secure PC environment based on hardware encryption and
digital certificate technology. According to a Gartner paper, the
Palladium environment "could be secure against almost all software
attacks".