We're nearing the end of another year and it's time to think of where we've gone and where we're going in the next 12 months. I'm sure there's a boardroom somewhere in Redmond where a conversation about Windows flaws is currently happening. What are the biggest flaws to fix? Where might we go from here? Here's my take on the three most-needed fixes for Windows.
1. A complete overhaul of Internet Explorer
Internet Explorer is the Achilles' heel of Windows clients, and it's unfortunate that the browser is the de-facto standard for Web surfing in so many business environments. While Windows XP Service Pack 2 has done a lot to close some of the glaring holes in the latest version of IE, Microsoft has publicly stated many times that it is unable or unwilling to port that set of fixes to previous versions of Windows, including Windows 2000 -- a business client OS that is still seeing significant use in enterprises around the world. This is a disturbing trend: disappointing on one hand, but on the other, more reasonable, hand understandable.
What can you do to mitigate this risk? A few things spring to mind. Of course, you can mass-upgrade your clients to Windows XP. (Remember that when buying new systems you can specify an XP license under a Microsoft volume licensing agreement, and with it you get down-level rights to run Windows 2000 as long as you need it. So the cost of the upgrade licenses has already been borne.) Also, investigate deploying Mozilla's browser suite or the minimalist Firefox, as both are more secure browsers.
2. The reduction or elimination of RPC dependency
RPC is a relic of days gone by: It is a protocol meant to be used on a network where all participating hosts are trusted. How many decades has it been since that was the case? RPC essentially has no means to protect itself from even the simplest protocol-based transmission attacks, and the hosts on either end of an RPC transaction are often not hardened enough to withstand penetration. Of course, efforts have been made in the latest releases of Exchange and ISA Server to provide a more secure means to "enclose" RPC within other protocols. While deploying Exchange 2003 and ISA Server 2004 are good ways to decrease the risk of RPC on the Internet, such systems are simply treating the symptoms and not the problem. We need to throw RPC out -- it's simply not suitable. It's a Beta tape in a world of DVDs. Find another way to transmit packets from machine to machine.
3. More secure password hash generation
LAN Manager hashes, or LM hashes for short, are perhaps the single greatest weakness of the Windows password system itself. To make a long story short, any password of 14 characters or fewer is by default stored using a hashing algorithm that has been broken and is thus simple to penetrate. This vulnerability, although reduced, is still present in Windows Server 2003 -- supposedly the secure operating system. This was a mistake on Microsoft's part, and while one can't expect the LAN Manager product itself to have anticipated computing power enhancements 15 to 20 years down the line, the company, with all its great minds and powerful thinkers, should have come up with a better default by now.
The quickest ways to mitigate this risk are to either disable these hashes using Group Policy or mandate passwords of 15 characters or longer. Obviously the latter choice has many benefits.
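As an added example (not part of the original column), here is a PowerShell audit script that checks the two mitigations just described on a local machine and, with -Fix, applies them. It assumes an elevated session on Windows XP/Server 2003 or later, where the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change" is backed by the NoLMHash DWORD under the Lsa registry key.

```powershell
# Added example, not from the original article. Audits (and optionally fixes)
# the two LM-hash mitigations: NoLMHash and a 15+ character minimum length.
param([switch]$Fix)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. LM hash storage. On XP / Server 2003 the GPO setting writes NoLMHash = 1
#    as a DWORD value under Lsa (on Windows 2000 SP2+ it is a subkey named
#    NoLMHash instead, which this script does not create).
$noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
if ($noLm -eq 1) {
    Write-Output 'OK   NoLMHash = 1: LM hashes will not be stored on the next password change.'
} elseif ($Fix) {
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Write-Output 'FIX  NoLMHash set to 1.'
} else {
    Write-Output 'WEAK NoLMHash not set: passwords of 14 chars or fewer still get an LM hash.'
}

# 2. Minimum password length. "net accounts" prints the effective local policy;
#    on a domain member the domain policy overrides whatever is set here.
$line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
$minLen = 0
if ($line) { $minLen = [int]($line -replace '[^\d]', '') }
if ($minLen -ge 15) {
    Write-Output "OK   Minimum password length is $minLen (no LM hash is generated for 15+ chars)."
} elseif ($Fix) {
    net accounts /minpwlen:15 | Out-Null
    Write-Output 'FIX  Minimum password length raised to 15.'
} else {
    Write-Output "WEAK Minimum password length is $minLen; raise it to 15 or more."
}

# Caveat: neither setting removes LM hashes that already exist in the SAM or
# Active Directory. Each user's LM hash disappears only at their next password
# change, so pair these settings with a forced password reset.
```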
What do you think are the most significant, inherent flaws in Windows? What are the best workarounds you've found? Sound Off and you will be eligible to win a free copy of Jonathan Hassell's book Hardening Windows.
About the author
Jonathan Hassell is author of Hardening Windows, published by Apress. He is a systems administrator and IT consultant residing in Raleigh, NC, with extensive experience in networking technologies and Internet connectivity. He currently runs his own Web-hosting business, Enable Hosting, based out of both Raleigh and Charlotte, NC. Jonathan's previous published work includes RADIUS, published by O'Reilly and Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. You can e-mail Jonathan at firstname.lastname@example.org.