The Code Red and Nimda virus attacks last year marked a turning point in Microsoft's product strategy. The company claimed it would no longer prioritise features over security.
There are a number of radical changes in Internet Information Server 6.0, the new release of the Microsoft Web server that shipped with Windows .Net.
First, it does not install by default, which means administrators install IIS only when they wish to run a Web server.
Second, under Windows .Net, the IIS server runs as a network service, which lowers the level of system privilege it holds. According to Microsoft, if the server is compromised, this lower privilege level reduces the chance of an attacker gaining access to the company's networks.
Microsoft has admitted this tighter focus on security may break some applications that assume IIS is either installed by default on a server system or runs at a higher level of system privilege.
Ovum analyst Graham Titterington said enabling high security by default was an important step in securing enterprise systems.
"Most security issues can be resolved by simplifying system admin workloads," he added. Thus, if security is switched on by default, administrators have one less thing to think about when they install the software.
"It's particularly important in smaller businesses," Titterington explained, "as many of these companies are not in a position to tweak the out-of-box settings within a product like IIS to make it secure."
Microsoft also admitted it made some mistakes in previous versions of IIS which, it said, have now been corrected. Among these is the Help system, which, in IIS 4.0, was written using Microsoft's ISAPI, the programming interface for the IIS web server. If the Help system had a bug, an attacker could gain access to the whole system. However, in IIS 6.0, users are unable to run applications or the help system from the IIS directory.
In a bid to reduce the chance of buffer overflow errors appearing in IIS, Microsoft said it had created a single "string handling routine" which would be used throughout the product. This function is used by the software within IIS to input data typed in by a user. The data is stored in a buffer.
A common exploit involves sending a mass of data to the application, which overloads the buffer. If the data sent is a program, the attacker can gain access to the machine.
By using a single string-handling function, Microsoft said it would be possible to correct any buffer overflow bugs far more quickly. Any fixes would apply to every use of the string handling function in IIS.
Another tactic the company has used is to reduce the size of the buffer that stores the data input by the user. In previous versions of IIS this was 128 KB; it is now down to 16 KB. The smaller size makes it more difficult to craft a buffer overflow hacking program, according to Microsoft engineers.
The third piece of armour in Microsoft's war against buffer overflow attacks is the dynamic buffer overflow checking feature in the company's Visual C development tool, which puts a marker in the computer's memory and checks whether it has been overwritten. If it has, it is likely a buffer overflow has occurred.
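The single string handling routine and the memory marker described above can be seen side by side in a small simulation. This is an added example, not code from Microsoft or IIS; the buffer size, the marker value and the names frame_init, unchecked_copy, safe_copy and marker_intact are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16           /* constructed size, not an IIS value */
#define MARKER  0xC0DEFACEu  /* constructed marker value */

/* Simulated frame: BUF_LEN bytes of buffer, then the marker right after it. */
struct frame { unsigned char mem[BUF_LEN + sizeof(uint32_t)]; };

static void frame_init(struct frame *f) {
    uint32_t m = MARKER;
    memset(f->mem, 0, BUF_LEN);
    memcpy(f->mem + BUF_LEN, &m, sizeof m);
}

/* Returns 1 if the marker is unchanged, 0 if a write ran past the buffer. */
static int marker_intact(const struct frame *f) {
    uint32_t m;
    memcpy(&m, f->mem + BUF_LEN, sizeof m);
    return m == MARKER;
}

/* Legacy-style copy that trusts the caller's length. The clamp to the
   simulated frame only keeps this demonstration's behaviour defined. */
static void unchecked_copy(struct frame *f, const char *src, size_t n) {
    if (n > sizeof f->mem) n = sizeof f->mem;
    memcpy(f->mem, src, n);
}

/* The one shared routine: refuse input that does not fit with its NUL. */
static int safe_copy(struct frame *f, const char *src, size_t n) {
    if (n >= BUF_LEN) return -1;
    memcpy(f->mem, src, n);
    f->mem[n] = '\0';
    return 0;
}

int main(void) {
    const char long_input[] = "AAAAAAAAAAAAAAAAAAAA"; /* 20 bytes, constructed */
    struct frame f;

    frame_init(&f);
    unchecked_copy(&f, long_input, 20);
    printf("unchecked: marker %s\n", marker_intact(&f) ? "intact" : "overwritten");

    frame_init(&f);
    int rc = safe_copy(&f, long_input, 20);
    printf("safe_copy: rc=%d, marker %s\n", rc, marker_intact(&f) ? "intact" : "overwritten");
    return 0;
}
```

The marker only reports an overflow after the write has happened, whereas the shared bounded routine prevents it, and a fix to that one routine reaches every caller.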
But users should not get overexcited about this tighter level of security. Andrew Cushing, IIS group manager at Microsoft, said the marker technique was unable to identify the risk that led to the Code Red exploit, one of the biggest viruses last year.
Nor, he added, would it entirely eradicate the buffer overflow problems Microsoft has suffered. "We have worked to reduce buffer overflows," he said.
The real breakthrough is promised as and when Microsoft ships Palladium, a secure PC environment based on hardware encryption and digital certificate technology. According to a Gartner paper, the Palladium environment "could be secure against almost all software attacks".