Introduction


Overview

A lot of people believe that Microsoft Windows security sucks and that Microsoft is by far the worst of all software vendors! Many of them back this up with anecdotal evidence from the late 1990s. Most of them have simply refused to believe that the company could actually have changed.

The truth is that the state of almost all software security is very poor. In comparison with most software development organizations, Microsoft is actually doing a pretty good job. In the first 90 days after its release, there were five announced vulnerabilities in Windows Vista, whereof one had been fixed. (These figures are from Jeff Jones, a director at Microsoft, who, in spite of his employment, tends to be quite objective. Read his entire report at http://www.blogs.csoonline.com/windows_vista_90_day_vulnerability_report.) Five vulnerabilities in 90 days may not sound so good, but compare that to Windows XP. Windows XP had 18 announced vulnerabilities and 14 fixes in the first 90 days. Clearly, Windows Vista is an improvement. How about other vendors though? Well, there were 11 patches for 36 vulnerabilities in Red Hat Enterprise Linux 5 on the day it shipped. As of the time of this writing, it had not been out for 90 days yet so it is hard to say whether that trend is better than Red Hat Enterprise Linux 4, which had 181 fixes and an additional 85 unpatched vulnerabilities in the first 90 days. Apple fared far better, as it is quick to point out. In the first 90 days of Mac OS X 10.4 there were 20 vulnerabilities fixed and an additional 17 without a fix. Imagine that, on a pure vulnerability count, Windows Vista is actually the best of the bunch and even Windows XP beat Mac OS X.

However, vulnerability counts are clearly not the best measure of security. The easiest way to decrease vulnerability counts is to remove functionality. One of our favorite operating systems is OpenBSD. It has had extremely few vulnerabilities, but it doesn't have nearly the amount of functionality that Windows has. By design, OpenBSD provides a very small percentage of the services that Windows provides. OpenBSD is a great operating system for technical computer users who value security over functionality to an intractable degree, but it is too hard to install and configure for the average computer user. The harder security challenge is to appropriately secure a widely functional system while not making it incredibly difficult to use. In spite of what the competition may claim, Windows Vista actually has a wide-ranging set of security features, and if you understand how to use them, they work extremely well. In Windows Vista, security is by and large enabled by default, making it all that much more important to read this book to learn how to use it.

The truth is that any OS, Windows or not, can be secure or insecure. Follow the vendor's instructions, keep it patched, don't click on things you shouldn't, and you will be fairly well protected. But if I can get you to click on my untrusted executable, it's always game over no matter what OS you are using.

Microsoft, as a for-profit company, has aimed to make a sufficiently secure operating system that even your average grandmother can install and use, and that provides a great platform for third-party software. And regarding that objective, the authors feel it does a pretty good job. Being secure doesn't take rocket science, or even an anti-malware product, IDS, or host-based firewall. The basics of computer security, which apply to any OS, including Windows Vista, are these:

  • Keep the OS and all applications fully patched.

  • Don't be logged in with elevated privileges when not needed.

  • Use long passwords (eight characters or longer).

  • Don't click on file attachments or links that you should not click on, and don't visit Web sites you shouldn't.

  • Remove unnecessary software and services, and don't install untrusted software.

  • Implement the appropriate permissions and privileges.

  • Practice risk analysis.

  • Have a healthy sense of paranoia and question the legitimacy of things you are presented with.

Yes, there are dozens of other good security tips, but these eight are the most important. If you and your company follow these eight simple security rules, you will be better protected than 99 percent of the companies out there.

Perplexingly, instead of clients asking us how to implement these simple principles, the authors are often asked to help set up complex security systems (such as PKI, identity management systems, security automation, and so on), while the clients requesting the help don't do the basics properly. It's like asking for a castle surrounded by a moat, and then putting a motion sensor on the outside of the drawbridge, storing the crown jewels in the courtyard, and keeping the gate open on purpose.

People don't want to do the basics. It is too difficult to learn about how things work. People want the big blue "secure me now" button. Unfortunately, that button does not exist. Trust us: if it did, Microsoft would already be selling it! In the quest for the big blue button, people spend money on antivirus software, firewalls, IDSs, and lots of other security technologies and then wonder why they keep on failing, why none of them protect against attacks that fundamentally target humans, not computers. It's befuddling to have known and recommended the real solutions for over two decades, only to have people ignore the basics. In reality, what is needed is a good understanding of how the technology works and a critical mind to apply to the question of how, or whether, to use it.

That is why the authors decided to write this book: to impart as much of this information as possible to you. Windows Vista will be hacked, just like all its competition. Windows Vista will be more secure than previous versions of Windows, but it will still be subject to myriad user attacks, probably a few browser vulnerabilities, and more than a few other attacks scattered throughout. But, if you understand how Windows Vista works and how to use it, it will be better than any comparable OS that has come before it because it was designed to meet threats that will occur in the next two to five years, not those that were relevant in 1999. And, in spite of the fact that it often feels like Microsoft treats security as a marketing issue, at least it does not demonstrate a fundamental lack of awareness of the problem by claiming that security is only a problem for someone else (http://www.news.com.com/2061-11199_3-6127343.html). Whatever you want to say, a lot of people at Microsoft take security very seriously, and the fruits of their labors are described in this book.

Readers can read this book to learn about the new security features in Windows Vista (we cover more than 1,000 changes), plus learn more about the basics and how to implement them, and read the collective security advice from two of the world's most knowledgeable Windows security experts. After reading this book, readers will have the knowledge and practical tools to secure any environment including Windows Vista.



Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
