In a previous article, I outlined some technical vulnerabilities affecting Windows environments. These flaws have...
basically remained the same over the years, and I don't suspect that will change much anytime soon.
So given all of the visibility, tools, and simple fixes available, why are we still seeing these same old Windows server issues year after year? In a nutshell, it's a result of complex people problems. Here's how I see it.
First off, there's a general lack of standards adoption in most Windows shops. Rather than basing Windows server configurations on well-known standards, many people just set a strong password, ensure the latest patches are installed, and throw it into the mix. After all, "it's just a server inside the firewall anyway" – what's there to worry about?
There's also a general lack of delegation in terms responsibility. Windows administrators are supposedly in charge of all Windows systems, but this is often not the case in all but the smallest organizations. There's almost always someone else with his or her hands in the pie.
Developers and QA staff often do their own thing in their own environments. Ditto for physical security folks. Even other, less obvious departments like sales and training often put up and take down their own Windows servers. The result? Scenarios where someone says, "I didn't know about that server…I guess that's why it's not patched."
Overall, there's a disconnect among the various parties that should otherwise be working in a coordinated fashion. This is not only how Windows servers become vulnerable, but how compliance gaps surface and security breaches come to a head as well.
Furthermore, there's often a lack of security oversight. It's the classic fox guarding the henhouse situation:
Management: "Are our Windows server secure?"
Windows admin: "Yes, of course."
While the servers might actually be secure, you'll never know until you can demonstrate where things stand using good vulnerability scanners and ethical hacking techniques to uncover what the bad guys can exploit.
I also see the wrong people writing security policies and trying to enforce them. It's never a good idea for network administrators to be the judge, jury, and executioner. It's not effective and can create greater liabilities than it mitigates. A small, nimble security committee of the right people (legal, executive management, HR, compliance, security, and operations) needs to make those decisions.
I've noticed a general sense of disorganization among IT shops as well, with folks not knowing what's where at any given time. This can be attributed to more than just outdated system inventories and network diagrams. Many administrators simply have too much going on without the proper time management and goal setting skills to help them compensate. Goofing off on the job aside, you can see how Windows server security problems take on a life of their own.
There's also too much focus on basic compliance. Compliance - as we know it - is lame. Anyone can claim "we're compliant with whatever law or regulation," but if you have a non-technical compliance officer or auditor who works via checklist with no real insight or validation, security holes get overlooked and build up over time.
In addition, there's often a lack of follow-through and accountability for the security testing that does get done. I can't tell you how many times I've seen people spend good money on a security assessment only to let the report and recommendations sit there for years on end until someone realizes they need to perform a new assessment since so many things have changed.
Network administrators are also not getting the ongoing training they need. Attending shows like RSA, CSI, or the TechTarget seminars on a periodic and consistent basis are not only valuable, they're imperative. No matter how sharp you are, you absolutely have to step away from your day-to-day grind and learn about the latest issues and attacks. It's the only way to stay on top of information security. The common excuses of "We don't have it in the budget" and "I don't have enough time" are, well, inexcusable.
Finally, the biggest underlying issue that contributes to all of the above is the fact that business managers still have their heads in the sand when it comes to information security and what it really takes to run IT effectively. It all goes back to people not having their priorities in line. It's just like the uninsured driver cruising around without his seatbelt on. He may feel invincible but one day he finds out the hard way that he's not and several hard lessons are learned as a result of it. All you managers out there: don't be that guy.
ABOUT THE AUTHOR: Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.