
NTBugtraq founder's top security tips

What's wrong with Windows security? How can you right those wrongs? Security expert Russ Cooper offers his insights and tips.

Looking for a single mouse click solution that ensures 100% system security? Give up the search. "I don't expect it ever to be that easy," said Russ Cooper, founder of the security newsletter NTBugtraq.

Rather than looking for a magic pill, Cooper advises IT managers to spend a few minutes doing basic security-boosting tasks, such as removing script mappings. These tasks are too often overlooked, but they can save hours of downtime, he said. In this article, Cooper shares some easy ways to improve security and discusses current Windows security problems.

SWM: What's the key to an overall secure Windows environment?

The single button click is what everybody wants to see. They want to be able to click this button that says: "I am now secure." It's like getting in a car and saying: "I've got a seatbelt on and therefore I am safe." That's not the case. It's the same with computers. So really user awareness is the thing we need to improve on to improve security. The solution to security is through user awareness. If people would just be more aware of what they're doing when they're out on the Internet, they would be able to improve their security themselves without having to buy any software or hardware.

SWM: What's the biggest security problem Windows users are encountering today?

Default installations are the biggest problem. Many computers today are installed using whatever the manufacturer supplied as the default, and, in many cases, that's an insecure setup. We saw that with Code Red and Nimda last year. Also, an awful lot of people don't know that they have things installed as part of a default installation. We had a bunch of people with Web servers installed on computers that they didn't even know they had Web servers on. That led to a lot of problems.

SWM: What about patch management?

Patching is also a big problem. It's difficult to figure out what patches you need. It's all about getting the patches on. The other important aspect is that people don't apply patches when they're made available. If they would just take a minute or two and choose the configuration instead of just accepting the default, they could eliminate the need for a lot of the patches that are made available. Thereby, they avoid being vulnerable to things that will get patched in the future.

SWM: Is there any particular vulnerability that exists that people just aren't patching, even though they may know the patch is available?

It's probably the installation of IIS and not taking the time to configure it. I always tell customers to remove all of the script mappings. These mappings allow the Web server to handle all different kinds of Web pages. We've had vulnerabilities in all the different types that are made available by default. Ninety percent of the people I deal with don't even need them. Simply going in and deleting these mappings, which doesn't take very much effort or skill, would be the single easiest way to avoid many of the problems with Web servers.

SWM: What old Microsoft security problems are closer to getting fixed?

We've had a spate of vulnerabilities in Internet Explorer over the past 3-6 months that are concerning us greatly. That is a big problem because the only way to fix those is with patches.

The other is chunked encoding. Chunked encoding is a method of talking between a client and Web server. Right now, there are vulnerabilities related to chunked encoding in both IIS and Apache. Together, IIS and Apache represent 90% of the Web servers on the Internet potentially being vulnerable to an attack involving chunked encoding. My fear is that a worm of some sort will be created that attempts to exploit either, and, as such, has a huge target base to attack. In the past, everything's been specific to one Web server implementation to another. Here, the bad guys have an opportunity to do something that affects both.

SWM: Due to the security issues in Microsoft's IIS in the past, do you think the company has lost customers? Do you think it will be able to regain the trust of those it might have lost?

I don't think Microsoft's customers have lost trust. Microsoft is considered trustworthy now and continues to be. The idea that there are more vulnerabilities in Microsoft products than there are in some other products is false, in my opinion. Even now Apache with its latest vulnerability, it's the one that's supposed to be the rock solid, very secure Web server, and yet it can still be made vulnerable.

SWM: Do you think moving an IT infrastructure over to all open source is a viable alternative for those concerned about security with MS products?

It's viable for selected server implementations. I don't think it's viable on the desktop. There just isn't enough compatibility between it and what everybody else uses to interact with the rest of the world running Microsoft systems. It's the ease-of-use and interoperability that you don't get with the open source implementations. You have to make sure you've got all the little bits and pieces because it doesn't come all in one package.

