Windows Server Security Best Practices
When it comes to Windows server security, it's all about reaction time.
"Go out and practice incident response!"
As rallying cries go, it may not be quite as catchy and inspiring as Nike's "Just do it!" but it does the job of encapsulating security consultant Dr. Anton Chuvakin's pragmatic philosophy for keeping organizations as safe as possible. Essentially, he believes that since your enterprise operating systems will never be totally secure, you'd better be good at dealing with hackers when they strike.
"I freak out when I hear people talk about being proactive. You need to focus on being quickly reactive," is his bottom line security advice.
And it's advice that resonates with Microsoft. That's because the company responsible for roughly one-third of all server operating systems (in revenue terms, at any rate) in the data center and almost 100 percent of desktop enterprise operating systems has a huge problem when it comes to security.
Windows machines can of course be hacked in an almost infinite variety of ways, but security breaches caused by malware -- viruses, Trojans, keyloggers and so on -- are a problem pretty much unique to Windows. Research carried out by German security firm G-Data found that a staggering 99.4 percent of all new malware written in the first half of 2010 was targeted at Microsoft's Windows desktop and server operating systems.
To get an idea of the scale of the problem, G-Data reckons hackers around the world release four new Windows malware samples every minute. At the current rate of production, 2010 will be the first year in history in which more than 2 million new viruses and other examples of malware appear.
Now let's be quite clear about this: G-Data sells anti-virus products for Windows machines, so it's not going to underestimate the scale of the problem. But you can't help but think that it is shooting itself in the foot somewhat. If four new pieces of malware are written every minute, how on earth can G-Data -- or Symantec, McAfee, ESET or any other anti-virus vendor -- possibly hope to get the upper hand against the authors of this evil software? Even with heuristics and any other clever ways the AV companies cook up to recognize new malware before they have a specific signature for the threat, they are never going to catch everything. If they offered signature updates four times a minute that still wouldn't be enough. (In fact research from Cyveillance found anti-virus products catch an average of just 19 percent of malware threats, and ESET, the most successful, catches only 38 percent.)
Given Microsoft has launched initiative after initiative to make its desktop and server operating systems secure with very little to show for it, what more can the company do? That's where Dr. Chuvakin comes into the equation. His philosophy, remember, is that since you can't prevent threats you must get very good at extinguishing them as quickly as you can whenever they appear.
And that is precisely what Microsoft seems to be starting to do. The company went to court and obtained an order granted "ex parte" (Latin for "from one side," for those of you not forced to endure Latin lessons as a child: an order issued without the other party being present) to take down the Waledac spam botnet by gaining control of the domains used by the botnet's herders to issue commands to infected Windows machines.
As the company says on its official blog, "The Waledac takedown is the first undertaking in a larger Microsoft-led initiative called Project MARS (Microsoft Active Response for Security), which is a joint effort between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone."
Of course making "the Internet safer for everyone" basically means "everyone who uses Windows," since only 0.6 percent of new malware is directed at Unix, Linux and other operating system users. But the important point is that Microsoft is getting realistic about the degree to which it can make Windows operating systems secure.
The truth is no Windows operating system can be made very secure -- you know it, I know it, and Microsoft knows it. Prevention may be better than cure, but prevention simply isn't an option when it comes to Windows malware. And that means Microsoft's only option is to follow the Chuvakin doctrine: Go out and practice incident response.
The quicker it gets good at it, the better for Windows shops everywhere.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.