It's a Dread to Patch Code Red

Protecting Microsoft's IIS server from Code Red requires a simple patch for a hole. But with 42 security bulletins already issued this year, even experts are having a tough time keeping their Microsoft software up to date. By Jeffrey Benner.

Microsoft's Web server program is starting to look like a pair of jeans on a Deadhead -- all holes and patches.

Security experts -- run ragged by the Code Red worm -- have had a hard time keeping up with all the patches. In a post last Friday to a popular security mailing list for Windows NT, security expert and list editor Russ Cooper complained that he found inconsistent information about security threats on different Microsoft websites and had trouble figuring out exactly what he needed to do to secure a server running Windows NT 4.0 from the dreaded Code Red.

"It's no wonder there's so many insecure machines and so many people that can't keep up," said Cooper, an analyst with TrueSecure, in the message post. "What's a person to do when there's so many differing suggestions being made by Microsoft and none of them are complete?"

There are many different places to find security patches on Microsoft's website. The problem is, there may be too many.

The general Download Center and the Windows Update pages both provide access to patches. These are the two sites that the Code Red security bulletin recommends for information about other patches.

But Steve Lipner, the manager at Microsoft's security response center, doesn't recommend these sites. He says the single best place to find out about patches and threats is the security bulletin search page.

Another site, for Windows NT 4.0 users, offers a Security Rollup Package. An SRP has all the patches needed for NT 4.0 wrapped up into one nifty download -- including the Code Red patch -- except for the two most recent ones. To get those, you have to find the latest update to the SRP, posted July 26. But none of this will do much good without Service Pack 6a.

Confused yet? So was Cooper. Rather than taking any chances, he went to every site and downloaded the bulletin lists, then read each bulletin -- 78 in all -- just to be sure he had them all. He eliminated the ones that were redundant or outdated (some patches negate earlier patches).
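The triage Cooper describes (collect every bulletin, then drop the ones that are redundant or that a later patch negates) is essentially a supersedence calculation, and it is the kind of thing a practitioner wants scripted rather than done by hand over 78 bulletins. The following Python model is an added example, not code from the article or from Microsoft: the bulletin ids (`SP6a`, `SRP-1`, `HF-01` and so on), the `supersedes` and `requires` relations and the installed set are all constructed placeholders that mirror the article's description of a service pack, a rollup that bundles earlier hotfixes, and two newer hotfixes the rollup does not contain.

```python
from dataclasses import dataclass

# Constructed model of a security bulletin catalog (not Microsoft's data).
@dataclass(frozen=True)
class Bulletin:
    id: str
    supersedes: frozenset = frozenset()   # earlier bulletins this one replaces
    requires: frozenset = frozenset()     # prerequisites, e.g. a service pack


def superseded_ids(bulletins):
    """Return every bulletin id made redundant by a later bulletin, transitively.

    If B supersedes A and C supersedes B, then both A and B are obsolete
    once C exists: installing them adds nothing the newer package lacks.
    """
    by_id = {b.id: b for b in bulletins}
    obsolete = set()

    def walk(bid):
        for old in by_id[bid].supersedes:
            if old not in obsolete:
                obsolete.add(old)
                if old in by_id:          # tolerate references to ids not in the catalog
                    walk(old)

    for bid in by_id:
        walk(bid)
    return obsolete


def resolve_needed(bulletins, installed):
    """Ordered list of bulletin ids still to apply on a host.

    Superseded bulletins are skipped entirely; prerequisites (such as a
    service pack) are emitted before the packages that need them; anything
    already installed is left out. Assumes every id referenced in
    'requires' is present in the catalog.
    """
    by_id = {b.id: b for b in bulletins}
    obsolete = superseded_ids(bulletins)
    current = [bid for bid in by_id if bid not in obsolete]

    order, visiting = [], set()

    def visit(bid):
        if bid in installed or bid in order:
            return
        if bid in visiting:
            raise ValueError(f"cyclic prerequisite at {bid}")
        visiting.add(bid)
        for req in sorted(by_id[bid].requires):
            visit(req)
        visiting.discard(bid)
        order.append(bid)

    for bid in sorted(current):
        visit(bid)
    return order


# Constructed catalog: a service pack, three old hotfixes, a re-release of
# one of them, a rollup that bundles all of those, and two hotfixes newer
# than the rollup.
CATALOG = [
    Bulletin("SP6a"),
    Bulletin("HF-01"),
    Bulletin("HF-02"),
    Bulletin("HF-02b", supersedes=frozenset({"HF-02"})),
    Bulletin("HF-03"),
    Bulletin("SRP-1", supersedes=frozenset({"HF-01", "HF-02b", "HF-03"}),
             requires=frozenset({"SP6a"})),
    Bulletin("HF-04", requires=frozenset({"SRP-1"})),
    Bulletin("HF-05", requires=frozenset({"SRP-1"})),
]

if __name__ == "__main__":
    # A host with only the service pack installed still needs the rollup
    # and the two post-rollup hotfixes, in that order.
    print(resolve_needed(CATALOG, installed={"SP6a"}))
```

Run on the constructed catalog, a host that already has `SP6a` gets `['SRP-1', 'HF-04', 'HF-05']`; a bare host gets `SP6a` first, which is the "none of this will do much good without Service Pack 6a" dependency the article describes. Having `HF-01` installed changes nothing, because the rollup supersedes it, and the four bundled hotfixes never appear in the output at all. The same structure applies to any vendor's advisories once the supersedes and requires relations are recorded per bulletin.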

Cooper made securing his server a lot more complicated than was necessary, wrote a Microsoft security center employee in a response to Cooper's post on the NTBugTraq mailing list. While it's true Cooper may have gone a little overboard for dramatic effect, the MS employee's response seemed to reinforce Cooper's point more than refute it.

"I don't think things are nearly as bad as you are making them out to be," the employee wrote. "Following the instructions, it boils down to installing the latest software for three packages, installing the SRP, following six workarounds and applying three patches."

Microsoft's Internet Information Services Web server and Windows 2000 server operating systems are designed for less sophisticated users. They come loaded with features designed to work "out of the box," requiring little setup or technical background to activate.

Customers may love that, but experts say the convenience comes with a hidden cost: weaker security. Ric Steinberger, a security analyst with Atomic Tangerine, said the extra features and services give hackers more places to look for vulnerabilities.

"There's everything in there but the kitchen sink," Steinberger said, "and it's pretty much all enabled by default. The more that's running and accessible, the more that can go wrong."

A lot already has gone wrong. Code Red slipped into IIS systems through the index server feature. An index server recognizes common search requests. It's a powerful gadget but not something most customers really use or need, according to Steinberger.

"It's a perfect example of bundling something in there that's only going to be needed by a few people," Steinberger said.

Last May, Microsoft put out a patch needed to plug a serious security hole in the portion of the Web server that handles print commands. Not many people use their Web server to print stuff out. In fact, many may not even realize they can do so with Windows 2000 IIS.

Crackers, however, could have found the feature handy. Luckily, no major viruses exploited the hole before it was discovered.

The steady stream of patches needed to keep networked systems running MS software secure -- and the fear of what will happen if a hole isn't closed -- have turned some customers away from IIS.

John Stotler, the systems manager at an e-learning company called Quelsys, has some servers running on IIS but he won't use them for functions that website customers rely on.

"We're an ASP, so our entire business is our website," Stotler said. "Trusting a business to IIS is a scary proposition. My company wouldn't do it, and we were an all-MS shop when I came on here."

Now, Quelsys uses an Apache server running on Linux for its website. Stotler said he hasn't needed a patch for two years and hasn't had any security problems. The servers he has running Microsoft software are used only to let employees check their e-mail from home.

Although Cooper was critical of how Microsoft organized its bulletins, he didn't think their products were necessarily less secure.

"The IIS product is securable," Cooper said. "If it's installed correctly and managed reasonably, I don't see it as any more vulnerable than other products."

Lipner, the MS security manager, said there is an easy way to secure IIS, using something called the hotfix checking tool. This little program automatically checks to make sure all the latest patches are installed.

The tool wouldn't have helped Cooper, though. It only works on machines running Windows 2000, not NT 4.0. Also, it doesn't check the operating system itself, just IIS -- which is a separate program. Microsoft is working on a similar tool for checking Windows 2000 itself, Cooper said.