Windows

Who's responsible for building a secure network?

Does security start with the corporate IT staff or with the hardware and software manufacturers? The answer lies somewhere in the middle. This Landgrave's View explores the reason each group should play a part in creating a secure network.

By Tim Landgrave

I was working on-site at a Fortune 500 company recently when I asked one of the senior managers if he could help me get outside Internet access to download a document I needed from a server in my office. He informed me that the company’s security policy didn’t allow visitors to use its network. To get network access, even basic Internet access, I would have to apply for a network ID, sign a security policy document, and have a corporate sponsor. This process would take five to 10 business days; then, I’d be able to access the same Internet sites to which their own employees have access. This would include only sites that don't use cookies and that don’t have any offensive words (which are automatically blocked by the company's filtering software). And, they didn’t allow the use of any Instant Messaging clients because these pose a huge security (and productivity) threat to the corporation.

When I discussed this experience with some of my other corporate contacts, they assured me that this was not the exception, but the norm. In fact, most corporations are looking for ways to create and maintain secure networks without increasing the burden on their already-overtaxed network support and installation teams. A big part of that equation is installing and maintaining secure Windows desktops. Now more than ever, securing Windows desktops is becoming a joint venture among hardware vendors, software developers, and corporations.

Hardware vendors
For hardware vendors, one of the most important measures of profitability is the time it takes to build a base hard disk installation for the models they sell. Any change to this configuration (especially if it requires more disk space) takes money from the bottom line because it requires additional and costly engineering changes. This is why most hardware vendors ship their machines with the original versions of system and application software. The time it would take to update the image with the latest service packs and software updates would eat into their already slim margins.

The net effect of this phenomenon is that corporations end up either reinstalling software on the machines they receive or adding their own suite of security updates before deploying them. It adds time and effort to an already time-consuming deployment process.

But some hardware vendors have recognized that they may be able to charge more for PCs that have already been “hardened” with the latest security releases. For example, at a recent technical workshop hosted by the Federal Trade Commission, Dell announced that it would begin allowing customers to order PCs with a hardened Windows 2000 configuration. This configuration was recommended by the Center for Internet Security, a nonprofit association of public- and private-sector technology users based in Pennsylvania. Given that most attacks on workstations succeed because the machines are improperly configured or lack the latest updates, this goes a long way toward making the default configuration much more secure.

Moreover, last fall the National Security Agency released a study showing that 95.5 percent of the known vulnerabilities in Windows 2000 Professional edition could be eliminated by using the CIS recommended security settings. By responding to the corporate need for more secure configurations by default, Dell and other hardware vendors hope to use security services like these to generate additional service revenues and minimize the time between machine delivery and deployment for corporations.

Software manufacturers
The need for more secure default configurations is not lost on Microsoft. This is one of the key goals of the software giant’s Trustworthy Computing initiative. For example, the recently released Windows Server 2003 product comes with more secure default settings and fewer services installed by default. You must specifically install IIS 6.0 and then turn on the application server features to take advantage of them. Future products will have similar security measures. But for current products, Microsoft is relying on a combination of education and automatic updating. Microsoft’s TechNet site includes guides for hardening client operating systems such as Windows 2000 and Windows XP, as well as servers based on Windows 2000. Microsoft.com has a wealth of guidance and tools that allow network administrators to lock down the desktop and other key services such as Internet Information Services 5.0 on servers.

To facilitate automatic updating, Microsoft provides Windows Update for end users and small businesses and the corporate version of Windows Update called Software Update Services (SUS). SUS allows corporate administrators to download and test the patches, service packs, drivers, and other software updates from the Microsoft Windows Update site. When fully tested, the updates can be deployed from internal servers rather than requiring the internal machines to be connected to the Internet to receive the updates from the Windows Update site.

This facility works well for updating the base operating systems—as long as you’ve standardized on Windows 2000 or Windows XP. But it doesn’t include any client-side patches for products, such as Microsoft Office, or for any of the client access code for any of Microsoft’s key servers, such as SQL Server or Exchange. At Microsoft’s recent Tech Ed Show, a senior executive admitted that Microsoft now has 18 tools for updating its applications but is also committed to reducing that to two by the end of the year.

Corporations
Ultimately, the responsibility for selecting more secure hardware configurations or learning and applying Microsoft guidance and tools still rests on the shoulders of the corporate IT staff. But with the information available, there’s no reason companies can’t create secure networks and maintain them. The bottom line for most corporations is whether the cost to maintain the security is greater than the cost to cure a breach. With Microsoft and its hardware OEMs focused on reducing those security maintenance costs, companies will be able to provide more secure networks for a much lower cost.

Editor's Picks