By Tim Landgrave
When I discussed this experience with some of my other corporate contacts, they assured me that this was not the exception, but the norm. In fact, most corporations are looking for ways to create and maintain secure networks without increasing the burden on their already-overtaxed network support and installation teams. A big part of that equation is installing and maintaining secure Windows desktops. Now more than ever, securing Windows desktops is becoming a joint venture among hardware vendors, software developers, and corporations.
For hardware vendors, one of the most important measures of profitability is the time it takes to build a base hard disk installation for the models they sell. Any change to this configuration (especially if it requires more disk space) takes money from the bottom line because it requires additional and costly engineering changes. This is why most hardware vendors ship their machines with the original versions of system and application software. The time it would take to update the image with the latest service packs and software updates would eat into their already slim margins.
The net effect of this phenomenon is that corporations end up either reinstalling software on the machines they receive or adding their own suite of security updates before deploying them. It adds time and effort to an already time-consuming deployment process.
But some hardware vendors have recognized that they may be able to charge more for PCs that have already been “hardened” with the latest security releases. For example, at a recent technical workshop hosted by the Federal Trade Commission, Dell announced that it would begin allowing customers to order PCs with a hardened Windows 2000 configuration. This configuration was recommended by the Center for Internet Security, a nonprofit association of public- and private-sector technology users based in Pennsylvania. Given that most attacks on workstations succeed because the machines are improperly configured or lack the latest updates, this goes a long way toward making the default configuration much more secure.
Moreover, last fall the National Security Agency released a study showing that 95.5 percent of the known vulnerabilities in Windows 2000 Professional edition could be eliminated by using the CIS-recommended security settings. By responding to the corporate need for configurations that are more secure by default, Dell and other hardware vendors hope to use security services like these to generate additional service revenues and minimize the time between machine delivery and deployment for corporations.
The need for more secure default configurations is not lost on Microsoft. This is one of the key goals of the software giant’s Trustworthy Computing initiative. For example, the recently released Windows Server 2003 product comes with more secure default settings and fewer services installed by default. You must specifically install IIS 6.0 and then turn on the application server features to take advantage of them. Future products will have similar security measures. But for current products, Microsoft is relying on a combination of education and automatic updating. Microsoft’s TechNet site includes guides for hardening client operating systems such as Windows 2000 and Windows XP, as well as servers based on Windows 2000. Microsoft.com has a wealth of guidance and tools that allow network administrators to lock down the desktop and other key services such as Internet Information Services 5.0 on servers.
To facilitate automatic updating, Microsoft provides Windows Update for end users and small businesses, and a corporate version of Windows Update called Software Update Services (SUS). SUS allows corporate administrators to download and test the patches, service packs, drivers, and other software updates from the Microsoft Windows Update site. Once fully tested, the updates can be deployed from internal servers, so internal machines do not need to be connected to the Internet to receive them from the Windows Update site.
This facility works well for updating the base operating systems, as long as you’ve standardized on Windows 2000 or Windows XP. But it doesn’t include client-side patches for products such as Microsoft Office, or for the client access code for any of Microsoft’s key servers, such as SQL Server or Exchange. At Microsoft’s recent Tech Ed Show, a senior executive admitted that Microsoft now has 18 tools for updating its applications but is also committed to reducing that to two by the end of the year.
Ultimately, the responsibility for selecting more secure hardware configurations or learning and applying Microsoft guidance and tools still rests on the shoulders of the corporate IT staff. But with the information available, there’s no reason companies can’t create secure networks and maintain them. The bottom line for most corporations is whether the cost to maintain the security is greater than the cost to cure a breach. With Microsoft and its hardware OEMs focused on reducing those security maintenance costs, companies will be able to provide more secure networks for a much lower cost.