
Windows Security: A Year of Progress?

Microsoft's OS continues to suffer from flaws and exploits, but the software giant is working to secure it. Here are our expert's tips on how to make the most of Microsoft's efforts.

Michael Desmond

Michael Desmond is editor-at-large of Redmond Magazine, which covers Microsoft technology and issues for IT professionals.

Connect an unprotected Windows-based PC to the Internet and it will, on average, attract some form of unwelcome advance within 23 minutes. That figure, published this month by the SANS Institute's Internet Storm Center, reveals a troubling issue. In less time than it takes to download and install all the various fixes and patches to secure Windows, your PC can fall victim to a malicious worm, virus, or other form of malware. It's an Internet-era Catch-22.

There's little doubt Microsoft has the biggest target on its back. Its ubiquitous software is an easy target for hackers. Just ask the folks at the Mozilla Foundation who created the Firefox browser what it's like to be popular. Even as downloads of the open-source browser skyrocketed, developers have been forced to issue patches to fix security vulnerabilities. Earlier this month, security experts disclosed an exploit of a serious Firefox flaw, and Mozilla issued a temporary fix.

Still, Microsoft makes the software that a majority of computer users run. Has it made strides in protecting its flagship operating system against what seems to be an unending parade of attacks? For the average user, the answer is a conditional yes, but there's still a way to go.

Effective Measures

In August 2004--little more than a year ago--Microsoft took a huge step toward securing Windows when it released Service Pack 2 for Windows XP. Unlike other service packs, which added features, fixed bugs, and tweaked functionality, SP2 focused primarily on security. But it did so at a cost, rendering some applications and utilities inoperable. Matt Neely, a security consultant who has worked with financial and government institutions, says Microsoft passed a key test when it pushed Windows XP SP2 out to customers.

"The good thing is Microsoft chose security over compatibility in that update. We have had, in the past, vulnerabilities that have been around since Windows NT 3.1," Neely says.

Many old holes may be fixed, but hard-working malware writers continue to cook up ways to threaten systems. In August of this year, Microsoft released six security updates--including three addressing critical flaws in Internet Explorer and embedded Windows services. One of those flaws gave an opening to the Zotob exploit, which ranks as one of the worst malware attacks of 2005. At first it was thought the attack was limited to Windows 2000, but Microsoft eventually said Windows XP users were also vulnerable.

Still, SP2 is the first thing savvy users will install when they set up a new Windows XP machine. Not only does SP2 harden the foundation of the operating system, it arms end users with some powerful tools for fighting off infection.

The Microsoft Windows Firewall built into SP2 is perhaps the most important piece, at least from an end-user perspective. While less robust than the freely available ZoneAlarm, Windows Firewall offers good baseline security and hides your PC from attackers on the Internet. Best of all, it's activated by default, which means millions of Windows XP-based PCs became much harder to crack the instant they were updated to SP2.

More recently, Microsoft released Windows AntiSpyware, a free utility that sniffs out spyware threats ranging from aggressive cookies to key logging software. It compares favorably to popular third-party solutions such as Lavasoft's Ad-Aware.

There's also the Microsoft Malicious Software Removal tool, which you can either run from the Microsoft Web site or download to your PC. It only works if you're running XP or Windows 2000, but it scans your system for worms such as Zotob, Bobax, Mydoom, and others. Microsoft updates the tool on the second Tuesday of every month, that day commonly known as Patch Tuesday because it's the day Microsoft sends out updates to fix flaws in its software.

Windows XP SP2 pulled these and other security capabilities under a single umbrella, a utility called the Security Center. The Security Center offers big, color-coded status readouts on firewall, antivirus, and Windows Update protection. It even recognizes the status of third-party packages, like ZoneAlarm and the free AVG Anti-Virus program. You can launch the control panel by clicking Start, Programs, Accessories, System Tools and then clicking Security Center.

Neely says the integration overcomes concerns about watered-down feature sets. "The third-party tools definitely offer a lot more capability and power. But they also offer a lot more in terms of what needs to be configured," Neely explains. "But if somebody wants to get more technical and take that plunge, great."

Windows Security: Act 2

The next version of Windows, to be called Vista, should take security even further. For instance, an improved Windows Firewall will offer application-aware outbound filtering, so you can see and control the applications attempting to forge connections over the network. An underlying technology called Windows Service Hardening should also help limit the potential reach of malicious code.

Another key feature is User Account Protection, which employs a flexible user-rights model to help limit the damage caused by nefarious software. UAP encourages users to log on to their systems with limited rights, while still allowing them to make Administrator-level changes by entering an Administrator ID and password. The new setup also hides the Administrator account at logon, helping dissuade users from running as an Administrator all the time--a key vulnerability with many Windows systems. The question is, will users take to the new scheme, or will they simply end-run around it and continue to log on with the all-powerful Administrator-level settings?

Microsoft says Windows Vista, expected to ship toward the end of next year, will also include a feature called Secure Startup, which uses an on-board chip to prevent hackers from accessing data on a machine that has been stolen or physically compromised. The chip, called the Trusted Platform Module, stores encryption keys, passwords, and digital certificates that allow for encrypted data and system integrity monitoring prior to booting up. Not all computers come with TPM, so it's unclear how effective this measure will be.

Getting the Message

Microsoft has clearly gotten the message: Security in an always-networked world must be an absolute priority. The problem is, Windows is so vast that securing the operating system is taking years.

In the meantime, the onus lies on end users and IT managers to ensure their systems remain safe and secure. Microsoft is trying admirably to help. Its Security Home Page is a gateway to tons of information for keeping the bad guys out. The company even offers a free, 24-hour support line for security-related questions (866-727-2338).

It's easy to bash Microsoft for the flaws in its software. And over the years the company has deserved much of the criticism it's endured. But the fact of the matter is, Windows has grown better and more secure in the past 12 months, even if it's still not perfect. We can only hope Gates & Co. stay the course.


©2008 About.com, a part of The New York Times Company.

All rights reserved.