There is one more step I've been wanting to take and that is to enable the Hyper-V role and convert my fileserver over to just one virtual machine on the box, so I can set up other VMs on the same box.  Today, I was excited to see Microsoft Releases Hyper-V on CNET.  Here is a summary of the key links (note that it is only available for the 64-bit versions of WS2008):

• Update for Windows Server 2008 x64 Edition (KB950050)

• Hyper-V FAQ

• How to Install Hyper-V

Check back with my and I'll let you know how things go and share any tips I have for what to do or not do, as well as my review of how easy/hard it is.

Regards ~ Jeff

• UrlScan 3.0 Beta (see Wade Hilmo's blog for more), a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan helps prevent potentially harmful requests.
• Microsoft Source Code Analyzer for SQL Injection (MSCASI) CTP (see the SQL Security blog for more), a tool that can be used to detect ASP code susceptible to SQL injection attacks.
• Scrawlr (see HP's security blog for more), a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection.

There are already a lot of resources out there available already for these tools.  Let me point you to a few of them:

• The new Microsoft Security Advisory 954462 announcing the tools, with guidance
• Finding SQL Injection with Scrawlr at the HP Security Center
• URLScan Tool 3.0 Beta page, including download links & docs
• MSCASI download and reference kb: Microsoft Knowledge Base Article 954476
• A good discussion of Injection Attacks by Michael Howard on the SDL Blog
• Security Vulnerability Research & Defense Blog on SQL Injection Attack
• SDL blog post on the new tools: SQL Injection Defense Tools 

and some best practice guidance for developers:

• How To: Protect from SQL Injection in ASP.NET
• Preventing SQL Injections in ASP, by Bala Neerumalla
• Coding Techniques for protecting against SQL Injection in ASP.NET
• Filtering SQL Injection from Classic ASP

Best regards ~ Jeff

I wanted to mention to folks that a new Security Development Lifecycle (SDL) web site went up earlier this month on microsoft.com.  Amazingly, you can navigate to it via http://www.microsoft.com/sdl, instead of some long name you'd never remember.

Of course, once you navigate to that URL, you get redirected to a long url that you'll never remember that is on the MSDN subsite, which is encouraging when you think about it.

I have it on reasonably good authority (aka the site owner), that there are plans for the site content to grow this year and that this will be one of the main starting points to learn more about Microsoft efforts to improve developer's ability to write code that is less prone to security problems.

While I'm on this topic, I may as well provide some other pointers to related content, lifted from the SDL Home page:

Considering the large amount of customer software that is developed in-house at large companies, I think SDL-like processes are becoming a critical need beyond vendor-developed software.  If your company hasn't started this process already, these resource might provide a good starting point.

Regards ~ Jeff

Share this post :

Server Core is a “minimal install” option of Windows Server that excludes much of the GUI and many applications – such as Internet Explorer and Windows Media Player – that would be present in a default installation.

In this very short report (download the full report), I perform a brief analysis how much smaller the software footprint is for Windows Server 2008 Server Core and examine a theoretical Server Core version of Windows Server 2003 over the past two years to gauge how much Server Core might convey in terms of reducing security updates.

As shown in the chart, looking at the Windows Server Security Bulletins over the past two years, 40% of them would not have applied to a theoretical Server Core build. The results of the analysis are encouraging in terms of security progress.  Check back in a few weeks and I'll publish my 90 day vulnerability study for Windows Server and we'll look at how this potential is being fulfilled...

I'll be covering this general outline:

• SDL work on Windows Server 2008
• Architectural security enhancements
• Security features and capabilities
• Looking at the security track record for the first 90 days

Without a doubt, Windows Server 2008 is my favorite product that we've released over the past few years in general, but also specifically in terms of security improvement - and I'll go into detail why I think some of the less-mentioned changes may be the most important ones beyond the security capabilities themselves.

Of course, that last section of the talk will be my favorite, as I will be sharing some of my 90 Day analysis for the first time outside of the team.  With the security progress we made back on Windows Server 2003, do you wonder how Windows Server 2008 compares?  I'll share some tidbits on that.

Wonder how it compares with the latest Red Hat Enterprise Linux 5?  I'll briefly discuss that as well.  In doing my analysis, I was surprised to find that Red Hat has made some changes that take it in the opposite direction from ones we've made in Windows Server - hint - it has to do with the default installation options.

I'll see you there!

Jeff

• Microsoft Windows Vista
• Microsoft Windows XP SP2
• Red Hat Enterprise Linux Desktop (v. 5 client)
• Red Hat Enterprise Linux WS (V. 4)
• Ubuntu 6.06 LTS Desktop
• Apple Mac OS X 10.5 (Leopard)
• Apple Mac OS X 10.4 (Tiger)

For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities as well as the highest number of High severity vulnerabilities while Windows Vista users experienced the fewest and the fewest High severity vulnerabilities.

Here is the chart breaking down all of the OSes by NVD severity ratings:

Download the attached paper for full details.

Share this post :

This short paper is a compilation of vulnerability data for Microsoft Windows Vista and Microsoft Windows XP SP2 for calendar year 2007 and a brief analysis to see if any benefit is apparent for users of one OS over the other.

I found that Windows Vista offers benefit over Windows XP SP2 in the following ways for 2007:

• Windows Vista had 30% fewer Security Bulletins than Windows XP
• Windows Vista had 20% fewer vulnerabilities than Windows XP
• Windows Vista had 28% fewer Critical and Important vulnerabilities than Windows XP
• 26 vulnerabilities on Windows Vista are less severe for any users running as standard user.

Here is the chart breaking down the vulnerabilities by Microsoft severity ratings

Download the short paper attached to this post for full details.

Share this post :

I was excited when Dr. Crispin Cowan joined the company a while back - what security person wouldn't be!  As one of the key drivers behind StackGuard, Linux Security Modules and co-founder of Immunix, which produced AppArmor - few people are as qualified as Dr. Cowan to talk about security features and security boundaries.

So, when he asks "Is UAC a convenience feature, or a security feature?", I would say it is worth reading at least twice.  And if my recommendation is not good enough for you, let me share this quote that might entice you to go read the whole thing:

It is correct to say that UAC’s features are convenience features, in that it is much more convenient to respond to a UAC prompt than it is to have to switch to a separate desktop, log in as an administrator to do the administrative tasks, log out and then return to your standard user session. Whether one views a UAC prompt as a convenience or a nuisance depends on whether you compare it against running as a Standard User, or against running as a full Administrator: vs. running as Standard User UAC is a convenience feature that compromises security, but vs. running as an Administrator as was the default in XP UAC is a security enhancement.

But does that mean that UAC is not a security feature? No. UAC, in all of its forms, including Silent Mode, provides some obstacles to attacks, and so so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything but a security feature.

Of course, it is always nice when someone shares your own opinion.  As I've said in the past, security features do not have to be perfect in order to provide security value.  UAC definitely falls into that category.  And, as is my wont, I'm now going to go off and see if I can find some (imperfect, most likely) way to measure that value...

Regards ~ Jeff

Late Friday night, I was one of the millions of weekend viewers that help make Iron Man the second-best premiere ever.  I am surprised by those results, but only because Iron Man isn't so well-known as other Comic Book heroes like Superman or Batman.

Yes, I liked it and was pretty sure I would even before I wnt.  However, Robert Downey Jr. really did an excellent job as Tony Stark and the movie was faithful to the Origin Story, though it was updated to modern times.  I love to see the casting of good actors to make these characters into movies.

I had heard that there was an extra clip after the credits (which were super long, btw), so I stayed around until they were over and then snapped the picture to the left of the final scene and thought I'd share it with you.

And the cameo dialog seems to mean there will be a follow-up movie of some sort from Marvel, though maybe not Iron Man 2:"... I'm here to talk to you about the Avengers Initiative."

Yesterday, Microsoft published the new Security Intelligence Report for the 2nd half of 2007. (home page is http://www.microsoft.com/sir, and the download page is here).

As one of the contributors for the report, I'd like to highlight the findings summary for the Industry vuln trends:

• Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.
  
• Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006.
  
• The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High-severity than was previously
  the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.
  
• Vulnerabilities requiring a Low-level of complexity in order to exploit accounted for
  about half of all vulnerabilities disclosed in 2H07. Although this number is relatively
  large, the number has declined significantly from earlier periods.

Here is the high level trend chart from the report:

Regards ~ Jeff