Simple security for MS

Every method of attack for the latest scourge of the Web, the Nimda worm, was identified long ago and fixes were provided by Microsoft. My own system was barraged by the new worm today but I wasn't infected at all, because I keep my system up to date. In this case, I wouldn't have had to be completely up to date.

Current service packs and the Outlook Security Update (which is over a year old) would have prevented infection. I wouldn't even have needed to run antivirus software (of course, I'm not stupid, so I do run it).

Incidentally, Outlook XP includes this prevention, so no Outlook XP users were vulnerable to the e-mail attacks. In the case of Code Red, Microsoft had released a fix well before the virus hit and publicized the problem and fixes heavily, and still people didn't apply them.

So, the big question in my mind: Why do so many users choose not to apply security updates that are free and that prevent serious threats?

I asked around about this, and got answers that I mostly found discouraging. Vincent Weafer, Senior Director of Symantec Security Response, feels that many home users don't know about such patches or how to get them. As someone deeply involved in the computer industry I had to consider this a little while before I could accept this, but it is true.

The mainstream press reports bugs such as Nimda and will sometimes say that you should have antivirus software running, but never do they say that a free fix for the problem has been available for a year. I don't expect them to. Even the trade press, us included, almost never mentions these fixes.

Believe it or not, Windows XP will do a lot to help this situation through its automatic update feature, which checks the Windows Update Web site periodically and (depending on the user's configuration) either automatically updates the system or offers to install the updates. Most new antivirus packages, including Symantec's new Norton Antivirus 2002, also automatically check for new virus definitions.

But most home users don't run updated antivirus software, and it will be a long time before they run Windows XP. That's one reason why I'm discouraged. What's even worse, though, is the number of system administrators that don't apply crucial patches. One of the big issues here is that Windows NT Server and Windows 2000 Server both install IIS by default, and many administrators didn't even know they were running it, at least not on all the servers they thought.

When you think about it, keeping up with security patches should be a very important job, but there must be an awful lot of servers that get no such maintenance on the old "if it ain't broke don't fix it" theory. I wonder about the security of several Web sites I run on various hosting services, where it's someone else's job to keep up with the patching. But do they? I have to wonder, especially since many of the patches would require rebooting servers that host hundreds of Web sites.

Scott Culp, Manager of Microsoft's Security Response Center, says that Microsoft has done a good job of providing and publicizing fixes and information about them, and I have to agree that they've done what they could do. Go to Microsoft's TechNet Security page and you'll find lots of tools and information. You can sign up for a mailing list to receive notification of new vulnerabilities and fixes; on this list I found out about the Code Red vulnerabilities and fixes at least a month before Code Red hit. But Culp agrees that Microsoft needs to provide better tools. The easier they can make keeping up with patches, the more people will take advantage of them.

In the case of Nimda, it's hard to know what more they could have done. Windows NT 4 Service Pack 6a, Windows 2000 Service Pack 2, and Service Pack 2 for Internet Explorer 5.01 and 5.5 (or 6) would have blocked avenues of infection. All of these have been out for a while. (Interestingly, the Microsoft Web site says that there is no fix for IE4 and it sounds like they have no intention of testing IE4. (If you're running IE4, upgrade fast.)

There are two new tools you absolutely should run. Microsoft's Personal Security Advisor analyzes your desktop system and tells you what vulnerabilities you have and how to fix them. It can overreact in some cases; for example, if you've got an open file share you will receive a dire warning about it, but access to that share may be blocked by an external firewall. You'll need to analyze the results based on your own circumstances.

Less flashy but far cooler is HFNetChk. This is a command-line tool that downloads a list of patches from Microsoft's site and compares it to what's installed on your system. It then lists the Microsoft Knowledge Base codes for any patches not installed on your system. Best of all, you can run it from a central location and scan the patch status for all systems on a network. It checks NT4, Win2K, all Win2K services (such as IIS), SQL Server, and IE5 and above.

But for all that HFNetChk does, you immediately see all the things it doesn't do. It tells you that you have a problem, but it doesn't do much to help you fix it. If it were to give you an interface from which to download and install the missing patches, that would be very cool. I'm sure Microsoft is working on it, but this is important and I certainly hope it's a top priority there. In the meantime, it would help if they made more interim rollup patches which are bundles of all patches released since the last service pack that make the patching process more convenient. Perhaps the patches themselves should call HFNetChk so that you know what work is left to do. In general, anything that makes it easier to apply patches is a good thing.

Another thing Microsoft needs to do is to find better solutions for modem users. Some of these patches are very large, and I can see why a 28.8 user would get discouraged. Perhaps they should make "tune-up" disks with all the current patches and send them out through all the usual channels.

The sad truth is that security deserves greater importance than most people are willing to give it. It's also a multi-layered problem: Antivirus apps and firewalls and OS patches are all important. Even though all of these can prevent some security problems, having one solution doesn't eliminate the need for the others. But at the very least, use the free tools and fixes that Microsoft provides to protect yourself against known problems.

Larry has written software and computer articles since 1983. He has worked for software companies and IT departments, and has managed test labs at National Software Testing Labs, PC Week, and PC Magazine.