Tuesday, June 19, 2007

Microsoft - Security Opinion

I am not 100% in agreement with this person. He claims he would "never blame Microsoft" because many apps are not written by Microsoft.

http://www.networkworld.com/community/?q=node/16266&nlhtsec=0618securityalert1&

I disagree. There is a certain level of security that needs to be provided at the operating system level that is beyond the application itself, and in some cases the people who own the system did not even intend to install the software, or the software is doing something other than its intended purpose. My point here is the operating system has certain "responsibilities", shall we say, to manage all these applications and it should prevent some rogue activity and provide appropriate monitoring of things it will not necessarily block so users can easily see what is happening on their system.

Additionally Microsoft does write some of these programs and has responsibility to ensure they are secure and fix any new security breaches. This is not necessarily blaming - it is a fact, however.

Additionally Microsoft needs to delve deeply into the security of things that allow communication across servers such as RPC and DCOM. I have had someone hacking on my server using these technologies - I don't even use them. Microsoft needs to ensure these cannot be used unless the server owner specifically requests to open up these channels in and out of their servers or provide some huge warning if they are open and available.

These are the areas where I would blame Microsoft if there is a security breach, or at least where they can improve and help ensure security.

Microsoft actually can have a competitive advantage over other operating systems that are open source because they have the resources, if they so choose, to pour into security on systems and provide a more cohesive solution than an open source software platform. However, some people will always choose open source due to the cost issue and the ability to reprogram parts of the OS if needed.