CSI: For security's sake, Microsoft turning features off by default

Microsoft chief security strategist Scott Charney outlined the company's new vision of delivering products with services shut off by default today at CSI.

CHICAGO -- The days of having all software functionality ready by default upon installation are numbered, Microsoft's chief security strategist, Scott Charney, said this morning during his keynote address at the Computer Security Institute's annual Computer Security Conference and Exhibition.


Microsoft is making a big push to release its software with features turned off by default. Previous versions were released with all the bells and whistles on. While the latter approach made compatibility with existing applications easier, from a security perspective, it was flawed, Charney said.

For example, many users trying the beta of IIS version 6, which comes with all services turned off by default, had problems with applications that relied on traditionally turned-on services. "We got a lot of calls that the new version broke their applications," Charney said.

Yet the no-services-by-default approach is one that security experts have been suggesting for years. Security is improved when users are forced to turn on the services they need "and everything else is off by default," Charney said.

Recently, the SANS Institute and the FBI released their list of the Top 20 Internet vulnerabilities, many of which involved services that users shouldn't be running unless they need them.

Microsoft isn't the only company that has released software with services turned on by default. Now, the company is getting better at releasing software with services turned off by default. "It's actually sad in a way. It is cool being able to get down to business right away," said David Litchfield, a well-known vulnerability finder and co-founder of Next Generation Security Software Ltd., which is based in Sutton, England.

Many popular Unix flavors have services switched on by default. With such systems, it's been assumed that users would know enough to turn off the things they don't need, Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure, enterprise-based accounting software, has said.

Charney admits there are some tradeoffs that need to be made when balancing functionality and security. Backward compatibility, for instance, can be hampered by security measures, and there can be downtime when a new version conflicts with an existing application. "We can't assume the demand for functionality has gone down [as more attention is paid to security]," Charney said.

One reason for the tension between functionality and security is that executives understand the worth of features much better. If an application can do more things or do things better, it's good for the business. Security, on the other hand, is seen more as a bottomless pit that sucks money out of the budget without producing anything per se.

Yet companies don't think twice about buying fire alarms and sprinklers, even if they never have fires, Charney said. Granted, some of these are required by building codes, but executives can understand what a fire could do to their business. The compromise or outright theft of digital assets is much harder to understand or even to detect than when a concrete asset is swiped.

"If your car got stolen, you could tell because your car was missing," he said.
