The Vista-Forefront Security Two-Step

Legacy apps - Microsoft and non-Microsoft - may not get Forefront and Vista security, security experts say

Vista deployment is still at least a year out for most enterprises, but it's not too early to consider what to do if Microsoft's new Vista operating system and Forefront security family don't support your legacy Microsoft and non-Microsoft applications.

Organizations that can't replace legacy apps such as Microsoft SQL Server 2000, because of the custom code they wrote around them, could find themselves left out in the cold security-wise with Vista and Forefront, experts say. Although Microsoft hasn't yet officially revealed which older apps will not work with Vista and Forefront -- or to what extent -- security experts don't expect Microsoft to cover older products such as SQL 2000 and ISA Server 2000 under the new generation of products.

"Forefront is not likely to be compatible with Windows 95/98/ME and may not run on NT 3.5, 4.0, or 2000 with some Service Packs," says Randy Abrams, director of technical education for Eset, and the former operations manager for Microsoft's Global Infrastructure Alliance for Internet Safety. "It is possible that the code will run on older systems, but very unlikely that MS will support it if it does."

Organizations that have customized their older Microsoft apps, for instance -- especially the SQL database product, which is often used for accounting and other custom financial apps -- can't necessarily replace it, even if they are going with Vista, says Chris Schwartzbauer, vice president of worldwide field operations for Shavlik Technologies. "There's no reason to change my SQL license because I wrote custom code around the app and it's unlikely I'll [be able] to stop such a critical process," he says.

That means organizations running these older apps will have to use security tools from third-party vendors instead.

William Bell, manager of security operations for CWIE, says his company will wait for Vista Service Pack 1 (SP1) before it even starts testing the new OS. "In general, no one is going to trust Vista out of the box," Bell says. "No major company is going to roll out Vista day one."

But Bell, who runs Windows Server 2004 as well as XP workstations throughout his organization, says securing the Windows OS is an important step. "If we can secure the base OS as much as possible, we can stop a lot of the problems we see today with XP or 2000," he says.

Microsoft wouldn't provide details on which apps Vista and Forefront won't support. A Microsoft spokesperson instead reiterated Vista's defense-in-depth approach: "Windows Vista contains numerous security features that, working together, help prevent malware from installing and help find and remove it if it has already been installed," the spokesperson says. "It's important to note that with Windows Vista, we're taking a defense-in-depth approach to helping protect users from malware, which includes features such as user account control, Windows service hardening, ASLR, and kernel patch protection."

One of the biggest hurdles will be managing the controls Vista has in place, such as its built-in firewall and user account settings. "It's not about breaking the OS, but exploiting a misconfigured app, or taking advantage of a vulnerability that exists because the user didn't run the patch or a service isn't turned on and being used as a launching-point into the enterprise," Shavlik's Schwartzbauer says.

CWIE's Bell agrees it won't be easy. "It's hard to centrally manage controls," he says. "It's going to be a big hurdle for companies."

But a more chilling question, security experts say, is whether or not Forefront will use common dynamic link libraries (DLLs), which could give attackers potential holes in the security software itself. DLLs are shared library files of code that many programs, including system components and drivers, load at runtime, so a flaw in one DLL can affect every program that uses it. "If Forefront were to use common DLLs, such as those used for manipulating cabinet files, then a vulnerability that may now affect Windows Explorer could theoretically also affect the security software as well," Eset's Abrams says.

To avoid any compatibility surprises, enterprises should start by testing Forefront and/or Vista before deploying the products. "Vista in particular is vastly different than XP was in terms of security capability, and it can be crippled if deployed incorrectly," says Rob Enderle, principal analyst with the Enderle Group. "Part of what should occur here is revisiting where legacy applications run and whether you even need them anymore. Many can now be hosted and doing so will not only result in lower operating costs, but better uptime and less employee aggravation."

The Gartner Group recommends that enterprises running or considering security tools, such as host-based intrusion detection or content-monitoring tools, that are not compatible with 64-bit Vista (and "for which no suitable alternative exists") forgo Vista initially. They won't get full Vista functionality otherwise, according to the consulting firm.

Still, having Microsoft's Forefront and Vista in general really won't change much in how enterprises approach security, Eset's Abrams says. "Enterprises [still] need to configure their OSes as safely as they are able, and to choose security software based upon how well it will allow them to productively secure their environment," he says. Now they will just have another option with Microsoft, he reckons.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
