Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:51 AM
Connect Directly

The Vista-Forefront Security Two-Step

Legacy apps - Microsoft and non-Microsoft - may not get Forefront and Vista security, security experts say

Vista deployment is still at least a year out for most enterprise deployments, but it's not too early to consider what to do if Microsoft's new Vista operating system and Forefront security family don't support your legacy Microsoft and non-Microsoft applications.

Organizations that can't change out legacy apps such as Microsoft SQL Server 2000 due to the custom code they wrote for it could find themselves left out in the cold security-wise with Vista and Forefront, experts say. Although Microsoft hasn't officially revealed just which older apps will not work with Vista and Forefront yet -- or to what extent -- security experts don't expect Microsoft to include older products such as SQL 2000 and ISA Server 2000, for instance, under the new generation of products.

"Forefront is not likely to be compatible with Windows 95/98/ME and may not run on NT 3.5, 4.0, or 2000 with some Service Packs," says Randy Abrams, director of technical education for Eset, and the former operations manager for Microsoft's Global Infrastructure Alliance for Internet Safety. "It is possible that the code will run on older systems, but very unlikely that MS will support it if it does."

Organizations that have customized their older Microsoft apps, for instance –- especially the SQL database product, which is often used for accounting and other custom financial apps -- can't necessarily replace it, even if they are going with Vista, says Chris Schwartzbauer, vice president of worldwide field operations for Shavlik Technologies. "There's no reason to change my SQL license because I wrote custom code around the app and it's unlikely I'll [be able] to stop such a critical process," he says.

That means organizations running these older apps will have to use security tools from third-party vendors instead.

William Bell, manager of security operations for CWIE, says his company will wait for Vista Service Pack 1 (SP1) before it even starts testing the new OS. "In general, no one is going to trust Vista out of the box," Bell says. "No major company is going to roll out Vista day one."

But Bell, who runs Windows Server 2004 as well as XP workstations throughout his organization, says securing the Windows OS is an important step. "If we can secure the base OS as much as possible, we can stop a lot of the problems we see today with XP or 2000," he says.

Microsoft wouldn't provide details on which apps Vista and Forefront won't support. A Microsoft spokesperson instead reiterated Vista's defense-in-depth approach: "Windows Vista contains numerous security features that working together help prevent malware from installing and help find and remove it if it has already been installed," the spokesperson says. "It's important to note that with Windows Vista, we're taking a defense-in-depth approach to helping protect users from malware, which includes features such as user account control, Windows service hardening, ASLR, and kernel patch protection."

One of the biggest hurdles will be managing the controls Vista has in place, such as its built-in firewall and user account settings. "It's not about breaking the OS, but exploiting a misconfigured app, or taking advantage of a vulnerability that exists because the user didn't run the patch or a service isn't turned on and being used as a launching-point into the enterprise," Shavlik's Schwartzbauer says.

CWIE's Bell agrees it won't be easy. "It's hard to centrally manage controls," he says. "It's going to be a big hurdle for companies."

But a more chilling question, security experts say, is whether or not Forefront will use common dynamic link libraries (DLLs), which could provide attackers with potential holes in the security software to launch their exploits. DLLs are essentially files of system controls and drivers. "If Forefront were to use common DLLs, such as those used for manipulating cabinet files, then a vulnerability that may now affect Windows Explorer could theoretically also affect the security software as well," Eset's Abrams says.

To avoid any compatibility surprises, enterprises should start by testing Forefront and/or Vista before deploying the products. "Vista in particular is vastly different than XP was in terms of security capability, and it can be crippled if deployed incorrectly," says Rob Enderle, principal analyst with the Enderle Group. "Part of what should occur here is revisiting where legacy applications run and whether you even need them anymore. Many can now be hosted and doing so will not only result in lower operating costs, but better uptime and less employee aggravation."

The Gartner Group recommends that enterprises running or considering security tools such as host-based intrusion detection or content-monitoring tools that are not compatible with the 64-bit Vista (and "for which no suitable alternative exists"), should forego Vista initially. They won't get full Vista functionality otherwise, according to the consulting firm.

Still, having Microsoft's Forefront and Vista in general really won't change much in how enterprises approach security, Eset's Abrams says. "Enterprises [still] need to configure their OSes as safely as they are able, and to choose security software based upon how well it will allow them to productively secure their environment," he says. Now they will just have another option with Microsoft, he reckons.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • ESET
  • Shavlik Technologies

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    44% of Security Threats Start in the Cloud
    Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
    Zero-Factor Authentication: Owning Our Data
    Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-02-25
    An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
    PUBLISHED: 2020-02-25
    An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
    PUBLISHED: 2020-02-25
    A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
    PUBLISHED: 2020-02-24
    An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
    PUBLISHED: 2020-02-24
    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...