{"id":18058,"date":"2022-02-02T10:48:18","date_gmt":"2022-02-02T18:48:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11791\/"},"modified":"2022-02-02T10:48:18","modified_gmt":"2022-02-02T18:48:18","slug":"news-11791","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11791\/","title":{"rendered":"20 years after Gates\u2019 call for trustworthy computing, we\u2019re still not there"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2022\/01\/11\/12\/internet_security_privacy-100715273-large.3x2-100916002-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Susan Bradley| Date: Mon, 17 Jan 2022 03:42:00 -0800<\/strong><\/p>\n<p>Do you feel more secure? Is your computing experience more trustworthy these days?<\/p>\n<p>Seriously \u2014 you\u2019re reading this article on a computer or phone, connecting to this site on an internet shared with your Grandma as well as Russian hackers, North Korean attackers, and lots of teenagers looking at TikTok videos. It\u2019s been 20 years since then-Microsoft CEO Bill Gates wrote his <a href=\"https:\/\/www.wired.com\/2002\/01\/bill-gates-trustworthy-computing\/\" rel=\"noopener nofollow\" target=\"_blank\">Trustworthy Computing memo<\/a> where he emphasized security in the company\u2019s products.<\/p>\n<p>So are we actually more secure now?<\/p>\n<p>I\u2019m going to keep in mind the side effects from last week\u2019s Patch Tuesday security updates and consider them in my answer. First, the good news: I don\u2019t see major side effects occurring on PCs not connected to Active Directory domains (and I haven\u2019t seen any showstoppers in testing my hardware at home). I can still print to my local HP and Brother printers. I can surf and access files. 
So, while I\u2019m not ready yet to give an all-clear to install the January updates, when I do, I doubt you\u2019ll see side effects.<\/p>\n<p>But for businesses, this month\u2019s updates deliver a confusing and murky story. Microsoft has not exactly been a good trustworthy computing partner this month. Rather than taking the past two decades to develop bullet-proof, resilient systems, we get servers going into boot loops and admins having to boot into DOS mode and run commands to uninstall updates.<\/p>\n<p>This isn\u2019t where we were supposed to be at this point.<\/p>\n<p>As Gates said 20 years ago: \u201cAvailability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.\u201d<\/p>\n<p>And yet, I\u2019m still delaying updates on my computer systems because the latest updates, in particular, have shown that servers may have recovery issues. Case in point: \u201cWindows Servers domain controllers might restart unexpectedly.\u201d That cropped up after last week\u2019s security patches on all supported Windows server platforms. As noted in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/release-health\/status-windows-8.1-and-windows-server-2012-r2#2775msgdesc\" rel=\"noopener nofollow\" target=\"_blank\">known-issue write-up<\/a>, this occurs after using Microsoft\u2019s own recommended guidance for Active Directory hardening, which included using Shadow Principals in Enhanced Security Admin Environment (ESAE) or environments with Privileged Identity Management (PIM). 
The systems affected include Windows Server 2022 (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/january-11-2022-kb5009555-os-build-20348-469-e3fb2b38-3506-4dc9-8216-5d3546a6d2a4\" rel=\"noopener nofollow\" target=\"_blank\">KB5009555<\/a>); Windows Server, version 20H2 (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/january-11-2022-kb5009543-os-builds-19042-1466-19043-1466-and-19044-1466-b763552f-73bd-435a-b220-fc3e0bc9765b\" rel=\"noopener nofollow\" target=\"_blank\">KB5009543<\/a>); Windows Server 2019 (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/january-11-2022-kb5009557-os-build-17763-2452-c3ee4073-1e7f-488b-86c9-d050672437ae\" rel=\"noopener nofollow\" target=\"_blank\">KB5009557<\/a>); Windows Server 2016 (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/january-11-2022-kb5009546-os-build-14393-4886-0c2cac57-13b6-42e6-b318-41ca32428f91\" rel=\"noopener nofollow\" target=\"_blank\">KB5009546<\/a>); Windows Server 2012 R2 (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/january-11-2022-kb5009624-monthly-rollup-23f4910b-6bdd-475c-bb4d-c0e961aff0bc\" rel=\"noopener nofollow\" target=\"_blank\">KB5009624<\/a>); and Windows Server 2012 (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/january-11-2022-kb5009586-monthly-rollup-9541f57c-89b0-48d6-ade2-31609678ce9b\" rel=\"noopener nofollow\" target=\"_blank\">KB5009586<\/a>). 
\u00a0<\/p>\n<p>I\u2019ve also seen reports that following the Active Directory security hardening guidance (created after the <a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/12\/14\/ad-hardenings\/\" rel=\"noopener nofollow\" target=\"_blank\">November security releases<\/a>) will trigger the reboot problem if you\u2019ve <a href=\"https:\/\/blog.netwrix.com\/2022\/01\/10\/pacrequestorenforcement-and-kerberos-authentication\/\" rel=\"noopener nofollow\" target=\"_blank\">set the PACRequestorEnforcement\u00a0value to 2<\/a>.<\/p>\n<p>Even with cloud services, the issues around availability remain unsolved. For example, Microsoft 365 has a <a href=\"https:\/\/twitter.com\/MSFT365Status\" rel=\"noopener nofollow\" target=\"_blank\">Twitter account<\/a> whose entire focus is communicating on availability issues with the service. Rarely a week goes by that I don\u2019t get an alert about some service issue. Cloud services are hardened, but I don\u2019t see a lot of progress either with local servers or cloud services. Instead of planning on automatic recovery, we have to make sure we have alternative services and alternative ways to communicate should our systems be hit either by patching or by ransomware.<\/p>\n<p>More from Gates: \u201cSecurity: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.\u201d<\/p>\n<p>And yet, last week\u2019s security releases included confusing communication regarding a potentially wormable flaw. The https bug in the form of CVE-2022-21907 is\u00a0<a href=\"https:\/\/twitter.com\/wdormann\/status\/1480972462812770305\" rel=\"noopener nofollow\" target=\"_blank\">not clear on which versions are vulnerable<\/a>. 
Clarification and analysis had to come from external sources before we could <a href=\"https:\/\/attackerkb.com\/topics\/xlCKfuW3a8\/cve-2022-21907?referrer=profile\" rel=\"noopener nofollow\" target=\"_blank\">figure out Windows 10 version 1809 and Server 2019 are not vulnerable<\/a>\u00a0by default \u2014 unless the HKLM:\\System\\CurrentControlSet\\Services\\HTTP\\Parameters\\EnableTrailerSupport registry key is set to 1. Versions of Windows 10 after 1809 <em>are<\/em> vulnerable by default. I\u2019d argue that 20 years after the release of the trustworthy computing memo, our security models \u2014 and just as importantly, our security communication \u2014 still aren\u2019t easy to understand.<\/p>\n<p>We\u2019re also tracking <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/release-health\/status-windows-8.1-and-windows-server-2012-r2#2776msgdesc\" rel=\"noopener nofollow\" target=\"_blank\">issues with Hyper-V servers on Server 2012 R2<\/a>\u00a0(and, it appears, only that platform) where virtual machines fail to start after applying KB5009624 on devices using UEFI. If you have any virtual servers hosted on Server 2012 R2, hold back on installing updates on those platforms.<\/p>\n<p>And users of Windows 10 workstations that rely on Virtual Private Networks for remote access are having to uninstall the January updates due to a side effect that breaks VPN access on Windows 10 or Windows 11 systems. For those who rely on L2TP VPN or IPsec VPN, you will <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/release-health\/status-windows-11-21h2#2773msgdesc\" rel=\"noopener nofollow\" target=\"_blank\">fail to connect using VPN<\/a>\u00a0after installing the updates.<\/p>\n<p>Gates closed out his memo with this: \u201cGoing forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. 
Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.\u201d\u00a0<\/p>\n<p>So how did that work out? We\u2019re in the same place we were 20 years ago; we still have to rely on ourselves to decide on the right time to install updates.<\/p>\n<p>So how do you really feel about security? Join the discussion in the <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/trustworthy-computing-memo-is-20-years-old\/\" rel=\"noopener nofollow\" target=\"_blank\">AskWoody forums<\/a>!<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3647289\/20-years-after-gates-call-for-trustworthy-computing-we-re-still-not-there.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,24580,10525,10761],"class_list":["post-18058","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-small-and-medium-business","tag-windows","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18058"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18058\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18058"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}