What could Microsoft do better?
April 22nd, 2002 by jiri
Today I was in a meeting with Microsoft security people regarding our customers’ issues and requirements. Setting aside the obvious priority of secure defaults and making their products “more secure”, the following things IMHO could improve the detection side of Windows security.
Cryptographic file integrity checking. Currently, when I inadvertently install Back Orifice or another cleverly launched trojan horse, I have no means of finding out that the configuration of my box has in fact changed. A simple tool that would allow saving the checksums of important directories, files, registry subtrees and keys would help here. This would help home users as well as corporations. Should MS then go and buy Tripwire?
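To make the idea concrete, here is an added example of the kind of checksum tool the paragraph asks for. It is illustration code written for this page, not Microsoft's, Tripwire's or the author's; it covers files only (a Windows registry walk would be a separate baseline built the same way), and the directory names, file contents and function names (`build_baseline`, `verify`, `demo`) are constructed for the demo.

```python
"""Minimal cryptographic file-integrity baseline (added example).

Hash every regular file under a directory, store the digests as a baseline,
and on a later run report which files were added, removed or modified.
Paths and file contents below are constructed sample data."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # do not hash through links; the target is baselined on its own
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    # In practice the baseline must live where an intruder cannot rewrite it
    # (read-only media or a separate host); here it is simply written to a file.
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in set(current) & set(baseline) if current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Create constructed files, baseline them, simulate a trojan drop, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "watched"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "server.exe").write_bytes(b"original binary")
        (root / "config.ini").write_text("port=80\n")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Constructed change set: a replaced binary, a dropped file, a deleted config.
        (root / "bin" / "server.exe").write_bytes(b"modified binary")
        (root / "bin" / "extra.dll").write_bytes(b"dropped")
        (root / "config.ini").unlink()
        return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is only as trustworthy as the baseline file: if the baseline sits on the same writable disk, whoever changed the files can also update the digests, which is why the comment points at read-only media or a separate host.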
Logging facilities. Windows logging facilities are weak when it comes to large-scale log auditing. The facilities do not support secure consolidation of logs well, and there are no tools to sift through the piles of data generated. IMHO some data mining tools enabling a security administrator to follow trends would be more useful than building in a signature-based host IDS.
Evidence generation. This is another twist on logging. Windows does not natively have facilities to build a secure logging server that would sit behind a separate firewall and to which security-relevant events would be forwarded from production servers. Support for writing the logs to read-only media would further improve the evidential weight of the logs in case they were used in a formal investigation.
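The previous two points, secure log consolidation and evidential weight, come together in a small added example of a tamper-evident log store: the kind of thing a separate logging server could do with events forwarded from production hosts. This is illustration code written for this page, not a Windows facility or the author's; the key `LOG_SERVER_KEY`, the function names and the sample events are all constructed assumptions.

```python
"""Tamper-evident, hash-chained log store (added example).

Each forwarded event is appended with an HMAC that chains it to the previous
record. Editing, deleting or reordering anything already stored breaks the
chain, which `verify_chain` detects. Hosts and events are constructed data."""
import hashlib
import hmac
import json

# Assumed: a key held only by the log server, never on the production hosts
# that forward events. Keying the chain means a host that was compromised
# after forwarding cannot recompute a consistent chain over altered records.
LOG_SERVER_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "0" * 64  # link value for the first record


def _link(prev_hash: str, record: dict) -> str:
    """HMAC over the previous link and a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_SERVER_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append_event(chain: list, host: str, event: dict) -> dict:
    """Log-server side: accept an event forwarded by `host` and chain it on."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "host": host, "event": event}
    entry = {**record, "prev": prev, "hash": _link(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = {k: entry[k] for k in ("seq", "host", "event")}
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _link(prev, record):
            return i
        prev = entry["hash"]
    return -1


def sample_chain() -> list:
    """Constructed events as three production hosts would forward them."""
    chain = []
    append_event(chain, "web01", {"id": 528, "msg": "logon", "user": "alice"})
    append_event(chain, "web01", {"id": 529, "msg": "logon failure", "user": "bob"})
    append_event(chain, "db01", {"id": 4697, "msg": "service installed", "svc": "x"})
    append_event(chain, "dc01", {"id": 4720, "msg": "account created", "user": "t"})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact:", verify_chain(chain))          # -1
    chain[2]["event"]["msg"] = "nothing to see"
    print("after edit:", verify_chain(chain))      # 2
```

Writing each finished chain segment to write-once media does what the paragraph asks for: the chain proves the records were not altered after storage, and the media proves the chain itself was not rewritten.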