| 156 |
| Rein in Windows certificate trust |
| Windows 2000 and other Windows platforms follow a security chain when evaluating and allowing |
| or denying certain actions associated with security certificates. For example, Windows File |
| Protection, which determines whether a driver can be installed based on its digital signature, trusts |
| any certificate whose certification chain has its root at any of the Certificate Authorities (CAs) |
| listed in the system's Trusted Root Certification Authorities branch. |
| This chain of trust, combined with the existence of countless certificates that don't have valid |
| constraints, leads to the potential danger for malicious code to operate on a system. For example, a |
| driver might replace code that was previously patched against a vulnerability. The result is that the |
| system, which was protected against the code, is now vulnerable again. |
| Preventing this potential security breach in Windows 2000 isn't a quick or painless process. |
| Removing all certificates from the Trusted Root Certificate Authorities branch is one step you can |
| take to improve security. You can also improve security by upgrading to Windows XP or Windows |
| .NET Server 2003, which enables you to take advantage of software restriction policies that define |
| the applications allowed to run on a system. |
| For details on more suggested courses of action and additional information about why Windows' |
| certificate trust is inadequate to prevent malicious code, check out this article on the SecurityFocus |
| http://www.securityfocus.com/archive/1/304480 |
First Previous Next Last |