Experts urge prep for Microsoft's cert-blocking update

Scan networks for too-short keys, audit systems, test Oct. update before it rolls out, urge security pros

Computerworld | Security, Microsoft

Kandek recommended that IT administrators scan their networks for digital certificate keys shorter than 1,024 bits. "For internal sites and other services that use certificates, such as mail servers and VPNs, we recommend using a scanning tool with SSL support, which all major scanners include," Kandek said.
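As an added illustration of the audit Kandek describes (this is not code from the article, Qualys or Microsoft): a stdlib-only Python check that walks a DER-encoded X.509 certificate to the RSA modulus and flags any key under the 1,024-bit cutoff the update enforces. `fetch_cert_der` pulls a live certificate from an HTTPS, mail or VPN endpoint; `sample_cert` builds constructed synthetic certificates (empty names, made-up modulus) so the check runs offline.

```python
import ssl

MIN_BITS = 1024                                           # cutoff enforced by the update
RSA_OID = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):                                       # SEQUENCE body -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def rsa_modulus_bits(cert_der):
    """RSA modulus size in bits for a DER certificate, or None if the key is not RSA."""
    fields = _children(_tlv(_tlv(cert_der)[1])[1])        # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                              # optional explicit [0] version
        fields = fields[1:]
    alg, bitstr = _children(fields[5][1])                 # serial, sigAlg, issuer, validity, subject, SPKI
    if not alg[1].startswith(RSA_OID):
        return None
    rsa_key = _children(bitstr[1][1:])[0][1]              # drop unused-bits byte, enter RSAPublicKey
    return int.from_bytes(_children(rsa_key)[0][1], "big").bit_length()

def blocked_by_update(cert_der):                          # True when the update would reject this key
    bits = rsa_modulus_bits(cert_der)
    return bits is not None and bits < MIN_BITS

def fetch_cert_der(host, port=443):
    """Live check of one TLS endpoint; the server's PEM certificate converted to DER."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# --- constructed samples (synthetic key, empty names, dummy signature) for offline runs ---
def _der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def _int(v):
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def sample_cert(modulus_bits):
    modulus = (1 << (modulus_bits - 1)) | 1               # synthetic odd number of that bit length
    rsa_alg = _der(0x30, RSA_OID + b"\x05\x00")
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + _der(0x30, _int(modulus) + _int(65537))))
    name, validity = _der(0x30, b""), _der(0x30, _der(0x17, b"120101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + rsa_alg + name + validity + name + spki)
    return _der(0x30, tbs + rsa_alg + _der(0x03, b"\x00"))
```

Run `blocked_by_update(fetch_cert_der(host, port))` against each internal HTTPS, SMTP-over-TLS and VPN portal listener to build the list of certificates that must be reissued before the update is deployed.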

"The audit is going to be the big thing," said Miller. "But it's the amount of time to fix [and uncovered problems] that could be drastic."

Most experts expected some fallout from next month's key-crippling update, but were cautiously optimistic that disruptions would impact a small number of firms and websites.

"I don't think there will be a lot of companies that are negatively affected," predicted Miller, "but some will be crippled."

Kandek and Sarwate of Qualys concurred.

"There are very few [affected] keys out there, for a number of reasons," argued Kandek. "Certificate authorities have been giving out these keys [longer than 1,024 bits] for a while now. Basically, they will be very old certificates obtained some time ago."

Certificates are generally valid for just one or two years, said Kandek, although there are exceptions. During Qualys' survey of website certificates, for example, the company found some keys that were valid for either three or five years.

"Embedded devices might be at risk," explained Sarwate. "Kiosks running an embedded version of Windows, for example, might not be updated with new certificates very often."

The most likely enterprise problem areas, added Miller, include VPN, or "virtual private network," gateways that workers use to establish a secure offsite connection with the company's network. Another potential trouble spot: Email servers.

"We recommend installing [Microsoft's update] on a limited number of internal machines in your organization this month to gather feedback on potential impacts," Kandek said.

IT administrators can, of course, back out the update if they later uncover problems they can't solve before Oct. 9. "You can remove that security update if necessary, and redeploy it later," said Miller.

Windows 8, which reached RTM (release to manufacturing) last month and has been handed to enterprises for deployment, already has the short-key certificate blocking in place.

"If anything, the most important thing is to get the word out," said Miller. "Microsoft has been talking about this since June, but I recently talked to two [IT administrators] and they had no idea that this was coming."

Microsoft will distribute the certificate key update on Oct. 9 through Windows Update and WSUS (Windows Server Update Services). Enterprise IT administrators can use WSUS or other patch management consoles to block the update from reaching some or all PCs and servers.

Originally published on Computerworld.