Microsoft Says It Is Making Strides in Boosting Security
by Alex Woodie
Despite today's constantly evolving security threats, progress is being made at Microsoft to boost the security in Windows, as well as third-party programs, Microsoft chairman and chief software architect Bill Gates said at the RSA Security Conference 2005 event in San Francisco last week. In addition to providing an update on the Trustworthy Computing initiative, Gates outlined new security features in the upcoming releases of Windows Server 2003 SP1 and R2, Internet Explorer 7.0, and Microsoft Update.
A lot has changed since Gates announced Microsoft's Trustworthy Computing initiative almost three years ago. Spam was just beginning its amazing run-up, vulnerabilities often existed unexploited for months, and "phishing" wasn't even in the popular lexicon. Moreover, few people who knew about security thought that Microsoft was up to the task of leading the IT world to better security. While security is harder to come by today, progress is being made, Gates assured his audience during his keynote address from the RSA conference.
Microsoft has made sizable investments in its R&D processes to keep up to date on rapidly changing security threats, Gates said. "We spend over $6 billion a year on research and development. I'd say that over a third of that is directly security-focused, and the other two-thirds all tie in and relate to that security work," he said. "[Security] is the top priority for Microsoft, the top priority in terms of our R&D."
In terms of changes Microsoft has made internally, Gates pointed to the "automatic checking tools" that can pinpoint errors, integration problems, and vulnerabilities in the code that Microsoft programmers write. Microsoft has also invested heavily in training, and employs a team of "black hat" hackers. "We've had to create a new type of tester that has the mind of a malicious attacker," he said.
Microsoft also pays people to look for emerging threats through its Security Response Center, where experts use threat monitoring and modeling tools to gain a better picture of rapidly evolving threats. Much of this security monitoring has been automated, Gates said, and Microsoft customers benefit through the security patches the company issues, which became a monthly process as a result of the start of the Trustworthy Computing initiative in 2002.
Now that Microsoft has boosted its internal security processes, it is looking to offer the same capabilities to third-party application developers. Gates said this is especially important considering that three-quarters of security vulnerabilities occur at the application level rather than the operating system level (a statistic from Gartner).
Visual Studio 2005, the next release of Microsoft's integrated development environment, will contain new security tools that help developers write more secure applications. "We've put those out in beta, things like FxCop, PREfast, the /GS switch, AppVerifier," he said, "and now with the [next] release of Visual Studio, those get incorporated in so you've got a very simple user interface."
Four Security Challenges
Gates outlined four areas that Microsoft is working on to improve security: keeping software up-to-date; isolation; authentication; and social engineering.
The Internet has been instrumental in helping Microsoft keep its customers' software up-to-date. The challenge for Microsoft is "making sure that operates faster than the ability of the Internet to propagate problems," Gates said. This is most important for services that must be open to the Internet, such as e-mail and Web servers, especially considering that the window of relative safety (the time between when a vulnerability is first reported and when it's incorporated into exploit code) has shrunk from a matter of months two or three years ago to days or weeks today, Gates said.
Gates also talked about the upcoming beta release of Microsoft Update, which will function as a superset of Windows Update, and will provide a single place for consumers and small businesses to find, download, and install patches and updates for a variety of Microsoft products, including Windows XP, Windows 2000, Windows Server 2003, Office 2003, and Exchange Server 2003. "We did have a different approach for different products," Gates said. "What we're announcing now is that we're bringing all of this together, so there's just one update center, one scanner, totally consistent across the different products." The beta of Microsoft Update will debut in March, Gates said.
However, different customers still require different updating tools. "As your business gets larger, then you would use the free Windows capability called Windows Update Service [formerly Software Update Services], where you get to have a little bit more control and it connects to many machines. If you want really deep and rich control, you connect up through SMS, our Software Management Server that does the very rich updating."
The second security-related focus area is isolation, which can take many forms, such as a network firewall. Another form of isolation mentioned by Gates is machine-level isolation to prevent malicious code from running. Gates pointed to a new VPN quarantine capability in Windows Server 2003 Service Pack 1 (SP1), which went into beta two weeks ago, that will provide better isolation. This new quarantine capability will limit access to the server via VPN until certain checks have been performed on the remote user's machine.
Preventing malware from running on a client will be one of the main focuses of the new Internet Explorer release, IE 7.0, which Gates also discussed in his keynote. "Some of the advances include things focused on phishing, where people use URLs that appear to come from another location, things related to malware," he said. "We will be able to put this into beta by early in the summer."
Authentication is the third area of security that Gates talked about in his keynote. "As we strengthen other elements of the system, the weak link often becomes the ability to guess at people's passwords because they use the same password in many places," he said. "So we have to strengthen this and strengthen the administrative tools around it." (RSA Security, the host of the conference, used the show to announce two new USB-based key fobs that can be used to manage passwords.)
Microsoft will deliver improved authentication tools with Windows Server 2003 SP1, Gates said. The new digital identity management capability in that release will allow the user to easily roam certificates across different machines, Gates said. "It makes it easy to have high reliability with adding servers in without administrative overhead," he said.
Gates also talked about new federated identity management capabilities that will debut with the follow-on release to Windows Server 2003 SP1, called Windows Server 2003 R2. That release will allow users to centrally manage their account policies and authentication data for Windows and a range of applications, including SharePoint Portal Server and others, Gates said. "Federation is a very, very important thing," Gates said. "The only way we're going to get all of these trust connections to work well is to have federation. It can't just be a point-to-point thing."
The fourth security focus area for Microsoft has little to do with technology at all: fighting spam, phishing, and other threats that take advantage of people's natural fear and curiosity, in other words social engineering. "These are cases where, from a technical point of view, there's no exploit or anything, they've simply taken the privilege of the user and fooled them into running code that they don't want to run," he said. "We need significant advances to make sure that that category doesn't keep expanding the way it did this year."
Although phishing is not necessarily a technology problem, Gates said Microsoft can use technology to fight it. "There are many tricks that involve making a URL look like something it is not. That means that at the software level we can block those tricks," he said. The fight against phishing could also borrow a page from the fight against spyware and employ a centralized database that tracks phishing scams and protects people from them. Using certificates to separate legitimate Web sites from sites set up by phishing scammers could also help reduce the damage.
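As an added example (not code from the article or from Microsoft), here is a small defender-side check for the kind of URL trick described above, where a URL is dressed up to "appear to come from another location". The trusted hostnames, rule names and sample URLs are constructed assumptions, and the domain-ownership heuristic is deliberately crude.

```python
# Added example, not code from the article or from Microsoft: a defender-side
# check for URLs that "appear to come from another location", the class of
# phishing trick the article says can be blocked at the software level.
# The trusted hostnames and the rules are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

# Constructed: hostnames a user is assumed to recognise and trust.
TRUSTED_HOSTS = {"www.bank.example", "login.bank.example"}


def registrable_domain(host: str) -> str:
    """Crude assumption: the last two labels name the domain's owner."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


TRUSTED_DOMAINS = {registrable_domain(h) for h in TRUSTED_HOSTS}


def url_deception_flags(url: str) -> list:
    """Return the reasons (empty if none) a URL looks like it impersonates a trusted site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host)
    flags = []
    # Trick 1: credentials before '@'. The browser connects to the host after
    # the '@', but the eye reads the trusted-looking name that comes first.
    if parts.username is not None:
        flags.append("userinfo-before-host")
    # Trick 2: a raw IP address hides which organisation runs the server.
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")
    except ValueError:
        pass
    # Trick 3: trusted name used as a subdomain of someone else's domain,
    # e.g. www.bank.example.evil.example.
    if owner not in TRUSTED_DOMAINS and any(d in host for d in TRUSTED_DOMAINS):
        flags.append("trusted-name-embedded")
    # Trick 4: trusted name placed in the path so it shows up in the address bar.
    if owner not in TRUSTED_DOMAINS and any(d in parts.path.lower() for d in TRUSTED_DOMAINS):
        flags.append("trusted-name-in-path")
    # Trick 5: internationalised (xn--) labels can render as look-alike glyphs.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("idn-label")
    return flags
```

A real filter would combine such rules with a reputation database, which is the centralized approach the article goes on to mention.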
Gates also said that Microsoft has made "substantial progress" in the war on spam. "For example, today, Hotmail sites, using the IP address blocking and the content filtering approaches, are intercepting well over 90 percent of the spam and deleting that automatically," he said. The Sender ID program, which identifies legitimate e-mail senders, will further reduce the spam problem, Gates said. "I wouldn't say that we're at the end of spam. There's still a lot to be done. But we're past the peak, and we have the techniques rolling out which will bring this to be less of a problem than it has been."