Microsoft Promises a More Secure 2003

Microsoft Thursday outlined the next phase of its Trustworthy Computing initiative – one that includes a more “prescriptive” approach.

The Redmond, Wash.-based company said new products going forward, such as its long-awaited Windows Server 2003, would include “push” technologies to minimize security problems with its software.

Microsoft chairman Bill Gates issued a 1,500-word e-mail saying “new security risks have emerged on a scale that few in our industry fully anticipated.” The memo supported future investments in “smart cards,” calling passwords “the weak link.”

Gates’ request to customers is that they “stay up to date on patches, use anti-virus software and keep it up to date with the latest signatures, and use firewalls.”

The e-mail comes one year to the day after Gates told employees that they must make security in Microsoft’s products their first priority.

“Actually, we consider security priority ‘zero’ since we are trying to give customers a platform that they can depend on,” said Microsoft Security Business Unit corporate vice president Mike Nash.

Unfortunately, the promise of near-flawless security has yet to materialize. Thursday, Microsoft issued its first buffer overrun flaw of the New Year, which could impact its three most current Windows servers.

Nash said customer feedback over the past year helped put Microsoft in the mindset to take 10 weeks and $200 million to “make a change in culture with our employees, developers and partners.” Among other things, Microsoft trained some 11,000 engineers, reviewed its old source code, built threat modeling scenarios, staged attacks by external third-party “white hat” hackers, and focused on fixing buffer overrun detection in the compile process.

The company said the loudest complaints about security practically begged Microsoft to make sure its software was secure starting at the code level.

“Another one of the biggest things we heard from people is to reduce the number of vulnerabilities before they ship, which is why we are taking our time with Windows Server 2003,” Nash told internetnews.com.

The company said it is also working on proactively fixing security issues after a product ships but before customers encounter the problems; shipping timely patches in response to holes; simplifying patch deployment; and creating better build tools.

Microsoft has already addressed the “Trusted” process in its toolbox with its Visual Studio .NET platform. Nash says the expectation is to extend the security makeovers to all Microsoft products including Office, SQL, Xbox and even its Smartphone OS. But the company said it is realizing even more of its security aspects with Windows Server 2003.

Due out in April, the server is expected to include Internet Information Services (IIS) 6.0, IPsec, MBSA, SUS, WU, the SMS Value Pack and the Common Language Runtime to get the ball rolling. Microsoft said it would also turn off many of its macros in the default settings and keep sample code out of the product in the first place. The company is even minimizing the capabilities of Internet Explorer in Windows Server 2003, which it says reduces the risk of the browser being used as a launch pad for bad code.

The company says password security has been strengthened so that users cannot log on remotely using any account with a blank password.

Windows Server 2003 is also adding PKI and its alternative, PEAP (Protected Extensible Authentication Protocol), to protect IPsec-based VPN and network communications, along with wireless authentication using 802.1x, smart card logon, an encrypted file system, and other services.

Also scheduled for this summer is the Secure Configuration Wizard, an add-on technology for Windows Server 2003 that will automate the configuration of servers based on their server roles.

Microsoft said it would also be more diligent about keeping its customers informed about security risks. In addition to its Microsoft Security Response Center, the company has established call centers to contact customers proactively. The company said it was committed to issuing regular security updates to its software on a specific day of the week (e.g. Wednesday), except in extreme emergencies.

The company also said it is encouraging its customers to keep abreast of trends by referencing books, online classes or webcasts.

“We realized we have work to do and we have a responsibility as a member of the industry to share what we’ve learned,” Nash said.