Viewpoint: Windows Server 2003 Security

Microsoft's patch factory was running at full production last week at the same time that the company's formidable marketing arm was publicly launching a new operating system designed to reduce the frequency of security bugs. This apparent contradiction isn't proof that Trustworthy Computing is failing; instead, it's evidence that the initiative is critically necessary. Even though Windows Server 2003 is more secure than any previous Microsoft operating system, there will be no letup in patching for several years.

As he launched Windows Server 2003 on Thursday in San Francisco, Microsoft CEO Steve Ballmer emphasized Microsoft's $200 million Trustworthy Computing investment designed to fuse security into the very joints of the newly released operating system. Microsoft turned off dozens of features and services by default, most notably in IIS 6.0; reviewed the code of the operating system line-by-line; and plans to release tools and documentation to help administrators lock down servers by role. The end result should be fewer critical security patches for the Windows-based servers that are working their way further and further into mission-critical roles.

These are all welcome improvements. But Ballmer struck a realistic tone in shaping expectations about the security of an operating system with 50 million lines of code. "Will there never be another [security] issue?" Ballmer asked rhetorically. "I can’t say that. We have built better processes to respond and help you respond to any issues that come about."

I'll take Ballmer's comment one step further. The operating system is generally available now, and pre-release deployment has been rapid, according to Microsoft. Nonetheless, the vast, vast majority of the installed base of Windows systems is older software developed under Microsoft's pre-Trustworthy Computing product development philosophy, liberally paraphrased here as, "pack it with as many new features as possible and enable most of them by default." It will be several years before Trustworthy Computing-inspired server operating systems account for even half of the installed base, and a few years longer on the client side. And that's assuming Microsoft continues, as I believe they will, to prioritize security over features for the long term.

Which means we can look forward to frequent security patches for years to come. Ample evidence arrived this week. Laboring in the less secure morass of the current installed base, Microsoft's security teams pumped out two new critical security bulletins and reissued a previous bulletin the night before the Windows Server 2003 launch. The day after the launch, Microsoft's security teams acknowledged a quality control problem with another critical security patch from earlier this month and promised to post a new version shortly.

In case you missed the patches:

  • Microsoft Security Bulletin MS03-015 patched Internet Explorer against three critical new vulnerabilities and a fourth vulnerability of moderate threat.
  • Microsoft Security Bulletin MS03-014 contains a cumulative patch for Outlook Express. It fixes a critical vulnerability that could allow an attacker to run code on a target machine.
  • Microsoft Security Bulletin MS03-007, from March 17, is updated to include a patch for Windows NT 4.0. While Microsoft considered the patch critical for Windows 2000, the company designates it with the lower "important" priority for NT 4.0.
  • Microsoft Security Bulletin MS03-013 is updated to confirm that the Windows XP version of the patch causes problems with XP Service Pack 1 systems. Microsoft is working on a new patch.

The heightened activity out of Microsoft's security team shouldn't detract from Microsoft's accomplishment of shipping Windows 2003. The new server operating system truly represents a security landmark for Microsoft and the industry. Just remember that Trustworthy Computing is forward-focused. The patches of last week serve as a reminder that the flaws in the old Windows design won't magically disappear just because of the launch of Windows 2003, the first full Trustworthy Computing product release. Given the software we're all running now and for the next several years, any reduction in the volume of patches won't appear any time soon. The patches are dead. Long live the patches.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
