Security Tops Priorities at Microsoft Partner Conference
Microsoft CEO Steve Ballmer addresses security, promises new tools to combat growing problems.
Stung by relentless viruses and hacker attacks, and
a patch cycle that is spinning completely out of control, Microsoft on Thursday
unveiled a wide-ranging plan to mitigate, but unfortunately not eliminate, the
The approach includes:
- A new rev of Software Update Services
- More consistent patching
- Higher quality patches and patch rollback to resolve conflicts
- More secure versions of XP and Windows Server 2003 delivered via service
packs next year
- More security defaults for desktop and server OSes
- Laptop and remote PC security inspection technologies
The new strategy was announced in bombastic fashion by feisty Microsoft CEO
Steve Ballmer at the Microsoft Worldwide Partner Conference 2003, a gathering
of 5,400 partners from over 100 countries, all chaperoned by some 1,500 Microsoft
employees clad in a colorful array of Microsoft-logoed
Ballmer believes the security problem must be beaten back before IT can have
confidence to truly embrace new technologies. “Our whole industry is in some
sense threatened by people’s fear to do new things because of these security
issues,” Ballmer argued.
But perhaps the biggest impetus is customer complaints, and an unrelenting
river of bad press. “There come times in any industry when you have to step
back and hear what people are saying, and take that as defining moments to galvanize
you into action,” Ballmer said, which is a more subtle way of describing the public
flogging Microsoft has withstood due to security breaches.
The first phase of the Microsoft counterattack is Software Update Services,
a free but barely used tool that downloads patches from Microsoft Update to
a corporate server, and distributes them based on IT policies.
Due in the first half of next year, SUS 2.0 will manage patches for Windows,
Office, Exchange, and SQL Server. In announcing the rev, Ballmer asked for a
show of hands from those who use SUS 1.0. The paltry number of hands is part
of the problem. Many do not implement security tools, even when they are free
and designed to ease a burden such as installing a never-ending supply of patches.
The next rev of Systems Management Server will be a superset of SUS 2.0.
But SUS 2.0 can’t solve the patch problem on its own. Microsoft plans to reduce
the size of patches through delta patching by 30 percent to 80 percent, and
reduce the need to reboot by up to 30 percent. Also, non-emergency patches will
be issued no more than once a month, while emergency patches will still be sent
out immediately. Currently, Microsoft sends out non-emergency patches on Wednesdays.
While recent viruses attacked Windows XP and ignored Windows 9x, the most
vulnerable systems are often older computers. To address this, Microsoft is
extending security support until June 2004 for Windows 2000 SP2 and Windows
NT Workstation SP6a. However, Ballmer strongly suggested that desktops migrate
to Windows XP, an operating system that will be upgraded next year with a host
of security tweaks.
The patch problem is as complex as Ballmer’s proposed solution. There are too
many holes in today’s software products. IT doesn’t have time to handle patches,
the patches are too large, and their release is inconsistent. Also, patch quality
More importantly, it takes less and less time for hackers to pore through the
patches, and write code that exploits unpatched systems. For instance, it took
321 days to write Nimda, but only 25 days to do Blaster. The industry will watch
closely to see if Microsoft’s efforts can help seal up our systems.
Microsoft isn’t just focused on patches, but hopes to protect systems by building
a kind of perimeter around PCs and servers. An upgrade to Windows XP, in beta
later this year, will include some of these features. Windows XP SP2 will include
protections against e-mail and malicious Web code attacks, port-based attacks,
and buffer overruns.
Windows XP SP2 will have its Internet Connection Firewall on by default, and
these firewalls can be centrally managed. More security defaults will be created,
such as requiring a user to explicitly trust a Web site before running ActiveX
controls. There is also an improved memory model to guard against stack overruns.
An upgrade of Windows Server 2003, SP1, will be able to inspect laptops and
PCs that connect via VPN, and determine if there are any security risks before
allowing them on the network. “From a corporate level, VPN from home or users
bringing in infected laptops are top sources of infection,” Ballmer explained.
Windows Server 2003 SP1 will follow shortly after the release of Windows XP SP2.
Education will also improve. There will be a new global education program,
TechNet security seminars, monthly security webcasts and a Professional Developers
Conference seminar on writing secure code. Ballmer hopes to train over 500,000
people over the next 12 months. The company also launched Microsoft.com/security,
an online security zone for IT professionals.
Finally, Ballmer left attendees with some basic advice, as ignoring the basics
is what got us into this mess in the first place.
- Do a security audit
- Build a security plan
- Create a patch management plan
- Move desktops to Windows XP
- Move Internet-facing servers to the more secure Windows Server 2003
In classic Microsoft fashion, Ballmer refused to suffer his critics gladly.
He blamed security researchers for publicly disclosing holes before they were
plugged. “It would be best for the world if these people would just be quiet,”
he said, adding that Microsoft is working closely with many researchers to
close holes before they’re disclosed.
He pointed to Red Hat Linux with its dozens of vulnerabilities, and cracked
wise about the innumerable versions of Linux. And he took a pot shot at the
recent report that suggested Microsoft’s sheer dominance creates an overall
vulnerability. “There are those that say, ‘the best thing I can do for security
is to walk away from Microsoft, that a monoculture is bad for security.’ That
is hogwash. There is no port in this security storm that is safer than this
port,” he claimed.
The crowd applauded at several points, but one attendee thought the overall
approach was reactive, not proactive. “Hackers are terrorists and it is time
to declare war on hackers. Everything you’ve (Ballmer) described addresses
fixing it after it happens,” said the attendee, who then suggested a pool
of reward money doled out to those that hunt down hackers. “It is time to
attack the root.”
Ballmer agreed with all of the gentleman’s points, and hinted that Microsoft
might be interested in the bounty approach, though he emphasized that such
a program would have to run in cooperation with law enforcement. “We won’t
be shy about using money.”
Microsoft revenues continue to rise, despite the high-tech malaise, leading
the Microsoft CEO toward optimism. “Is IT done for, past its glory days? All
of that is such hogwash; I am so excited about the next ten years. We have the
chance to change the world, to do innovative work.” Ballmer attested to Microsoft’s
bullishness by pointing to this year’s budget of $6.8 billion for R&D. “We have
so much confidence. We have the pedal to the metal.” Hot areas of innovation
include real-time communications, reading and annotation, collaboration, business
applications, integration, mobility and business intelligence.
[Editor's Note: This news article also appears on ENTmag.com at http://entmag.com/news/article.asp?EditorialsID=5983.
Doug Barney is editor in chief of Redmond magazine and the VP, editorial director of Redmond Media Group.]