At its annual Worldwide Partner Conference in New Orleans last week, Microsoft executives described changes to the company's security strategy, including a new "Secure the Perimeter" process that's part of its wider Trustworthy Computing initiative. Does Microsoft finally get security?
During his keynote address at the conference, Microsoft CEO Steve Ballmer described the security problems facing Microsoft, its partners, and its customers. The problems fall into four areas:
- Microsoft's patching process is low quality and inconsistent.
- Microsoft's partners and customers need to know the best way to run an enterprise that uses Microsoft software, from a security perspective.
- Microsoft releases new security patches too frequently, and customers can't keep up with them.
- Microsoft products still have too many vulnerabilities.
Windows & .NET Magazine UPDATE readers are familiar with these topics, and we've discussed the company's plans for fixing the patch-management problem ("Security, Patch Management, and the Future" and "One Last Follow-up: The Future of Patch Management"--URLs pointing to these articles are provided below). But it's interesting to see how the company has honed its strategy since midsummer. According to Ballmer, the number of security vulnerabilities is rising, but a bigger problem is that the sophistication of the exploits is rising as well. Microsoft needs to do a better job of prioritizing its security patches so that customers can more effectively determine which patches to install first. But no one thing the company does will stem the tide of security vulnerabilities.
"There is no silver bullet," he noted. "People say, 'Well, can't you just fix all the vulnerabilities?' Even if all the vulnerabilities were fixed tomorrow morning in all of the products, there's still 600 million computers, many of them downlevel, many of them on funny versions that wouldn't have all of these vulnerabilities patched, fixed, and up-to-date." With that in mind, the company is taking some concrete steps to "end the pain." These steps include the following:
- Simplifying the patching experience. For Windows 2000 and later, including Windows Server 2003 and Windows XP, and for Microsoft SQL Server 2000, Microsoft will reduce the number of internal patching systems from 68 to 1 and have a new patch-management infrastructure in place by May 2004. This new patching system will cover "Windows and all the application products, including Microsoft Office," Ballmer said.
- Reducing the risks in patch deployment. This change means raising the quality of Microsoft's patches so that customers no longer need to worry about installing them. Customers have long memories: I still talk to people who reference the Windows NT 4.0 Service Pack 2 (SP2) debacle, for example, as rationale for not installing hotfixes. Microsoft will include rollback capabilities in all patches, so customers can return to the previous state if problems occur after installing the patch.
- Reducing the size of patches. Using new "delta patching technology," Microsoft will reduce the average patch size by 30 to 80 percent.
- Reducing the number of reboots. Many customers don't install patches because the patches require a reboot. Ballmer said the company can reduce the number of reboots by about 30 percent on the server, where reboots are particularly problematic. This reduction isn't as high as I had hoped and isn't what I recall hearing from the company back in June. Any reduction in reboots is appreciated, but surely Microsoft can improve this aspect of patch management.
- Improving automation. Microsoft will release Software Update Services (SUS) 2.0, a free patch-management tool, and Systems Management Server (SMS) 2003 in the days ahead, improving the automation of patch deployment for small, medium, and large businesses. Ballmer acknowledged that SUS is one of the best products Microsoft has released (for free) that no one has ever heard of, and the company will push the new version aggressively. SUS is already an excellent product, and I'll review version 2.0 in Windows & .NET Magazine UPDATE as soon as possible.
- Addressing legacy systems. Patch management will soon be much easier for modern Windows versions and applications, but what about the millions of legacy systems out there? Microsoft's answer is somewhat predictable: The company can't infinitely support out-of-date and aging systems, but it will extend the support life cycles for Win2K SP2 and Windows NT 4.0 SP6a to June 2004. This extension will give customers time to plan for the future and, perhaps, upgrade to newer Microsoft products.
- Providing predictable patch schedules. Microsoft is moving to a monthly patch release schedule; only emergency patches will ship outside that cycle. Indeed, some months the company might release no patches at all. "If we don't need them monthly, we won't have them," Ballmer said.
- Providing security guidance. In addition to the security best-practices documentation the company already provides in the form of books, CD-ROMs, and online articles, Microsoft will soon issue a report about how the company secures its own enterprise, including the strategies, technologies, and products it uses for intrusion detection, VPNs, and firewalls.

Ballmer then launched into an explanation of the company's new "Securing the Perimeter" drive and other actions the company is taking to improve security. I'm out of space, so I'll look at these topics next week and discuss the amazing feedback I received to last week's commentary about Microsoft being held liable for its security vulnerabilities. Thanks for reading.

Links

"Security, Patch Management, and the Future"
http://www.winnetmag.com/articles/index.cfm?articleid=39383

"One Last Follow-up: The Future of Patch Management"
http://www.winnetmag.com/articles/index.cfm?articleid=39545