In hopes of helping customers secure their systems against viruses, worms, and other vulnerabilities, Microsoft has announced a two-phase initiative dubbed the Strategic Technology Protection Program (STPP). During the initiative's first phase, Get Secure, the company will provide a series of short-term fixes to current and evolving security problems. During the longer-term second phase, Stay Secure, Microsoft will rewrite much of its key software to be as secure and resilient as possible.
"As an industry leader, Microsoft recognizes it has a special obligation to help ensure the security of the Internet and our customers' data," said Brian Valentine, senior vice president of the company's Windows division. "Effective immediately, we are stepping up our efforts with the singular focus of ensuring the security of our customers' networks and businesses. We will not rest until all our customers have what they need to get secure and stay secure." Microsoft's customers say the move can't come quickly enough.
During the Get Secure phase, Microsoft is releasing a slew of fixes, information, and software designed to plug holes in its existing products. For example, the new Microsoft Security Tool Kit provides a security lockdown tool for Windows 2000 Server, Windows NT 4.0, Microsoft Internet Explorer (IE), and Microsoft IIS, which has been a prime target of recent attacks. I spoke with Steve Lipner, who manages the Microsoft Security Response Center, about the toolkit and Microsoft's other security plans.
"We're providing what enterprises need to operate safely on the Internet," Lipner told me. "This includes service packs, patches, and tools—including the IIS Lockdown Tool and [IIS 5.0 and post-NT 4.0 Service Pack 5 (SP5) IIS 4.0] security rollup. People tend to focus on the need for updated technology, but customers need to understand the value of currently available tools as well. If you configured IIS in a paranoid fashion but applied no hotfixes, you'd still be protected from all problems that have happened so far."
Going forward, Microsoft will work with customers to help ensure the security of their installed Windows applications and servers. The company is offering free telephone support to any customer with security concerns. At the time of this writing, the company says it will have shipped comprehensive Win2K and NT 4.0 security rollup packages through Windows Update by the end of 2001 and that regularly released security packages will follow. These packages can be installed in only one step and require only one reboot. And a new version of Microsoft's AutoUpdate client, aimed at businesses, will provide corporations with automatic security fixes on the fly.
As part of the Stay Secure phase, Microsoft will evaluate and, if necessary, rewrite its software to increase software security. The next version of IIS, for example, will ship in lockdown mode, thus setting security features to the highest levels by default. Microsoft says it's also working with key industry and government groups to heighten Internet security.
Early this year, Microsoft also will give enterprises the ability to install local Windows Update servers, something customers have been asking about for more than a year. "[The new local Windows Update servers] will work with the Windows XP AutoUpdate client that we're moving to Windows 2000," Lipner said. "In its default configuration, this new technology will detect when you're connected, go up to a Windows Update site, and determine whether there are any security or critical patches. Then it will download them at a slow rate, so as not to disrupt the user, and prompt for install. We'll provide the capability to auto-install important patches as well, based on security severity levels. Eventually ... enterprises will be able to host their own Windows Update sites internally." For more information about the STPP, see Mark Joseph Edwards, "Microsoft Announces Major Changes to Security Practices," http://www.secadministrator.com, InstantDoc ID 22751.