Posted by configure on 09 October 2003 - 02:56 · 14 comments & 1817 views
Microsoft's next-generation security initiative, dubbed "Securing The Perimeter," includes a major update of the Windows Server Software Update Service (SUS) during the first half of 2004 and partnerships with firewall vendors to deflect future attacks, the company's software management chief said.

In a wide-ranging interview with CRN this week, Bob Muglia, senior vice president of Microsoft's Enterprise Management Division, said the company is taking significant steps beyond patch management to better secure the Windows infrastructure.

"Securing Windows is our top priority right now," said Muglia, who hit the road this week to discuss security issues and to detail the 22 October launch of Systems Management Server 2003. "Securing the perimeter is how you put in place countermeasures beyond patch management. While we continue to make the operating system more secure at its core and issue patches, it's not the only thing we're focusing on."

The management chief said Microsoft recently ordered OEMs to start turning on the Windows Internet Connection Firewall (ICF) by default on all Windows XP-based PCs. "That's going to happen very quickly," he said. "We told OEMs to do that right after Blaster [the virus that hit this summer]. Those that had ICF turned on didn't get Blaster."

And while Muglia declined to go into specifics about the perimeter plan, he said a common infrastructure for patch management is needed. The major upgrade of SUS will help administrators automate the deployment of security fixes and patches in a more transparent fashion to Windows 2000/2003 servers and desktop PCs running Windows 2000 Professional or Windows XP Professional.

News source: iTnews - Microsoft details security initiative


He likened Microsoft's Securing the Perimeter plan to installing a fence around a compound, or a gated community for homeowners. Stepped-up security measures can't eliminate break-ins, but they can reduce or thwart attempts by robbers--or, in the case of software, hackers--he explained.

"You need to have multiple levels of security in a corporation, multiple levels of defense. It's like a gated community. You need additional levels of security, doors locked and alarms turned on, and additional defenses, countermeasures such as putting up a fence, to be protected," said Muglia. "It doesn't always work, but it's additional protection."

Sources speculate that Microsoft is working with top firewall vendors and antivirus ISVs to allow them to hook into the Microsoft Update and Software Update Services -- and tap into .Net -- to coordinate an industrywide response to an attack across the internet.

Muglia would not comment on speculation about a possible .Net-based shield, and denied speculation that the company is poised to acquire a major firewall vendor.

In July, Microsoft moved into beta testing its more enterprise-oriented Internet Security & Acceleration (ISA) Server 2004 upgrade, code-named Stingray, a Windows server firewall solution. "Not to my knowledge," Muglia said when asked about a possible buy in the firewall space.

However, even as the company will evolve its ISA platform, Microsoft will need partnerships with ISVs and solution providers for Securing the Perimeter for heterogeneous networks. "We think every customer needs a firewall. But we're not going to do a Linux firewall."

Microsoft's forthcoming management stack is expected to help matters. He said the availability of SMS 2003 in November will help enterprises deploy security patches in a more efficient way while the Windows Update service for consumers and SUS upgrade will help both midsize companies and enterprises automate their infrastructure security.

"A year from now you'll see additional countermeasures in place, as well as better firewalls," said Muglia. "We'll have SMS 2003 out there so there's a better tool for deploying software and the next release of SUS for the Windows server for companies that don't require SMS."

In addition, Microsoft plans to ship management packs for its forthcoming Microsoft Operations Manager (MOM) 2004 next summer. "The next generation of management packs for MOM 2004 will have a broad understanding of security events, as will the next management pack for the Windows server," Muglia said.

Observers said Securing the Perimeter is a step in the right direction -- if executed well.

"Microsoft appears to be working to improve patching on several fronts and will be working to create new and improved perimeter defenses," said Michael Cherry, an analyst with Directions on Microsoft, a newsletter. "Both are reasonable and good moves, if they can accomplish them in a timely manner, and provide perimeter defenses that people can reasonably install and configure."

Securing the Perimeter is just one of a number of security initiatives under way at Microsoft and across various divisions in the company.

Sources in the analyst community say they expect Microsoft will announce significant improvements to the Internet Connection Firewall in Windows XP and add behavior-blocking capability from the technology it acquired from Pelican early in 2003.

One systems integrator who asked not to be named said Microsoft is busy reducing the attack surface aspect of Windows, IE and DirectX components, and is "hardening" the defensive aspects of .Net technologies. But the Windows configuration plans and enhanced SUS are key parts of the countermeasures Microsoft plans, he said.

This week at Momentum, the company's annual partner confab in New Orleans, Microsoft is expected to rally partners to its security cause. The company is poised to detail an updated security solution accelerator for its forthcoming Systems Management Server 2003 and a new security solution accelerator for SUS, Muglia said.

"These are handbooks for the VAR channel," said Muglia, noting that the deployment guides help channel partners lock up customer infrastructures. "The channel is very important because it supports so many small and midsize businesses, and enterprises are doing more and more outsourcing."

Later this month, at its Professional Developer's Conference, Microsoft is expected to announce the availability of the first software development kit for Microsoft's Next Generation Secure Computing Base, formerly code-named Palladium.

The software, to be embedded in the Longhorn version of Windows due in 2005-06, will exploit security advances in Intel's next generation 32-bit and 64-bit processors.

Security executives confirmed for CRN recently that Microsoft is working on a series of enterprise-oriented security products/services but would not discuss details.

Possible products in the lineup include intrusion-detection, firewall and antivirus products, according to information available on Microsoft's website.

Sources predict Microsoft will debut intrusion-detection technology and possibly antivirus technology into Windows following its acquisition of Romanian antivirus vendor GeCAD, which closed 3 September.

However, no decision is final, said Amy Carrolle, director of product management for Microsoft's Security Business Unit. She did note, however, that a subscription-based service is likely.

"The deal just closed. We're in the alpha testing phase, and it's too early to speculate," she said. "Our plan is not to make antivirus free but in a model similar to a subscription model."

Observers said it remains unclear how well Microsoft can execute on its ambitious plans, but its security woes are as big a threat to its business as was the antitrust case.

Numerous viruses and worms this summer have exploited flaws in Windows and have infected hundreds of thousands of computers worldwide.

The problems cost businesses millions of dollars in lost productivity and service fees. One report recently issued by five security analysts claimed the government's sole reliance on Windows on the desktop constitutes a threat to national security.

Both Muglia and Microsoft CEO Steve Ballmer admit it's a bigger worry than Linux.

"Microsoft has thrown a lot of resources at trying to be more secure," said John Pescatore, a vice president at Gartner. "We've seen progress on Windows Server 2003, but they haven't had a new desktop software product since they got security religion, and security problems on their desktop software is a bigger threat to Microsoft's dominance on the desktop than the antitrust [case] ever was. The lawsuit didn't cause enterprises to try out Mac and Linux desktops -- security problems in Windows have, though."



There are 14 additional comments
#1 Posted by Jon on 09 Oct 2003 - 10:43 (2 replies)
Sounds good, the interesting part is the comment regarding ICF and blaster.

You all spend your time slagging ICF off, but fail to realise that it is FAR better than a personal firewall. Personal Firewalls make the assumption that the user knows what to block and what to allow. Blaster proved that most don't (yes that includes 75% of neowinians at a guess).
If you did any research you'd realise that the rule set enabled (block all in unless related) is essentially the same as most basic corporate firewalls. It's a very good solid ruleset to protect against external intrusion attempts. Combined with solid AV protection and sensible downloading it's pretty secure.
#1.1 Posted by kingius on 09 Oct 2003 - 11:03
Yes very true. Most people don't even know how to use the ICF.
#1.2 Posted by kioria on 09 Oct 2003 - 12:41
lack of customization perhaps brings ICF down on intermediate or experts. however, yes, you guys are generally right when context is based on majority of the computer users - the in-eliterates.
#2 Posted by Fally on 09 Oct 2003 - 14:03 (3 replies)
To most of us in the industry "Securing The Perimeter" is an old school idea. What we are looking at now is securing the chewy center...

Also, for lots of users, turning on ICF can interfere with certain applications.
#2.1 Posted by Jon on 09 Oct 2003 - 14:16
It's not old school, it's just as essential, it's just recognised that most threats come from inside the network, rogue employees, stupid employees, viruses (which comes back to border security again).

Your post is misleading in that it implies it's irrelevant or out of date. This is rubbish and you should know better, it's still just as important. Partly as a result of perimeter security's success, attack vectors have changed, and corporations find themselves spending more time defining AUPs and filesystem permissions than worrying about IDS systems.
#2.2 Posted by Fally on 09 Oct 2003 - 17:33
Securing the Perimeter is not out of date nor did I intend to imply that. I simply meant that it is no longer looked at as the only or even primary method for securing a network.

The new method for securing your network is securing each and every node on that network and each resource on each node.

Microsoft is trying to pass the responsibility off to the users by telling them to "Secure the Perimeter" when it is them that needs to secure their OS.
#2.3 Posted by Jon on 09 Oct 2003 - 18:01
If I was being pedantic I'd argue that securing nodes+resources certainly isn't a new method of enforcing security, NT and Novell have been doing that for years.

I would agree that the focus has changed
#3 Posted by Coolme on 09 Oct 2003 - 14:54 (5 replies)
QUOTE
"Securing Windows is our top priority right now," said Muglia


So tell me again WHY DID M$ DELAY SP2 FOR WIN XP? and WORST PART OF IT WAS THAT they did it when EVERYONE HAD TO REINSTALL WIN XP AFTER THEY GOT ATTACKED BY THE BLASTER WORM. I mean I would rather download SP2 to install all patches rather than going to windows update and download SP1 and restart and go to WINDOWS UPDATE AGAIN to install ADDITIONAL patches.
#3.1 Posted by Jon on 09 Oct 2003 - 16:01
Err blaster made you reinstall XP?

Hmmm, do you use AOL by any chance?
#3.2 Posted by Coolme on 09 Oct 2003 - 19:01
No, I was not infected by the blaster worm and I don't use AOL, but earlier M$ recommended infected users to reinstall Windows.
#3.3 Posted by Jon on 09 Oct 2003 - 19:11
I followed Lovesan *very* closely from the first sighting from a corporate POV and never saw this.
#3.4 Posted by trance on 09 Oct 2003 - 19:29
MS NEVER recommended to customers to reinstall Windows. Not once.
#3.5 Posted by SomeDork on 09 Oct 2003 - 22:44
Why did Microsoft delay SP2? Ask them. My assumption is that they are obviously trying to simply piss you off, and to fix more stuff, and possibly change the way XP operates (which is not simply a bug fix, but a feature change, and requires more time)
#4 Posted by Ely on 09 Oct 2003 - 23:41
MS is going to change core system settings, probably things like enable ICF by default, making Windows force some updates when there are security implications on the upgrade and the user has not updated, more robust auto update system and security advisories in Windows as a whole. Who knows, stay tuned, I'm sure there will be obvious security features additions.