Microsoft announced today several major changes to its security practices designed to help mitigate unpatched systems most recently affected by the Code Red and Nimda worms. Microsoft also hopes these practices will help companies build security into any future networks from the outset. Brian Valentine, senior vice president of the Windows division at Microsoft, said that the company will make an unprecedented effort to help customers secure their systems from Internet-based threats by using the new Microsoft Strategic Technology Protection Program (STPP).
Scott Culp, manager of the Microsoft Security Response Center, said that STPP will let customers take a simple two-phased approach to security: Get Secure and Stay Secure. The Get Secure phase includes proper planning and configuration before companies connect their systems to the Internet. The Stay Secure phase helps companies maintain ongoing security after they connect.
According to Valentine, STPP will offer customers five no-cost services that will dramatically enhance their overall security. The first service is available on the Microsoft Web site. This service consists of toolkits that contain the latest service packs; all critical security patches for Windows 2000, Windows NT 4.0, Microsoft IIS, and Internet Explorer (IE); and a tool that links to the Windows Update Web site for any late-breaking patches. Microsoft wants to provide a way for users to obtain all the latest patches without having to connect to the Internet to do so. Microsoft is now taking orders for a free toolkit CD-ROM, which the company will begin shipping to customers by mid-October.
The second STPP service is a collection of enterprise-level security tools that Microsoft intends to deliver in December 2001. Valentine said, "We will deliver a tool that scans a Windows 2000 server, highlights any potential misconfigurations that could undermine security, and advises the administrator in making changes." Culp added that the server-scanning tool will work similar to the Microsoft Personal Security Advisory, which scans workstations. However, the server scanner might be a standalone application as opposed to a Web-based tool like the Microsoft Personal Security Advisory. The company will also offer a patch-rollout tool that will work with Microsoft Systems Management Server (SMS) to better handle diverse patch-application needs.
The third service will help Microsoft customers, including home users, stay secure with toll-free, telephone-based security support. Microsoft has made a toll-free number (1-866-PC SAFETY) available to anyone in the United States. The company plans to also publish a toll-free number for international callers.
Culp said that Microsoft will reserve this phone-based support service for serious problems (e.g., Code Red, Nimda) that affect multiple software packages across a variety of platforms. Culp said that existing Microsoft support is product centric and the company must begin addressing new worms that affect multiple products. Culp added that users who discover new security problems should continue to report those matters through the Microsoft Security Response Center email address ([email protected]), and users who experience general virus and Trojan horse problems should contact an antivirus software vendor for the correct remedy and prevention tools.
As part of the 4th STPP program offering, Microsoft will deliver a cumulative security patch for Windows 2000 on a bi-monthly basis and simplify overall patch application. Valentine said that the company intends to deliver Win2K Service Pack 3 (SP3) by February 2002, and that SP3 will focus on security. To meet that goal, the company is using a custom advanced software-analysis tool to conduct a detailed code-level review of all Win2K security-sensitive components. Culp said that Microsoft developed advanced tools to help analyze Windows XP code during its development and will now apply those tools to Win2K. SP3 will also include a new automatic update client for Windows Update technology, which will let Microsoft automatically push out and install new patches on users' machines, as opposed to requiring users to visit the Windows Update Web site and manually downloading patches to install. Culp said that the new client will be completely configurable and will alert administrators about new patches the company releases. The client will also offer the option of installing new patches immediately or scheduling them for installation at a later time. Culp said that Microsoft based the new client on technology extracted from IIS 6.0 for XP, which lets IIS automatically download and install the latest hotfixes as they become available.
For enterprisewide updates, the 5th STPP will offer users a new Federated Corporate Windows Update (FCWU) solution, which will let administrators use Windows Update technology while still maintaining direct control over which patches users apply. FCWU will let companies host their own Windows Update Web site internally on their corporate network, where administrators can select which patches will be available to their users. Microsoft expects to make a beta version of FCWU available early in 2002—the company has slated the product release date for mid-2002.
Microsoft representatives will contact customers to determine whether Microsoft can assist them in getting secure and staying secure. The company intends to offer its customers advice regarding all stages of network operation—from the extreme need for proper initial planning to network construction and ongoing operations. Microsoft said it will also refer customers to third-party companies that might be well suited to address individual business needs.