Microsoft Finally Implements End-To-End Security

In my September 2001 editorial for Windows 2000 Magazine, I boldly proclaimed that "Microsoft Gets Security," a message that might have been a bit premature, to be kind. But this week, the company actually proved me correct. Thanks to well-publicized security hacks and a less-than-honest report from Gartner Group (in which Gartner recommends that all Microsoft customers stop using Microsoft IIS), Microsoft is finally overhauling the way it approaches security.

The changes are part of a new initiative Microsoft calls the Strategic Technology Protection Program, which will help its customers get secure and stay secure. In the short term, Microsoft will use the Get Secure phase of the Strategic Technology Protection Program to take immediate steps to safeguard customer networks against attack. During this phase, the company will provide free customer-support calls for viruses and related problems: The program is live in the United States (1-866-PC-SAFETY, or 727-2338) and will be available worldwide by the end of the month. Microsoft has also released a new Security Tool Kit, in online and CD-ROM formats, for its customers. This kit includes all the security-oriented service packs, hotfixes, security tools, and other add-ons that the company has released for Windows 2000 and Windows NT 4.0, including the recent IIS Lockdown tool. The CD-ROM version of the Security Tool Kit—due October 15—will provide a one-install, one-reboot security update capability, which is a welcome change for anyone who has ever installed hotfixes one at a time.

Long term, the Stay Secure phase of the initiative will ensure that Microsoft products are secure going forward. The company is working on a set of comprehensive security roll-up packages, which it will provide through Windows Update and refresh "every couple of months." These roll-ups also will consolidate security updates into a one-install, one-reboot package. And Microsoft is porting Windows XP's Auto Update functionality to Win2K, so that Win2K users can automatically download and install security updates without any further interaction from an administrator or user; this functionality will be available by the end of the year. Microsoft will roll these features into Win2K Service Pack 3 (SP3), which is due by mid-2002. Finally, Microsoft is expanding the scope of its Secure Windows Initiative (SWI), which the company announced last April (prompting my original "Microsoft Gets Security" article). SWI will ensure that developers design all upcoming Microsoft releases with security in mind and rewrite them, if necessary, to include better security. Internet Information Services (IIS) 6.0, for example, will ship fully locked down in Windows .NET Server next year, in sharp contrast to previous versions.

To get a handle on these changes, I spoke with Steve Lipner, who manages the Microsoft Security Response Center. Lipner said that Microsoft is simply trying to make security easier and better in its products and services. "In response to customer demand, we announced the Strategic Technology Protection Program," Lipner said, "which will mobilize our services organizations that work directly with customers. The goal is to really address security needs at a new level, though in many cases today, a lot of this is about current products and getting help to customers immediately. But we're changing our development internally as well."

Lipner says that the Security Tool Kit will provide customers with a baseline of security for Win2K and NT 4.0. "We're providing what enterprises need to operate safely on the Internet," he told me. "This includes service packs, patches, and tools—including the IIS Lockdown Tool and IIS Security Roll-up. People tend to focus on the updating technology, but customers need to understand the tools as well. If you configured IIS in a paranoid fashion and applied no hotfixes, you'd still be protected from all the problems that have happened so far."

One interesting improvement that's coming early next year is the ability to install local Windows Update servers—a feature that Microsoft customers have been requesting for more than a year. "[The feature] will work with the Auto Update client from XP that we're moving to [Windows] 2000. In its default configuration, [Auto Update] will detect when you're connected, go to a Windows Update site, and see if there are any security or critical patches. Then it will download them at a slow rate, so as not to disrupt the user, and then prompt for install. We'll provide the capability to auto-install important patches as well, based on security severity levels. And eventually, this will be extensible by enterprises, who will be able to host their own Windows Update [server] internally."

Microsoft will release the security roll-ups every 2 months or so, according to Lipner, and roll them into the next service pack for each OS. So Win2K SP3 will include all security updates up to that time, and will again provide a one-click, one-reboot installation. The first security roll-up for Win2K will ship in November. For more information about the Security Tool Kit and Strategic Technology Protection Program, please visit the Microsoft Security Web site.

Thanks to everyone who wrote me about last week's Active Directory (AD) editorial. The feedback mirrored what Microsoft reported about AD take-up, and most people were surprisingly happy with the results thus far. However, as a few readers pointed out, the Mindcraft report that I mentioned in last week's UPDATE reflects total cost of ownership (TCO) results that were augmented by an OpenNetwork tool called DirectorySmart, which acts as a bridge between an internal network and an extranet. This information was omitted inadvertently, but it doesn't change the fact that AD is currently scaling far beyond what Microsoft originally expected. Sorry if that caused any confusion.
