Microsoft Outlines New Win2K Security Strategy

On January 18, Brian Valentine, Microsoft’s senior vice president in charge of Windows 2000 (Win2K) and Windows 98, outlined Microsoft’s new Win2K security strategy in an address at the RSA 2000 security conference. At one point, Valentine announced that Win2K will ship worldwide with 128-bit encryption. He explained that Microsoft saw Win2K as a chance to respond to the security crisis that the rise of the Internet has created. He claimed that Microsoft is trying to present an industry call to action and raise the bar with regard to security. Valentine said that Microsoft took several key steps to increase security in Win2K. “The first thing we did was, we designed the product to round up with security,” explained Valentine. “We took the Windows NT 4.0 base, which we thought was a fairly secure base—much more secure from a kernel standpoint, device driver standpoint, than Windows 9x was. And we actually created what we call the penetration test team, which was 15 people that did nothing but review the source code for 18 months.” Microsoft also “designed security into all the specifications. So, when you wrote a design for a module, one of the specification templates for module design was, you had to do your security check-offs.” Valentine told the audience that Microsoft had put up a test site with a simple Win2K system. “I just told the people, put it up there, and let's just see what happens. We put it completely naked on the Internet. All we did was, we built the server, a single box server, and put it on the Internet with a direct connection. The only thing between it and the Internet connection was a router, but the router wasn't doing any filtering. We put a little guest book app up, because when people came there, we wanted them to be able to do something. We dropped it out on the Internet at 8:00 p.m. Within an hour, we had 100 connections—we didn't tell anybody it was out there; we just dropped it on the Internet—100 connections in 1 hour. Within 2 hours, we had over 1000 connections—as soon as the word got out. Of course, the home page said, 'This is a security test system. Please break in if you can. There're little Easter eggs here and there.' When you challenge people like that—we were attacked from everywhere.” According to Valentine, although Microsoft discovered four denial-of-service (DoS) bugs, he and his team believed that no one had breached the system and found the Easter eggs. In addition, they hired professional security consultants to attack Win2K systems and locate security problems in the code. Microsoft also tried to increase security “from a protocol standpoint and from a standards standpoint.” The company designed Win2K for C2 security, IP security, and to function with all Internet Engineering Task Force (IETF) standards. NT 4.0 just got C2 certification, as Windows 2000 Magazine recently reported in "Windows NT 4.0 Wins C2 Certification," and Win2K is now starting that certification process. Microsoft is also launching a security response center. The company promises responses to any security issues involving Microsoft products within 24 hours; however, Valentine expects most responses to come in short minutes. Microsoft also promises clear white papers on security issues involving Microsoft products; higher levels of checking regarding Microsoft’s service partners' security practices; and a frequently updated security section on the Microsoft Web site. For the entire text of Valentine's speech, see Microsoft Security Strategy speech.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.