Security or Else
Last week at the RSA Conference 2005 in San Francisco, Microsoft Chairman and Chief Software Architect Bill Gates revealed many of his company's security-oriented plans for the year. The relevant bits for Windows IT Pro UPDATE readers include the oft-delayed Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition, new antivirus and antispyware solutions, and, surprisingly, a major new version of Microsoft Internet Explorer (IE) that will include pervasive new security features. This week, I take a look at what Gates said--and didn't say--and wonder aloud again about whether charging customers for security is in Microsoft's--or its customers'--best interests.
ISA Server 2004 Enterprise Edition
Last July, Microsoft released ISA Server 2004, the latest version of its application-level firewall and Web cache server. However, only the standard edition of ISA Server 2004 shipped last year. Since then, large corporations have been waiting for the more advanced enterprise edition. This version, which is now finally available, adds several high-end features. Chief among these features are Cache Array Routing Protocol (CARP)-based Web caching, a high-availability technology, and an enhanced version of Windows Network Load Balancing (NLB) that adds support for bidirectional affinity for all Internet protocols, according to Microsoft. During his RSA keynote, Gates highlighted ISA Server 2004 Enterprise Edition's new support for Active Directory Application Mode (ADAM), which lets you replicate firewall policy across Active Directory (AD).
According to Gates, 88 percent of all virus-based attacks enter corporations through email. To help combat these attacks, Microsoft is working on "the ultimate mail virus protection," but sadly, that's about as specific as he got, which I found troubling. We do know that Microsoft's eventual antivirus solution will ship in a managed, enterprise version and will be based on Sybari Software's well-regarded antivirus engine technology, which lets you plug in antivirus engines from many third parties. Microsoft, of course, will supply its own engine, which is based on GeCAD Software technology. The product is expected to ship in late 2005.
Gates surprised onlookers by announcing that Microsoft would provide consumers with Microsoft Windows AntiSpyware for free. However, corporate customers won't be surprised to discover that the managed version will be sold as a subscription offering by late 2005. Based on the antispyware technology it purchased from GIANT Company Software in late 2004, Windows AntiSpyware is, in fact, the highest-rated antispyware solution currently available for desktops. However, a problem exists with all of today's antispyware applications: None can stop all spyware threats, and therefore consumers are advised to use two antispyware solutions in tandem to get the best protection (I use Windows AntiSpyware and Webroot Software's Spy Sweeper, the latter of which is rated the number-two solution). However, it would be better to fix the spyware problem at the source. But that brings us nicely to ...
The biggest security hole in any Windows system is IE. Although Microsoft made many important improvements to IE in Windows XP Service Pack 2 (SP2), the product is still a conduit for spyware and other malicious software (malware), phishing probes, and numerous other electronic attacks. Microsoft is going to attack the problem at the source: Rather than wait for the release of Longhorn in 2006, which was the original plan, Microsoft will ship IE 7.0 in late 2005. At least two public betas will ship around midyear. As with SP2, IE 7.0 will include sweeping security fixes and, possibly, heavily requested features such as tabbed browsing.
There's a catch, however. IE 7.0 will be made available only to XP SP2 users. That's right. Customers still using earlier XP versions, Windows 2000, or Windows 9x are out of luck. This kind of forced upgrade in the name of security is dangerous, in my opinion. Although I agree that XP SP2 includes low-level security features that aren't present in other OS versions and would be difficult or time-consuming to add, forcing customers to upgrade an OS--with all the inherent time, difficulty, and cost associated with such an effort--is problematic.
The Big Picture: Microsoft Security
And that brings us to the big picture. Microsoft, at its heart, is a product company, and the aforementioned security-oriented products satisfy the company's need to line up technology in neatly packaged containers it can sell. But charging customers to fix problems caused by the inherent insecurity in the products they already purchased seems a bit unethical. Sure, many security problems can be blamed on misconfiguration and human error, but if Microsoft's products are faulty, the company should fix them for free, especially while the company is still actively supporting them. Specifically, instead of selling antivirus and antispyware solutions, Microsoft should make Windows more resilient to these kinds of attacks. And existing customers should get that functionality in a service pack. Email, database, and real-time communication are all value-added services that Microsoft can and should charge for. Security? No way.