Microsoft Monitor Weblog A Jupiter Research Business Weblog
 
Jupiter's Microsoft Monitor Research Service helps vendors prepare for market opportunities created by new Microsoft initiatives. In addition, Microsoft Monitor helps business and enterprise users discover which strategies are most successful in dealing with Microsoft and how to best exploit the customer relationship. The Microsoft Monitor Weblog is a companion to Jupiter's Microsoft Monitor Research Service and provides additional news, analysis and insight relevant to the areas most important for Microsoft's growth in both the business and consumer marketplaces. The content on this Weblog is often based on late-breaking events whose sources are deemed to be reliable. The insight and recommendations represent Jupiter's initial analysis. As a result, our positions are subject to refinements or major changes as Jupiter analysts gather more information and perform further analysis. Feedback is welcome at mm@jupitermedia.com.

October 09, 2003
Rewind: Secure Computing

Today, Microsoft revealed a new security initiative that will unfold over the next six to 12 months. The changes are a commendable improvement over Microsoft’s current approach to securing Windows-based systems, but I think they miss some important issues, which I will address later. The changes amount to a three-pronged attempt to improve security: patch management, education and new safety technologies in Windows. (Microsoft’s brief explanation for IT professionals can be found here.)

For starters, Microsoft is tackling the sticky issue of patch management. The company plans to move to a monthly patch release schedule, except when a critical security vulnerability warrants an out-of-cycle patch. Apparently, Microsoft reasons that a single, predictable monthly update will be easier for network administrators to test and roll out than patches arriving at arbitrary times.

The company also plans to release Software Update Services 2.0 during the first half of 2004. The current version mainly handles platform software, such as Windows itself. The successor would extend patch scanning and deployment to Exchange Server, Office, SQL Server, Visio and Windows.

In what I consider an extremely smart move, Microsoft is extending security support for Windows NT 4 Workstation with Service Pack 6a and Windows 2000 with Service Pack 2 through June 2004. The move rightly recognizes that a large number of companies still run NT 4 Workstation or Windows 2000 with the older service packs (the most current Windows 2000 service pack is SP4).

Education is Microsoft’s next strategy for improving security, and, again, the company should be commended, because Microsoft will be paying the bill, so to speak, for educating businesses about software security. Later this fall, Microsoft will start offering free TechNet security seminars. Additionally, starting in November, Microsoft will hold monthly security Webcasts.

Microsoft’s Oct. 26-30 developer conference will offer several security sessions, including ones on writing more secure code, as today's announcement notes. I have to ding Microsoft for relegating the major security events to the last day of the conference, when the fewest attendees are likely to be there. Unless I’m mistaken, Microsoft’s mandate is to put security ahead of product features. So why relegate the showcase security events to the end of the show?

The third security change will affect Windows XP and Windows Server 2003. Microsoft plans several, as yet amorphous, safety technologies focusing on four areas: e-mail-borne attacks, network port-based attacks, buffer overruns and malicious Web content. Microsoft considers these four areas to account for the largest percentage of exploited vulnerabilities. These safety technologies would debut with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, both of which are scheduled for release in the first half of 2004.

My biggest problem with the security changes: I hear a lot of talk, but I would like to see more action. Most of these security changes won’t come until sometime next year, and some could be eight months or more away. I make a big deal out of this because Bill Gates’ Trustworthy Computing mandate that Microsoft put security before all else came in January 2002. I’m trying to grapple with why Microsoft has taken so long to seriously deal with problems like patch management.

Even that effort falls short, because nowhere in Microsoft’s announcement is there any indication that the company plans to ease patch management for consumers. One of the lessons of August’s Blaster outbreak: too few consumers patch their computers. Why should they think to, when no other major consumer product (CD players, televisions, DVD players and the like) needs regular maintenance or security updates?

In today’s WiredNews story (here), "Cloaking Device Made for Spammers," reporter Brian McWilliams reveals that a Polish company is effectively hiding spammer sites behind a network of 450,000 computers. The PCs, most of them in homes, have been infected with a Trojan horse that spoofs IP addresses. I find that number of compromised computers, presumably mostly running Windows given Microsoft’s huge desktop share, co-opted by one company to be staggering, and a sure sign both of the vulnerability of home PCs and of the threat they pose to the larger Internet-connected community of users.

My other problem is Microsoft’s ongoing tendency to put out fires rather than prevent them. Certainly, today’s security changes are welcome steps forward. But they come in the wake of several nasty summer security vulnerabilities, rather than from Microsoft demonstrating true leadership by following a methodical process of improving security.

I know that Microsoft, as a company, takes security very seriously. In fact, the company has put in place some not-so-user-friendly steps to ensure that only authorized remote users get into its network, and that their computers have up-to-date antivirus definitions and other security measures in place before the log-in process completes. Microsoft likes to tout the "dogfooding" of its products, meaning its own employees use and exhaustively test software before it ships to customers. Hopefully, Microsoft can pass some of that security dogfooding on to its customers, both through the education process and by incorporating into popular products like Windows some of the policies and technologies in use inside Microsoft.

Posted by Joe Wilcox at October 09, 2003 04:00 PM

Copyright 2004 Jupitermedia Corporation. All Rights Reserved.
Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.