A Security Progress Report from Bill Gates
On March 31, 2004, Microsoft Chief Windows Architect Bill Gates released an Executive E-mail entitled “Microsoft Progress Report: Security.” Since so many of you use Windows on your desktops, servers, and in other places (as I do, too), I thought it might be of interest to recap some of the highlights from his open letter.
- Increased connectivity and increasingly sophisticated hacking have made instant propagation of and widespread damage from malicious software all too possible.
- New kinds of threats, particularly those that co-opt unsuspecting, unsophisticated users into unwitting participation in large-scale attacks, require pre-emptive measures from IT professionals and users, and innovation and development of new solutions from the technology industry.
- Microsoft is putting effort into several initiatives (called out in bold in following bullets) to help make “significant progress on the security front.”
- **Isolation and resiliency:** prevent malicious code from launching exploits by isolating that code, and make systems more resilient so they can identify and stop suspicious activity. This will strongly influence the forthcoming Windows XP Service Pack 2, which enables the Windows Firewall by default and supports its centralized configuration and administration. Going forward, IE will block unsolicited downloads and pop-ups, and improved attachment handling in Outlook and Messenger will reduce risks from downloads and file transfers. Major efforts are also under way to find and eradicate buffer overflows, and many server technologies (Windows Server 2003, IAS 2003, Exchange Edge Services, etc.) will be beefed up and made more secure. Connection-conscious software will adapt to more or less secure Internet links, while behavior blocking and application-aware firewalls will help contain and halt the spread of unwanted or malicious payloads. Add anti-spam tools, remote client status inspections, and security-enhanced Web services to this mix as well.
- **Updating:** upgrade the quality and reliability of updates, work with administrators to make updates easier to handle, and supply server platforms (SMS and Windows Update Services) to make updates easier to deploy and install. Develop functionality to update major applications and services as well (SQL Server, Exchange Server, Office) and extend updating to a broader set of Microsoft products. Easier end-user security posture and configuration checking and management are also key priorities (to be included in XP SP2).
- **Authentication and Access Control:** improved and strengthened mechanisms will include stronger passwords (and password checks), smart card support, more pervasive use of digital certificates and PKI, support for biometric ID cards, and tighter integration of IPSec.
- **Quality:** continued implementation of an “engineering excellence” program to improve security consciousness in software design, development, testing, and release. Critical security bulletins are down from 40 (Windows 2000) to 9 (Windows Server 2003) in the first 320 days following release, as are other frequency measures.
- **Customer Education and Partnerships:** improved outreach and educational materials through online forms, security summits, stronger security guidance, and more efforts to raise security awareness and improve security posture than ever before.
This is all good stuff, and the data Bill presents do make a case that Microsoft is cleaning up its security act. Hopefully, Windows XP Service Pack 2 can live up to its advance billing (it’s due in “late spring/early summer” according to Gates’ letter). At Microsoft, there’s never been a problem with talking the talk; I sincerely hope they can also keep walking the walk!