As director of product management in the Security Business and Technology Unit at Microsoft, Amy Carroll is responsible for making sure that new enhancements to Windows and new versions of Windows are very secure. Carroll spoke to Wayne Rash about the company's approach to security and commitment to improving the overall security of its operating system.
Q: How does the current atmosphere of dueling worm creators affect the problems that you are dealing with?
Carroll: There are two big challenges. One is the environmental challenge, where there is a great deal of emphasis on dueling virus creators. Currently those viruses are not necessarily exploiting a vulnerability in Windows or other software code, but are requiring users to double-click on malicious attachments. So the environmental challenge is often one of user education and awareness so customers don't get fooled by these social engineering viruses. While an IT administrator may be able to lock down the LAN environment that is hardwired, it becomes more difficult with increasingly mobile users and work-from-home users and remote users. The wide-scale availability of broadband connections poses increasing challenges for how you keep those users secure. And then the second challenge is how we respect legacy systems while building more and more secure products as we go along.
Q:: What kind of security enhancements do you have planned for Windows XP Service Pack 2?
Carroll: We're focused on making computers more resilient in the presence of worms and viruses, with Service Pack 2 focused on vectors or modes of attack rather than individual vulnerabilities. We are looking to address the threat from port-based attacks, malicious e-mail attachments, malicious Web contents, and buffer overrun. Specific enhancements we're doing to address those areas are, for network protection, Windows Firewall, which was previously called Internet Connection Firewall, will be enhanced to help stop network-based attacks by closing unnecessary ports by default. In addition, Windows Firewall is now centrally manageable either by group policy or by scripts in those environments that are not based on Active Directory. We're going to have a proof protection to block the transfer of executable files, e-mail, and instant messenger, so we can protect against those e-mail-born attacks. We'll have better and more granular Internet zone settings by default to prevent harmful Web downloads so that there can be safer browsing. And we're also going to do a lot of work for protection against buffer overrun, both in the ways that we compile the code and with the new no-execute zone, execution protection zone that will enable hardware-enforced execution protection on those microprocessors that contain the feature.
Q: Are you going to provide additional interfaces for other companies that make security software?
Carroll: The new security center in Windows XP SP2 is a streamlined UI or Control Panel for users to be able to more easily check to see the status of the security features on their PCs, including the status of third-party products like anti-virus protection or firewalls.
Q: How about changes and improvements for the enterprise?
Carroll: All of the security enhancements in Windows XP SP2 will now be centrally manageable within the enterprise either by group policy or via script so that IT administrators will have better or granular control over the security features across their broad base of users.
Q: Will the management tools be included with Windows?
Carroll: The management will be rolled into Active Directory environments; it's part of the group policy and the same interface that would be used for other group policy aspects.
Q: What about companies that are not using Active Directory?
Carroll: Then we're looking at scripts, and those will not be part of Windows XP SP2 in the initial release, although we'll certainly be working with customers to help develop those.
Q: How important, in terms of security, is the unauthorized release of some of the older Windows code?
Carroll: That's a very interesting question. We are working with law enforcement and with partners on the investigation, but we are in the midst of the investigation so I can't really comment.
Q: The code that was released is pretty old. Is it even relevant to the current versions of Windows?
Carroll: We continue to recommend that customers stay up to date with the latest security updates and service packs. There has been some discussion about (this), in the aftermath of an alleged vulnerability discovered in portions of IE that were leaked. But that was a known vulnerability that we were already aware of (and that was fixed) in Internet Explorer Version 6.0 SP1. So again, we continue to advise our customers that the latest versions of our software are the most secure and that should stay up to date with the security updates. Customers who are running older systems who can't or don't wish to upgrade, we recommend that they employ other (mitigation) technologies including anti-virus, firewall, and that they are running the latest version of Internet Explorer.
Q: Part of what you're working on is Microsoft's Trustworthy Computing Initiative. Have you gotten measurable results?
Carroll: We feel that we have made good progress. If we look at things like the number of vulnerabilities in Windows Server 2003, 292 days after release we had nine bulletins rated critical or important for Windows Server 2003 vs. 38 for Windows 2000 Server. We think nine is still too many, but we think that's good progress.
Q: Aside from whether the code is secure, what is the biggest security headache you have to deal with?
Carroll: The challenge is really how we respect those legacy systems as we build more and more products as we go along. I think we've seen good progress in addressing those changes, but there is a large installed base of existing customers that we need to be very sensitive to.
Q: How about customers that refuse to patch and refuse to upgrade?
Carroll: We would prefer that customers stay up to date with service packs and security bulletins. That said, we've also made a number of improvements to the patching process and we're continuing to work to improve to make that easier, so reducing the number of patch installers, moving to monthly patch releases so it's more predictable and more manageable, making the patches themselves smaller and of higher quality, and other efforts that we are taking to reduce downtime and increase manageability to make that process easier for everyone involved.
Q: If you could have any one thing in terms of security involving Windows, what would that one thing be?
Carroll: A consistent, comprehensive security framework that enables a smooth integration of security, both on products we sell and for third parties, so that you could have multiple security policies depending on the environment or the role, and that it's easy to administer and easy to implement. I think that's really the Holy Grail.
Q: : What do you think the chances are of reaching it?
Carroll: We'll get there.