Microsoft's latest security efforts are focused on Service Pack 2 for Windows XP, which is due in the next few months. Mike Nash, vice president of Microsoft's US security business and technology unit, recently discussed SP2 and the company's security strategy with Computerworld:
What guidance can you give IT pros about Windows XP Service Pack 2 breaking applications?
Making sure that we're doing things to make XP SP2 compatible with key customer scenarios is a top priority for us. One of the things with the new firewall in Service Pack 2 is to make sure that it's compatible with more scenarios so that it can be turned on by default and left on by the customers.
There may be some cases from a security perspective where we're doing things that change the behavior of the operating system. There may be certain cases where security and compatibility are at odds, and we're going to focus on security, because people really need us to be focusing on security.
The most important thing customers should be doing right now is planning for their rollouts of Windows XP Service Pack 2, which means testing it today so that if there are issues, we get that feedback now so we have a chance to respond to it before we ship the product.
How important is the firewall in Windows XP SP2 for companies that already have network firewalls?
When your machine is always inside the network, the primary thing that the firewall's going to do is protect your machine from another infected machine that was brought inside the network. If you have a laptop that comes in with an infection, the edge (network firewall) can't help you. But your machine will be protected from that attack. So I never turn my firewall off.
The other thing that will happen is that, if a machine comes in with malicious code on it, its ability to propagate can be somewhat slowed down by having a firewall there. The primary place it makes a difference is for machines that are checking in remotely. We know a number of situations where an end user VPNs into the corporation and didn't have a firewall turned on. That machine is both out on the Internet but inside the (corporate firewall) all at the same time. Think of it as redefining "edge of the network."
Will XP SP2's firewall work with other personal firewalls?
It is designed to support multiple firewalls, ours and a third party's, at the same time. Practically speaking, if you're using a third-party firewall and you're comfortable with its level of protection, that's a fine answer. Our primary goal is to make sure that customers have a choice.
I think one of the key benefits of our firewall is that it can be managed using group policy.
In Windows XP Service Pack 2, we've done work to make the firewall manageable using group policy with Active Directory but also allow it to support multiple profiles. So I can set my policy to a rule that says, "When the machine is inside the corporate network, allow it to do more things even though the firewall is still on. When that machine is not on the corporate network, and it's sitting in a coffee shop or in a hotel room or in someone's home, increase the level of protection because I don't have the corporate edge protected for that machine." That's something that an administrator could do by policy based on what's appropriate for their organization.
Someone at a large Microsoft customer that makes weapons systems for the government told me he believes that perfect software can be written. Is there any chance you'll rewrite Windows to take advantage of what you've learned about security?
I'm not a person who believes that perfect software is possible at that kind of scale, because there's always going to be some level of vulnerability. Pragmatically, certainly we do everything we can to make sure that we're training our engineers on how to build and design secure code, making sure that we're testing our software and making the software configuration as secure as possible. But there are going to be vulnerabilities in software, and therefore the approach is to make sure that we create essentially countermeasures to make sure that even if there is a vulnerability, we can isolate the system software or the application from the malicious software that might try to attack it and drive more resiliency of how that software behaves under attack.
Does that approach represent a change in strategy?
I wouldn't say it's a change in strategy as much as I would say it's a change in emphasis. Isolation and resiliency was something that we always understood. Being more pragmatic about how it could be used is what's different. If you look at why we did Windows XP SP2, the original idea was, with the firewall built into Windows XP turned on, a customer wouldn't have been attacked by Blaster, even if they'd never installed a patch in their life.
We'll of course always work to improve quality. We're not letting up the gas at all on that. But as you go in and perhaps fix some of the quality issues, there is the risk of breaking things. You can introduce more problems, so you have to do that in a measured way.