Microsoft again goes on the security offensive

Microsoft Corp. is adding security features to the next version of Windows 2000 Server that will control the execution of mobile code on the platform and ease the rollout of an enterprise public-key infrastructure, according to company officials.

The announcements were made at the RSA Conference 2001, which is going on this week in San Francisco. The move is part of another Microsoft campaign aimed at convincing IT executives the software giant is serious about beefing up security surrounding its products.

The company has suffered through some major security flaws in the recent past, including the I Love You and Anna Kournikova viruses. Both used Microsoft Outlook to spread like wildfire. The company's Web site also was down for three days earlier this year due to a hacker attack, which left customers questioning Microsoft's commitment to security.

But Microsoft in the past year also has made some efforts to bolster security. It released Windows 2000 with its controversial implementation of Kerberos; the Outlook E-mail Security update designed to block malicious attachments; and the Internet Security and Acceleration Server 2000, a firewall and cache.

"We know that security is getting nothing but more important and that is driven by the Internet," says Steve Lipner, manager of Microsoft's Security Response Center. "We are dedicated to meet the challenge." Microsoft is calling the effort its war on hostile code.

The next round of features will come with Whistler, the codename for the next generation of Windows 2000 Servers, and in Windows XP, the next desktop version of the operating system.

Microsoft is adding a policy engine called Software Restriction Policies to both the server and desktop versions of Windows 2000 that will scrutinize mobile code that attempts to run on a user's machine. Mobile code is code that is delivered to a desktop or server from the Internet or e-mail and attempts to run on the local machine.

"It allows administrators to say if code is not signed or approved it will not run," Lipner says. Active Directory will play a key role in creating, storing and distributing the policies. Administrators can designate trusted sources for code and scripts.

For managed code that relies on Microsoft's .Net Common Language Runtime engine, administrators can configure the policies to allow the code to run on the desktop but not access any systems for which the user has privileges.

For example, the desktop could not be used as a funnel for access to databases or e-mail servers.

In the area of PKI, a security system of digital certificates and signatures, Microsoft is adding an auto-enroll feature to Whistler that marries PKI and smart cards. When a user first logs on, the system prompts that user to insert their smart card. A digital certificate is then burned onto the card. The system also can issue security tokens.

"We are trying to eliminate the physical roadblocks to getting smart cards and tokens deployed by not having to go to IT each time," says Jackson Shaw, product manager for Windows Server marketing. "In Windows 2000 now, people gets certificates for the encrypted file system and they don't even know it. We are trying to extend that ease of use to smart cards."

Microsoft also will include in Whistler improved Secure Socket Layer performance and an integrated version of the Security Configuration Tool, which helps users configure a secure Internet Information Server.

For the Windows XP desktop, Microsoft is adding a personal firewall called the Internet Connection Firewall, which keeps intruders from scanning the systems of users with always-on connections such as DSL.

Outside of product enhancements, Microsoft also said it is testing a rating system for its security bulletins, which are issued on a Web site when a problem is discovered in a Microsoft product. Last year, Microsoft issued 100 security bulletins and this year is on pace to come in below that number, company officials said. Microsoft also plans to add a bulletin search tool to the Web site that allows users to search by product and security patch.

The company also plans to release a Hotfix checking tool that uses XML to describe a patch's features, which systems it runs on and which files have changed. Users would run the file against their systems to discover if they had the most up-to-date patches.

To top it off, Microsoft internally is launching a Secure Windows Initiative that will bring specific training, tools, process controls and testing to the Windows Development Group.

"The goal is not to add security features to products, per se, but to ensure that products shipped are more secure," Lipner says. "It's all about assurance. Assuring that the software works securely and correctly."

If Microsoft can deliver that assurance, it will answer critics who say the company has always favored form and functionality over security.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftSoftware Works

Show Comments