Microsoft adds security tools
Microsoft is looking to beef up security in the next version of Windows 2000 and, in the process, shed its reputation as poster child for the spread of malicious code.
Microsoft is adding controls to let administrators set policies that block the execution of downloaded code unless it is from a trusted source identified by corporate IT. The trusted sources are recognized as part of policies that are stored in Active Directory and automatically distributed to servers and desktops.
The company also is adding features to ease the rollout of certificates that help manage public-key infrastructure (PKI), a secure method for exchanging data. There also will be a new personal firewall in Windows XP, the next version of the desktop operating system.
IT executives are hoping the moves are a step toward more secure systems, but critics are calling them Band-Aids on a flawed architecture.
Windows XP and the next generation of Windows 2000 servers, code-named Whistler, will come with a policy engine called Software Restriction Policies that blocks mobile code from being executed by the user. Mobile code is executable code that is delivered to a desktop or server through the Internet or e-mail.
"I'm glad to see Microsoft acting instead of reacting," says Jeff Allred, manager of network services for the Duke University Cancer Center. Allred is keen on security issues because he is facing regulations under the Health Insurance Portability & Accountability Act of 1996, which sets standards for creating, storing and transferring medical-related data.
"I get a little comfort knowing controls like these are coming, because I will need them at some point," Allred says. But he also notes that he has dodged most of the problems because his mail system doesn't use Microsoft Outlook.
Outlook has been at the center of high-profile virus attacks in the past year. Those incidents have been a driving force behind another Microsoft push to show a dedication to security. This one is called "the war on hostile code."
But critics say the newest measures are a patchwork. "Anything they do in the security area around malicious code is just sticking something over the top of their systems so they don't bleed as quickly," says Frank Prince, an analyst for Forrester Research. Prince says the Office suite, which includes Outlook, has become its own distributed operating system, with executable code in the applications, but without the underlying security and management mechanisms of a true operating system.
Microsoft officials say that ensuring secure systems takes diligence in the product development process. "The challenge in the real world is to build software that is secure but that customers can buy and use," says Steve Lipner, manager of Microsoft's Security Response Center. "I don't think we have anything to apologize for, and we are committed to doing this well."
Internally, Microsoft is launching the Secure Windows Initiative, which will bring specific training, tools, process controls and testing to the Windows Development Group.
