Redmond enlists security vendors to automate policy compliance

May 17, 2004

Microsoft is working with anti-virus vendors to ensure that in the future its software will be able to verify a user’s desktop is secure and updated anti-virus signatures are in place before granting access to corporate resources.

With its forthcoming security-policy compliance strategy, which is expected to be announced in the next few weeks, Microsoft is looking to make sure its patches are in place before a user is allowed onto a network. This will be accomplished by allowing for a period of “isolation” while security updates are downloaded to the user, sources say.

The capability to restrict network access based on a security check of a computer, whether an internal employee or trading partner, is increasingly viewed as desirable, particularly when unpatched Microsoft software-based machines introduce crippling worms such as the recent Sasser into corporate networks.

Microsoft’s plan appears similar to Cisco’s Network Admission Control initiative announced last November with the three leading anti-virus vendors: Network Associates, Symantec and Trend Micro. In that plan the anti-virus companies work with Cisco to ensure that Cisco’s trust agent desktop software, which will share policy-compliance data it collects with Cisco routers and management equipment, also can share information with anti-virus software and management consoles.

Cisco wants the three anti-virus vendors to integrate the trust agent into desktop anti-virus and management software. The trust agent software is now in beta and is expected to be released next month.

Microsoft has “the same thing from a quantitative point of view” for security policy compliance, says John Maddison, director of product management at Trend Micro, which is working closely with Microsoft. Microsoft and Cisco have the same goal: Keep computer users from the network until anti-virus updates or patches are added, and make it easy for them to do that.

Instead of focusing on routers and switches, as Cisco has, Microsoft’s approach to policy compliance will depend on making desktop and server software, Active Directory and DNS servers accomplish the task in coordination with anti-virus software, Maddison says. Other anti-virus software vendors are involved in the effort, but Microsoft said it was “too early” to talk about vendor participation and declined to provide details.

However, during his May 4 keynote at the WinHEC conference in Seattle, Jim Allchin, Microsoft’s group vice president for platforms, emphasized the need to add policy-compliance mechanisms for isolation and security-related checks into Microsoft products.

“You have a laptop, you connect through VPN to a company, or maybe you bring the laptop into the company physically and you plug it in, the thing is isolated until it goes through a set of tests,” Allchin said. “We’re working with a set of networking partners to pull this off for the whole experience, so that the PC is isolated until it goes through an approved set of IT tests.” He added these tests would be at the discretion of the IT manager.

“What could that be? It might be that it has to have a certain level of updates turned on, it might have to have a certain level of anti-virus, a certain level of anti-virus signatures, whatever,” Allchin said. “And it has to pass that test before it’s connected to the network.”
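The admission decision Allchin describes, as an added illustration that is not Microsoft's or Cisco's code: an endpoint health statement is checked against an administrator-defined policy (required patches, anti-virus engine level, signature age), and the endpoint stays isolated until every test passes. Patch identifiers, version numbers and dates below are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AdmissionPolicy:
    """The 'approved set of IT tests', chosen by the IT manager (constructed example)."""
    required_patches: frozenset        # patch ids that must be installed (placeholders)
    min_av_engine: tuple               # minimum anti-virus engine version
    max_signature_age_days: int        # how stale anti-virus signatures may be


@dataclass(frozen=True)
class HealthStatement:
    """What the endpoint reports about itself before it is allowed on the network."""
    installed_patches: frozenset
    av_engine: tuple
    signature_date: date
    av_running: bool


def evaluate(stmt, policy, today):
    """Return ('granted', []) or ('isolated', [failed checks]).

    Every test must pass; any failure keeps the endpoint isolated (fail closed),
    and the failure list doubles as the remediation list for the quarantine period.
    """
    failures = []
    missing = policy.required_patches - stmt.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if not stmt.av_running:
        failures.append("anti-virus not running")
    if stmt.av_engine < policy.min_av_engine:          # tuple comparison, e.g. (6, 9) < (7, 0)
        failures.append("anti-virus engine below required level")
    age_days = (today - stmt.signature_date).days
    if age_days > policy.max_signature_age_days:
        failures.append("signatures %d days old" % age_days)
    return ("isolated" if failures else "granted"), failures


# Constructed sample policy and two sample endpoints.
TODAY = date(2004, 5, 17)
POLICY = AdmissionPolicy(frozenset({"PATCH-A", "PATCH-B"}), (7, 0), 7)
COMPLIANT = HealthStatement(frozenset({"PATCH-A", "PATCH-B", "PATCH-C"}), (7, 1), date(2004, 5, 15), True)
STALE = HealthStatement(frozenset({"PATCH-A"}), (6, 9), date(2004, 5, 1), True)

if __name__ == "__main__":
    for name, stmt in (("compliant laptop", COMPLIANT), ("stale laptop", STALE)):
        print(name, evaluate(stmt, POLICY, TODAY))
```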

Microsoft is expected to ship the first installment of what it calls its isolation technology for marking computers for security checks later this year with Service Pack 1 for Windows Server 2003. It’s expected to work with clients connecting to a network via a VPN. Next year, the company is expected to release Windows Server 2003 Update, which will add wireless and wired connections to the isolation technology.

“This is the notion I’d call ‘just-in-time security.’ It’s the notion timing is everything,” says Pete Lindstrom, an analyst at Spire Security. “And it’s resonating a lot with end users.”

Lindstrom says a number of smaller software vendors, including Citadel, Sygate and WholeSecurity, have security policy-compliance products. Network Associates has worked with Nortel and Check Point, for instance, to ensure their VPNs can validate that a user has the appropriate anti-virus signature updates before letting the user access the corporate network.

Last week, the industry-standards organization Trusted Computing Group announced that by this fall it will publish its first take on a technical specification called Trusted Network Connect that could be used in a multi-vendor environment for compliance checks for virus and patch updates. Extreme Networks, Foundry Networks, Funk Software, HP, Intel, Juniper, Meetinghouse Data Communications, Network Associates, Sygate, Symantec, Trend Micro and VeriSign are involved in the Trusted Network Connect effort.