Microsoft Says Security Improvements Coming

The company is querying its user base for security enhancements; meanwhile, security option defaults will be changed in future releases and updates.

Microsoft takes a lot of heat these days for its security vulnerabilities, so the chairman and chief software architect of Microsoft, took the stage at the RSA Conference, a well-known annual information security conference, to explain what the company’s doing to improve.

“If you look at our resources and what’s the biggest part of that R&D investment at Microsoft right now, it's focused on security,” Bill Gates told the crowd.

In a departure from his usual keynote spiel—Gates presenting high-concept ideas then ceding the floor to two or three successive Microsoft project managers demonstrating how current Microsoft products deliver on “Bill’s vision”—Gates instead laid out Microsoft’s security road map, then brought others onstage to discuss concrete examples of security improvements in specific products.

Gates said Microsoft is targeting the security problem in two ways: by pouring money into technical research—part of a $6 billion annual research and development budget—and by better educating users. For example, the next version of Windows XP will give users an interface with an all-in-one glance at their PC’s current security posture.

The company is also querying its user base for security enhancements. For example, Gates said Microsoft asked developers how to help secure code creation easier. One request was the ability to develop code in non-administrator mode. That is, developers wanted to write applications with only the ability to access the system calls available to a normal user. Creating code with less privilege escalation—when a program invokes administrator rights (regardless of the user’s credentials) to install itself or perform a process—means even if the application is compromised, attackers might not be able to execute privilege-scalation attacks. Those types of attacksutilize application vulnerabilities to give attackers root access. The new feature is slated for the next version of Visual Studio, code-named “Whidbey” (named for an island near Seattle).

One oft-leveled security criticism of Microsoft products is that they frequently ship with every last feature turned on. Then it’s up to security and IT managers to customize their individual rollouts with potentially harmful features disabled. Now, said Gates, more products will ship secure by default—with many settings in the off position. With default-off settings, it’s easier for administrators to see which services are active and why, instead of wading through them all, and easier for developers to grant temporary access to a sensitive feature, then again disable it. Gates also said products will ship more “secure by deployment,” which he said “means having logs, having the training activities there, doing security audits with customers, and making sure those things are absolutely clear.”

How far has Microsoft come, when it comes to security? Microsoft made security news in 2002 when Gates launched Microsoft’s Trustworthy Computing initiative to boost software quality levels, and put its more than 8,500 Windows developers through advanced security training. In 2003, Gates said products began arriving with the benefits.

As evidence of Microsoft’s bettering its security track record, he displayed a chart of security vulnerabilities for Windows Server 2000 versus Windows Server 2003 for the first 300 days after each was deployed. Server 2000 had 36 critical or important bulletins; Server 2003 had six. “Now, we're not saying that's a job done, but even in the face of the increased sophistication of the attackers [and] attack tools … this represents substantial progress.”

Improving security across all Microsoft products is, of course, a massive undertaking. Gates highlighted a number of steps the company is taking. The next version of Windows XP, SP 2, “is a release that's totally focused on security.” (Longhorn, the next new operating system—once slated for 2004—is still in the works, he said.)

In SP 2, due to ship by June, the built-in Windows Firewall is active by default—a feature and function many security experts recommend. Zachary Gutt, a Microsoft product manager sharing the stage with Gates, notes that for managing the firewall in corporate networks, “In SP 2 we've made all Windows Firewall settings centrally manageable through Active Directory Group Policy, or via scripts for non-Active Directory environments.” Each PC can have two firewall configurations: one for inside the corporate LAN, one for outside.

Also expect a Windows Server 2003 service pack, improving its security, by the end of the year.

Another technology under development is almost a meta-security program. Called Active Protection Technology, it watches Windows and blocks inappropriate activity. “For example, the Blaster worm caused the RPC service to open a back door and download more malicious code onto the machine. In this case, behavior blocking would recognize that this behavior is out of the ordinary for the RPC service and block it,” said Gutt. Microsoft predicts a 2005 release date for that tool.

At the RSA Conference, Gates played to the home crowd, flashing his own RSA Secure ID, a smart card, to applause. As part of Microsoft’s ever-evolving approach to security, Gates says the company now requires Secure IDs for employee network access.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.