Q&A: Is Microsoft's Security Trustworthy?

Three years after Microsoft launched an initiative to improve its products’ security, we talk to information security veteran Gary Morse, president of Razorpoint Security Technologies, about the results.

Trustworthy or still unreliable? Three years after Microsoft launched its Trustworthy Computing Initiative to improve the security of its products, what has it accomplished?

Security Strategies talks to Gary Morse, president of Razorpoint Security Technologies Inc. in New York City, about Microsoft’s security changes.

By releasing all of its patches once per month—on “Super Tuesday”—is Microsoft diverting discussion about the extent of its operating system vulnerabilities?

Some would say Microsoft security is like military intelligence—it’s an oxymoron. It’s a lot of patching—yes, that’s for sure. A couple of years ago, their whole Trustworthy Computing initiative was great PR, but there are a lot of people who have yet to see the trustworthiness realized. They’re going to address that, of course, with Longhorn, which just got pushed back again.

How long will it take Microsoft to realize noticeable security improvements?

Microsoft has the top operating system (OS) dominance, and they’re trying to go for the server OS dominance. So the whole dot-com years, say from ’95 to 2000 or so, you had Windows NT—then Windows 2000—that had just real holes and vulnerabilities, and that allowed, to some degree, a seemingly unknown, homegrown OS like Linux to come out of nowhere, because people were that desperate to see what’s out there.

And we have major financial firms downtown here in New York that have entire server farms that are all Linux. In fact, one firm here, if you want something else, it has a three-page document that you must fill out where you must explain why you must run on something other than Linux.

Has Microsoft security been improving?

Windows 2000 was certainly better than Windows NT. Windows Server 2003 was certainly better than 2000. Now we’ll see with Longhorn. That isn’t to say that every other operating system is perfect, because it isn’t. Whether you’re using Solaris or FreeBSD or Mac OS X or Linux on the server, there’s no one perfect, out-of-the-box, amazing, secure OS. We all know that doesn’t exist.

However, when you take a broader look at the whole picture, it’s now not only the cost of the hardware, but the operating system, the pieces to run it, and the people it takes to maintain it and keep it secure—what they call total cost of ownership (TCO). There’ve been enough studies now that say Linux and some of the other products are more competitive on TCO. …

Has Microsoft had any demonstrable security improvements lately? For example, it’s been discussing a new version of Internet Explorer.

Again, there has been plenty of noise out there; there’s a lot of PR and press saying “we’re going to secure this, and send our developers to training to secure everything better,” but then a week later they find there are five new vulnerabilities.

Some, such as Penn State, have simply told students to use any browser other than Internet Explorer—Safari on OS X, Firefox, or other choices. And that’s because they’re spending too much time and money to clean up computers.

So I think Microsoft has talked a good game about having a good security effort. They really have sent their programmers and developers to be retrained. I think one of the reasons Longhorn is being delayed is not for PR; it’s actually because they’re legitimately trying to get this right. For example, they’ve put in RBAC, which is a higher-level, role-based access control … rather than technology-based access. So you’re a developer, or administrator, or executive.

So is Microsoft moving away from the sense that the administrator is God?

Exactly. It’s not that paradigm anymore; it’s a role-based thing—to use the buzzword. … So with Longhorn, out of the box, I think they’d really like to put their best foot forward. And that’s really one of the reasons Longhorn is being delayed. It’s not to create a new GUI, though they may be doing that. It’s for security issues.
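As an added illustration of the role-based model Morse contrasts with “the administrator is God” (example code written for this page, not from Microsoft, Longhorn or Razorpoint; the roles, permissions and users are hypothetical and do not correspond to Windows access-control definitions):

```python
"""Role-based access control (RBAC) versus an all-or-nothing administrator flag.

Constructed example: the roles, permissions and subjects below are hypothetical
and are not Windows or Longhorn definitions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Hypothetical policy: each role maps to the permissions that role needs, nothing more.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "developer": frozenset({"source:read", "source:write", "build:run"}),
    "administrator": frozenset({"host:patch", "host:restart", "user:manage"}),
    "executive": frozenset({"report:read"}),
}

# Audit trail of denied checks; a defender wants to review these, not only the allows.
DENIALS: List[str] = []


@dataclass
class Subject:
    """A user and the roles assigned to them (constructed)."""
    name: str
    roles: Set[str] = field(default_factory=set)


def grant_role(subject: Subject, role: str) -> None:
    """Assign a role; refuse unknown roles so a typo cannot silently create an empty grant."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role!r}")
    subject.roles.add(role)


def permissions_for(subject: Subject) -> Set[str]:
    """Union of the permissions of every role the subject holds."""
    perms: Set[str] = set()
    for role in subject.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())  # unknown role contributes nothing
    return perms


def is_allowed(subject: Subject, permission: str) -> bool:
    """Deny by default: only an explicitly granted permission passes."""
    allowed = permission in permissions_for(subject)
    if not allowed:
        DENIALS.append(f"DENY {subject.name} {permission}")
    return allowed


def legacy_is_allowed(is_admin: bool, permission: str) -> bool:
    """The 'administrator is God' model: a single flag decides every request."""
    return is_admin


def demo() -> Dict[str, bool]:
    """Run the same requests through both models and return the decisions."""
    ops = Subject("ops")
    grant_role(ops, "administrator")
    dev = Subject("dev")
    grant_role(dev, "developer")
    return {
        # Flat model: an admin can touch source code even though that is not their job.
        "legacy_admin_writes_source": legacy_is_allowed(True, "source:write"),
        # RBAC: the administrator role patches hosts but has no business in source.
        "rbac_admin_writes_source": is_allowed(ops, "source:write"),
        "rbac_admin_patches_host": is_allowed(ops, "host:patch"),
        # RBAC: developers write source but cannot manage user accounts.
        "rbac_dev_writes_source": is_allowed(dev, "source:write"),
        "rbac_dev_manages_users": is_allowed(dev, "user:manage"),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {decision}")
    print("denied checks:", DENIALS)
```

The point of the contrast is in `demo()`: under the flat flag the administrator passes every check, while under RBAC the same person is denied anything outside the administrator role, and each denial lands in an audit list that can be reviewed.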

When Microsoft releases Longhorn, what will companies’ attitude be, especially in light of the security track record?

A lot of firms are playing wait and see. A lot of firms that have Windows 2000 [Server] weren’t quick to jump on the Windows [Server] 2003 bandwagon. They said, "We have Windows 2000, it’s patched, let’s wait and see." … I think they might want to see the ROI before they get the first installation CD. In the meantime, let’s take that free copy of Linux.

Have large organizations moved to Windows XP on the desktop?

I’ve seen a number of clients just going to XP. Overall it’s about half, and the others are sticking with 2000 and just patching. From what we’ve seen in our day-to-day client discussions and interactions, not a lot of people immediately leapt to Windows 2003 Server or XP. So, roughly half our clients that use Windows on the desktop have XP on the desktop. We … also have plenty of OS X and Linux users.

Are security and TCO concerns driving more companies towards non-Microsoft operating systems?

A lot of companies at one point were like, "Of course we just use Windows on the desktop." I think that’s changed, and some of that was strong PR and word of mouth from others, like Mac OS X, or Linux. And from others it was desperation—enough of this, and especially on the desktop. I’m talking single-digit increases here for Linux and Mac OS X, on the desktop. It’s not a major threat to Bill [Gates]. But it is increasing; at least, people are talking about it.

Is Linux on the desktop making real inroads?

In some key departments in finance, or for development, or for Internet companies, yes. It’s not like, across the board every receptionist has one, or every executive. But all developers might … or an application development company that builds Web applications, like online banking, they might have Linux on the desktop—there’s your prompt, all your tools are right there.

Do desktop Linux users tend to be more technically oriented?

Yes, and some of them are the financial analysts or traders, but … although they might be running a PC with Linux on it … they’re using a custom application built by developers, and it happens to be running on Linux. But the end user couldn’t tell you that. For example, for a custom-built trading-floor application, the user has no idea what they’re running.

So for Microsoft shops, will Longhorn be a must-have if Microsoft nails the security problems?

It’s a wait and see [situation].

What can companies do in the meantime?

Unfortunately, it’s patch, patch, patch. You have to do that. With that OS, or any OS, you have to keep it secure and know what the threats are—you have to keep on top of that. Then you have to know how to secure that, whether it’s knowing how to secure your perimeter, [or] configure a router. … You have to have an all-encompassing security process in place … which also includes training your users.

Related Articles:

Microsoft Previews Longhorn Security
http://www.esj.com/Security/article.aspx?EditorialsID=1365

Ten Microsoft Problems
http://www.esj.com/Security/article.aspx?EditorialsID=1358

Microsoft Update Onslaught Targets Spyware, Viruses
http://www.esj.com/news/article.aspx?EditorialsID=1284

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.