Ballmer: How we'll help customer security

By Carel Alberts, ITWeb contributor
Johannesburg, 10 Oct 2003

In a speech at Microsoft's worldwide partner conference last night, CEO Steve Ballmer outlined new initiatives in the company's security efforts, including "improved patch management processes...and technologies", global education programmes and tools for securing systems.

Specifically, "safety technology" updates to Windows software will make it more resistant to attack, "even if patches do not yet exist or have not been installed", Ballmer said. "Our commitment is to protect our customers from the growing wave of criminal attacks."

The tone of this statement echoed Microsoft's early statements downplaying the threat of a class action suit, saying hackers are the criminals, not makers of software found to be vulnerable.

Manageable patching

Improvements that aim at reducing the complexity of patch management include stepping up the frequency to monthly patch releases, "which will reduce the burden on IT administrators by adding a level of increased predictability and manageability".

Ballmer also said Microsoft is extending security patch support for Windows NT Workstation 4 Service Pack 6a and Windows 2000 Service Pack 2, through June 2004.

Tools of the trade

New tools include Microsoft's free Software Update Services 2.0, due in the first half of 2004. It "will provide a seamless patch, scanning and installation experience for Windows, SQL Server, Office, Exchange Server and Visio", Ballmer said.

Microsoft will furthermore "consolidate the number of patch installers to two for Windows 2000-generation products by the first half of next year, introducing rollback capability for all new patches, and reducing downtime by requiring 30% fewer reboots during deployment in the same time frame".

Education is key

Microsoft has responded to the need for more advanced security guidance with new seminars and worldwide training courses. Examples include TechNet Security Seminars - monthly security Webcasts - beginning in November, new "prescriptive guidance" in the form of patterns and practices, better information on how to configure for security and sharing details on how Microsoft secures its own networking infrastructure.

But Ballmer acknowledged that patches and guidance are only part of the solution. As exploits become more sophisticated, technology must evolve. New safety technologies will first ship in Service Pack 2 for Windows XP, planned for the first half of 2004, and subsequently in Service Pack 1 for Windows Server 2003.

Advancements for Windows XP will focus on protection against the four types of attacks that constitute the largest percentage of threats: port-based attacks, e-mail attacks, malicious Web content and buffer overruns.

For Windows Server 2003, the safety technologies will enable remote-access-connection client inspection and intranet client inspection to help protect corporate networks from potential infections introduced by mobile systems. These technologies are expected to be available in the second half of 2004.

Local perspective

"We recognise that Microsoft can play a key role in improving computer security: we need to continue to invest and deliver against security at a higher level, and we need to simplify security and drive the intelligence of security protections deeper into our software to reduce the demands on users and IT administrators," says Mike Cathie, business and marketing officer at Microsoft South Africa.

"Customers tell us that they expect us to do more, and we're listening, and we're working in multiple ways to innovate and address the problem."
