Is Microsoft Trustworthy Yet?



Vista introduces some notable improvements. One much anticipated feature in the OS is the least privileged user account, which makes it possible for IT shops to prevent users from downloading harmful software or changing settings unless they have an administrative password. There is also hardware-based volume encryption for PCs called BitLocker, and antispyware technology acquired from Giant Software. Vista also has provisions for using smart cards, like InfoCard, to log in.

Internet Explorer 7.0 will have built-in heuristics and support for high-assurance certificates for safer browsing and improved blocking of phishing attempts.

Customers will have to wait for Longhorn to get Network Access Protection, a feature that quarantines PCs found to have inadequate patch protection as they try to access a network. The server version will also include the Internet Information Server 7.0 upgrade.

Though Vista and Longhorn are the first platforms to get the full SDL treatment, others have benefited from TwC. Windows XP SP2, released in summer of 2004, was billed as a service pack but had so many changes to the desktop OS regarding security that it was considered by many to be an entirely new version of the software.

"We've seen benefits with XP SP2 and SQL Server 2005," says Neil Macehiter, a partner at Macehiter Ward-Dutton, a U.K.-based consulting firm. "The vulnerabilities are far less than they've been historically."

The numbers seem to agree. After Windows Server 2003 had been on the market for 1,000 days, the number of critical bulletins had dropped to 51, compared with 87 for Windows 2000 Server over the same period, calculates Scott Charney, Microsoft's chief security strategist. In the 785 days after Office 2003 was released, the number of critical bulletins dropped from 11 to six. SQL Server 2000 SP3 was released in January 2003, and since then critical bulletins have dropped from 16 to three.

"They're good numbers, but not good enough," Charney acknowledges.

What's important about Microsoft products coming to market is that they've all been through SDL. Charney says he knows Microsoft will never reduce the number of vulnerabilities to zero, but aims "to get to the point where the level of risk in the IT world is akin to risk of what we are used to managing in the physical world."

This was first published in May 2006
