Is Microsoft Trustworthy Yet?


This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."


Security Everywhere
As part of Microsoft's Trustworthy Computing Initiative, many of its new and forthcoming products have security integrated in their feature sets.

SQL Server 2005 (Released: November 2005)
  • Enhancements to SSL support
  • Permission-based access to metadata
  • Network login security
  • Built-in data encryption
  • User/schema separation
Windows Vista (Release: Code available in November; commercially available in January 2007)
  • User Account Control
  • IE anti-phishing filter
  • Windows Defender antispyware
  • Network Access Protection (used with Windows Server, code-named Longhorn)
  • BitLocker Drive Encryption (with appropriate Trusted Platform Module chip)
  • Authentication architecture for passwords and smart cards
  • Improved firewall protection
Windows Server code-named Longhorn (Release: 2007)
  • Single worldwide patches for desktop and server
  • Secure at install
  • Enhanced security and componentization to reduce attack surface in IIS 7
  • Network Access Protection policy-enforcement technology is built into the Windows Vista and Longhorn operating systems; NAP enforces compliance with network health policies, protecting the network against unhealthy computers
Source: Microsoft

Newer Platforms = Better Security
For the broad market, securing Windows against vulnerabilities might mean spending the money to get on the newer platforms, such as XP SP2 or Windows Server 2003 SP1.

Evidence of this came in 2005 with the Dasher and Zotob worms. Customers on XP SP2 were not hit, says Harry Waldron, a Microsoft Most Valuable Professional (MVP) and IT manager at a major insurer. "These are the fruits of TwC. Some of the outbreaks impact only older technologies."

Microsoft will make the overall installed base more secure where feasible, Nash says. Microsoft's new antispyware software, Defender, for example, will be built into Vista, but will also be available for Windows 2000 and XP.

Earlier OSes, like Windows 98 and ME, are architectures built before Microsoft understood the Internet. "We do know that there are a lot of customers running older platforms, and it's important to help them be secure," says Fathi. "A lot of the work we are doing for Windows Vista will be made available down-level for older platforms."

For large IT shops, this is welcome news. Moving to the latest versions of software is always challenging because most companies are unable to roll out new copies of an OS right away.

"I sure hope it will help to be on Vista," National Gypsum's Thomas says. "But for us, Vista is a long way out. We have XP SP2, but it's the best we can do for now, and exploits still come out."

The Threat Is Everywhere
Of course, IT experts can't just study their software and perimeter security tools to be sure their systems are locked down. A huge threat today comes from the inside.

Cybercriminals have sometimes taken jobs in banks just to get access to the systems--even the cleaning staff might be a security breach, warns Allan Pomerantz, chief security officer at the Philadelphia Stock Exchange. "Today someone can walk into your shop with an iPod--with its 60 gig capacity--jack it into your computer and download your entire customer database," he says. "Memory sticks fit into everything--someone can use one to inject a Trojan into your computer."

Customers have to get used to using policy restrictions and non-Windows security devices to help balance risks and recognize that there will always be potential for another security breach.

Some of Microsoft's strongest feedback through the years has come from its MVPs. These subject-matter experts have insisted that Microsoft deliver security improvements in its next-generation desktop and server technologies. But Microsoft isn't the only company that has to step up.

"The industry has always recognized the need for improvement," says MVP Waldron. "Microsoft, or anyone, will get there. We've all got to stay one step ahead of the bad guys."

This was first published in May 2006
