Microsoft has made some laudable improvements to Windows security, but based on the scattershot array of technologies unveiled at a recent conference, at least one expert believes the company needs a more coherent plan.
Apart from the successful release of Windows XP SP2 last year, and some specific improvements to a few of its point-release products, Microsoft's general security strategy has largely remained reactive and tactical, said Neil MacDonald, a group vice president at Gartner Inc., a Stamford, Conn., consulting firm.
At the recent RSA Conference 2005, Microsoft chairman and chief software architect Bill Gates listed some coming security products, albeit ones scant on detail. Those products include a new version of Internet Explorer prior to Longhorn, free antispyware and a future, paid antivirus product -- all aimed at consumers. For corporate customers, Gates mentioned a future antispyware tool for enterprises, a service pack for Rights Management Server and an enterprise edition of the ISA Server 2004 firewall.
The recent release of a free antispyware package, through the acquisition of Giant Company Software Inc., and the planned release of Internet Explorer 7.0, which is limited to XP SP2 users, strike MacDonald as reactive responses to a shrinking browser market share.
"They could have laid out a vision," MacDonald said. "The whole reason there is a market for antivirus and antispyware products is because of deficiencies in Windows."
Some of Microsoft's customers agree with MacDonald.
Houston-based Memorial Hermann Healthcare System is a satisfied Windows customer. But Steve Guistwite, director of network solutions at the health care
"Every month, applications like Firefox gain market share because the hackers and black hats are going after IE," Guistwite said. "If they spent more time hardening that portal and less time worrying about providing [antivirus] software, then they would really be attacking the root cause."
Guistwite said he thinks items like the security center that comes with XP SP2 are a step in the right direction. "Issues will happen, security breaches will happen," he said. "But let's provide the [user] a way of discovering [security issues on their own]. Now that's proactive."
Gartner's MacDonald also pointed out some of Microsoft's successful initiatives, such as improvements to its Web server, Internet Information Services (IIS) 6.0, over previous releases, and XP SP2 overall. "You can really see the quality and the security mindset," he said. "But why not set the bar higher?"
MacDonald would rather see Microsoft work toward eliminating the need for antivirus and antispyware, rather than enter the market at a lower price point. "It's not visionary to throw up your hands and say, 'I can't fix it.' "
MacDonald offered some advice for IT administrators looking for short-term guidance.
- Customers today are consumed with fighting spyware, yet Microsoft says it won't have an enterprise plan until the end of the year. Also, the market is early and customers can expect plenty of shakeout. If you plan on making a tactical purchase, don't sign a contract with an antispyware vendor for longer than a year.
- Windows XP SP2 is a good operating system with improved security. If you are bringing in new machines, run XP SP2 even if you have to manage diversity. Internet Explorer 7.0, which will be available later this year, will run on XP SP2.
- If you are negotiating with Microsoft and an enterprise agreement is at stake, ask for more specifics about upcoming antivirus and antispyware products. Try to work them into the agreements so you're covered.
- If you're renegotiating a contract with an antivirus or antispyware vendor, use Microsoft's entry into the market as a negotiating tool. In most software sectors, customers have been getting more for less each year, but not in the antivirus market -- until now. "Symantec, McAfee and Trend Micro will come under serious strain as Microsoft enters the market and prices its product competitively," MacDonald said.