SAN FRANCISCO -- Apparently, it's going to take more than a slick PowerPoint presentation, demos of new technology and a brave foray before a packed house of security professionals for Bill Gates to win back the trust of administrators in the trenches.
Gates, Microsoft's chairman and chief architect, addressed thousands of RSA Conference attendees this morning, offering an advance look at the security-heavy Windows XP Service Pack 2, due out later this year, and a sneak peek of the dynamic protection capabilities of ISA Server 2004.
And, though the packed house applauded on several occasions, the realities of the last 13 months -- namely, sophisticated attacks that exploited vulnerabilities in Windows RPC and SQL Server -- weighed heavily on administrators' and security officers' minds. Many of them were forced to put out fires started by Slammer, Blaster and other code that came roaring through holes in Windows.
"I've had a beta of XP 2 sitting on my desk, but I'm afraid to install it," said Brad Melrose, security administrator for the city of Edmonton, Alberta. "I like the features -- but, on the other hand, is it going to blow my machine up and I'll have to rebuild it from scratch? [XP 2] is a step in the right direction, but on the other side of the coin, Microsoft has ... released code that doesn't work. These underlying design problems have contributed to the problems we're faced with today. If they had done it right the first time, we wouldn't be in this predicament."
Gates talked about "trustworthy computing," Microsoft's 2-year-old initiative to make security the driving force behind product development and deployment. He pointed out the numerous services now turned off by default in IIS and other products frequently targeted by attackers, as well as the steps taken in Redmond to simplify software updates.
"Customers have identified the need to keep software up to date," Gates said. "This is especially important for Internet-facing systems. But the responsibility comes back to us. Until we make it 100% attractive for customers to use, we are not doing our job."
The problem, however, lies in securing existing systems. Windows XP Service Pack 2, for example, is totally focused on security, Gates said. RSA attendees saw a demonstration of new features that include Windows Firewall, which will be turned on by default, enhancements to Internet Explorer and a new Windows Security Center management console.
SP2 adds a pop-up blocker and simpler ActiveX control management to IE. For example, ActiveX controls can be allowed or denied on a site-by-site basis.
Windows Security Center, meanwhile, displays the status of security settings, like those related to antivirus software or the firewall, and offers recommendations.
"I like the idea that they are pushing that out to individual machines," said Glenn Powell, vice president of IT for Coast Central Credit Union of California. "It's a good idea that simplifies management."
Gates said that future XP updates leading up to Longhorn will also address security with a behavior-blocking technology, called Active Protection Technology, that shuts off unexpected application system calls. It can also sense whether a machine is patched and, if a patch is missing, instruct the firewall to block a particular service until it is repaired.
"It's a trust issue with Microsoft," said Melrose of the city of Edmonton. "I don't know of anything [Gates] can do to fix the problem. We're here now. They're trying to do the right thing now, but they're always playing catch-up."