BOSTON -- If the security summit Microsoft Corp. hosted yesterday convinced IT practitioners of anything, it's that the software giant finally understands security is a big problem that must be addressed. Unfortunately, it also convinced them the company's efforts still fall short of what's needed to thwart the bad guys.
"I'm here to see what Microsoft is doing to be secure since many of my customers rely on them," Jozef Michalko, president of Hyannis, Mass.-based Michalko Computer Consulting, said several hours into the daylong conference. "I haven't seen or heard anything useful yet. I do think they're trying, and this event is a good step that shows they now take security seriously. But Microsoft is always a step behind and I want them to be a step ahead."
The event, held at the Hynes Convention Center, was one of an ongoing series of summits planned throughout the country, complete with training sessions designed to provide IT managers with a better understanding of security threats and how to deal with them. Sponsors include Computer Associates of Islandia, N.Y.; Symantec Corp. of Cupertino, Calif.; Trend Micro of Cupertino; @Stake of Cambridge, Mass.; PricewaterhouseCoopers of Hartford, Conn.; and Wave Systems of Lee, Mass.
The keynote speaker was Microsoft Chief Security Strategist Scott Charney, who outlined future security measures the company will take. He said he envisions the day when machines will be able to automatically update and fix themselves. Until then, he said Microsoft is working to make its software more ironclad. As an example, he cited the Windows XP Service Pack 2 due out this summer -- a major upgrade designed to bring Windows XP up to the security levels of Windows Server 2003. There are the normal patches and updates, but SP2 also makes major changes that include enabling the Windows firewall by default. Charney added that Microsoft is working to make its Web sites more user-friendly, with an easier-to-navigate security center, more "how to" articles and online training clinics. Also, he said the company is working for better access control management, with smart cards, biometrics and other tools to eliminate the need for multiple passwords.
One growing threat he said Microsoft wants to address is that of hackers targeting laptops and other machines used by the mobile workforce to infect bigger networks.
"You'll see more inspections and quarantines with mobile systems," Charney said, adding that other products will be updated so that they're less complex, require fewer reboots and give IT managers the ability to undo patches when they discover the fixes don't mesh with other network software.
Steven D. Krause is IT manager for Connecticut-based Crown Uniform and Linen Service, which sells uniforms to companies throughout New England. He is among those who have found patches can react badly to other parts of his network, and is encouraged by the features in SP2. "I'm dying to install the service pack," he said. But he added that Microsoft still has "a long way to go" in the grand scheme of things.
"One problem they have yet to address is that it's easy for anyone using Windows systems to get full administrative access to networks," Krause said. "Only an administrator should be able to get full administrative rights to a system. That's the big problem with Windows. The 2003 software was an improvement, but the door is still open for the wrong people to get administrative access, and that's not safe at all."
Michalko wants Microsoft to start talking about wireless security. As wireless phones with e-mail and Internet access become cheaper and more available, he said hackers will start targeting them more. He hasn't heard Microsoft talk about that yet, and said it's an example of where they need to be a step ahead.
Despite concerns some continue to have over Microsoft's security efforts, many attendees praised the company for holding the summits and realizing the need for bolder action.
"I'm encouraged by the amount of effort they're taking; that they're starting to get it," said Terry Chase, analyst and project manager for IT and business line systems with Webster Bank of Bristol, Conn. "It seems they've changed their whole philosophy and are moving in the right direction with consolidation of patch management and the turnaround time for identifying threats and developing patches."
Thomas Gates, a software engineer for Progress Software Corp. of Bedford, Mass., said Microsoft has always gotten a bad rap. He believes the company has always done its best, but that "because everyone uses them, they're the biggest target, and they can only do so much to guard against every threat."