Published: 01 Nov 2003
So, Steve Ballmer is on the PR warpath again, promising all sorts of new security goodies for long-suffering Windows admins. In separate speeches in October, Ballmer huffed and puffed about how Redmond will ease our patching pains, upgrade security in XP, Win2003, ISA server and more.
"Let me make sure I talk about and really dramatize how much we understand the need to improve security," Ballmer told a group of Microsoft partners in New Orleans last month.
Hmmm ... where have we heard that before?
January 2002: Bill Gates, unveiling the "Trustworthy Computing" initiative, calls security Microsoft's "highest priority." "When we face a choice between adding features and resolving security issues, we need to choose security."
April 2001: David Thompson, a Microsoft VP, promotes the company's new Secure Windows Initiative: "In an increasingly interconnected world, Microsoft is delivering the products, technologies and services that empower safe, secure and trustworthy computing for customers."
July 2000: Steve Lipner, then-manager of Microsoft's Security Response Center, was asked about the future of Microsoft's products: "Believe it or not, I see fewer vulnerabilities and problems ahead."
With apologies to Bill -- Shakespeare, not Gates -- I'm reminded of Queen Gertrude's line in Hamlet: "The lady doth protest too much, methinks."
Of greater import, methinks, is this: Will the latest round of security announcements change anybody's mind about Microsoft? Or, is this another case of "much ado about nothing"?
The answer depends on whether you're an apologist, a naysayer or a realist.
APOLOGIST: "Microsoft is getting a bad rap, security-wise. Yes, they've had some problems in the past, but look at everything they've done to improve security. Have you actually tried Win2003? Some people call it 'annoying by default' because of its insistence on security over functionality.
"I, too, am tired of the patch parade. But look at what they're doing to address it. They're rolling 68 different patching systems into one. No matter what the patch is, or what system or version I'm running, I'll be able to find it in one place. And I won't be killed with the 'patch du jour' anymore. Now I'll get all patches delivered at the same time, once a month, save for emergency patches. Patch sizes will be reduced by up to 80 percent, and the new version of SUS will make patch automation faster.
"And, puh-leeze, don't preach Linux to me. Just look at the record: Red Hat 9 had 43 announced vulnerabilities in the first 150 days of its release. Win2003 had four."
NAYSAYER: "Ballmer and his cronies think if they repeat something often enough, people will eventually start believing it. The only reason Ballmer mentions Microsoft and security in the same sentence is because security is now the easiest path to more cash. M$ hasn't paid attention to security until recently because they didn't have a financial incentive. M$ knows old OSes and apps are insecure, and this is their opportunity to sell the upgrade: 'If you're sick of patching those old NT and Win2K boxes, maybe I can interest you in a shiny new Win2003 Server? Just sign here.'
"Well, I'm not buying it. Winblows; long live *nix."
REALIST: "Microsoft is here to stay. It's ubiquitous, it's easy to use, and my bosses depend on it. My job is to get off my soapbox and deal with it. The endless stream of patches sucks, but apparently Redmond is doing something about it. I won't hold my breath, but I'll welcome positive change." "Win2003? Who knows. We're looking at it, and we'll make the transition when it makes good business sense -- not a day sooner. Meanwhile, I'll continue to patch systems against critical vulnerabilities and -- understanding that may not be enough -- I'll continue to do what I've always done: harden default installs, build in layered security, update my incident response plan and educate my users."
Are you an apologist, a naysayer or realist? I hope the choice is obvious. We can sit around and complain about Microsoft insecurity, or we can do something about it.
I couldn't care less if the only reason Microsoft is "doing security" is to make more money. That's called capitalism. What I care about is that Microsoft is working to make its software easier to use, easier to manage and more secure.
If Microsoft wasn't doing anything about security, that'd be one thing. But they are -- just ask Ballmer, Gates, David Thompson or Steve Lipner.
About the author:
Andrew Briney, CISSP, is editorial director of Information Security.