Microsoft to Revamp Windows Security


Guest Grim Reaper

The software giant is planning a number of changes that will make the Windows client and server platforms more secure.

Microsoft Corp. is preparing a series of major changes to the security capabilities in the Windows client and server platforms, and they will further lock down the company's flagship operating systems.

In separate service packs due over the next six months, the Redmond, Wash., software developer plans to add several security features to Windows XP and Windows Server 2003, according to company officials here at Comdex last week. Microsoft also plans to harden the client by turning off more services by default.

The biggest change will be in the server product, which will get a feature that can prevent unsecured machines from connecting to corporate networks.

The changes result from discussions that Microsoft executives have been having with customers about ways to improve the security of the company's products.

The modifications won't stop with Windows, according to officials. Microsoft plans to add new security features to other products, including SQL Server, in the coming months, they said.

Service Pack 1 for Windows Server 2003, which is due to enter beta testing in the early part of next year, will include a function to check every device attempting to connect to the network.

The server will query the security configuration of the device and try to confirm that anti-virus software is running and that current patches are installed. If discrepancies are found, the software will notify the user and offer instructions on correcting the problems.

Administrators will have the ability to define companywide policies on what security is required on client devices.

All this is intended to prevent cyber-attacks and other breaches and is an extension of the overall change in the way Microsoft officials and engineers think about security—a process that began almost two years ago when the company launched its Trustworthy Computing initiative. In addition to working to write more secure code, the company is working on other ways to make its software more difficult to attack.

"This is a beginning—something that will ultimately engender a new generation of secure software," said Jonathan Perera, senior director in the Security Business Unit at Microsoft. "We have to take a wide range of approaches. The most important thing Microsoft can do is improve the base-line security of our software. We're thinking that through at the design stage at a far greater level."

The quarantine feature in Windows Server 2003 reflects a trend in the security industry at large. Several companies sell stand-alone solutions that perform this function, and Cisco Systems Inc. last week announced it will include similar functionality in some of its routers next year.

Windows XP will also get security upgrades, courtesy of Service Pack 2, which should be in beta by the end of the year, according to Microsoft officials.

Most of the changes will concern ICF (Internet Connection Firewall), which is a part of XP. The firewall will be enabled by default in the new service pack, and Microsoft plans to make ICF more like a corporate firewall than a personal one.

Administrators will have the ability to manage all ICFs in their organization from a central location. Customers will also have the option of running ICF in tandem with other firewalls, something that wasn't possible before.

Microsoft customers say that the company seems to be headed in the right direction with most of these changes and updates but that there is still plenty of room for improvement.

"The proposed solution of using a denied log-on to the network is a little late in the [graphical identification and authentication] process. If this occurs after the user provides credentials and logs in, that's bad," said Mark Deason, director of IT at Silverside Equipment Inc., in Reno, Nev.

"Microsoft has some so-so tools already. If they were integrated better together, like [software Update Services] and Automatic Updates, with a watchdog service before the system goes online, that could be quite powerful to help promote change," Deason said.

E-Week.com
