In-Depth

Where Microsoft Stands With Security

Recent releases to implement security include Windows Server Update Services and Service Pack 1 for Windows Server 2003.

• By Danielle Ruest and Nelson Ruest
• 06/08/2005

At Tech•Ed two years ago, Microsoft chief security strategist Scott Charney delivered a keynote focused on how Microsoft wasn't doing well in security. His main point was that Microsoft had too many delivery systems for patches and security updates—eight different systems in fact.

The result: the upcoming Windows Server Update Services (WSUS), which is in Release Candidate right now. For the first time, Microsoft has one single integrated approach to patch management. WSUS provides a framework upon which all Microsoft software will eventually be maintained. WSUS will manage only core Microsoft technologies such as Windows, SQL Server, Exchange, and Office in its first release, but the framework it is built on allows you to add any other Microsoft product without requiring you to change anything at the level of operations practices or architecture.

WSUS also supports the integration of third-party products. Its interface is simple to use, its reports are excellent, and it is intelligent enough to know whether a computer system requires a given patch—all features that were sorely lacking in the previous Software Update Services version.

Another sign that Microsoft is taking security seriously is the recent release of Service Pack 1 for Windows Server 2003. As you might know, this service pack is touted as the most secure version of the server to date. It includes the Security Configuration Wizard (SCW), a powerful interface that lets you secure servers on a role basis, letting you turn on just enough to let the server provide the services it is designed to, and only that.

But SCW's best feature is not only the ability to lock down a system and lock it for good, but rather the explanations it provides about why you might want to turn off this or that service, port, or protocol. SCW also generates templates that you can use to modify and lock down systems one after the other. You can even apply these templates at system construction, making sure systems are safe and secure right out of the box. If you lock down a system so completely, on the other hand, you're bound to break things. One case in point is Dell's Open Manager: You'll need an updated version to be able to run it with Service Pack 1. This is only one example, so make sure you learn just what works and what doesn't with Service Pack 1 (see Resources).

Microsoft is also working on the upcoming R2 version of Windows Server 2003. R2 is touted as "built on Windows Server Service Pack 1," so it means an even more secure operating system. One new feature is Active Directory Federation Services, a Web-service based authentication model that lets Windows and Unix share authentication services beyond the firewall without having to establish trusts between the organizations. Users are authenticated in their own domains and are granted limited access rights in shared environments.

A whole series of new features has surfaced as a direct result of Charney's efforts starting two years ago, many of which are evident in Microsoft's new and upcoming products, but also in increased prescriptive guidance on database security, wireless computing, digital rights management, secure development practices, messaging, perimeter networks, public key infrastructures, and risk management.

The question remains: Is Microsoft doing better at security? Yes. But is it enough? The more you tighten systems down, the craftier attackers become. One hole being plugged often forces attackers to find another point of entry. Until people become completely trustworthy—which is completely unlikely—we'll never have enough security, but we can do our best to make sure all known holes are protected and closed.

That's what Microsoft is doing. It has trained its developers to keep security at the forefront whenever they are coding. This is a practice that all other organizations should follow with their own developers. It is tempting to take security shortcuts when coding and then "fix them later," but don't fall into that trap. Microsoft did, and look at the gargantuan effort it took to get out of it.

One of the most evident downsides of Microsoft's concerns about security and stability is that its whole software release cycle has changed. Microsoft is now taking longer and longer to get software out the door. Perhaps it isn't so good for organizations that have purchased software assurance and want several iterations of products to appear during the length of their licensing agreement with Microsoft, but overall, there is no doubt the industry as a whole welcomes this new approach.