Microsoft Corp. last week was once again responding to customers that have assailed the company for the latest security breaches affecting its products—this time with a new long-range security initiative and the development of several tools.
The Redmond, Wash., company announced the Strategic Technology Protection Program, which is aimed at plugging holes in its software. But according to observers, much of the program is nothing more than a repackaging of existing technologies and methods.
“I think its too little, too late,” said one Microsoft customer, who asked to remain anonymous. “Theres not really anything new in there.”
Microsoft officials acknowledged as much but insisted the effort is in the early stages. “Some of this has been released [previously], but this is just the beginning,” said Brian Valentine, senior vice president of Microsofts Windows division. “This is a continuing initiative from us.”
To that end, according to sources, Microsoft has several tools under development. The Federated Corporate Windows Update, for example, is a server that sits on a corporate network and performs the update functions that Microsofts Windows Update Web site does now.
It will allow administrators to pick and choose which options are installed on each machine, a task not possible with the existing Windows Update.
Also under development is a tool known as Critical Notification, which will sit on client PCs and enable them to automatically receive hot fixes without an administrators intervention.
Both packages are at least six months away from release.
Meanwhile, Microsofts Strategic Technology Protection Program is a response to the rash of viruses, worms and other security incidents of recent weeks, including the Code Red worm and the Nimda virus, both of which targeted the companys IIS (Internet Information Services) Web server.
The first phase of the program is called Get Secure and includes a security tool kit made up of service packs and hot fixes for Windows NT 4.0 and Windows 2000 environments. The tool kit also includes the new IIS lockdown tool designed to turn off many unneeded services and plug the known vulnerabilities in the server.
“We want to get everyone up to the same baseline of security,” Valentine said. “The rate of viruses and other attacks is up significantly, and the damage is really starting to affect businesses.”
The second part of the initiative is known as Stay Secure and comprises several security roll-up packages, an automated service for providing those roll-ups and the expanded application of the Secure Windows Initiative.
The SWI is a comprehensive development program that Microsoft used during the writing and debugging of Windows XP to ferret out and fix security holes before release. It will now be applied to Windows 2000 Service Pack 3, Microsoft officials said.
In addition to its software initiatives, Microsoft is planning a security summit called Trusted Computing 2001 for early next month that will gather industry and government representatives for three days of discussions.
“I think Microsoft is able to see the opportunity to add value by improving security further. I also think that heightened security concerns play into their agenda to promote Windows 2000 and XP network operating system boxes,” said J.B. Fields, of J.B. Fields and Associates LLC, in Washington, a Microsoft customer and Web developer. “Certificate-based systems can … nail down Internet-borne security problems. Microsoft products are well-positioned to benefit as businesses and consumers increasingly become comfortable with certificates. Despite these efforts … Microsofts critics say the company should be doing more.”
“The [Technology Protection] announcement shows they are mustering more forces and have better senior management buy-in, but without things to use, it was a rather hollow announcement,” said Russ Cooper, surgeon general of security vendor TruSecure Corp., in Reston, Va.