Now that the long-awaited next version of Windows is in customers hands, officials at Microsoft Corp. are bracing themselves for what they know is coming: vulnerability reports, bug alerts and all manner of other security-related issues. These problems are as inevitable as the sunrise, but Microsoft security personnel believe Windows Server 2003 is the most secure and reliable operating system the company has ever produced.
The final verdict on that belief is years away, but the early returns should be back within a matter of months thanks to an eager crowd of crackers salivating at the prospect of poking and prodding the new operating system.
The game is on.
“I am felling pretty good about it,” said Steve Lipner, director of security assurance at the Microsoft Security Response Center in Redmond, Wash. “This is the culmination of a lot of security work that we all did. Personally, this is the product that I worked most closely on because of the security push. Theres a lot of enthusiasm in the company around this and a lot of its due to the security aspect of it.”
Just as the crackers will be in their glory over the next weeks and months looking for holes and weaknesses, the internal and external penetration testing teams at Microsoft will continue to attack Windows Server 2003, hoping to beat the bad guys to the punch.
“We have people who continue to look at it and do that internally,” Lipner said. “And if theres a vulnerability found in Windows 2000 or XP, we look at [Windows Server 2003] and see if its vulnerable.”
But, regardless of how much work and planning Microsoft has put into the security and testing of the product, nothing can replace the experience of actually deploying it in a production environment and seeing what happens. Configurations rarely conform to neat and tidy templates, and the security of one application can directly affect that of many others in the envrionment. To help customers address these issues, Microsoft last week published the “Windows 2003 Security Guide,” a huge manual that concentrates on secure configurations and common threats and countermeasures.
“Were sure its not a perfect product, but were happy with what weve done so far,” Lipner said. “Usage and deployment will tell the story. The ultimate test of security assurance is the vulnerability report experience.”
Latest Security News:
Latest Microsoft News:
For more Microsoft scoops, check out Ziff Davis Microsoft Watch.
For more on Windows Server 2003, see our special section.