Microsoft Security Gets Mixed Reviews

Company makes big strides, but customers remain wary.

Microsoft's transformation from pariah to trendsetter in the information security sector is slowly beginning to sink in, but users are mixed about hopping on the bandwagon.

At the TechEd conference here, the software maker worked overtime to convince the world that security really is its No. 1 priority. So far, with a few rare exceptions, customers and developers are buying it, but it remains to be seen if Microsoft can win the security game.

In the meantime, Microsoft is working diligently to be seen as a security player. On the TechEd show floor, Windows Vista's security features were front and center, with booths showcasing UAC (User Account Control), a key operating system change that runs users without administrator privileges by default to counter the malware epidemic; BitLocker, a full-volume drive encryption tool; and new technologies for Network Access Protection and smart card deployments.

Microsoft also introduced Ben Fathi as its new security czar and expanded its evangelism of the SDL (Security Development Lifecycle), a collection of high-level security principles and procedures covering every stage of software creation.

And the software company is even making friends with the hacker community, announcing that it will showcase Vista at the annual Black Hat conference in Las Vegas August 2-3, 2006.

Customers have noticed. "I'm very impressed with everything I've seen and heard, and I'm convinced it's not just lip service," said Colin Johnson, a microcomputer network administrator at Northeastern University.

While Johnson, who manages the university's College of Computer and Information Science network in Boston, acknowledges Microsoft's strides, he said he has concerns that security will always be a lose-lose scenario for the world's largest software maker.

"They're fighting against a moving target, and, all the while, they are becoming a bigger sitting target [for attackers]. Two years from now, we could well be back at TechEd hearing the same message that Microsoft is prioritizing around security. That's just the way the industry works these days," Johnson said.

Johnson wasn't alone with his qualified praise. Most TechEd attendees interviewed by eWeek acknowledged Microsoft's progress to beef up Windows security since the release of Windows XP SP2 (Service Pack 2). "At first, I thought they were just working on their image, but XP SP2 turned out to be a big deal. Yes, there's still a malware problem. But, compared to 2003, we're in a better place," said Steve Scerpa, an AJAX (Asynchronous JavaScript and XML) developer for a small IT shop in Minnesota.

Scerpa, who spent at least 2 hours at the TechEd hands-on labs examining Vista's security upgrades, said UAC will significantly move the goal posts in the fight against virus, spyware and rootkit infections: "When the concept of a standard user becomes universal, it will blunt the attacks we're seeing today. Yes, the attackers will eventually shift course, but, for what's out there today, UAC is a game-changer."

Another unresolved issue is how Microsoft's new security efforts will impact day-to-day work, said Roy Zamora, a software engineer with New York-based digital image specialist WireImage. Zamora said he's been "very impressed" with Microsoft's work in Vista and SharePoint Server. "It should be very interesting to see what they can do with Web 2.0, Atlas and AJAX," he said. "I think there's a real technology evolution going on with SDL, and we're doing the same things with our own products." However, Zamora said he remains somewhat "skeptical" about features like UAC and how that change might affect his ability to get work done. He expects there will be an extended period of time needed to familiarize workers with the additions.

Phil Nash, an applications analyst with Federal Home Loan Bank of Boston, said his company is only now upgrading to Windows XP-based systems because of some of the security concerns around Microsoft's products. Nash remains unconvinced that Microsoft truly will be able to improve the security of its products or deliver on its promise of providing malware-fighting technology on par with products made by third-party applications makers.

Based on the early feedback, Nash said he believes that users will be forced to disable some of Vista's new security features, when possible, to continue to work in the ways they are already accustomed.

"Microsoft is making things more secure, but there will always be backdoors left open, and people will find a way around the security features as they always do," said Nash in Boston. "They claim that they will have better malware-fighting tools than what is out there today, but all they have done is buy some other technologies and integrate them; we'll still need third-party applications to fill the gaps."

The security sales pitch

Microsoft's evangelism around security and Vista includes meet-ups with the world's smartest hackers, advance notice on security updates and an aggressive push to make high-quality software patches:

  • Aug. 2-3, 2006, Black Hat: Windows Vista has a date with external security researchers
  • Oct. 17, 2005, Blue Hat: Microsoft invites hackers to Redmond
  • March 2005, Security Advisories: Pre-patch notice on publicly reported vulnerabilities
  • Security Update Validation Program: Third-party patch testers help with QA
  • Security Development Lifecycle: Principles and procedures covering every stage of software creation at Microsoft

Source: eWEEK reporting