Microsoft Corp.’s plan to add a slew of new security features and functionalities to Windows and other products is drawing a mix of public praise and criticism in the security community, even as many experts express private concerns about the company’s motives and tactics.
The additions, which Microsoft Chairman and Chief Software Architect Bill Gates discussed at the RSA Conference here last week, include a range of improvements to the firewall in Windows XP as well as a plan to implement behavior-blocking and other dynamic security technology in the operating system. Microsoft will also add lightweight code-scanning tools in the next version of Visual Studio, code-named Whidbey.
All the moves come under yet another security umbrella from Microsoft called Active Protection, an extension of the company’s Trustworthy Computing initiative.
Despite the positive direction, many experts at the conference were underwhelmed by Gates’ announcements.
“Security is not as exciting as the next cool thing in Windows,” said Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., in Cupertino, Calif. “[Gates] had an opportunity to wow us. I wanted to be wowed. I didn’t want to hear about cool dialog boxes.”
However, “it’s a big boat to turn around,” Schneier said. “Give him some quarter for that. But he’s had some time to turn about the boat. Security should be his bottom line.”
Users also criticized the Redmond, Wash., company for what they see as a lack of innovation, and they said it will be years before the Active Protection capabilities are refined enough to be useful.
“This is the way they work,” said a security manager from a large government agency who asked not to be identified. “They take things that other people have done, put them in their own products and then try to tell you they’re as good as the stuff that’s already been out there for years. It’s not going to suddenly make us think Windows is more secure or change the way we buy their stuff. But it’s probably bad news for a lot of security vendors.”
Vendors and users point to Microsoft’s partnerships and relationships with companies such as Sanctum Inc. and TippingPoint Inc. as evidence of such activity. Microsoft and Sanctum have worked together for some time, and Sanctum’s AppScan DE solution is similar to the code-scanning tool in Microsoft’s Visual Studio enhancements.
Indeed, Microsoft’s moves were the main topic of conversation among security vendor executives here. Many said they were concerned about the possibility that Microsoft could ultimately give away technology their companies sell.
“The vision is very good. It’s a good strategy,” said George Samenuk, CEO of Network Associates Inc., in Santa Clara, Calif., which recently shifted its focus to intrusion prevention, a market that Microsoft seems set to enter with the addition of the behavior-blocking technology. “But they’re going to need partners to pull it off. Just because Microsoft is going to give that stuff away doesn’t mean that ISPs and enterprises will rely on it.”
Microsoft officials said the features and functionality Gates discussed are things customers have asked for and called them logical extensions of the company’s Trustworthy Computing plan.
The biggest changes on tap are additions to the Dynamic System Protection technology, which can block malicious application activity, and the upgrades to the Windows firewall in Windows XP. In Service Pack 2, due by the end of June, the firewall will enable users to allow or deny applications access to the Internet on an individual basis, and it will open and close ports dynamically in an effort to prevent users from leaving ports open unnecessarily.
“We had to make some of these innovations,” said Mike Nash, vice president of the Security Business and Technology Unit at Microsoft. “From a usability perspective, customers needed them. It’s a multifront war, and this is a combination of all our bets.”
Not surprisingly, some Microsoft competitors were critical of the company’s plans, saying it was emphasizing the wrong things and taking a misguided approach to security.
“Network security is not the oxymoron our competitor would like you to believe, but it’s time the industry admitted that the defensive approaches to PC security—with bigger moats, taller walls and memos from the CEO—have clearly failed,” said Jonathan Schwartz, executive vice president of software at Sun Microsystems Inc., also in Santa Clara. “It’s time we went on the offensive by proactively authenticating and differentiating service to the good guys, instead of always hunting the bad.”
Microsoft’s Nash said the company is still not sure exactly where Active Protection technology will show up, but he said it should be in Windows prior to the “Longhorn” release slated for 2006, possibly as part of a service pack.
Additional reporting by Scot Petersen.