New Security Rules to Raise Windows

Second phase of Microsoft's Trustworthy Computing initiative adds guidelines for Windows 2000.

One year after embarking on an ambitious plan to improve the security of its products, Microsoft Corp. is moving into the second phase of its Trustworthy Computing initiative and crafting several new projects to help secure applications all the way from the development process through customer deployment.

Among the efforts is a set of guidelines the companys Security Business Unit is developing for Windows 2000. Known as Prescriptive Architectural Guidance, the document will lay out instructions for ways IT managers can lock down Windows 2000 machines.

Under the guidelines, OEMs such as Dell Computer Corp. will be able to configure systems to customer specifications, including turning off unwanted services and features, such as active scripting in Internet Explorer. However, this can greatly reduce the machines ease of use and could hamper Windows compatibility with some applications.

"These are very specific, very precise steps to take. Theyre much more actionable than things you have seen before from us," said Mike Nash, corporate vice president of the Security Business Unit at Microsoft, in Redmond, Wash.

Similar guidelines for securing Windows XP are being considered, officials said.

Microsoft is also looking at ways to shore up the security of its products before they hit the shelves. One element of this strategy is an effort to find an objective way to assess the security of a particular application.

For instance, Microsoft uses a method called the Privacy Health Index to score each applications adherence to certain privacy principles and goals. Company officials would like to develop a similar system for security but have yet to find the right model.

"The questions we ask as part of the privacy index are binary, yes or no. But if you ask a developer if he did a security code review and he says, Yes, what does that mean?" said Scott Charney, chief security strategist at Microsoft. "Its a really important thing. Were struggling to find the right system."

The security push has resulted in drastic changes in the way forthcoming products will install and run. For example, Windows .Net Server 2003, due in April, will include a technology called Secure Server Roles, which will walk customers through a series of questions about the way they plan to use the software. The answers will determine which services and functions are enabled.

"We want to make sure the minimum set of features the customer wants is turned on," Nash said.

This approach is the result of a philosophical shift at Microsoft, which has made the security of its products the top priority, even at the expense of usability and compatibility.

"Microsoft has recognized that compatibility as a goal isnt livable with security as a goal," said Alan Paller, director of research at The SANS Institute, in Bethesda, Md. "Theyve taken it on themselves to say, We recognize that Windows is unsafe at any speed, but heres a guide on how to fix that."

Security experts—and even some of Microsofts competitors—say the company has made progress on security. But they caution that improving security requires constant training and vigilance on the part of developers.

"Training is really expensive. Its a huge investment, but it absolutely has to be done, and it needs to be continuous," said Chris Wysopal, director of research and development at security consultancy @Stake Inc., in Cambridge, Mass. "Hopefully, it will get embedded in their thought process. They sort of dug themselves a huge hole, and it will take a long time to get out of it."

One Microsoft customer who recently met with officials to discuss .Net and security said he remains unconvinced by Microsofts efforts.

"Microsoft is trying to offload responsibility for their problems and force the costs onto the customer. Microsoft is both blind to the issues and responds indignantly to anyone who questions them," said Tripp Hammer, chief of the IT bureau in the Department of Environment Quality for the state of Montana, in Helena. "Their promises havent shown a thing up to this point, so I have no reason to believe that they are going to do any better in the future."