Microsoft attempts to "Get Secure"

The world's largest software maker is looking to allay fears over ongoing security problems and recent worm attacks from Nimda and Code Red, which have led experts to warn that the company's Internet Information Server Web server software is not secure enough for customers.

On Tuesday, Microsoft contacted about 1,000 of its largest customers to outline its program, called the Strategic Technology Protection Program, and address their concerns about recent worm attacks, said analysts and sources close to the company.

STPP is supposed to deliver corporations short-term and long-term tools for combating recent devastating virus attacks and preventing future outbreaks.

Analysts warn that the damage to the credibility of some Microsoft products may be hard to repair and may cast a shadow over the company's impending move into Web services, with its .Net and .Net My Services initiatives.

"Microsoft has a potential credibility problem as they move into Web services. They place more and more security on these Web mechanisms trying to sell their software as a service," Gartner analyst John Pescatore said. "If you're afraid of these bugs popping up in Microsoft's server software, would you sign up for a Web service that automatically updates the desktop?"

Microsoft's reposturing comes about a week after market researcher Gartner recommended that some companies falling victim to the worms should seek out alternatives to IIS.

"It wasn't just me writing a research note," Pescatore said. "Following the Code Red and Nimda attacks, Microsoft heard back from users that they were just sick of this." More than anything, "it was the huge impact Code Red had on IIS users. It was horrendous."

Microsoft has been the subject of several recent security-related gaffes. The company had to offer several different patches for a hole in its Exchange email server after initial repairs crippled the servers they were applied to. An earlier hole in IIS was quickly exploited by online vandals. And an insurance firm that protects companies against hacker damage recently decided to boost premiums for customers who use Microsoft's Windows NT software.

Making it simpler
The first part of STPP, "Get Secure," provides Microsoft customers with a security toolkit that consolidates software patches, "hot fixes" and updates into one place. Microsoft also will offer free technical support for security matters, and through regional account representatives it will work with customers to assure their networks are secure.

But many of those processes already were in place, with Microsoft in some ways consolidating security fixes and product updates into one simple package. In the case of some recent IIS attacks, existing patches could have prevented the outbreaks had all IIS users applied them.

In the past, Microsoft has put the onus on users to get the fixes, but Wednesday's change recognizes that approach is no longer effective.

Although Microsoft estimates that it issues IIS patches about every other month, analysts say it is much more often.

"The problem is these patches are so frequent, Microsoft is adding to its resources to make sure you keep up with them," Pescatore said. "But my major issue is making the product better."

Microsoft plans to release new security-kit CDs about every other month, while offering more aggressive updating procedures over the Web.

"There is no real, true notification around security vulnerabilities that's an automatic notification that anyone can subscribe to and no easy way to push that down to you," said Brian Valentine, senior vice president of Microsoft's Windows division. The new online tools would more quickly notify Microsoft customers about security vulnerabilities and offer a quick means of downloading patches.

Microsoft doesn't face this problem with Windows XP, which uses more of a push than a pull method of delivering updates. If a person enables the automatic update feature, Microsoft can deliver security patches and other fixes as soon as they are released.

The company also hopes to calm customer fears about viruses by offering toll-free support to anyone with a virus question, be they consumers or large corporations.

"That gives people some sense of security, someone to help them when they don't know who to call for help," Valentine said.

Tailored for businesses
As part of the longer-term portion, "Stay Secure," Microsoft plans to automate Windows security updates, add additional security enhancements to the forthcoming Windows 2000 Service Pack 3 collection of bug fixes, and release the next version IIS 6 with the highest security settings turned off by default.

"The problem is that so many enterprises just use it the way it is right out of the box," Pescatore said. Microsoft "became a software giant by putting the control in the hands of the user. Their approach has been, let the user turn things off."

But the company's new approach is in some ways tacit admission that the former approach may not have been the right one in terms of Internet security.

"We've always had checklists up on our Web site that said, 'If you don't need those components, disable them and here's how,'" said Steve Lipner, head of Microsoft's security response center. "But customers haven't always noticed the checklist and done that."

Pescatore likened Microsoft's approach to running a bungee-jumping concession. "You probably ought to make the rubber band a little short," he said. "What Microsoft has always done in the past is give a really big rubber band and say, 'Oops, we heard a splat. Here's how you can shorten the rubber band.'"

But Valentine turned the issue around to companies' approach to security and the soundness of their existing security policies. "It isn't that they don't want to be secure; they just don't have the right policies in place," he said.

Companies have three choices in evaluating what to do with IIS, Pescatore said: Live with the situation and "continually clean up after these attacks," improve security processes by in part keeping up with IIS patches, or move to something else.

Microsoft's security toolkit addresses the second choice and makes it easier to stay with IIS, but Microsoft "still has addressed phase four, which is a product that requires fewer patches," Pescatore emphasized.

As Microsoft looks ahead to making IIS more reliable, the company will use tools from its research department that look for security vulnerabilities in the software code.

"So we actually enhanced our engineering process, so that it's even stronger than it was in Windows 2000," Valentine said. Microsoft has invested about US$50 million in these development tools, which were used in "the Windows XP development process and the Windows .Net Server development process, which includes II 6, Valentine said.

".Net is going to be a very visible litmus test of the hypothesis that Windows and Microsoft's servers are ready to scale," said Peter O'Kelly, an analyst with the Patricia Seybold Group. "If they have any other large-scale outages, it will cost them credibility and business."

But Valentine deflected such concerns.

"I think there is an industry credibility going on here, definitely," he said. "People are worried about using the Internet. Is it secure? In general, I don't think it's just a Microsoft problem."