REDMOND, Wash., April 10, 2001 — It's tough to pick up a newspaper or magazine without reading about computer viruses, hackers stealing sensitive data, privacy protection, or other security issues. With more than 1 million copies of Microsoft Windows 2000 Server now with customers worldwide, the security of the operating system is an important concern. How secure is Windows 2000 — and how will that security evolve to meet changing security threats and concerns? To find out, PressPass sat down with Dave Thompson, vice president of Microsoft's Windows Product Server Group. PressPass caught up with Thompson in San Francisco at RSA Conference 2001, the largest gathering of computer-security professionals, to discuss these questions.
PressPass: At last year’s RSA conference, Microsoft made a range of commitments regarding secure technology and products, secure solutions for customers, and Microsoft’s own role as a leader in the security community. How have you done in meeting those commitments?
Thompson: We like to point out that security is a journey rather than a destination, in the sense that you're never finished making a product secure; it's a never-ending job. However, we're very happy with the progress we've made over the last year. Windows 2000 isn't just the most secure operating system we've ever shipped; it's also one of the most secure high-volume operating-system products in history. We've made major improvements in the security resources we provide to customers, and we've stepped up to a new level of engagement with the broader community of people and organizations who are interested in security.
PressPass: Specifically, how are Microsoft products and technologies more secure now than a year ago?
Thompson: Let me give you two examples. The Microsoft Outlook E-mail Security Update is available as an update to Microsoft Office 2000 and built into the new Microsoft Office XP. It represents a case where we made a change in response to our customers' concerns about security. We've always had security built into Outlook, of course, but we changed the balance between security and function to provide the type of protection that our customers wanted against a growing class of security threats — mail-borne viruses. We are very pleased that no customer who installed the update has been affected by any e-mail virus such as I Love You, Anna Kournikova, and so forth.
Another example is our new Microsoft Internet Security and Acceleration (ISA) Server 2000. It's our first enterprise firewall product. It is fully certified by ICSA Labs, the leading certification authority in the field, so customers can be confident that it's ready to provide mission-critical, enterprise-wide support. ISA Server earned certification in less than 30 days, while most products take 90 to 120 days. ICSA Labs said publicly that this was an impressive accomplishment that showed the software needed little adjustment to meet ICSA's demanding criteria.
PressPass: Beyond new and enhanced products, how has Microsoft delivered more secure solutions for customers?
Thompson: New and enhanced products are important, but they're only part of what customers need to enhance the security of their environments. We've provided new tools and resources to help our customers use our products securely. For example, we provided, for free download, a tool that automates the lockdown of Windows Web servers — very important for any company that wants to take advantage of e-commerce and distributed Web applications. We also enhanced the content of our Microsoft Security Web site for IT pros. It now provides a range of new features, such as step-by-step checklists for securing their systems.
There are many superb security-provider companies around the world who offer security solutions based on Windows 2000, so we launched a new Microsoft Security Services Partner Program. More than 50 companies from 16 countries now participate. It makes it easy for customers to find these providers, and it gives the providers the in-depth and up-to-the-minute information they need to provide great security solutions for Windows environments.
Finally, we know that security isn't just for IT professionals. Security, and the closely related topic of privacy, are increasingly important to home users. That's why we recently launched a new Web site, called SafeInternet, dedicated to consumer security and privacy.
PressPass: What has Microsoft done to help lead the industry?
Thompson: Leading the industry means coming up with innovative technologies, solutions, programs and resources — but it also means working cooperatively with, and learning from, our partners and customers and industry participants throughout the IT community. We've done a lot of learning and cooperating, and I'm very pleased with our record.
We hosted the SafeNet 2000 security and privacy summit in December 2000, which brought together both privacy and computer security experts from all corners of the high-tech world. The meetings gave experts from around the world — some of whom are normally adversaries to each other — a chance to meet face-to-face and address tough issues of policy and practice. We've also played a leading role in critical infrastructure protection efforts. We were a founder of the Partnership for Critical Infrastructure Security and a founder of the Information Technology Industry Information Sharing and Analysis Center. Our chief security officer, Howard Schmidt, is the president of the IT ISAC board. And that's just the start. You can expect to see this activity continue in the next year.
PressPass: What industry initiatives do you see Microsoft participating in — or leading — over the coming year?
Thompson: After the success of the first SafeNet conference, we've decided to make it an annual event, and we'll sponsor a second security and privacy summit at the Microsoft campus in Silicon Valley later this year. We're also playing a leading role with the World Wide Web Consortium (W3C) in the standardization and realization of the Platform for Privacy Preferences, or P3P. Internet Explorer 6.0 will include native support for P3P, and all Microsoft Web sites will deploy P3P-compliant policies.
PressPass: What is Microsoft doing to make security affordable for small and mid-sized users?
Thompson: That's an important issue that sometimes gets lost in discussions about Internet and IT security. Security isn't just a concern for the biggest companies; it's also a concern for consumers and even the smallest business users — and a more difficult one for them to manage, since they usually lack dedicated security staff to deal with it. One of the things we've done for these users is launch the new consumer security and privacy site I mentioned earlier, which provides security information tailored to their needs. For users in mid-sized companies, the security checklists on our site are a great way to make sure they're covering the bases in securing their environment.
We've also taken a series of steps to make security simpler to maintain, because small and mid-sized companies sometimes lack the time and resources to devote to this issue. By prioritizing security patches, improving patch distribution and management, and creating patches that don't require rebooting, we're making it faster, cheaper and easier for these users to keep their systems secure.
PressPass: Security can’t be tacked on as an afterthought. What is Microsoft doing to ensure that security needs are addressed throughout the product design and development process?
Thompson: Internally at Microsoft, we've developed something we call the Secure Windows Initiative (SWI). It's nothing less than a sea change in the way we approach product development. The SWI is truly comprehensive, covering education, tools, processes and testing.
For example, we're using the power of our Intranet to deliver the best information about building secure components to our engineering groups. We're using advanced tools as part of our daily development and testing processes to find potential security bugs. We're implementing processes that enable us to learn from our own and others' mistakes, and instilling secure practices into daily routines. We're testing to detect flaws through quality assurance processes that involve both internal and external experts. Those external experts include academic and research centers around the United States — we're working with them to apply the latest security research to Microsoft products. We believe customers will see markedly better security in our upcoming products, even when compared to solid products like Windows 2000.
PressPass: What new security features can we expect to see in upcoming products?
Thompson: Smart cards are an exciting area of IT security, because they are a simple, straightforward way both to make an enterprise more secure and to ease authorized access to a range of resources. We already support smart cards in Windows 2000, and we've enhanced that support with auto-enrollment and auto-renewal features that make deployment even easier, with more administrative functions able to take advantage of smart cards, with smart card support in Terminal Server, and with broader smart card interoperability.
Beyond smart cards, look for us to enhance the PKI [Public Key Infrastructure] support already in Windows 2000 with complete lifecycle support covering enrollment, revocation and renewal. We also plan to improve key archival, recovery and cross-certification.
But we also have significant security improvements for home users as well. A new feature in Windows XP that we're very excited about is Internet Connection Firewall protection. This is crucial as more consumers and small business users spend more time on the Internet, particularly with continuous connections like DSL and cable. The Internet Connection Firewall will give these users protection that makes continuous connection to the Internet a much safer configuration.
PressPass: Part of Microsoft’s .NET strategy includes a so-called “war on hostile code.” What’s that effort about?
Thompson: It's a multi-pronged approach to address the various sources of hostile code, and it covers new security support for applications, the Windows operating system and the .NET runtime. The Outlook E-Mail Security Update I mentioned earlier is an example of this effort at the application level.
At the Windows level, we're giving users the option to impose software restriction policies that give Windows the ability to prevent malicious native code from running, while giving administrators more freedom to deploy and authorize mobile programs. At the .NET level, the effort involves code access security. For managed code compiled through the .NET languages and Visual Studio .NET, the .NET runtime provides fine-grained control over the operations that programs can execute.
The overall effect is that we expect to see a dramatic reduction in the ability of viruses, Trojan horses, and other types of hostile code to run on Microsoft platforms.
PressPass: How would you sum up the extent of Microsoft’s commitment to security, and what message should customers and the rest of the industry take from that?
Thompson: We want the IT community to know that we are totally committed to being the industry leader in security. This is a tough problem that will be around as long as there are computers. We believe we've had a terrific year, and we're looking forward to even more progress in the year ahead.