Brian Valentine, senior vice president of the Windows division at Microsoft
REDMOND, Wash., Oct. 3, 2001 — Today Microsoft announced that it is making an unprecedented effort to help its customers protect their systems from Internet-based threats. Under the new Strategic Technology Protection Program (STPP), the company is mobilizing its technical account managers to reach out to enterprise customers, and is extending security-related product support and online resources to all customers at no charge to help them secure their networks easily. The company also announced that it will sharply expand its ongoing security efforts, including distributing “security roll-up packages” via Windows Update, which will provide one-step software updates and “hot fixes” optimized for large enterprises, to ensure that customers’ Microsoft products are as secure as possible.
PressPass spoke with Brian Valentine, senior vice president of the Windows division at Microsoft, to learn more about the impetus for the security initiative and the steps Microsoft is taking to protect its customers.
PressPass: What is behind the security initiative announced by Microsoft today?
Valentine: Internet security is really about the ability of our customers — every business and every person — to be able to work, communicate and transact securely over the Internet and over their networks. It’s become incredibly clear that viruses and worms directed against our customers’ systems are on the increase. Microsoft is very aware of the fact that our customers are suffering from virus attacks that take their businesses offline or completely down, sometimes even for days. So we have to be able to respond in a much better way.
“Code Red” and “Nimda” are just the two latest examples of worm viruses that have impacted businesses and the economy worldwide. These viruses have gone way beyond someone’s dorm-room science project, and it is incumbent on Microsoft and the industry to respond. We can’t ignore the fact that this behavior is becoming more prevalent and more hostile. Internet security is a worldwide issue that affects not only our customers, but also everyone connecting to the Web, from consumers connected at home to delivery of online services to business-to-business interactions. No one is immune to the problem.
PressPass: How is Microsoft approaching the problem?
Valentine: Having a secure Internet is fundamentally important to the way we do business today. Our industry as a whole has to change the way it thinks about Internet security. Microsoft must take a leadership role in this effort. We’re hearing from CIOs and IT professionals that it’s very difficult to keep their systems secure from hackers. No matter their motivation, hackers are intent on breaking the law, disrupting businesses and people’s lives. And we just have to make it easier to maintain security. One aspect of the program we’re announcing today is how businesses can make their systems secure in a very simple way, and then how to keep them secure moving forward.
As a customer, it’s very difficult to get secure in the first place, and then it’s very difficult to ensure that you continue to stay secure as new threats or vulnerabilities come to light. Our current system is too cumbersome: We publicly notify businesses about newly discovered vulnerabilities, make available patches and updates, and provide security tools and have customers apply these patches and tools to their systems. It’s too time consuming and too hard.
Let me be clear, though. Microsoft has always taken our customers’ network security very, very seriously. We have the best security-response mechanism in the industry, and we have built one of the most secure sets of products in the industry. And I, in running the Windows division and working with all the other groups around Microsoft, continue to invest, in very substantial ways, in the security of our products. We’re not changing that at all. In fact, we’re increasing that investment over time, and we’ll continue to increase it, but we need to do better. Naturally, vulnerabilities will exist, and we need to increase our engineering investment and work with government agencies, the appropriate consulting agencies, to minimize those vulnerabilities. But they will exist in one form or another.
So with the STPP, we will work together with customers to make sure they have the tools and code updates they need, make sure they’re aware of all of the resources available online through our support and service groups, and make certain that we’re helping them approach security on their Windows-based systems with absolute passion, desire and the ability to keep those systems secure and up-to-date. It’s not just about the product. We also need to continue to invest in the industry, educating people, building the right processes, and helping with the people, processes and technology.
PressPass: Is it realistic to think that Microsoft can unilaterally protect its customers from Internet threats?
Valentine: We need to think beyond what we can do within Microsoft. We need to think very seriously about Microsoft’s position as a responsible leader within the digital community, and about how we partner with others in the industry to tackle issues of security on the Internet. I will work with anyone in the industry on this problem, so competitive lines are not the issue. If we need to build consortiums that include Microsoft competitors, we will commit to doing that.
PressPass: What are the key elements of the Strategic Technology Protection Program?
Valentine: We are deploying resources from all over Microsoft to begin this program — product-development resources, support resources, consulting resources and the like. The STPP is an expansion of the security efforts we’ve already begun. We will provide clear, unambiguous direction on how customers can build and maintain secure systems. So it’s also about services and support. To that end, our people are already making calls on customers to begin ramping up on this security initiative.
As part of the overall STPP effort, we are committing to five no-cost deliverables to customers:
1. A Security Tool Kit, available for download today from the Microsoft Security Website ( http://www.microsoft.com/security ), will enable customers to ensure that deployed Windows NT 4.0 and Windows 2000 systems are secure before they are ever connected to a network. The Security Tool Kit will contain the current service packs, all critical security patches for Windows NT 4.0 and Windows 2000, Internet Information Server and Internet Explorer, and a security tool that will tie back to the Windows Update site and ensure that any late-breaking patches also are installed.
2. Virus-related product support is now available free of charge to all customers — whether home consumers, businesses, enterprises, developers, or any other customers — from Microsoft Product Support Services via a toll-free hotline, 1-866-PC SAFETY. (Editor’s note: This number is for calls from within the U.S. only. Numbers for calls from outside the U.S. will be announced shortly.)
3. We will begin delivering a cumulative security patch for Windows 2000 on a bi-monthly basis. An administrator need only deploy the most recent cumulative patch to ensure that a new Windows 2000 system is fully up to date on all operating system patches. Our goal is to simplify the task of applying patches, especially as new hardware is being deployed.
4. The fourth of our six deliverables, which will be available in December, is a collection of additional enterprise security tools aimed at Windows 2000 servers. Server administrators need to ensure their servers are configured appropriately for the security level they choose. We will deliver a tool that scans a Windows 2000 server, highlights any potential misconfigurations that could undermine security and advises the administrator in making changes. Also in December, we will deliver a tool that makes it simple to deploy security patches network-wide, using scripting and software distribution tools such as SMS. This total package of tools, together with those in the Security Tool Kit, will give administrators what they need to support security maintenance throughout a server’s lifecycle — from configuration through operations and maintenance.
In February 2002, we will release Windows 2000 Service Pack 3 (SP3), which will have a special focus on security. To that end, we currently are making a detailed, code-level review of all security-sensitive components in Windows 2000, using an advanced software analysis tool we’ve developed. We are doing whatever is necessary to ensure the process is complete, and updates patching any vulnerabilities we find during this code review are be delivered in SP3.
Service Pack 3 also will be the final link enabling breakthrough technology delivered in the Security Tool Kit. The Windows Update Auto-update Client will, for the first time, enable Microsoft to directly install critical security patches onto participating machines with no operator action required.
Finally, by mid-year 2002, we will deploy the Federated Corporate Windows Update technology, which will give network administrators a way to benefit from the Windows Update technology without sacrificing the ability to control what patches their users apply. Simply put, system administrators will be able to host their own Windows Update Web sites for their internal users, and select which patches they will host.
Taken as a whole, these measures give customers a comprehensive collection of tools and technologies that not only help ensure the security of their systems, but also minimize administrators’ management burden.
PressPass: Above all, what would you like customers, partners and the public to come away with from today’s announcement?
Valentine: I cannot emphasize enough how very serious we are about this program. When we look back in a few years, we will see this as one of the critical inflection points in our company’s growth. There is a swelling worldwide crisis-of-confidence in the Internet as the collaboration medium for the coming years. We, together with each of our customers and partners, and the industry as a whole, have a vested stake in stemming that sentiment.