Microsoft Outlines Plans to Simplify Secure Computing

SAN FRANCISCO, April 14, 2003 — In his keynote address today at RSA Conference 2003, Mike Nash, corporate vice president of the Security Business Unit at Microsoft Corp., outlined the next steps in the ongoing initiative to simplify and better enable secure computing environments for computer users everywhere.

“Customers have told us that making trustworthy computing a reality will require greater simplicity and higher predictability when it comes to security,” Nash said. “I am excited to show today how we’re starting to deliver in these areas and to showcase the progress we’ll be making to provide a more trustworthy computing experience in the future.”

Nash cited Microsoft®
Windows Server (TM) 2003, due to be launched next week, as the most important example to date of how Microsoft’s process and culture is changing to improve the quality of its products and give customer a safer, more trustworthy computing experience.

In his keynote, Nash outlined the tools and technologies Microsoft will deliver over the next 12 months to address four key scenarios customers have described as critical to bringing added security to their computing environments: patch management, information worker enablement, secure Web development and secure network access.

Simpler and Centralized Patch Management

Although Microsoft is focusing on quality of future products via the secure by design, secure by default and secure in deployment (SD3) framework, it is equally important to help protect customers with securing existing products. Due in part to its complexity, patching existing products is one of the great “pain points” today for customers. A key focus for Microsoft is to make this process simpler.

For IT professionals, Microsoft Software Update Services (SUS) and Systems Management Server 2.0 Software Update Services Feature Pack currently help automate patch installation for the Windows®
platform. Later this year, Microsoft will release SUS 2.0, which will include update functionality for a broader set of Microsoft products. In addition, Microsoft will release Systems Management Server 2003 later this year, which will include key features such as the ability to automatically install patches during scheduled downtime.

For consumers and small businesses, Microsoft’s Windows Update and Automatic Update are the primary vehicles for delivering security patches for the Windows platform. In the coming year, Microsoft will establish an automatic update service for security patches and other critical updates that extends to other Microsoft products.

To further simplify security management and operations for all customers, Microsoft will reduce the number of patch installer technologies used across the company and offer new security configuration wizards. Also, Microsoft Baseline Security Analyzer 1.2 will be released later this year, making it easier for users to identify unpatched systems.

Information Worker Enablement

As information workers become more reliant on digital means for collaboration and communication, valuable data becomes more susceptible to being lost, leaked or stolen. As a result, CIOs are asking for better ways to apply persistent policy protections across their enterprises to keep internal documents, e-mail and Web content safe.

In response, Microsoft recently announced a new technology for Windows Server 2003, Windows Rights Management Services (RMS), designed to give organizations advanced ways to help secure sensitive data. For example, this technology enables the expression of persistent rights to a given document or e-mail, ensuring that it can’t be forwarded, printed or edited — regardless of where it goes. Today, customers are just beginning beta deployments of RMS with Office 2003.

“For Ernst and Young LLP, our intellectual property is our No. 1 asset,” said John McCreadie, Global CIO at Ernst & Young LLP. “We are committed to protecting that knowledge base and have recently started to evaluate Windows Rights Management Services for Windows Server 2003 as part of our efforts to increase the level of information protection within our enterprise.”

In addition, Microsoft announced new technology enhancements designed to help antivirus vendors provide customers with a deeper level of protection against future security threats. This is particularly important for information workers engaged in a high level of data exchange. (See related release, Platform Advancements From Microsoft Enable Antivirus Partners to Enhance Security Defenses, at http://www.microsoft.com/presspass/press/2003/Apr03/04-14AVArchitecturePR.asp .)

Secure Development Tools and Web Services

Microsoft is making it easier for developers to build secure applications. Next week, with the release of Visual Studio®
.NET 2003 and the .NET Framework 1.1, Microsoft will offer system administrators more-granular control over how they can lock down the Web applications and Web services running in their datacenters. Visual Studio .NET and the .NET Framework also will help enable secure deployment of Windows-based “smart” client applications over the Internet. In the third quarter of 2003 of this year, Microsoft also will release a guide to provide developers and administrators with development-through-deployment best security practices around .NET Framework-based solutions.

Secure Network Access

As users become more mobile and companies cast their nets broader than ever, managing identity and controlling access has increased in complexity. As an example of how Microsoft is working to help address the new issues raised, Nash highlighted Wi-Fi Protected Access, or WPA, a new standards-based wireless security technology available for download for users of Windows XP SP1. WPA offers much more robust methods of encryption and authentication compared with wireless encryption protocol WEP.

Another area of focus is Storage Area Network (SAN) security; Microsoft is working with the storage industry to drive the adoption of the Internet Authentication Service (IAS) component in Windows Server. The majority of SAN switch vendors including Brocade Communications Systems Inc., QLogic Corp. and McDATA Corp. are committed to driving the use of IAS in Windows Server for their customers’ SAN environments. (See related announcement, Microsoft Fuels Industry Adoption of Enhanced Storage Security at http://www.microsoft.com/presspass/press/2003/Apr03/04-14SANSecurityPR.asp .)

To help ensure network security, Microsoft earlier this year delivered Feature Pack 1 for its Internet Security and Acceleration server, which provided advanced application-level filtering capabilities.

Microsoft Industry Participation

One of the points emphasized by Nash in his keynote was the importance of partnering with others in the industry and helping increase security knowledge and expertise overall. The recently announced Trusted Computing Group, of which Microsoft is a founding member, is representative of this cross-industry commitment to developing the Next-Generation Secure Computing Base.

Another way Microsoft is contributing to improving practices across the industry is with “Writing Secure Code,” a book written by Microsoft security experts Michael Howard and David LeBlanc. Recipient of the 2003 RSA Industry Innovation award, “Writing Secure Code” has received widespread accolades and is being used to form the basis for university curriculum on secure coding practices. Most recently, Leeds University selected this title for its computer sciences curriculum.

In addition to Nash’s keynote, Microsoft experts are delivering seven technical sessions at RSA Conference 2003, covering a broad range of topics including “How to Deploy PKI in 15 Minutes or Less,” “Securing Your Wireless Network With 802.11g” and “Client-Side Requirements for Enterprise Security,” as well as a technical overview of the Next-Generation Secure Computing Base.

Customers are encouraged to visit http://www.microsoft.com/security/ for the latest security information and tools such as Microsoft Baseline Security Analyzer and the IIS lockdown tool.

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and Internet technologies for personal and business computing. The company offers a wide range of products and services designed to empower people through great software — any time, any place and on any device.

Microsoft, Windows Server, Windows and Visual Studio are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.asp .

Related Posts

Q&A: Delivering on Secure Computing

As IT security experts gather for the annual RSA Conference, Mike Nash, head of Microsoft’s Security Business Unit, discusses how the company is acting on customer feedback to provide a more secure computing environment.