MS relieves patching ‘pain point’

Trustworthy Computing phase II

Microsoft yesterday outlined plans to simplify patch management, which even Redmond admits has been a long-term "pain point" for its customers.

In a keynote address at this week's RSA Conference 2003, Mike Nash, corporate vice president of the Security Business Unit at Microsoft, outlined the next steps in the company's high-profile Trustworthy Computing initiative.

In his presentation, Nash outlined the tools and technologies Microsoft will deliver over the next 12 months to address four key scenarios customers have described as critical to bringing added security to their computing environments: patch management, information worker enablement, secure Web development and secure network access.

With Windows Server 2003, Microsoft is beginning to apply secure-by-default ideas that will, hopefully, guard against repetition of the numerous security risks (Nimda, Love Bug etc.) which have taken advantage of weak default configuration. But that still leaves older products to worry about.

Due in part to its complexity, patching existing products is one of the great "pain points" today for customers, Microsoft says.

A key focus for Microsoft is to make this process simpler.

For IT admins, Microsoft Software Update Services (SUS) and Systems Management Server 2.0 Software Update Feature Pack 1 currently help automate patch installation for the Windows® platform.

Later this year, Microsoft will release SUS 2.0, which will include update functionality for a broader set of Microsoft products. In addition, Microsoft will release Systems Management Server 2003 later this year, which will include features such as the ability to automatically install patches during scheduled downtime.

For consumers and small businesses, Microsoft's Windows Update and Automatic Update are often the primary vehicles for delivering security patches for the Windows platform. Microsoft wants to extend these services over the coming year to a wider variety of Microsoft products.

To simplify security management and operations for all customers, Microsoft will reduce the number of patch installer technologies used across the company and offer new security configuration wizards. Also, Microsoft Baseline Security Analyzer 1.2 will be released later this year, making it easier for users to identify unpatched systems.

To further "Information worker Enablement", Microsoft is promoting Windows Rights Management Services (RMS), which allows organisations to control the distribution of documents within corporates, and improved technical collaboration with antivirus vendors.

Fix the problem, not the blame

Any computing platform is subject to security problems from time to time. Much energy is focused on counting the quantity of security problems (Is Linux better? Is Windows worse?), or assessing the seriousness of exploits.

Microsoft gets it in the neck on both these points, especially whenever a high-profile Windows exploit is released. There's often a rush to blame either Redmond or the end-user, for failing to apply long-available patches.

The sheer quantity of patches (for Windows, Unix, Linux and applications) can be hard to keep up with, but other factors are worth considering. Often (and this is particularly the case with MS patches, unfortunately) fixes fail to work as advertised, cause conflicts or are otherwise difficult to apply.

In recognising this problem - and trying to do something about it - Redmond deserves a small pat on the back. Just a small pat, mind you: let's reserve praise for a time when our mailbags don't bulge with gripes about patching problems.

Secure by design

Microsoft also wants to make it easier for developers to build secure applications.

Next week, with the release of Visual Studio® .NET 2003 and the .NET Framework 1.1, Microsoft will offer system administrators "more-granular control" over how they can lock down the Web applications and Web services running in their datacenters.

Visual Studio .NET and the .NET Framework will also help enable secure deployment of Windows-based "smart" client applications over the Internet, it's hoped.

In the third quarter of 2003, Microsoft will also release a guide to provide developers and administrators with development-through-deployment security best practices for .NET Framework-based solutions.

As an example of how Microsoft is boosting secure net access, Nash highlighted Microsoft's decision to offer Wi-Fi Protected Access, or WPA, as a download for users of Windows XP SP1. WPA offers much more robust methods of encryption and authentication compared with its predecessor, WEP.

Another area of focus for Redmond is Storage Area Network (SAN) security.

Microsoft wants to drive the adoption of the Internet Authentication Service (IAS) component in Windows Server, which is supported by leading SAN switch vendors such as Brocade and McDATA.

To help boost network security, Microsoft earlier this year delivered Feature Pack 1 for its Internet Security and Acceleration server, which provided advanced application-level filtering capabilities. ®
