MS relieves patching ‘pain point’

Trustworthy Computing phase II


Microsoft yesterday outlined plans to simplify patch management, which even Redmond admits has been a long-term "pain point" for its customers.

In a keynote address at this week's RSA Conference 2003, Mike Nash, corporate vice president of the Security Business Unit at Microsoft, outlined the next steps in the company's high-profile Trustworthy Computing initiative.

In his presentation, Nash outlined the tools and technologies Microsoft will deliver over the next 12 months to address four key scenarios customers have described as critical to bringing added security to their computing environments: patch management, information worker enablement, secure Web development and secure network access.

With Windows Server 2003, Microsoft is beginning to apply secure-by-default ideas that will, hopefully, guard against repetition of the numerous security risks (Nimda, Love Bug, etc.) which have taken advantage of weak default configuration. But that still leaves older products to worry about.

Due in part to its complexity, patching existing products is one of the great "pain points" today for customers, Microsoft says.

A key focus for Microsoft is to make this process simpler.

For IT admins, Microsoft Software Update Services (SUS) and Systems Management Server 2.0 Software Update Feature Pack 1 currently help automate patch installation for the Windows(R) platform.

Later this year, Microsoft will release SUS 2.0, which will include update functionality for a broader set of Microsoft products. In addition, Microsoft will release Systems Management Server 2003 later this year, which will include features such as the ability to automatically install patches during scheduled downtime.

For consumers and small businesses, Microsoft's Windows Update and Automatic Update are often the primary vehicles for delivering security patches for the Windows platform. Microsoft wants to extend these services over the coming year to a wider variety of Microsoft products.

To simplify security management and operations for all customers, Microsoft will reduce the number of patch installer technologies used across the company and offer new security configuration wizards. Also, Microsoft Baseline Security Analyzer 1.2 will be released later this year, making it easier for users to identify unpatched systems.

To further "Information worker Enablement", Microsoft is promoting Windows Rights Management Services (RMS), which allows organisations to control the distribution of documents within corporates, and improved technical collaboration with antivirus vendors.

Fix the problem, not the blame

Any computing platform is subject to security problems from time to time. Much energy is focused on counting the quantity of security problems (Is Linux better? Is Windows worse?), or assessing the seriousness of exploits.

Microsoft gets it in the neck on both these points, especially whenever a high-profile Windows exploit is released. There's often a rush to blame either Redmond or the end-user, for failing to apply long-available patches.

The sheer quantity of patches (for Windows, Unix, Linux and applications) can be hard to keep up with, but other factors are worth considering. Often (and this is particularly the case with MS patches, unfortunately) fixes fail to work as advertised, cause conflicts or are otherwise difficult to apply.

In recognising this problem - and trying to do something about it - Redmond deserves a small pat on the back. Just a small pat, mind you, let's reserve praise for a time our mailbags don't bulge with gripes about patching problems.

Secure by design

Microsoft also wants to make it easier for developers to build secure applications.

Next week, with the release of Visual Studio(R) .NET 2003 and the .NET Framework 1.1, Microsoft will offer system administrators "more-granular control" over how they can lock down the Web applications and Web services running in their datacenters.

Visual Studio .NET and the .NET Framework will also help enable secure deployment of Windows-based "smart" client applications over the Internet, it's hoped.

In the third quarter of 2003, Microsoft also will release a guide to provide developers and administrators with development-through-deployment best security practices around .NET Framework-based solutions.

As an example of how Microsoft is boosting secure net access, Nash highlighted Microsoft's decision to offer Wi-Fi Protected Access, or WPA, as a download for users of Windows XP SP1. WPA offers much more robust methods of encryption and authentication compared with its predecessor, WEP.

Another area of focus for Redmond is Storage Area Network (SAN) security.

Microsoft wants to drive the adoption of the Internet Authentication Service (IAS) component in Windows Server, which is supported by leading SAN switch vendors such as Brocade and McDATA.

To help boost network security, Microsoft earlier this year delivered Feature Pack 1 for its Internet Security and Acceleration server, which provided advanced application-level filtering capabilities. ®
