MS relieves patching ‘pain point’

Trustworthy Computing phase II

Microsoft yesterday outlined plans to simplify patch management, which even Redmond admits has been a long-term "pain point" for its customers.

In a keynote address at this week's RSA Conference 2003, Mike Nash, corporate vice president of the Security Business Unit at Microsoft, outlined the next steps in the company's high-profile Trustworthy Computing initiative.

In his presentation, Nash outlined the tools and technologies Microsoft will deliver over the next 12 months to address four key scenarios customers have described as critical to bringing added security to their computing environments: patch management, information worker enablement, secure Web development and secure network access.

With Windows Server 2003, Microsoft is beginning to apply secure-by-default ideas that will, hopefully, guard against repetition of the numerous security risks (Nimda, Love Bug etc.) which have taken advantage of weak default configuration. But that still leaves older products to worry about.

Due in part to its complexity, patching existing products is one of the great "pain points" today for customers, Microsoft says.

A key focus for Microsoft is to make this process simpler.

For IT admins, Microsoft Software Update Services (SUS) and Systems Management Server 2.0 Software Update Feature Pack 1 currently help automate patch installation for the Windows(R) platform.

Later this year, Microsoft will release SUS 2.0, which will include update functionality for a broader set of Microsoft products. In addition, Microsoft will release Systems Management Server 2003 later this year, which will include features such as the ability to automatically install patches during scheduled downtime.

For consumers and small businesses, Microsoft's Windows Update and Automatic Update are often the primary vehicles for delivering security patches for the Windows platform. Microsoft wants to extend these services over the coming year to a wider variety of Microsoft products.

To simplify security management and operations for all customers, Microsoft will reduce the number of patch installer technologies used across the company and offer new security configuration wizards. Also, Microsoft Baseline Security Analyzer 1.2 will be released later this year, making it easier for users to identify unpatched systems.

To further "Information worker Enablement", Microsoft is promoting Windows Rights Management Services (RMS), which allows organisations to control the distribution of documents within corporates, and improved technical collaboration with antivirus vendors.

Fix the problem, not the blame

Any computing platform is subject to security problems from time to time. Much energy is focused on counting the quantity of security problems (Is Linux better? Is Windows worse?), or assessing the seriousness of exploits.

Microsoft gets it in the neck on both these points, especially whenever a high-profile Windows exploit is released. There's often a rush to blame either Redmond or the end-user, for failing to apply long-available patches.

The sheer quantity of patches (for Windows, Unix, Linux and applications) can be hard to keep up with, but other factors are worth considering. Often (and this is particularly the case with MS patches, unfortunately) fixes fail to work as advertised, cause conflicts or are otherwise difficult to apply.

In recognising this problem - and trying to do something about it - Redmond deserves a small pat on the back. Just a small pat, mind you; let's reserve praise for a time when our mailbags don't bulge with gripes about patching problems.

Secure by design

Microsoft also wants to make it easier for developers to build secure applications.

Next week, with the release of Visual Studio(R) .NET 2003 and the .NET Framework 1.1, Microsoft will offer system administrators "more-granular control" over how they can lock down the Web applications and Web services running in their datacenters.

Visual Studio .NET and the .NET Framework will also help enable secure deployment of Windows-based "smart" client applications over the Internet, it's hoped.

In the third quarter of 2003, Microsoft will also release a guide to provide developers and administrators with development-through-deployment best security practices around .NET Framework-based solutions.

As an example of how Microsoft is boosting secure net access, Nash highlighted Microsoft's decision to offer Wi-Fi Protected Access, or WPA, as a download for users of Windows XP SP1. WPA offers much more robust methods of encryption and authentication compared with its predecessor, WEP.

Another area of focus for Redmond is Storage Area Network (SAN) security.

Microsoft wants to drive the adoption of the Internet Authentication Service (IAS) component in Windows Server, which is supported by leading SAN switch vendors such as Brocade and McDATA.

To help boost network security, Microsoft earlier this year delivered Feature Pack 1 for its Internet Security and Acceleration server, which provided advanced application-level filtering capabilities. ®
