MS relieves patching ‘pain point’

Trustworthy Computing phase II


Microsoft yesterday outlined plans to simplify patch management, which even Redmond admits has been a long-term "pain point" for its customers.

In a keynote address at this week's RSA Conference 2003, Mike Nash, corporate vice president of the Security Business Unit at Microsoft, outlined the next steps in the company's high-profile Trustworthy Computing initiative.

In his presentation, Nash outlined the tools and technologies Microsoft will deliver over the next 12 months to address four key scenarios customers have described as critical to bringing added security to their computing environments: patch management, information worker enablement, secure Web development and secure network access.

With Windows Server 2003, Microsoft is beginning to apply secure-by-default ideas that will, hopefully, guard against repetition of the numerous security risks (Nimda, Love Bug etc.) which have taken advantage of weak default configuration. But that still leaves older products to worry about.

Due in part to its complexity, patching existing products is one of the great "pain points" today for customers, Microsoft says.

A key focus for Microsoft is to make this process simpler.

For IT admins, Microsoft Software Update Services (SUS) and Systems Management Server 2.0 Software Update Feature Pack 1 currently help automate patch installation for the Windows(R) platform.

Later this year, Microsoft will release SUS 2.0, which will include update functionality for a broader set of Microsoft products. In addition, Microsoft will release Systems Management Server 2003 later this year, which will include features such as the ability to automatically install patches during scheduled downtime.

For consumers and small businesses, Microsoft's Windows Update and Automatic Update are often the primary vehicles for delivering security patches for the Windows platform. Microsoft wants to extend these services over the coming year to a wider variety of Microsoft products.

To simplify security management and operations for all customers, Microsoft will reduce the number of patch installer technologies used across the company and offer new security configuration wizards. Also, Microsoft Baseline Security Analyzer 1.2 will be released later this year, making it easier for users to identify unpatched systems.

To further "Information worker Enablement", Microsoft is promoting Windows Rights Management Services (RMS), which allows organisations to control the distribution of documents within corporates, and improved technical collaboration with antivirus vendors.

Fix the problem, not the blame

Any computing platform is subject to security problems from time to time. Much energy is focused on counting the quantity of security problems (Is Linux better? Is Windows worse?), or assessing the seriousness of exploits.

Microsoft gets it in the neck on both these points, especially whenever a high-profile Windows exploit is released. There's often a rush to blame either Redmond or the end-user, for failing to apply long-available patches.

The sheer quantity of patches (for Windows, Unix, Linux and applications) can be hard to keep up with, but other factors are worth considering. Often (and this is particularly the case with MS patches, unfortunately) fixes fail to work as advertised, cause conflicts or are otherwise difficult to apply.

In recognising this problem - and trying to do something about it - Redmond deserves a small pat on the back. Just a small pat, mind you, let's reserve praise for a time our mailbags don't bulge with gripes about patching problems.

Secure by design

Microsoft also wants to make it easier for developers to build secure applications.

Next week, with the release of Visual Studio(R) .NET 2003 and the .NET Framework 1.1, Microsoft will offer system administrators "more-granular control" over how they can lock down the Web applications and Web services running in their datacenters.

Visual Studio .NET and the .NET Framework will also help enable secure deployment of Windows-based "smart" client applications over the Internet, it's hoped.

In the third quarter of 2003, Microsoft also will release a guide to provide developers and administrators with development-through-deployment best security practices around .NET Framework-based solutions.

As an example of how Microsoft is boosting secure net access, Nash highlighted Microsoft's decision to offer Wi-Fi Protected Access, or WPA, as a download for users of Windows XP SP1. WPA offers much more robust methods of encryption and authentication compared with its predecessor, WEP.

Another area of focus for Redmond is Storage Area Network (SAN) security.

Microsoft wants to drive the adoption of the Internet Authentication Service (IAS) component in Windows Server, which is supported by leading SAN switch vendors such as Brocade and McDATA.

To help boost network security, Microsoft earlier this year delivered Feature Pack 1 for its Internet Security and Acceleration server, which provided advanced application-level filtering capabilities. ®
