Microsoft Corp.'s latest security efforts are focused on Service Pack 2 for Windows XP, which is due shortly. Mike Nash, vice-president of Microsoft's security business and technology unit, recently discussed SP2 and the company's security strategy with Computerworld. Excerpts from the interview follow:
What guidance can you give IT pros about Windows XP Service Pack 2 breaking applications?
Making sure that we're doing things to make XP SP2 compatible with key customer scenarios is a top priority for us. One of the things with the new firewall in Service Pack 2 is to make sure that it's compatible with more scenarios so that it can be turned on by default and left on by the customers.
There may be some cases from a security perspective where we're doing things that change the behavior of the operating system. . . . There may be certain cases where security and compatibility are at odds, and we're going to focus on security, because people really need us to be focusing on security. . . . The most important thing customers should be doing right now is planning for their rollouts of Windows XP Service Pack 2, which means testing it today so that if there are issues, we get that feedback now so we have a chance to respond to it before we ship the product.
How important is the firewall in Windows XP SP2 for companies that already have network firewalls?
When your machine is always inside the network, the primary thing that the firewall's going to do is protect your machine from another infected machine that was brought inside the network. If you have a laptop that comes in with an infection, the edge (network firewall) can't help you. But your machine will be protected from that attack. So I never turn my firewall off.
The other thing that will happen, if a machine comes in with malicious code on it, its ability to propagate can be somewhat slowed down by having a firewall there. The primary place it makes a difference is for machines that are checking in remotely. We know a number of situations where an end user VPNs into the corporation and didn't have a firewall turned on. That machine is both out on the Internet but inside the (corporate firewall) all at the same time. Think of it as redefining "edge of the network."
Will XP SP2's firewall work with other personal firewalls?
It is designed to support multiple firewalls, ours and a third party's, at the same time. Practically speaking, if you're using a third-party firewall and you're comfortable with its level of protection, that's a fine answer. Our primary goal is to make sure that customers have a choice.
I think one of the key benefits of our firewall is that it can be managed using group policy. . . . In Windows XP Service Pack 2, we've done work to make the firewall manageable using group policy with Active Directory but also allow it to support multiple profiles. So I can set my policy to a rule that says, "When the machine is inside the corporate network, allow it to do more things even though the firewall is still on. When that machine is not on the corporate network, and it's sitting in a coffee shop or in a hotel room or in someone's home, increase the level of protection because I don't have the corporate edge protected for that machine." That's something that an administrator could do by policy based on what's appropriate for their organization.
Someone at a large Microsoft customer that makes weapons systems for the government told me he believes that perfect software can be written. Is there any chance you'll rewrite Windows to take advantage of what you've learned about security?
I'm not a person who believes that perfect software is possible at that kind of scale, because there's always going to be some level of vulnerability. Pragmatically, certainly we do everything we can to make sure that we're training our engineers on how to build and design secure code, making sure that we're testing our software and making the software configuration as secure as possible. But there are going to be vulnerabilities in software, and therefore the approach is to make sure that we create essentially countermeasures to make sure that even if there is a vulnerability, we can isolate the system software or the application from the malicious software that might try to attack it and drive more resiliency of how that software behaves under attack.
Does that approach represent a change in strategy?
I wouldn't say it's a change in strategy as much as I would say it's a change in emphasis. Isolation and resiliency was something that we always understood. Being more pragmatic about how it could be used is what's different. If you look at why did we do Windows XP SP2, the original idea was, with the firewall built into Windows XP turned on, a customer wouldn't have been attacked by Blaster, even if they'd never installed a patch in their life. . . . We'll of course always work to improve quality. We're not letting up the gas at all on that. But as you go in and perhaps fix some of the quality issues, there is the risk of breaking things. You can introduce more problems, so you have to do that in a measured way.
Microsoft Sees Need to Escalate Efforts in Security War
A Microsoft security executive said that the threat of potentially more destructive viruses makes it difficult to gauge whether the company is winning the war to protect its products from malicious attacks.
"It's hard to tell because we haven't seen some things yet that may reshape the dynamics," Scott Charney, Microsoft's chief security strategist, said during an interview with Computerworld at a company security summit here. "We haven't seen polymorphic viruses very much that change their signatures on the fly. The existing set of tools doesn't work with that. That's not just an issue for us, but (for) the antivirus vendors" as well, he said.
Charney said the potential for more destructive viruses that could format or encrypt drives on the fly has made him a proponent of backing up data. "Hard drives became so reliable that people stopped backing up," he said. "And the industry stopped telling people to back up. Now I'm a huge proponent of it. I'm telling people to back up again, because we know that virus is coming."
Charney said Microsoft products are becoming more secure and easier to manage, and customer feedback has shown that the company is starting to make a difference. "But we need to stay the course," he added. "We need to do more."
Microsoft has been reviewing and refining the Trustworthy Computing initiative it launched over two years ago, adding requirements for annual training to help software engineers keep up with changing threat models, according to Charney.
He said the company has also been testing a survey tool to more objectively measure how its software engineers are applying their security and privacy training to their day-to-day work.
Charney said Microsoft has also launched a project called the Trustworthy Computing Inquiry Board, modeled after the National Transportation Safety Board. Microsoft currently does root-cause analysis, he noted, but that may not be enough. Some of his staff members took a course to learn more about the NTSB's methodology, which involves analyzing the series of events that occurred before and after an accident to see if it could have been prevented, Charney explained.
"They're trying this process to see what the report looks like in comparison," he said. "We continue to try and think outside the box." -- Computerworld (US)