Is Windows Safer?

Although the release of Microsoft's quarantine technology has already been delayed and will lag behind the network access control solutions of Cisco Systems and Juniper Networks, Microsoft's integration of NAP with its next-generation Windows platformas well as with Windows XP and Windows Server 2003will give it a leg up on competitors, sources say.

The Redmond, Wash.-based company is no longer just battling blazes, they say, but taking on competitors for available security dollars.

At RSA this week, for example, Microsoft's focus on protection and prevention with Vista, Internet Explorer 7 and NAP, as well as investments in forthcoming security products and services such as ISA 2006 and antivirus and Web filtering products for business customers, show the company has worked hard to clean up its reputation in the security arena, partners say.

Last week, Microsoft announced the public beta release of ISA 2006 firewall and early customer beta versions of its long-awaited Client Protection and Microsoft Antigen for Exchange antivirus for business. In 2006 Microsoft also intends to take on ISVs such as SurfControl and Websense in the Web filtering arena, following an announcement last week that it acquired FutureSoft's DynaComm i:filter product.

In addition, plans to open up its Security Development Lifecycle practices to partners and customers at RSA demonstrate the company's growing confidence that it can establish a leadership role in the security space, a Microsoft spokesman said.

It's a stark contrast to the defensive posture Microsoft assumed in January 2002, when naysayers predicted a doomsday scenario for the leading OS platform and Gates declared an all-out war on the mounting security threats, viruses and worms that had infested the corporate IT landscape and threatened to dismantle his Windows franchise.

"Two and a half years ago, it was an unmanageable mess out there. Engineers would constantly expect security patch updates on a daily, if not hourly, basis and today it doesn't happen that much," said Phil Ernst, CEO of Convergence Technology Consulting, Bowie, Md. "Microsoft is light-years ahead of where they were two years ago."

The much-anticipated launch of the Windows Vista client later this year and server complement in 2007the first major Windows upgrades designed from the ground up in accordance with Microsoft's Trustworthy Computing initiativewill represent a major turning point for the company and its partners, observers predict. "Yes, there are still vulnerabilities out there," Ernst said, "but I think Microsoft has made endless strides. Vista encapsulates the whole secure computing model."

Delivery of the more secure Windows platform is drawing closer. Vista Beta 2 for businesses is expected this quarter, and next quarter Microsoft plans to launch a Community Technology Preview program for Longhorn Server that will incorporate NAP, Server Core and the Internet Information Server (IIS) 7.0 upgrade, said David Lowe, senior product manager in the Windows Server group.

Also at RSA, rivals Sun Microsystems, Novell and Red Hat plan to detail their own security enhancements for Solaris and Linux. Sun said it will unveil plans to launch into beta this April and ship in August Trusted Extensions for Solaris 10, which will give Solaris the highest security rating of any OS.

But all eyes will be on Vista and Longhorn Server, analysts say. "Vista will be the next major OS product they will ship since taking security seriously," said John Pescatore, vice president at Gartner. "Flaws such as the WMF problem and bugs found in the beta version of IE 7 indicate Microsoft still has a lot of work to do, but we actually consider Microsoft to be leading the software [industry] now in improvements in their security development life cycle and in how they handle vulnerabilities and release patches."

HARDENING SECURITY
Partners attribute the improvements to a variety of factors both inside and outside the company, including Microsoft's ongoing patch-and-spackle job on the Windows code. While the long-term prospects for the code base are unclear, the release of Windows XP SP2 in late 2004, though bumpy out of the gate, along with the security-enhanced server equivalent Windows Server 2003 SP1, have helped stem the flow of problems in the field, partners note.

Some observers maintain, for instance, that recent attacks on older Windows codesuch as the WMF exploitdemonstrate that security is hardening with each new release of Windows.

"I'm not surprised [WMF] exploited 16-bit code," said Robert Helm, an analyst at Directions on Microsoft. "If you look over the security vulnerabilities, more and more are affecting versions of Windows prior to Windows XP SP2 and Windows Server 2003, and that's a good sign that the beating Windows took in prior years is slowing and that XP SP2 has affected the behavior [of hackers]."

Partners also attribute Microsoft's improving status to its security response center's quicker actions and the flood of new security features, products and patching services, including Microsoft's Windows Services Update Server, Microsoft Update, ISA 2004, IIS 6.0 and Windows Anti-Spyware.

Windows is also making some strides on the edge of the network, where the lean, secure Linux kernel has fared well, other partners say. "Security has improved immensely. IIS is more secure than Apache nowadays, and with the SP2 for Windows XP and SP1 for Windows 2003, a lot of those vulnerabilities got fixed," said Douglas Brown, president and CTO of DABCC, Clarkston, Mich. "Some of my customers got nailed by SQL Slammer a few years ago, but I don't know anyone affected by the recent WMF one."

Others say the number and severity of exploits and patches haven't changed much, as demonstrated by ongoing advisoriessuch as the two security problems identified last week. Still, they maintain that its security image is improving as others such as Oracle and rival applications such as RealNetworks' RealPlayer, Adobe Flash, Mozilla Firefox and Linux are increasingly targeted by hackers. This is likely helping Microsoft's services partners sell Windows against rival platforms. "Microsoft has moved up a bit, but other systems have moved down," said Mark Shavlik, CEO of Shavlik Technologies, St. Paul, Minn. "There's no safe place to go."

One solution provider said Microsoft has also benefited from government security regulations that have forced customers to shore up their networks. "There will still be problems around security, but everyone getting hit at the same time? You've seen a decline in that," said Matt Scherocman, director of Cincinnati-based PCMS IT Advisor Group.

That doesn't mean, however, that there will be declining opportunities for partners. As the WMF exploit attests, there is no danger that security partners and consulting firms will go out of business in the near term.

MORE SOPHISCATED ATTACKS
In fact, the increasing sophistication of attacks bearing down on Windows and other network assets is spawning an ever-expanding network of security ISVs and solution providers, observers say. In the past year, for instance, roughly 400 Microsoft partners earned Microsoft's security competency, and many more are expected, Allison Watson, Microsoft's vice president of the worldwide partner and small business group, told CRN last week. And not all of them are battling Microsoft's problems.

"There are fewer cleanup scenarios, but there are so many different fronts the war is being fought on," said Tom Barnes, marketing manager at NSPI, Roswell, Ga. "Network access control products help, but at the same time Cisco is a target and people are going after [Cisco's] IOS these days. So the fight is not over just because the OS is better."

Partners are also exploring new opportunities with Microsoft's Active Directory Federated Services, identity and authentication software and smart card technology. There may also be new partner opportunities as Microsoft tinkers with alternative Windows desktop delivery methods that promise enhanced security over traditional fat clients.

Recently, for example, Microsoft and application virtualization vendor Softricity announced a partnership and release of that ISV's SoftGrid for Microsoft Systems Management Server patching and software distribution platform. In addition, Microsoft's new Terminal Services gateway and Remote Applications technology in Longhorn Server will offer other thin-client alternatives for partners to explore deploying for their customers. Prospects look good for partners, but the full impact of Microsoft's shifting security investments on the channel remains unclear.

Putting out Microsoft's security fires has generated new product and services income for many Microsoft value-added resellers and solution providers over the past few years. It has also enabled partners to develop relationships with many new customers.

Still, many solution providers say the outbreaks are a headache and often put them at odds with their customers. "It's given us a lot of great opportunities to form a long-term relationship with clients, but it's not always a good thing," NSPI's Barnes said. "I know there are a lot of people out there selling with scare tactics, the ones who don't want to see viruses go away. I disagree with that sales philosophy, but I see a lot of it."

And many partners are worried about potential conflicts with Microsoft in the product and services realm. Raising concerns are its efforts to integrate anti-malware, authentication, biometrics, digital certificates and rights management software directly into the Windows OS. Sources also said Microsoft is considering applying digital certificates to all code binaries and offering authentication directly to the Windows desktop via a built-in connector without having to go through a server.

"A lot of VARs were skeptical and concerned [about Microsoft's partnership with RSA Security] because they make a lot of money selling RSA authentication and if Microsoft can resell the RSA solution, then customers don't have to come to them," said Pat Grillo, CEO of Atrion Communi- cations Resources, Branchburg, N.J., which recently hired a dedicated Microsoft security salesperson.

While partners last week applauded the reasonable pricing strategy Microsoft set for Windows OneCare service, some lamented the fact that the service is not currently open to resellers. Microsoft's Watson told CRN the company has not made a final decision on its channel strategy for Windows and Office Live service and security services.

Lane Bess, Trend Micro's U.S. president of operations and general manager of its global consumer segment, said Trend Micro, Cupertino, Calif., already has a security-as-a-service offering for consumers that it's ready to roll out, but has decided to "wait and see how the market acceptance is for [Microsoft] OneCare and [Symantec] Genesis."

The bigger issue that Microsoft must tackle is its credibility in the security market, said Bess. "Does Microsoft truly have credibility in the security protection space?" asked Bess. "Let's face it, the majority of the value of OneCare is, 'Do they have that credibility? Does a channel partner feel that Microsoft can get over that credibility issue and build that trust?' "

Others chuckle at the notion of Microsoft usurping the security channel. Adam Lipson, CEO of Network and Security Technologies, Pearl River, N.Y., said that while Windows security has improved, the company should consider a five-year strategy that calls for an entire rip and replace of the Windows OS beyond Longhorn and Blackcomb. "If it's even possible, they should have a team working on a completely new OS," Lipson said. "That's what I'd be doing."

Though some partners say Vista and Longhorn are the security rewrites of Windows, others agree that Microsoft may have to reinvent the wheel one day. "I don't know if the patch-and-spackle approach will force them to do it, but they can't ignore the possibility either," said Rick Crane, director of security at Evolution, a Columbia, Md.-based solution provider. "We run firewalls on hardened Linux kernel because customers still won't run Microsoft in the DMZ."