Microsoft: New Launches Evidence Of Security Commitment

Those launches come more than a year into the company's vaunted Trustworthy Computing initiative, and just months after the SQL Slammer worm ravaged Microsoft databases around the world, including many at the software company itself.

Competitors were quick to capitalize on SQL Slammer. Oracle, for example, made hay by claiming that its database is more secure than SQL Server and that Oracle 9i running on commodity boxes and Linux is a comparable solution to SQL Server in terms of pricing and security.

"People were livid over SQL Slammer," said Ray Roccaforte, Oracle's vice president of server development for business intelligence, information retrieval and bioinformatics. "This thing shut them down for a few days. ... Now [people are] thinking that maybe there's an alternative [to SQL Server]."

But no one doubts that Microsoft has taken the security issue to heart. Efforts to ensure that upcoming offerings are more airtight delayed the launch of Windows Server 2003 and put development of Yukon, the next-generation SQL Server, on hold, company executives said.

"Unfortunately, we spent a year on Trustworthy Computing and delivered the service pack [with the SQL Slammer fix] four days before [the virus] hit," said Gordon Mangione, vice president of SQL Server at Microsoft. "People didn't have a chance to deploy."

Another issue is that while proactive, Microsoft's myriad bug fixes and patches strain IT resources.

But the vendor now is creating an overarching Microsoft Update patch system, with the goal of simplifying patch application and avoiding reboots whenever possible.

Although partners agree with Mangione's assertion that security breaches are an industrywide problem, and not specific to Microsoft, widespread use of the vendor's technology makes it an attractive target for hackers, and it's hard to defend such a huge installed base from a slew of clever, motivated attackers, industry observers said.

"Anytime you have someone so pervasive on the Internet, they'll be a target. It's the old battle of sword and shield, [where the] sword usually wins. You can react, but you're in defensive mode," said Rick Fricchione, vice president of Enterprise Microsoft Services at Hewlett-Packard. "It's a serious problem, but I think [Microsoft has] reacted to it well. A lot of these problems [came up] because customers simply didn't follow good [procedures]. They didn't apply patches. They didn't have good security upgrade procedures in place."

On the other hand, large enterprises have tightened security, and solution providers have gotten better at working out the kinks in customer security since Sept. 11, Fricchione said. Microsoft, too, has made strides in improving the version of Internet Information Services bundled with Windows Server 2003, he added.

Phil Cox, a consultant at SystemExperts, a network security consulting firm in Sudbury, Mass., said Microsoft is headed in the right direction with Windows Server 2003 when it comes to security.

"Windows Server 2003 is more secure out of the box," Cox said, citing as an example that the software now has more templates for automating security functions. The application also features services that it didn't before, such as .Net, which "are likely not to be understood [by end users] and to be improperly configured from a security standpoint," he said.

Solution providers could improve providing security services to smaller, midmarket companies that don't have huge IT resources to devote to that area, Fricchione said.

"For companies that can't afford permanent security functions, we probably need to do a better job as service and technology providers," Fricchione said. HP, for instance, is working on ways to help deploy such services affordably for smaller businesses, he said.

MARCIA SAVAGE contributed to this story.