Microsoft's Muglia Details 'Securing The Perimeter' Initiative

In a wide-ranging interview with CRN on Tuesday, Bob Muglia, senior vice president of Microsoft's Enterprise Management Division, said the company is taking significant steps beyond patch management to better secure the Windows infrastructure.

"Securing Windows is our top priority right now," said Muglia, who hit the road this week to discuss security issues and to detail the Oct. 22 launch of Systems Management Server 2003. "Securing the perimeter is how you put in place countermeasures beyond patch management. While we continue to make the operating system more secure at its core and issue patches, it's not the only thing we're focusing on."

The management chief said Microsoft recently ordered OEMs to start turning on the Windows Internet Connection Firewall (ICF) by default on all Windows XP-based PCs. "That's going to happen very quickly," he said. "We told OEMs to do that right after Blaster [the virus that hit this summer]. Those that had ICF turned on didn't get Blaster."

And while Muglia declined to go into specifics about the perimeter plan, he said a common infrastructure for patch management is needed. The major upgrade of SUS will help administrators automate the deployment of security fixes and patches in a more transparent fashion to Windows 2000/2003 servers and desktop PCs running Windows 2000 Professional or Windows XP Professional.

He likened Microsoft's Securing the Perimeter plan to installing a fence around a compound, or a gated community for homeowners. Stepped-up security measures can't eliminate break-ins, but they can reduce or thwart attempts by robbers--or, in the case of software, hackers--he explained.

"You need to have multiple levels of security in a corporation, multiple levels of defense. It's like a gated community. You need additional levels of security, doors locked and alarms turned on, and additional defenses, countermeasures such as putting up a fence, to be protected," said Muglia. "It doesn't always work, but it's additional protection."

Sources speculate that Microsoft is working with top firewall vendors and antivirus ISVs to allow them to hook into the Microsoft Update and Software Update Services--and tap into .Net--to coordinate an industrywide response to an attack across the Internet.

Muglia would not comment on speculation about a possible .Net-based shield, and denied speculation that the company is poised to acquire a major firewall vendor.

In July, Microsoft moved into beta testing its more enterprise-oriented Internet Security & Acceleration (ISA) Server 2004 upgrade, code-named Stingray, a Windows server firewall solution. "Not to my knowledge," Muglia said when asked about a possible buy in the firewall space.

However, even as the company evolves its ISA platform, Microsoft will need partnerships with ISVs and solution providers to carry out Securing the Perimeter on heterogeneous networks. "We think every customer needs a firewall. But we're not going to do a Linux firewall."

Microsoft's forthcoming management stack is expected to help matters. He said the availability of SMS 2003 in November will help enterprises deploy security patches in a more efficient way while the Windows Update service for consumers and SUS upgrade will help both midsize companies and enterprises automate their infrastructure security.

"A year from now you'll see additional countermeasures in place, as well as better firewalls," said Muglia. "We'll have SMS 2003 out there so there's a better tool for deploying software and the next release of SUS for the Windows server for companies that don't require SMS."

In addition, Microsoft plans to ship management packs for its forthcoming Microsoft Operations Manager (MOM) 2004 next summer. "The next generation of management packs for MOM 2004 will have a broad understanding of security events, as will the next management pack for the Windows server," Muglia said.

Observers said Securing the Perimeter is a step in the right direction--if executed well.

"Microsoft appears to be working to improve patching on several fronts and will be working to create new and improved perimeter defenses," said Michael Cherry, an analyst with Directions on Microsoft, a Redmond, Wash., newsletter. "Both are reasonable and good moves, if they can accomplish them in a timely manner, and provide perimeter defenses that people can reasonably install and configure."

Securing the Perimeter is just one of a number of security initiatives under way at Microsoft and across various divisions in the company.

Sources in the analyst community say they expect Microsoft will announce significant improvements to the Internet Connection Firewall in Windows XP and add behavior-blocking capability from the technology it acquired from Pelican early in 2003.

One systems integrator who asked not to be named said Microsoft is busy reducing the attack surface aspect of Windows, IE and DirectX components, and is "hardening" the defensive aspects of .Net technologies. But the Windows configuration plans and enhanced SUS are key parts of the countermeasures Microsoft plans, he said.

This week at Momentum, the company's annual partner confab in New Orleans, Microsoft is expected to rally partners to its security cause. The company is poised to detail an updated security solution accelerator for its forthcoming Systems Management Server 2003 and a new security solution accelerator for SUS, Muglia said.

"These are handbooks for the VAR channel," said Muglia, noting that the deployment guides help channel partners lock up customer infrastructures. "The channel is very important because it supports so many small and midsize businesses, and enterprises are doing more and more outsourcing."

Later this month, at its Professional Developer's Conference, Microsoft is expected to announce the availability of the first software development kit for Microsoft's Next Generation Secure Computing Base, formerly code-named Palladium.

The software, to be embedded in the Longhorn version of Windows due in 2005-06, will exploit security advances in Intel's next generation 32-bit and 64-bit processors.

Security executives confirmed for CRN recently that Microsoft is working on a series of enterprise-oriented security products/services but would not discuss details.

Possible products in the lineup include intrusion-detection, firewall and antivirus products, according to information available on Microsoft's Web site.

Sources predict Microsoft will debut intrusion-detection technology and possibly antivirus technology in Windows following its acquisition of Romanian antivirus vendor GeCAD, which closed Sept. 3.

However, no decision is final, said Amy Carrolle, director of product management for Microsoft's Security Business Unit. She did note, however, that a subscription-based service is likely.

"The deal just closed. We're in the alpha testing phase, and it's too early to speculate," she said. "Our plan is not to make antivirus free but in a model similar to a subscription model."

Observers said it remains unclear how well Microsoft can execute on its ambitious plans, but its security woes are as big a threat to its business as was the antitrust case.

Numerous viruses and worms this summer have exploited flaws in Windows and have infected hundreds of thousands of computers worldwide, including computers at the U.S. State Department, the Federal Reserve in Atlanta, Maryland's motor vehicle agency and the Minnesota Transportation Department.

The problems cost businesses millions of dollars in lost productivity and service fees. One report recently issued by five security analysts claimed the government's sole reliance on Windows on the desktop constitutes a threat to national security.

Both Muglia and Microsoft CEO Steve Ballmer admit it's a bigger worry than Linux.

"Microsoft has thrown a lot of resources at trying to be more secure," said John Pescatore, a vice president at Gartner. "We've seen progress on Windows Server 2003, but they haven't had a new desktop software product since they got security religion, and security problems on their desktop software is a bigger threat to Microsoft's dominance on the desktop than the antitrust [case] ever was. The lawsuit didn't cause enterprises to try out Mac and Linux desktops--security problems in Windows have, though."