Microsoft Launches Security Offensive

"There comes a time when you have to step back and listen and take what you hear as a defining moment," says Ballmer, who cited the need to jump on the Internet train in 1995 and Microsoft's legal battle with the U.S. Department of Justice as two such instances. "The crisis right now around security is that defining moment."

With startling specificity, Ballmer rattled off a bevy of enhanced products, including Windows XP SP2 and Windows Server 2003 SP1; new perimeter technologies and automatic patching software; and upcoming partner education and training programs aimed at throwing up a major roadblock against malicious hack attacks. He also outlined a road map of security-related goals for the coming year, many related to improving both the patching process and the quality of Microsoft's software. Finally, he offered partners prescriptive guidelines for protecting their customers' IT infrastructure. Several of the new initiatives will roll out immediately, while others will be phased in during the next year, Ballmer says.

One thing is perfectly clear: The Redmond software giant is feeling the heat from customers and partners who have grown increasingly frustrated after a string of virus and worm attacks, notably Blaster and SoBig, that thrived by exploiting holes in Microsoft software. In session after session with Microsoft executives, the topic of security infused every discussion, from a briefing on the launch of Small Business Server 2.0 to details on the company's ISV strategy.

And yet, partners have heard this mantra before and frankly have seen few real improvements; think of the noise when Microsoft launched its Trustworthy Computing initiative as an integral part of the development and delivery of Windows Server 2003. But this time around, Ballmer's sense of urgency seemed, well, more acute. And his action plan and road map played well with partners. You had only to hear the applause erupt at several points during his speech, notably when describing plans to move by May 1 to a single patching system across all software products and to confine patch releases to once per month except in cases of emergency.

Partners interviewed at the conference welcomed Ballmer's security offensive, but also deemed it long overdue. Security has been a top concern for their customers for years. And dealing with security is their own biggest headache.

"To date, security and patching have been tedious to deal with, to say the least," says Jason Harrison of Harrison Technology Consulting, a Microsoft partner based in North Carolina. "With the Blaster [virus], I had to schedule four days of work to get to all my customers with patches. It takes you off the real work you need to be doing."

For the first time, Ballmer acknowledged that service packs and patches cannot be the only line of defense. Microsoft is pitching partners on perimeter measures and other "safety" technologies to thwart viruses and worms from gaining access to IT infrastructure via such weak spots as remote laptops logging in from home. Microsoft plans to enact these measures in several ways: bolstering its Internet Connection Firewall to allow administrators to better parcel out access to the network among users, creating new e-mail and instant-messaging-filtering capabilities, enhancing memory protection to protect against worms that take advantage of buffer overruns, and fortifying the browser so it will not run ActiveX Controls on untrusted Web sites and will isolate suspect code.

These technologies will be implemented in the forthcoming release of Windows XP SP2, which Ballmer calls "a service pack on steroids," and Windows Server 2003 SPI. Both are due out during the first half of 2004.

Another release coming in the first half of next year is version 2.0 of Software Update Server, the little-used tool from Microsoft that automatically distributes patches as they arise to IT systems. SUS 2.0 is free of charge.

"The fact that it is free is just great," says Jenna Hurren, partner engagement manager for Baltimore-based integrator eMagination. "Security is one of those ongoing issues for us and our customers."

It remains to be seen how well Microsoft can execute on its security strategy and stay ahead of the hacker curve. Ballmer advises partners to take several steps to help mitigate risk to their customers, among them performing a security audit and building a security plan for a company, activating SUS 2.0 for patch management, upgrading laptops and remote client systems to Windows XP from older versions of the OS, and moving Internet-facing servers to Windows Server 2003.

"A lot of you have said, 'The best thing I can do for security is walk away from Microsoft.' That notion is bad," says Ballmer, who then contended that Red Hat Linux Enterprise Edition has 43 security vulnerabilities of its own currently. "There's no other port in the security storm that's safer than this one."

More than a few partners raised an eyebrow at that dose of hyperbole.