Ballmer Addresses Security
Oct. 27, 2003

Steve Ballmer, Microsoft's CEO, typically plays the role of the company's chief cheerleader. Recently, however, he has put that role aside and used several speeches to address the security of Microsoft's products instead. For example, during his keynote speech at the Microsoft Worldwide Partner Conference in Oct. 2003, Ballmer reviewed the progress the company has made in improving the security of its products; introduced the concept of perimeter shielding, or "safety technologies," which Microsoft hopes will become a first line of defense in the security battle; and outlined some near-term security-related deliverables.

Ballmer’s View of the Situation

Security has become such a big concern that some customers have hesitated to sign multiyear licensing agreements, which reduced Microsoft's revenues in the most recent quarter. (See "Unearned Revenue Drops in Q1'04".) In several recent speeches, Ballmer has acknowledged this concern. He also indicated that attacks exploiting vulnerabilities in Microsoft's software are increasing in frequency and sophistication, that the time between the discovery of a vulnerability and the appearance of malicious code that exploits it is shrinking, and that the people who launch such attacks are criminals intent on inflicting maximum damage.

Ballmer reviewed the steps that Microsoft has already taken to improve the quality of its products, such as the security code review performed on Windows Server 2003 and other products, and indicated that Microsoft will work with authorities around the world to find and prosecute the people responsible for these attacks.

But Ballmer also expressed some frustration that customers are not using the tools that are already available to make systems more secure. For example, when Ballmer asked the audience at the partner conference how many were using Microsoft Software Update Services (SUS), a free server-based tool for distributing patches within an organization, very few attendees raised their hands and some did not even know that the tool was available. Ballmer said Microsoft would have to work harder to get the message out about these tools.

Shielding the Perimeter

Ballmer acknowledged current customer concerns about the problems of patching software, including concerns about the size and frequency of patches and the likelihood that in the future a vulnerability will be exploited before the company can issue a patch for it. With these concerns in mind, Ballmer introduced a new initiative to provide stronger perimeter defenses—a notion he called "shielding." (See the sidebar "Steve Ballmer on Shielding".)

Microsoft already recommends the use of firewalls as a perimeter defense in its "Protect Your PC" campaign for consumers (which also recommends that users have up-to-date antivirus software and patch their machines regularly), but this new perimeter shielding initiative implies a new level of defense that would potentially examine inbound content such as e-mails, instant messages, and Web pages for malicious code such as viruses, worms, and attempts to exploit a buffer overflow. An additional set of mitigating technologies would attempt to protect a secured infrastructure from exploits introduced by an infected or unsecured PC. For example, a laptop or a home PC connecting to an organization’s network could be examined to ensure it met corporate security standards before being granted full access (similar to the quarantine feature already supported in Windows Server 2003 Routing and Remote Access Service and used by Microsoft on its corporate network).
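The quarantine idea described above can be illustrated with a small posture check. The following is an added example written for this article, not code from Microsoft or from the Windows Server 2003 quarantine feature: a connecting client reports its security state (installed hotfixes, host firewall, antivirus signature date), and a gateway-side policy decides whether the client gets full access or stays in quarantine. The policy values, hotfix names and client reports are constructed for the example.

```python
"""Endpoint quarantine decision, as an illustration of the perimeter
shielding concept. Added example, not Microsoft's RRAS implementation;
the policy, hotfix identifiers and client reports below are constructed."""

from datetime import date

# Hypothetical corporate policy (an assumption for this example).
POLICY = {
    "required_hotfixes": {"hotfix-001", "hotfix-002"},
    "firewall_required": True,
    "max_signature_age_days": 7,
}

# Constructed posture reports from two connecting machines.
TODAY = date(2003, 10, 27)
SAMPLE_REPORTS = {
    "corporate_laptop": {
        "hotfixes": ["hotfix-001", "hotfix-002", "hotfix-003"],
        "firewall_enabled": True,
        "av_signature_date": date(2003, 10, 25),
    },
    "home_pc": {
        "hotfixes": ["hotfix-001"],
        # no "firewall_enabled" key at all: the client did not report it
        "av_signature_date": date(2003, 9, 20),
    },
}


def evaluate_posture(report, policy, today):
    """Return (compliant, failures) for one client report.

    The check fails closed: any attribute the client omits counts as a
    failure, so an unsecured or non-cooperating client cannot pass by
    simply leaving fields out of its report."""
    failures = []

    missing = policy["required_hotfixes"] - set(report.get("hotfixes", []))
    if missing:
        failures.append("missing hotfixes: " + ", ".join(sorted(missing)))

    if policy["firewall_required"] and not report.get("firewall_enabled", False):
        failures.append("host firewall disabled or not reported")

    sig_date = report.get("av_signature_date")
    if sig_date is None:
        failures.append("antivirus signature date not reported")
    else:
        age_days = (today - sig_date).days
        # A signature date in the future is treated as bad data, not as fresh.
        if age_days < 0 or age_days > policy["max_signature_age_days"]:
            failures.append(f"antivirus signatures {age_days} days old")

    return (not failures, failures)


def access_decision(report, policy=POLICY, today=TODAY):
    """Map a posture evaluation to the gateway's action."""
    compliant, failures = evaluate_posture(report, policy, today)
    return "full-access" if compliant else "quarantine"


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        decision = access_decision(report)
        _, failures = evaluate_posture(report, POLICY, TODAY)
        print(f"{name}: {decision}", *failures, sep="\n    ")
```

Note that a check of this kind relies on what the client reports about itself, so it helps catch machines that are accidentally out of policy rather than a deliberately hostile one; that caveat applies equally to any quarantine script a remote-access gateway runs on the client.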

Specific technical details for these safety technologies (code-named Springboard) are not yet available. However, some of the safety technologies will likely be part of the next service pack for Windows XP and Windows Server 2003 and may involve enabling the Internet Connection Firewall (ICF) by default.

Ballmer was careful, however, not to overpromote the safety technologies as a "silver bullet." Although shielding is an interesting approach, it involves several technological challenges, such as providing the right level of security without causing existing applications to stop working, and not making the new software an additional attack surface due to buffer overflows or other bugs in it.

Near-Term Deliverables

In the near term, Ballmer made several promises to customers, including the following:

  • Addressing concerns about the frequency of patches by moving to a monthly (instead of weekly) release schedule for noncritical patches
  • Extending security support to June 2004 for Windows 2000 Service Pack (SP) 2 and for Windows NT Workstation SP6a, allowing customers more time either to get up to date with security patches or to upgrade to newer versions
  • Improving the security guidance offered to customers by adding new security training to TechNet, scheduling monthly security Webcasts with Mike Nash, vice president of Microsoft’s Security Business Unit, and publishing more security-related prescriptive guides, such as how to secure a wireless LAN.

He also reiterated several existing promises, such as the following:

  • Improving the patching experience by unifying the currently separate Windows and Office Update sites, reducing the number of patch installers (one for system software and one for applications), and improving the overall quality of patches
  • Continuing to improve patch distribution tools, such as SUS and Systems Management Server (SMS).

Delivery Vehicle: Service Packs

By including the new safety technology, having ICF turned on by default, and potentially having other little-used services turned off (similar to what was done with Windows Server 2003 to make it "secure by default"), Windows XP SP2 would fall somewhere between a traditional service pack and a full release—somewhat like Windows 98 Second Edition. In fact, Ballmer called SP2 the next release of Windows XP.

This release will require substantial testing to ensure that the changes do not unexpectedly hurt application compatibility. This level of testing will likely mean that SP2 will not be available until mid-2004.

Resources

Transcripts of Steve Ballmer’s speeches are available at www.microsoft.com/presspass/exec/steve/default.asp.

Microsoft’s security information Web site is located at www.microsoft.com/security.

For more information on Microsoft’s Software Update Service, see "Software Update Service to Ease Patch Distribution" on page 3 of the May 2002 Update.

For more information on the quarantine support in Windows Server 2003, see "Supporting Remote Users with Windows Server 2003" on page 3 of the Mar. 2003 Update.