Microsoft Slowly Delivering on Security Promises
Aug. 9, 2004

The next step toward Trustworthy Computing will take longer than originally estimated, according to announcements in July 2004 by Microsoft executives. Microsoft released the long-awaited second service pack for Windows XP on Aug. 6, 2004, and will later introduce a new set of Network Access Protection (NAP) technologies, but these announcements were tempered by the confirmation that other promised capabilities, such as improved patching, would be delayed until 2005. Other questions, such as the availability of security-related improvements for versions of Windows still under Mainstream support, remain unanswered.

Windows XP SP2 Available in August

Will Poole, senior vice president of the Windows Client business, indicated at the Worldwide Partner Conference in July 2004 that Microsoft would release Windows XP Service Pack (SP) 2 in Aug. 2004. The service pack, released on Aug. 6, 2004, almost two years after the first service pack for Windows XP, has several new security features, including configuration changes such as turning on the Windows Firewall by default, and patches and configuration changes that close security vulnerabilities in Internet Explorer (IE). The service pack is available for download from an updated Windows Update site, which has been improved to handle the large number of users expected to download XP SP2. (However, the new Windows Update 5.0 is not the promised combination of multiple update sites into a unified Microsoft Update, a single stop for updating all Microsoft products.)

Microsoft is confident that most users will download XP SP2 from the Windows Update site, even though the final release will likely be between 80 and 100 megabytes. To set the stage for the release, Microsoft provided an updated version of its Background Intelligent Transfer Service (BITS) in July 2004. Although this update does not repair any security-related vulnerabilities, it was labeled as critical, for two reasons. First, Windows Update uses different criteria for labeling its updates than the Microsoft Security Response Center, which has vowed to label updates "critical" only when security is involved. Second, Microsoft wants to ensure that Windows Update users have the BITS update, which improves the downloading of large files over slow links, before XP SP2 is released. Improvements in BITS version 2.0 include concurrent foreground downloads, the ability to download a file in sections, and a limit on client bandwidth. BITS is particularly important for the successful installation of large updates such as XP SP2 because it allows users to begin downloading an update, disconnect before the download is complete, and continue where they left off the next time they connect to the Internet.
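The resume-after-disconnect behavior described above is the part of BITS that matters for a 100-megabyte service pack on a dial-up link. The following is an added example, not Microsoft's code and not how BITS is implemented internally: it models a client that fetches a file in byte ranges, keeps enough state to continue after an interruption, restarts from zero if the file on the server has changed in the meantime (detected here through an assumed ETag-style version tag), and verifies a SHA-256 digest of the reassembled file before declaring success. The server, the payload and the version tag are all constructed in the script so that it runs offline.

```python
import hashlib

# Constructed sample payload standing in for a large update package.
PAYLOAD = bytes(range(256)) * 40                      # 10,240 bytes
PAYLOAD_ETAG = "etag-v1"                              # assumed version tag
EXPECTED_SHA256 = hashlib.sha256(PAYLOAD).hexdigest() # published by the vendor


class FakeServer:
    """Stands in for an HTTP server that honours 'Range: bytes=start-end'
    and returns a version tag with every response."""

    def __init__(self, data, etag):
        self.data, self.etag = data, etag

    def get_range(self, start, end):
        # (status, etag, body); 416 when the requested range lies past the end.
        if start >= len(self.data):
            return 416, self.etag, b""
        end = min(end, len(self.data) - 1)
        return 206, self.etag, self.data[start:end + 1]


class ResumableJob:
    """Fetches a file in fixed-size chunks. The bytes received so far and the
    server's version tag are the only state needed to resume later."""

    def __init__(self, server, chunk=1024):
        self.server, self.chunk = server, chunk
        self.buf = bytearray()
        self.etag = None

    def run(self, max_chunks=None):
        """Return True when the whole file has been received, False if the
        job was interrupted (max_chunks simulates a dropped connection)."""
        done = 0
        while True:
            if max_chunks is not None and done >= max_chunks:
                return False                      # interrupted; state kept
            start = len(self.buf)                 # resume from last byte received
            status, etag, body = self.server.get_range(start, start + self.chunk - 1)
            if self.etag is None:
                self.etag = etag
            elif etag != self.etag:
                # The file changed on the server between sessions; partially
                # downloaded bytes of the old file are useless, start over.
                self.buf, self.etag = bytearray(), etag
                continue
            if status == 416 or not body:
                return True
            self.buf += body
            done += 1

    def verify(self, expected_sha256):
        """Never install a resumed download without checking its integrity."""
        return hashlib.sha256(self.buf).hexdigest() == expected_sha256


def demo():
    """Disconnect after 3 KB, reconnect, finish, verify."""
    job = ResumableJob(FakeServer(PAYLOAD, PAYLOAD_ETAG))
    first = job.run(max_chunks=3)
    received_before_resume = len(job.buf)
    second = job.run()
    return first, received_before_resume, second, job.verify(EXPECTED_SHA256)


def demo_changed_file():
    """The publisher replaces the file mid-download: the job must restart."""
    server = FakeServer(PAYLOAD, PAYLOAD_ETAG)
    job = ResumableJob(server)
    job.run(max_chunks=3)
    new_payload = PAYLOAD[::-1]
    server.data, server.etag = new_payload, "etag-v2"
    job.run()
    return len(job.buf), job.verify(hashlib.sha256(new_payload).hexdigest())


if __name__ == "__main__":
    print(demo())
    print(demo_changed_file())
```

The two checks at the end are the ones a practitioner should insist on: a resumed transfer must be tied to a specific version of the file, and the assembled file must be verified against a digest or signature obtained independently of the download before it is installed.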

Poole also confirmed that customers will be able to order Windows XP SP2 on CD from the Microsoft Web site or pick up a copy from a variety of retail locations. Poole did not indicate whether there would be a cost for the service pack on CD, but in the past Microsoft has made such updates available for the cost of manufacturing and distributing the CD, typically less than US$10. Finally, Microsoft indicated that it has worked with OEMs and system integrators to ensure that Windows XP SP2 will be preloaded on new computers shortly after Microsoft releases it.

Network Access Protection

At the July 2004 partner conference, Mike Nash, corporate vice president for the Security Business and Technology Unit (SBTU), provided some additional direction on Microsoft’s NAP technologies, first introduced by CEO Steve Ballmer as Client Inspection, or "shielding," at the previous Worldwide Partner Conference in Oct. 2003. NAP will inspect all computers connecting to an organization’s network, including wired, wireless, and virtual private network (VPN) connections. A limited form of such client inspection for VPN connections is available today in a resource kit for Windows Server 2003, and it is the basis of the "quarantine" system Microsoft uses on its own corporate network.

When a computer connects to an organization’s network, NAP inspects the computer to ensure it complies with the organization’s security policies, such as the need for the latest security updates, an antivirus program with up-to-date signature files, and a software firewall. Failure to comply with the policy results in the computer either being denied a connection or being isolated to a subnet where it can be brought into compliance (for example, by installing the necessary patches). Computers that meet the policy requirements are connected to the network.

Customers looking for such a solution today can begin by implementing the limited version of NAP in Windows Server 2003. Microsoft will release a NAP API with Windows Server 2003 SP1 so that industry partners, such as antivirus software, patch management, and systems management vendors, can ensure that their products will work with NAP technologies. The full NAP will be a feature of Windows Server 2003 Release 2 (R2), which is due in the second half of 2005.
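The decision logic described in the two preceding paragraphs, as an added example that is not Microsoft's code and does not reflect the NAP API or the Windows Server 2003 quarantine tools: a connecting client presents a statement of its health, a policy engine compares it with the organization's requirements and answers "allow", "quarantine" (with the remediation steps the isolated subnet must offer) or "deny". The update names, policy values and sample clients are constructed; treating a client that presents no statement at all as one to deny is an assumed policy choice. One caveat the example makes explicit: the health statement is self-reported by the client, so the inspection only keeps honest, misconfigured machines off the network, not a deliberately hostile one.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HealthStatement:
    """What a connecting client reports about itself (constructed sample data).
    Everything here is self-attested by the client; nothing proves the claims."""
    host: str
    installed_updates: frozenset
    av_signature_age_days: int
    firewall_enabled: bool


@dataclass(frozen=True)
class AccessPolicy:
    required_updates: frozenset
    max_signature_age_days: int
    require_firewall: bool


def evaluate(stmt: Optional[HealthStatement], policy: AccessPolicy):
    """Return (decision, remediation). decision is 'allow', 'quarantine' or
    'deny'; remediation lists what the quarantine subnet has to fix.
    A client with no statement (assumed: no inspection agent) is denied."""
    if stmt is None:
        return "deny", ["no health statement presented"]
    remediation = []
    missing = sorted(policy.required_updates - stmt.installed_updates)
    if missing:
        remediation.append("install updates: " + ", ".join(missing))
    if stmt.av_signature_age_days > policy.max_signature_age_days:
        remediation.append(
            f"update antivirus signatures ({stmt.av_signature_age_days} days old, "
            f"limit {policy.max_signature_age_days})")
    if policy.require_firewall and not stmt.firewall_enabled:
        remediation.append("enable the host firewall")
    if remediation:
        return "quarantine", remediation
    return "allow", []


# Constructed policy; update names are placeholders, not real update IDs.
POLICY = AccessPolicy(
    required_updates=frozenset({"update-A", "update-B"}),
    max_signature_age_days=3,
    require_firewall=True,
)

# Constructed sample clients: one compliant, one stale, one without an agent.
CLIENTS = {
    "compliant": HealthStatement("ws-01", frozenset({"update-A", "update-B", "update-C"}), 1, True),
    "stale": HealthStatement("ws-02", frozenset({"update-A"}), 9, False),
    "no-agent": None,
}


def decide_all(policy=POLICY, clients=CLIENTS):
    """Evaluate every connecting client against the policy."""
    return {name: evaluate(stmt, policy) for name, stmt in clients.items()}


if __name__ == "__main__":
    for name, (decision, steps) in decide_all().items():
        print(f"{name}: {decision} {steps}")
```

The remediation list is returned rather than merely logged because, in the scheme the article describes, it is the input to the isolated subnet: the machine has to be handed exactly the patches and settings it lacks before it is re-evaluated.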

Key Promises Still Pending

Senior Microsoft executives, including Chief Software Architect Bill Gates and Ballmer, have made major promises over the last year to back their position that Microsoft is seriously committed to improving the security of its products and services. Many customers had assumed that several of these promises would be fulfilled simultaneously with the release of Windows XP SP2, such as the following:

  • Standardizing on two patching technologies—one for system software and one for applications
  • Making patches smaller, detectable by patch management and detection tools, and removable in the event of problems
  • Reducing or eliminating the need to restart a computer after patching
  • Centralizing various patch sites into a unified Microsoft Update site
  • Improving and unifying the tools that detect the need for and presence of patches and determine whether they're installed correctly
  • Improving Software Update Services, since renamed Windows Update Services (WUS 2.0), a free Windows Server feature pack that facilitates the distribution of patches within an organization

(For a summary, see the chart "Security Promises and Their Status".)

It fell to Nash to deliver the bad news that while some improvements are being made to reduce the number and size of patches, most of these security-related promises will remain unfulfilled until the release of WUS 2.0 sometime in 2005.

Nash tried to put the delay in the best light, indicating that the primary causes were changes related to customer feedback from a limited beta of WUS 2.0 in early 2004 and the challenges related to unifying the different clients used by Windows and Systems Management Server (SMS) to detect the presence of vulnerabilities and patches that correct the vulnerabilities.

(At the same time, the focus on Windows XP SP2 is delaying other Windows deliverables. In late July, Microsoft announced that it now anticipates the first service pack for Windows Server 2003 and Windows Server 2003 for 64-Bit Extended Systems will ship in the first half of 2005, whereas the company had previously estimated that both would be released by the end of 2004. The delay of these products could mean that the release of "Longhorn," the next version of the Windows client, and Windows Server 2003 R2, the next version of Windows Server, will also be pushed out.)

Unanswered Question

Despite clarification on several pieces of the Trustworthy Computing initiative, a key question remains unanswered. Will users of other Windows versions, and particularly Windows 2000, receive the fully tested patches required to make their OS secure?

Although Microsoft has said in the past that customers should not have to buy new or additional software to get secure, Windows 2000 customers, whose software is still in Mainstream support, may nevertheless be required to upgrade to Windows XP in order to get the most secure version of Windows. The company has indicated that some improvements in XP SP2 will be moved forward for incorporation into Windows Server 2003 SP1, and Microsoft released a series of IE patches to protect against exploits like Download.Ject on older versions of Windows. But Microsoft has not said whether the full complement of security patches, such as tightening of remote procedure calls (RPC) and DCOM security in XP SP2, will ever be available as part of a fully tested service pack for Windows 2000. Nor has Microsoft said whether the full array of security-related changes to IE in Windows XP SP2, such as built-in pop-up blocking, will be available for Windows 2000 or other platforms. Instead, customers may have to continue to rely upon separate, case-by-case patches and updates to IE.

Availability and Resources

For background on the changes to IE in XP SP 2 and Download.Ject, see "No Stand-Alone Updates on IE Roadmap" on page 3 of the Aug. 2004 Update.

Changes in Windows XP SP2 are outlined in the articles "XP Service Pack Needs Significant Testing" on page 3 of the May 2004 Update, "XP Service Pack Highlights Security Dilemma" on page 3 of the Jan. 2004 Update, and "No Stand-Alone Updates on IE Roadmap" on page 3 of the Aug. 2004 Update.

Microsoft’s Windows XP SP2 resources for IT professionals are at www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx.

Security promises made by Microsoft executives are reviewed in the articles "Ballmer Addresses Security" on page 25 of the Dec. 2003 Update and "Gates Outlines Future Security Efforts" on page 18 of the Apr. 2004 Update.

Microsoft’s technology center for Network Access Protection in Windows Server 2003 is at www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx.

A description of the current level of Network Access Protection in Windows Server 2003 is available in "Supporting Remote Users with Windows Server 2003" on page 3 of the Mar. 2003 Update.

Information on using the quarantine feature that is part of the current Windows Server 2003 Resource Kit is detailed at www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dnsbf_vpn_aosh.asp.