A look at new security measures from Microsoft

Last week, Microsoft unveiled a bold new initiative to help protect its beleaguered corporate Windows customers and IIS Web server families from future malicious code attacks. Even the Microsoft press release offers this frank admission: "It's become incredibly clear that viruses and worms directed against our customers' systems are on the increase." Well, better late than never. The new Strategic Technology Protection Program (STPP) is designed to help enterprise customers keep their Internet businesses secure (and keep Microsoft as their software provider).

The announced program will be released in two phases. The first phase, Get Secure, includes online tools to check your system and install the necessary patches. The second phase, Stay Secure, will include a commitment from Microsoft to ship the next version of IIS in lockdown mode with a tool to help users customize the product to their specific needs. Microsoft will also provide comprehensive security roll-up packages via Windows Update, and these are rumored to be available bi-monthly starting in February 2002.

THE GET SECURE PHASE, available now, is quite an ambitious first step. There's a telephone number, 1-866-727-2338 (listed on the Web site as 1-866-PCSAFETY) for free answers to virus-related problems. When I tried the number, I sat on hold for several minutes before being disconnected. Subsequent redials proved no better. Presumably, had this been a real virus emergency, I would have been able to speak to someone at Microsoft without going through their usual technical support fee-based access hassles.

In addition to the announced free phone support, Microsoft's Security Tool Kit has been revamped. Various online tools (which require Internet Explorer) are now available for scanning your system and downloading updates to your software. The updates are also available as a free CD, which is ideal for small and medium-sized companies that need to patch several desktop systems.

For Windows NT workstations and 2000 Professional desktop users, there's Microsoft Personal Security Advisor (MPSA). This online tool analyzes your system and informs you whether the passwords you are using are safe, or if the latest patches have been installed on your machine. BugNet recently reviewed this tool in greater detail.

For Windows NT and 2000 Web server users, HFNetChk is a command-line tool that compares the patch status of all the machines in a network with an XML database updated by Microsoft. HFNetChk will scan for patches available for Internet Information Server 4.0 and 5.0, SQL Server 7.0 and 2000 (including Microsoft Data Engine), and Internet Explorer 5.01 and later.

Other tools available include the IIS 4.0/5.0 lockdown tool, designed to configure Internet Information Servers 4.0 and 5.0 against Web server attacks such as Code Red and Nimda, and the URLScan Security Tool, which helps ensure that IIS servers only respond to valid requests based on rules set by the administrator.

BUT WAIT, THERE'S MORE. Poking around the TechNet Web site, there's a guide for configuring enterprise security policies. There's also Qchain, a tool that allows users of Windows XP, 2000, and NT to chain fixes together for one reboot.

All this attention to fixing the problems that currently exist is commendable. But what I'm waiting for is Microsoft's announced phase two commitment to securing their own programs. The Secure Windows Initiative (SWI), announced at the April 2001 RSA conference, includes aggressive steps to eliminate buffer overruns in the next version of IIS, as well as to improve Microsoft's own development processes. When that happens, then I'll really start to sing Microsoft's praises.