Last week, Microsoft unveiled a bold new initiative to help protect
its beleaguered corporate Windows customers and IIS Web server
families from future malicious code attacks. Even the Microsoft
press release offers this frank admission: "It's become incredibly
clear that viruses and worms directed against our customers' systems
are on the increase." Well, better late than never. The new Strategic
Technology Protection Program (STPP) is designed to help enterprise
customers keep their Internet businesses secure (and keep Microsoft
as their software provider).
The announced program will be released in two phases. The
first phase, Get Secure, includes online tools to check your
system and install the necessary patches. The second phase,
Stay Secure, will include a commitment from Microsoft to ship
the next version of IIS in lockdown mode with a tool to help
users customize the product to their specific needs. Microsoft
will also provide comprehensive security roll-up packages via
Windows Update, and these are rumored to be available bi-monthly
starting in February 2002.
THE GET SECURE PHASE, available now, is quite an ambitious
first step. There's a telephone number, 1-866-727-2338 (listed
on the Web site as 1-866-PCSAFETY) for free answers to virus-related
problems. When I tried the number, I sat on hold for several
minutes before being disconnected. Subsequent redials proved
no better. Presumably, had this been a real virus emergency,
I would have been able to speak to someone at Microsoft without
going through their usual technical support fee-based access.
In addition to the announced free phone support, Microsoft's
Security Toolkit has been revamped. Various online tools (which
require Internet Explorer) are now available for scanning and
downloading updates to your software. The updates are also available
as a free CD, which is ideal for small and medium-sized companies
that need to patch several desktop systems.
For Windows NT workstations and 2000 Professional desktop
users, there's Microsoft Personal Security Advisor (MPSA). This
online tool analyzes your system and informs you whether the
passwords you are using are safe, or if the latest patches have
been installed on your machine. BugNet recently reviewed this
tool in greater detail.
For Windows NT and 2000 Web server users, HFNetChk is a command
line tool that compares the patch status of all the machines
in a network with an XML database updated by Microsoft. HFNetChk
will scan for patches available for Internet Information Server
4.0 and 5.0, SQL Server 7.0 and 2000 (including Microsoft Data
Engine), and Internet Explorer 5.01 and later.
Other tools available include the IIS 4.0/5.0 lockdown tool,
designed to configure Internet Information Servers 4.0 and 5.0
against Web server attacks such as Code Red and Nimda, and the
URLScan Security Tool which helps ensure that IIS servers only
respond to valid requests based on rules set by the administrator.
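As an added illustration, not taken from the article or from Microsoft's shipped defaults, here is a minimal UrlScan.ini showing the kind of administrator-set rules the tool enforces: an allow list of HTTP verbs, denied extensions and URL sequences, and normalization checks aimed at the encoded-traversal requests that Code Red and Nimda relied on. Section and key names follow the UrlScan.ini format; the specific values are assumptions chosen for a static-content server.

```ini
; Example UrlScan.ini (constructed for illustration; tune to your own server)
[Options]
; Only verbs listed under [AllowVerbs] are accepted
UseAllowVerbs=1
; Use the [DenyExtensions] block list rather than an extension allow list
UseAllowExtensions=0
; Canonicalize the URL before the rules below are applied
NormalizeUrlBeforeScan=1
; Reject a request whose URL changes when normalized a second time (double encoding)
VerifyNormalization=1
; Reject non-ASCII bytes in the URL
AllowHighBitCharacters=0
; Reject dots inside directory segments, which blocks "..\" style traversal
AllowDotInPath=0
; Do not advertise the IIS version in responses
RemoveServerHeader=1
; Log every rejected request so the rules can be reviewed
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyExtensions]
; Executables and the ISAPI mappings abused by Code Red (.ida/.idq) and the IPP bug (.printer)
.exe
.bat
.cmd
.com
.ida
.idq
.printer

[DenyUrlSequences]
; Traversal, backslashes, alternate streams, leftover escapes and chained CGI requests
..
./
\
:
%
&
```

Rejected requests show up in the UrlScan log, which is the first place to look when a legitimate application breaks after the tool is installed.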
BUT WAIT, THERE'S MORE. Poking around the TechNet Web
site, there's a guide for configuring enterprise security policies.
There's also Qchain, a tool that allows users of Windows XP,
2000, and NT to chain fixes together for one reboot.
All this attention to fixing the problems that currently exist
is commendable. But what I'm waiting for is Microsoft's announced
phase two commitment to securing their own programs. The Secure
Windows Initiative (SWI), announced at the April 2001 RSA conference,
includes aggressive steps to eliminate buffer overruns in the
next version of IIS, as well as to improve Microsoft's own development
processes. When that happens, then I'll really start to sing