Microsoft is undergoing a major cultural shift in the way it deals with security, but it has come much later than it should have, said company executives at its TechEd conference in Brisbane.
"Would I have preferred to see it happen earlier? Yes I would have," said Steve Riley, senior consultant at Microsoft Consulting Services' EC3 security practice division.
"For a long time, what was important to customers was features and performance -- because our products were deployed mainly in trusted environments, where security and resiliency from attack just wasn't an issue," said Riley.
He believes that as customers started to use its products in ways it hadn't envisioned, security became more of an issue.
This may have been true in 1995, but Microsoft has been pitching a vision of Internet-connected applications at least since the late 90s. Yet the focus on security has come about much more recently. The outbreaks of the Code Red and Nimda worms last year were a wake-up call for the company.
"Around the start of this year, I actually shut down the Windows division for two months, so we could go and code review every single line of code in Windows XP, Windows .Net Server, and also a lot of the code that exists in Windows 2000, looking for security vulnerabilities," said Brian Valentine, senior vice president of the Windows division, in a videotaped address to the conference.
"In the past Microsoft would ship a product that was kind of open," said Valentine. "We had the least secure configuration when you installed it by default out of the box."
The results of this code review are to be incorporated into the upcoming versions of Microsoft's server operating system -- Windows .Net Server -- due in the first half of next year. The security review will also be retroactively applied in service packs to Windows XP and Windows 2000.
The company is now trying to engineer all its products for security from the ground up, even at the expense of performance or ease of deployment, said Valentine.
"We've changed our engineering process so that each milestone in the product delivery cycle has security milestones built in," he said.
"Now when you install a product from Microsoft like .Net Server, it will be locked down in high secure mode from the day you install it."
Services such as the IIS Web server will be shut down by default, and systems administrators will have to enable them. "It is going to be harder for systems administrators, and these are the only people who are complaining about our approach," said Riley.

The company's new approach is more than just posturing, according to Kevin McIsaac, programme director of server infrastructure strategies at industry analyst META Group.
"It's more a natural maturing of the operating system, although it may have come five or six years too late. It's late for anything that would like to be considered a serious enterprise operating system," said McIsaac.
"Brian Valentine now is sounding like senior Unix guys in 1989 to 1990," he argued. "Around the time of the Morris Worm, Unix got hammered about security by the mainframe vendors; Unix was too permissive and needed to be locked down. The same thing is happening now with Windows."
Taking the lead
While admitting it has fallen behind, Microsoft believes it is in a position to alter the security landscape. "Microsoft has the most operating system installations out there, so it's incumbent on Microsoft to do an orders of magnitude better job than anybody else in the industry," said Valentine. "Microsoft has to lead the industry, working with partners, standards groups, even competitors. Security shouldn't be a competitive environment; we need to make sure everything we learn... we share with partners and industry."

But the question remains, can Microsoft lead the industry? "Can anyone else?", Riley retorted. "Who else in the industry is positioned to do something like this? Our financial position gives us the opportunity."

"We're going to have to do a whole lot to work against some negative perceptions that have developed over time, but we'll get there."

META Group's McIsaac is more sceptical. "Microsoft has a reputation for not getting it right the first two or three times. They will get it right, but it's a question of how quickly, and how much pain the industry will need to go through."