Some of Microsoft's largest partners said they are sensing a real shift in the company's attitude about security,...
and they believe the company is starting to back its words with some action.
"You can feel it within the organization, even in Europe," said Dieter Genscheimer, product marketing and business development manager at Companex Information Systems, a Mannheim, Germany integrator.
Genscheimer said recent attacks had shaken his customers, many of whom are IT executives who operate some of the world's largest enterprise networks. "Everyone learned that Microsoft, as well as its customers, would have to change security practices," Genscheimer said.
Alex Oliveri, vice president at Bravepoint Inc., in Atlanta, said he sees evidence of Microsoft's renewed commitment to product quality. "They are certainly a big target, so all the hackers will try to hit them," Oliveri said. "But the management and analysis tools have really moved forward."
Microsoft's Mike Nash, corporate vice president of the security business unit, gave some of the Microsoft resellers attending Fusion 2002 in Los Angeles last weekend an outline of how its "Trustworthy Computing" initiative has changed its security practices.
Microsoft changed its tune toward software security after two debilitating viruses -- Code Red and Nimda -- pelted its Windows platforms last year.
In January, Bill Gates issued a memo urging all Microsoft employees to place a greater emphasis on security across all software platforms.
Nash described how the software maker halted work within its Windows division last December so employees could study Windows code. The review, which took about 10 weeks, included placing all Microsoft developers in training classes to learn how to write secure code.
The developers addressed every aspect of the Windows operating system, Nash said, creating a "scorecard" for each platform. They took threat models and ran them against code. They then made changes available by service packs.
As Microsoft has said, in future versions of Windows starting with .NET, all services will be turned off by default, and no sample code will be installed by default.
To improve security in the deployment phase, Microsoft has so far responded by introducing its Microsoft Base Security Analyzer, which brings in a small XML database to compare data.
The company also set up a security response center to help communicate to its customers some of the most important issues regarding security, such as the necessity of having a patch management system and how to assess the vulnerability of all systems.
At the time Code Red hit, the latest security patch was about six weeks old, Nash said. Gerscheimer and other integrators said they found out that many customers had not installed their patches by the time the Nimda virus hit soon thereafter.
Customers must become more vigilant about what data is being accessed, particularly as enterprises have more distributed data, more mobile users, and as more non-employees have access to the corporate network.
In terms of creating a proper defense, IT managers need to clear for viruses, close ports and block IP addresses in response to new threats. They also must disable compromised user accounts. Nash said trends to watch for are repeated logon attempts, port scanning and polymorphic viruses.
Nash explained that many of the new viruses exploit the network at the applications layer, not at the firewall. To protect the network, customers need to have an application gateway, such as the Internet Security and Acceleration Server (ISA). Application servers can filter for viruses at the application layer to enable a deeper inspection of content.
"A virus might still tunnel through the firewall, but with the application gateway the payload is decrypted and inspected," Nash said. "It's either passed along or not."