Even though the increased volume of patches means more work for the average Windows administrator, many admins said they believe Microsoft's initial efforts toward building more secure software are a success.
It's been one year since Bill Gates issued a memo to Microsoft employees that signaled a shift in the company's emphasis -- a shift from building fancy features to fortifying its software. In the early months after Microsoft launched its Trustworthy Computing initiative, customers reacted with skepticism because Microsoft had such a big job to tackle.
But some customers have slowly warmed to the idea that Microsoft is really working hard to plug the holes in its software, even if it makes a Windows admin's job harder in the short term. "They are moving forward, which is good, but we are trying to keep up with how quickly they are moving," said Jim Acevedo, a network manager at IdaCorp Energy, Boise, Idaho.
Acevedo and other customers are grappling with the sheer number of patches that have poured out of Microsoft during the past year as Windows developers cleaned up the software's code. Keeping up has been tough, but for many it's better than leaving the systems vulnerable, particularly where servers are directly exposed to the Internet.
"We've stayed on top of our updates," said Paul Edwards, a Windows administrator at Cendant Corp., a global financial services, real estate and hospitality company. "It's more of a challenge, but we haven't been hit."
For some customers, the difficulty in dealing with the multiple patches is compounded by the fact that they have not yet migrated to Windows 2000. Many of the products that help distribute patches -- from Microsoft and other vendors -- are only really useful on Windows 2000 and beyond. Abbott Laboratories in Chicago has held off on its migration because of the cost, but it should be fully upgraded to Windows 2000 by June, said Corey Hopple, a network administrator.
"Getting the security patches is one thing, staying on top of them is another," Hopple said. "We've got hundreds of clients out there. [Microsoft] has [Software Update Services], but unless you are using Windows 2000, you need to do registry hacks to each server. The move to Active Directory alone will help us apply security patches."
One security analyst said that the biggest accomplishment of Gates' memo was to change the emphasis of Microsoft's product management culture to one where security becomes more important than whiz-bang features.
It's no small feat since the company once gave the highest rewards to product managers, said John Pescatore, an analyst at Gartner, Stamford, Conn. No one was rewarded for writing the most secure code.
But the fact that .NET Server 2003 was pushed back, and features will be locked down out of the box, is a big change for the company, where software is touted for its ease of use. In the future, it will be harder to get a Web server running.
When Microsoft made the switch last year, it also had its developers stop writing code and start looking to add security fixes -- another unusual move. "It's as if you are putting the trim on your house, and you suddenly tell everyone to stop what they are doing and start working on the foundation," Pescatore said.
Of course, any proof of success must wait until the newest versions of Microsoft software ship this year. The next version of Windows, .NET Server 2003 (or Windows Server 2003 as it may be called) and the next version of SQL Server, code-named Yukon, will incorporate efforts from the Trustworthy Computing initiative. Though most customers are a long way from installing those major platforms, they will be the proving grounds where admins most clearly will be able to evaluate the initiative's success.
For the many long-suffering IT managers, Microsoft's effort is most welcome, though long overdue. "They should have given us better software in the first place," Acevedo said. "[Microsoft] has given us way too many neat looking things rather than secure and functional [products]."