With the release of Windows Server 2003 just over a year ago, Microsoft has made strides in terms of improving security. But customers remain ambivalent about the success of the software vendor's Trustworthy Computing initiative.
About half of the customers responding to the survey described the overall security of Windows Server 2003 as "better than average" or "excels." While about 34% of respondents said they didn't
The ratings of other Microsoft products were largely unchanged from a year ago.
For some users, the fact that Microsoft is considering security from a product's inception goes a long way toward improving the software maker's reputation with customers. Two years ago, Microsoft told customers it had halted production of its software to clean up the Windows code before proceeding with its next major release.
Turn on what you need, leave the rest off
Windows Server 2003 shipped with many, if not most, of its features turned off, so customers could activate only the features suited to the needs of their enterprise.
For many customers, this concept was excellent for security purposes, even though it may have hampered some of the product's usability and functions. For some administrators, it may take more work than before to get servers configured, said Josh MacNeil, assistant director of technology services at the Whitman-Hanson Regional School District in Whitman, Mass.
As to Trustworthy Computing, Microsoft is currently in the middle of a multi-city Security Summit road show to evangelize its security efforts and share prescriptive guidance with customers. How much is that worth? It depends.
"It's a good start to get them on the road to protecting their customer," MacNeil said.
Security is everyone's job
MacNeil said he gives Microsoft an A+ for its effort and challenged other IT users to look at the job they are doing shoring up security on their end. "If [Microsoft] is wanting, then go ask, but if you are wanting, then go do," he said.
Other IT experts agreed.
"They are raising the profile of security, and at least implying there is a corporate commitment is good," Kent Smith, president of IPSO Inc., a Wayland, Mass., consulting firm. Smith is also the new chairman of the Boston Area Windows Server User Group.
Security expert and author Roberta Bragg said she sees huge improvements overall at Microsoft, both in the company's attitude and in its products. Bragg said some customers seem to be locked in an old mentality, claiming that Microsoft has to secure the network "as if there were no facilities out there, no recommendations, best practices or documentation."
On the other hand, she said, more customers are taking the time to read the documentation and take the initiative to shore up their enterprises.
Meeting the demands of customers
Regarding Windows Server 2003, Bragg said, "It seems to me that Microsoft listened to what customers said about Windows 2000, Active Directory and PKI, and, in many cases, worked hard to provide the answers.
"In Windows 2003 we had better use of the PKI infrastructure," said Bragg, a Microsoft MVP and information systems security consultant. "If you use Microsoft's implementation of PKI, you have more control, you have key archival, the ability to take custom templates and change them around, the ability to obtain certifications at the user level automatically so the implementation of smart cards is user friendly."
There is a tremendous amount of documentation on Microsoft's site that explains how to take a domain and lock it down further, she said.
"It's time to be accountable," Bragg said. "We are making Microsoft accountable. Are they perfect? No. But we are accountable too. It's time to turn this focus around."