BOSTON -- Of the 200 IT administrators attending a whistle-stop tour featuring Microsoft's top security executives last week, many said they think the software giant is making a good effort but believe it will be a long time before "Microsoft software" is synonymous with "secure software."
Customers said that in spite of the enormous investment that Microsoft is making in its "Trustworthy Computing" initiative, they still wonder whether Microsoft can create software that, once installed, doesn't crash something else in the enterprise. They were also skeptical about some of the facts and figures the company is citing in order to prove its software is as secure as -- or more secure than -- other platforms.
Company executives at the Boston stop included Mike Nash, corporate vice president of Microsoft's security business unit; Allen Jones, a security strategy manager; and several others. The executives laid out the company's progress to date in terms of how it is addressing vulnerabilities in its software. They also detailed the announced changes to the next versions of Microsoft software.
Nash and Jones also outlined the various free security tools made available during the past year, including the Microsoft Baseline Security Analyzer, Software Update Services (SUS) and others. They said that the company has spent more than $100 million on security initiatives so far.
Other big changes going forward include the lockdown of about 20 services in the upcoming .NET Server platform and the release of IIS 6.0 as a disabled service.
But analysts and users were suspicious of Microsoft's calculations in regard to the number of vulnerabilities per platform this year. Nash said that Microsoft tallied 38 vulnerabilities, while there were 57 for Sun Microsystems and 73 for Red Hat Linux.
"I'd like to know how they are counting," said one systems manager, who declined to be identified.
Many agreed that Microsoft has finally become proactive and is now taking security to heart, although they were keenly aware of the marketing spin that, in their view, provides something of a revisionist history.
"Their message is, 'we want you to believe we've always been thinking of security, when we've really been thinking about marketing and the next product cycles,'" said Don Orifice, a security expert, former CTO of a cable network company and current executive director of the North Shore Computer Society, which is based in Peabody, Mass.
"Microsoft has a long way to go to convince everyone that it is serious," he said.
Several IT administrators believe Microsoft understands the job that must be done to make a platform secure, but they are not sure that the company can actually deliver on all of its promises.
One systems administrator at a midsized biotechnology company in Beverly, Mass., said that for security reasons, he prefers keeping enterprise systems on more than one platform. The company does all of its research and development on an Apple Macintosh platform and on Unix, but there is also a large population of Windows 2000 desktops and servers.
"We have survived many a virus attack because of our segregation," said the administrator, who declined to be identified.
The company's enterprise resource planning (ERP) application is on Windows 2000, he said, and that's the driving force behind the need to learn how to secure Windows.
"They are spending the money, and I've seen some positive outcome on Windows 2000 and Windows 2000 Pro, but I'm not completely convinced," he said. "I've seen it too many times where you deploy a patch or an update which solves one problem but breaks something else."
Administrators reacted to Microsoft's assertion that patches able to thwart both the Nimda and Code Red viruses were available four to six weeks prior to the viruses striking. Nash said that customers could have applied the patches -- and therefore could have been protected -- from an attack.
But customers said that Microsoft's history of releasing patches that break something else in the enterprise causes them to shy away from rushing to apply patches when they are first issued. "Microsoft hasn't shown that you can deploy their patches quickly," said a network manager at a Nashua, N.H., construction company.
The network manager had just installed a trial version of SUS but hasn't decided how he will install the server next year because the size of the installation practically requires a separate computer -- and therefore a separate software license, which is difficult for his small company to afford.
The cost is complicated by the fact that Microsoft is pushing its customers to change its systems at what he calls an unreasonable rate.
Donald Kalloway, a Boston consultant, said that Microsoft still needs to do a better job making all of its software and services easier for the average user to understand.
Dig Deeper on Windows Server troubleshooting
A corporate vice president at Microsoft, Fathi is replacing Mike Nash, Microsoft's high-profile security guru who left on sabbatical. Although storage, file protocols and high-availability clustering had been Fathi's focal points when he was a general manager of the Windows Server division, he said he is relishing this new challenge. Fathi was at TechEd in Boston last week talking with SearchWinIT.com about how he will put his imprint on Microsoft security.