As director of product management in the Security
Business and Technology Unit at Microsoft, Amy Carroll is
responsible for making sure that new enhancements to Windows and
new versions of Windows are very secure. Carroll answered questions
about the company's approach to security and commitment to
improving the overall security of its operating
system.
How does the current atmosphere of duelling worm
creators affect the problems that you are dealing
with?
Carroll: There are two big challenges. One is the
environmental challenge, where there is a great deal of emphasis on
duelling virus creators. Currently those viruses are not
necessarily exploiting a vulnerability in Windows or other software
code, but are requiring users to double-click on malicious
attachments.
So the environmental challenge is often one of user education
and awareness so customers don't get fooled by these social
engineering viruses. While an IT administrator may be able to lock
down the LAN environment that is hardwired, it becomes more
difficult with increasingly mobile users and work-from-home users
and remote users. The wide-scale availability of broadband
connections poses increasing challenges for how you keep those
users secure. And then the second challenge is how we respect
legacy systems while building more and more secure products as we
go along.
What kind of security enhancements do you have planned
for Windows XP Service Pack 2?
Carroll: We're focused on making computers more
resilient in the presence of worms and viruses, with Service Pack 2
focused on vectors or modes of attack rather than individual
vulnerabilities. We are looking to address the threat from
port-based attacks, malicious e-mail attachments, malicious web
contents, and buffer overrun.
Specific enhancements we're doing to address those areas are,
for network protection, Windows Firewall, which was previously
called Internet Connection Firewall, will be enhanced to help stop
network-based attacks by closing unnecessary ports by default.
In addition, Windows Firewall is now centrally manageable either
by group policy or by scripts in those environments that are not
based on Active Directory. We're going to have a proof protection
to block the transfer of executable files, e-mail, and instant
messenger, so we can protect against those e-mail-borne attacks.
We'll have better and more granular internet zone settings by
default to prevent harmful web downloads so that there can be safer
browsing. And we're also going to do a lot of work for protection
against buffer overrun, both in the ways that we compile the code
and with the new no-execute zone, execution protection zone that
will enable hardware-enforced execution protection on those
microprocessors that contain the feature.
Are you going to provide additional interfaces for other
companies that make security software?
Carroll: The new security centre in Windows XP SP2 is a
streamlined UI or control panel for users to be able to more easily
check to see the status of the security features on their PCs,
including the status of third-party products like anti-virus
protection or firewalls.
How about changes and improvements for the
enterprise?
Carroll: All of the security enhancements in Windows XP
SP2 will now be centrally manageable within the enterprise either
by group policy or via script so that IT administrators will have
better or granular control over the security features across their
broad base of users.
Will the management tools be included with
Windows?
Carroll: The management will be rolled into Active
Directory environments; it's part of the group policy and the same
interface that would be used for other group policy aspects.
What about companies that are not using Active
Directory?
Carroll: Then we're looking at scripts, and those will not
be part of Windows XP SP2 in the initial release, although we'll
certainly be working with customers to help develop those.
How important, in terms of security, is the unauthorised
release of some of the older Windows code?
Carroll: That's a very interesting question. We are
working with law enforcement and with partners on the
investigation, but we are in the midst of the investigation so I
can't really comment.
The code that was released is pretty old. Is it even
relevant to the current versions of Windows?
Carroll: We continue to recommend that customers stay
up to date with the latest security updates and service packs.
There has been some discussion about (this), in the aftermath of an
alleged vulnerability discovered in portions of IE that were
leaked.
But that was a known vulnerability that we were already aware of
[and that was fixed] in Internet Explorer Version 6.0 SP1. So
again, we continue to advise our customers that the latest versions
of our software are the most secure and that they should stay up to date
with the security updates.
Customers who are running older systems who can't or don't wish
to upgrade, we recommend that they employ other [mitigation]
technologies including anti-virus, firewall, and that they are
running the latest version of Internet Explorer.
Part of what you're working on is Microsoft's
Trustworthy Computing Initiative. Have you got measurable
results?
Carroll: We feel that we have made good progress. If we
look at things like the number of vulnerabilities in Windows Server
2003, 292 days after release we had nine bulletins rated critical
or important for Windows Server 2003 vs. 38 for Windows 2000
Server. We think nine is still too many, but we think that's good
progress.
Aside from whether the code is secure, what is the
biggest security headache you have to deal with?
Carroll: The challenge is really how we respect those
legacy systems as we build more and more products as we go along. I
think we've seen good progress in addressing those changes, but
there is a large installed base of existing customers that we need
to be very sensitive to.
How about customers that refuse to patch and refuse to
upgrade?
Carroll: We would prefer that customers stay up to date
with service packs and security bulletins. That said, we've also
made a number of improvements to the patching process and we're
continuing to work to improve to make that easier, so reducing the
number of patch installers, moving to monthly patch releases so
it's more predictable and more manageable, making the patches
themselves smaller and of higher quality, and other efforts that we
are taking to reduce downtime and increase manageability to make
that process easier for everyone involved.
If you could have any one thing in terms of security
involving Windows, what would that one thing be?
Carroll: A consistent, comprehensive security framework
that enables a smooth integration of security, both on products we
sell and for third parties, so that you could have multiple
security policies depending on the environment or the role, and
that it's easy to administer and easy to implement. I think that's
really the Holy Grail.
Wayne Rash writes for InfoWorld