Microsoft 'on right track' in securing its software, says Gates

Microsoft is "on the right track" in securing its software, said chairman and chief software architect Bill Gates at the RSA Conference in San Francisco.

Microsoft's presentation also included details on a Windows XP update and the company's spam-fighting efforts.

The company unveiled the latest feature for Windows XP called Windows Security Centre, which will be part of Windows XP Service Pack 2 (SP2), a significant update to the operating system due out in the first half of this year.

The Windows Security Centre will be a central place to check important security settings, for example for firewall and antivirus software. It will also offer suggestions to improve Windows XP system protection, said Zachary Gutt, a Microsoft product manager.

Gutt also demonstrated the improved Windows Firewall, previously called Internet Connection Firewall, which will be delivered with Windows XP SP2, and showed off the pop-up ad blocker for Internet Explorer.

For enterprise users, Gutt underscored the ease of central management of the firewall, including two profiles: one for when a PC is connected to a corporate network and one for when it is not.

"SP2 is a release that is totally focused on security and today that is the primary focus on the Windows team," Gates said. "We think this will be a very important release and we will ask people to install broadly."

Gates also promoted Microsoft's plans to combat unsolicited commercial e-mail, or spam, which he called a nuisance and a security threat. The company is proposing technical standards it calls Caller ID for e-mail to authenticate the sender of an e-mail message.

"Having e-mail come in and not being able to identify where it is coming from is a huge security hole," Gates said. "Authenticating e-mail is a very key initiative for us."

Microsoft's Caller ID will use the internet's DNS (domain name system) to verify the domain a message came from. The plan requires e-mail server administrators to make changes. E-mail messages will have to include the IP (Internet Protocol) address of their mail server, while the receiver's system has to be able to verify the address.

Microsoft will test Caller ID on its Hotmail service. The web-based e-mail service will begin publishing outbound IP addresses and will start checking inbound addresses mid-year.

The company will offer a royalty-free licence on the patents it has on Caller ID for e-mail features. 

Microsoft is also giving Exchange the ability to run e-mail filtering and proofing away from the main e-mail server. The company will deliver the Exchange Edge Services, an enhancement to the SMTP (Simple Mail Transfer Protocol) relay implementation in Exchange Server.

The Exchange Edge Services will work as an e-mail gatekeeper to block junk e-mail and apply routing rules. Other software makers will be able to sell products on top of the Exchange addition for advanced e-mail security, said Microsoft. 

Gates also touched on other Microsoft security products such as its Internet Security and Acceleration Server 2004, due out later this year, and security enhancements in the upcoming Visual Studio "Whidbey" release of its developer tools.

He also highlighted a partnership with RSA Security to bring strong user authentication technology to Windows desktops.

It has been a little over two years since Microsoft launched its Trustworthy Computing Initiative to focus on security. The effort is paying off, said Gates.

Since its release, there have been six security bulletins rated critical or important, while for Windows 2000 there were 36 such bulletins in the same period after its release, he said.

"Now, we're not saying that is a job done. But even in the face of the increased sophistication of attackers, this represents substantial progress," he said. "Clearly there is more to do, but that is one of the metrics that shows us that we are definitely on the right track."

Joris Evers writes for IDG News Service
