Gates pledges 'active protection' to improve Windows security

Bill Gates proposes changes to internet, e-mail and security extensions but can Microsoft secure the backing of internet standards organisations?

Microsoft chairman and chief software architect Bill Gates has answered criticism of his company's security track record with measures designed to improve the company's Trustworthy Computing strategy.

Speaking at last week's RSA Conference in San Francisco, Gates told delegates that no single technology could adequately protect against the many different kinds of attacks that computers face.

Gates said, "Resiliency can only be achieved with a combination of security technologies designed to combat the sophisticated threat from worms and viruses."

The long-term strategy at Microsoft involves what Gates described as "active protection technologies", which he claimed would protect computers running the Windows operating system from security threats.

He focused on three areas: the first was dynamic system protection, an attempt by Microsoft to adjust systems defence on each computer to reduce the likelihood of a successful attack.

Gates said Microsoft would also be developing a form of "behavioural blocking" to limit the ability of worms and viruses to cause damage once in a computer, helping to contain the attack and act as a last line of defence.

Finally, he said Microsoft would develop an application-aware firewall and intrusion prevention system to identify malicious traffic and stop it, helping to prevent infection.

Microsoft is planning to tackle e-mail security with what Gates described as "extensions to SMTP", the protocol used to transmit e-mail. He said Microsoft would deliver Exchange Edge Services, an add-on to the SMTP relay implementation in Exchange 2003. This will provide a new way to extend a Windows-based infrastructure.

In the short term, Gates said, Windows XP Service Pack 2, which is due out this summer, will address several shortcomings in Microsoft security. He demonstrated a new feature called the Windows Security Centre, which enables users to check the status of essential security features, such as firewalls, automatic updates and anti-virus functionality.

When the tool detects a problem, it notifies users and offers recommended solutions to help them improve security.

Changes need industry approval   

Microsoft's approach to improving the security of its Windows operating system by adding features rather than simplifying the code, outlined at the RSA conference, caused concern among some analysts and security experts. Some warned the changes would not be possible without the backing of standards bodies.

Dan Blum, research director at the Burton Group, was concerned that Microsoft chairman and chief software architect Bill Gates was planning to add more code to Windows to resolve security issues. "Windows has 60 million lines of code, compared with about five to six million in Linux," Blum said.

The risk with Windows lay with the fact that Microsoft was integrating too much technology into the operating system, with each extension representing a potential security risk, he added.  

"Unix and Linux do not include web servers, a directory, support for older protocols and backwards compatibility, which makes them easier to secure," said Blum.  

Peter Sommer, head of computer security research at the London School of Economics, warned that Microsoft's attempts to extend the widely-used SMTP mail protocol could lock users into proprietary e-mail.  

"There will be huge resistance to transferring everyone onto a Microsoft protocol," he said.  

As SMTP is open source technology, Microsoft may have to give the extensions away as open source code, to encourage other e-mail packages to support it.  

Sommer suggested that the Internet Engineering Task Force (IETF), which sets many of the basic internet standards, should drive the delivery of these extensions. But he said, "It can take many years for a standard to be set, since the IETF operates by consensus."

Andy Kellett, senior research analyst at Butler Group, said, "It is important that the industry collaborates, given the importance of e-mail to every business across the world."

Kellett said the approach outlined by Gates would go some way in preventing spam, but called for governments to take firmer action.
