mailing list archives
FW: Microsoft Progress Report: Security
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 31 Mar 2004 15:44:06 -0500
From: Bill Gates [mailto:billgates () chairman microsoft com]
Sent: Wednesday, March 31, 2004 3:42 PM
Subject: Microsoft Progress Report: Security
Malicious software code has been around for decades. But only in the last
few years have the Internet, high-speed connections and millions of new
computing devices converged to create a truly global computing network in
which a virus or worm can circle the world in a matter of minutes.
Meanwhile, criminal hackers have become more sophisticated, creating and
distributing digital epidemics like Slammer, Blaster, Sobig and Mydoom that
spread almost instantaneously, threatening the potential of technology to
advance business productivity, commerce and communication.
The kinds of threats are evolving too. Blaster, for example, hijacked
individual computers, turning innocent users into unknowing and innocent
worm propagators. These kinds of attacks - "swarming" attacks that are
coordinated to cause multiplied, cascading effects - change the landscape of
security threats. They put new demands on IT professionals and consumers to
take preventative measures, and on the technology industry to continue to
innovate and develop new solutions.
While there are considerable challenges ahead, Microsoft and our industry
are making significant progress on the security front. This email, which
you're receiving as a subscriber to executive emails from Microsoft, offers
insights into Microsoft's significant investments in four areas of security:
- Isolation and Resiliency
- Authentication and Access Control
Additionally, we are committed to major investments in customer education
and partnerships that will help make the computing environment safer and
Given human nature, evolving threat models and the increasing
interconnectedness of computers, the number of security exploits will never
reach zero. But we can dramatically blunt the impact of cybercriminals, and
are dedicating a major portion of our R&D investments to security advances.
ISOLATION AND RESILIENCY
Central to our security efforts is preventing malicious code from being able
to exploit a vulnerability by isolating such code, providing more effective
control over what computer processes can talk to or work with, and making
systems more resilient so they are able to identify and stop suspicious or
bad behavior in its tracks.
Windows XP Service Pack 2: We are working on a number of isolation and
resiliency advances that address four specific modes of attack in our
flagship client operating system. These will be available in late
- Network Protection: Windows Firewall will be turned on by default, and
global firewall settings and central administration of firewall
configuration will be enabled. This reduces the "attack surface" of PCs and
- Safer Web Browsing: To reduce the impact of malicious code and Web sites
that can damage computers or defraud users, Internet Explorer will
automatically block unsolicited downloads from Web sites as well as block
unwanted pop-ups unless a user clicks on a download link. IT administrators
will also be able to manage this capability to enforce a consistent policy
across their organizations. In addition, wireless setup will be improved for
more secure browsing on wireless home networks.
- Safer Email and Instant Messaging: To reduce the risk of attacks, we are
building better file attachment handling in Outlook Express and Windows
Messenger instant messaging, and offering increased customer control over
downloads of external content in Outlook Express that could enable a sender
to identify your computer.
- Memory Protection: Malicious software designed to exploit buffer overruns
can allow too much data to be copied into areas of the computer's memory.
Although no single technique can completely eliminate this type of
vulnerability, Microsoft is employing a number of security technologies to
mitigate these attacks. First, core Windows components have been recompiled
with the most recent version of our compiler technology to protect against
stack and heap overruns. Microsoft is also working with microprocessor
companies, including Intel and AMD, to help Windows support
hardware-enforced data execute protection (also known as NX, or no execute).
NX uses the CPU to mark all memory locations in an application as
non-executable unless the location explicitly contains executable code. This
way, when an attacking worm or virus inserts program code into a portion of
memory marked for data only, it cannot be run.
Windows Server 2003: In an environment in which every computer can be seen
as living in a "hostile world," our work on Windows Server 2003 has focused
on how to help reduce, mitigate or contain threats. We plan to ship security
advances in Windows Server 2003 Service Pack 1 in the second half of 2004
that will include the server-relevant security technologies found in Windows
XP SP2. To improve the isolation capabilities, the Windows Firewall will be
enabled during setup on new server installs so that the server is more
protected from potential network-based exploits during configuration. A
security configuration wizard will also be included so that once server
roles (such as file server, app server, etc.) are enabled, they can be
further locked down based on the specific usage model for that role.
Internet Security and Acceleration Server 2004: Security advances in
Internet Security and Acceleration Server 2004 include much deeper content
inspection, which will enable customers to better protect their Microsoft
applications and fortify remote VPN connections. An enhanced user interface
and management tools will make it easier for customers to implement and
manage security policies, reducing the potential for misconfiguration - a
common cause of network breaches.
Exchange Edge Services: This new technology addresses the evolving security
problems associated with Internet email. Exchange Edge Services is designed
to block incoming or outgoing malicious email and junk mail, defend against
email server attacks and email-borne viruses, and encrypt messages to
optimize for security. It is also designed to provide a foundation on which
third-party developers can build technologies such as next-generation email
filters, email encryption products and email compliance solutions.
Active protection technologies: Making computers even more resilient in the
presence of increasingly sophisticated worms and viruses is key in
preventing and containing attacks. To this end, Microsoft is investing in
the development of an integrated set of protection technologies that
- Dynamic system protection that proactively adjusts defenses on each
computer based on changes in its "state." For example, installing new
software, making a configuration change, the need for a new update, or
connecting to different networks can make a computer more vulnerable.
Dynamic system protection detects these changes and adjusts the level of
protection accordingly. Today, customers benefit from Automatic Update in
Windows, which detects when a computer requires a new security update. In
the future, Microsoft envisions computers not only being able to detect
changes, but proactively responding to them too. For example, a laptop
moving from a corporate network to a home cable modem or DSL connection
could cause the integrated firewall to close more ports for additional
- Behavior blocking that limits the ability of a computer infected with a
worm or virus to cause further damage, by intercepting suspicious behavior,
determining if it is out of the ordinary, and stopping it if it is. For
example, the Blaster worm exploited a vulnerability that caused Windows to
replicate the worm to other computers. Behavior blocking would contain this
- Application-aware firewall and intrusion prevention that is designed to
identify malicious traffic and block it. Traditional firewalls can be
bypassed by worms and viruses embedded in what appears to be valid network
traffic. This new technology will enable deep inspection of network traffic
and stop or limit distribution of this malicious content.
Spam Tools: Because viruses, worms and other malicious code often spread via
spam, Microsoft is waging a multi-pronged anti-spam effort. Last November,
Microsoft announced SmartScreen Technology, a filter used in our client and
online email programs. It gets progressively "smarter" as email users train
the filter to identify unwanted spam. Last month, Microsoft unveiled a pilot
implementation of Caller-ID, a technology that authenticates the origin of
email, much like telephone Caller-ID. On the enforcement front, meanwhile,
the company took 66 legal actions last year against spammers worldwide.
Client Inspection: At the corporate level, one of the biggest concerns is
home computers or remote laptops infected with a virus or worm that are
connected to a corporate network. We are working on technologies that will
inspect these remote devices and block network access if they don't pass a
Web Services: The delivery in 2002 of WS-Security, a standardized
specification that improves the integrity, confidentiality and security of
Web Services, will help businesses link systems internally and externally in
a more secure, cost-efficient and flexible way by allowing for the
encryption of messages and support for digital signatures. A recent report
by the WS-I Security Profile Working Group outlines new countermeasures to
combat challenges and threats in building interoperable Web services
Until now, software updates have been the primary way that customers protect
against security vulnerabilities. Although the evolving nature of threats
requires a broader, multi-pronged response, Microsoft is continuing to make
significant upgrades to the quality of our updates and associated processes,
and building more advanced tools to help IT administrators optimize their
infrastructure for security.
Last fall, we moved to monthly releases of updates to improve predictability
and manageability, and to reduce the burden on IT administrators (although
we will continue to release updates out-of-cycle to protect customers in the
case of an active threat). We also are improving testing processes to
minimize update inconsistencies and recall rates, and by this summer most of
our updates will have full rollback capabilities.
System Management Server 2003, launched last November, is a comprehensive
update and software management and distribution solution that enables
organizations to quickly and easily deploy the latest updates in a
systematic manner. In January, we released Microsoft Baseline Security
Analyzer v1.2, a free tool that provides a streamlined method of identifying
common security misconfigurations.
Windows Update Services, an evolution of Software Update Services 1.0 (SUS),
is a major step forward in Microsoft's patch and update management strategy.
A free component of Windows Server, Windows Update Services gives IT
administrators a seamless update, scanning and installation capability for
Windows servers and desktops. New features include the ability to provide
customers with additional automation and control that reduces interruption
when updating systems, and expanded functionality to update SQL Server,
Exchange Server, Office 2003 and Office XP, in addition to Windows. It is
currently in beta and scheduled for release in the second half of 2004. For
consumers, we are also complementing Windows Update with a new service to
automatically keep consumers up to date on a broader set of Microsoft
products beyond Windows. This new service, called Microsoft Update, will be
available later this year.
We are also incorporating the ability to automatically check the status of
crucial security functionality such as firewall, automatic update and
anti-virus. A new Security Center feature in the Windows XP Control Panel
will tell a customer whether key security capabilities are turned on and up
to date. When a problem is detected, they will receive a notification and
recommended actions to help them become more secure.
AUTHENTICATION AND ACCESS CONTROL
Computer networks are no longer closed systems in which a user's mere
presence on the network can serve as proof of identity. In an era where
millions of computing devices are interconnected, and vendors and partners
often have access to an organization's network, there are many potential
opportunities for unauthorized individuals to gain access to digital
information such as e-mail, e-commerce transactions or proprietary files. In
this environment, access control (who, what and when) and authentication are
critical aspects of ensuring an organization's security.
Passwords: Passwords provide the most common mechanism for authenticating
users who need access to computers and networks. They also can be a weak
link if users choose common passwords to more easily remember them. The
Windows Server 2003 family has a new feature that checks the complexity of
the password for the Administrator account during setup. If the password is
blank or does not meet complexity requirements, a dialog box warns of the
dangers of not using a strong password. We also are expanding our support
for strong, two-factor authentication mechanisms through partnerships with
companies like RSA Security, Inc. and VeriSign, Inc.
Smartcards: Windows Server 2003 and Windows XP also support smart cards,
credit-card-sized devices that securely store certificates, public and
private keys, passwords, and other types of personal information. Logging on
to a network with a smart card provides a strong form of authentication
because it uses cryptography-based identification and proof of possession of
the private key held on the smartcard when authenticating a user to a
network; in other words, something you have and something you know.
Public Key Infrastructure (PKI): Windows Server 2003 includes features to
help organizations implement a public key infrastructure, including
certificates and associated services and templates. A PKI provides the
mechanisms needed to support issuance and life-cycle management of digital
certificates. By trusting the digital certificate issuing authorities, other
parties can independently determine the identity of clients presenting the
digital certificates for authentication purposes. Use of this authentication
technology can provide strong authentication based on industry standard
public key cryptographic technology.
Biometric ID Card: Farther out, the Tamper-Resistant Biometric ID Card
system will provide an innovative, simple and affordable solution for
providing cryptographically secure photo-ID cards using a unique combination
of public key cryptography, compression and barcode technologies.
IPsec: Another important component of a comprehensive defense-in-depth
information protection strategy, IPsec eliminates many threats by mutually
authenticating computers and restricting incoming network traffic based on
that authentication. In addition, it provides for digitally signing traffic
to ensure integrity, and encrypting traffic to provide privacy. Microsoft's
IPsec implementation-in use in our own corporate network-is completely
standards-compliant and will interoperate with all other compliant IPsec
implementations, including those that support network address translation.
As we've said before, Microsoft is strongly committed to using
state-of-the-art engineering practices, standards and processes in the
creation of our software. We have undertaken a rigorous "engineering
excellence" initiative so that our engineers understand and use best
practices in software design, development, testing and release.
The security development processes we instituted prior to releasing Windows
Server 2003 last year are a prime example of where this effort is showing
results that benefit customers. The number of "critical" or "important"
security bulletins issued for Windows Server 2003, compared to Windows 2000
Server, dropped from 40 to 9 in the first 320 days each product was on the
market. Similarly, for SQL Server 2000, there were 3 bulletins issued in the
15 months after release of Service Pack 3, compared to 13 bulletins in the
15 months prior to its release. With Exchange 2000 SP3, there was just 1
bulletin in the 21 months after its release, compared to 7 bulletins in the
21 months prior.
We also have had some great success developing new internal tools that
automatically check code for common errors, and more thoroughly test
software before its release. For example, we use code-checking tools that
automatically search for classes of bugs that can lead to security
vulnerabilities, program crashes and hangs. We have committed to making
these engineering advances available to other software developers through
training and tools, including the next release of Visual Studio.
In Service Pack 1 for Windows Server 2003, we will continue efforts to
reduce surface attack area by removing older, unused technology.
CUSTOMER EDUCATION AND PARTNERSHIPS
The best technologies in the world are ineffective if people don't know how
to use them, or aren't aware they exist. With hundreds of millions of
computer users around the globe, and varying levels of knowledge about
security, this is a major challenge, but Microsoft is investing
significantly to help customers understand how they can make their
environments more secure.
By the end of this year, our aim is to reach 500,000 business customers
worldwide with information on how to optimize their systems and networks for
security. We're partnering with other industry leaders to help business
customers optimize update management and security solutions. And we're
providing seminars and publications for developers to help them build secure
applications and Web services.
Starting in April, Microsoft will host the first of 21 Security Summits in
cities across the U.S., intended to provide deep technical security training
for IT and Developer professionals. This training, offered at no charge,
complements a variety of other opportunities Microsoft is providing for
customers to help protect their computers and networks, including Webcasts,
self-paced learning and hands-on labs. We also are providing security
training for customers worldwide, and more information is available from
regional Microsoft offices.
We have also created a Security Guidance Center for developers and IT pros
at microsoft.com/security/guidance, where customers can find in-depth
technical guidance, tools, training and updates to help plan and manage more
effective security strategies. This free information includes checklists to
help perform security-related checks and processes, step-by-step
instructions for a broad range of security tasks, and product- and
technology-specific guidance to help protect platforms, networks, desktops
For consumers, we're working on a worldwide education campaign with computer
manufacturers, retailers, ISPs and other partners to create broader
awareness of best practices in PC "hygiene," and how to make protection
technologies easier to enable. This has three aspects: installing antivirus
software, using an Internet firewall, and using the Automatic Update
features in Windows to automatically download the latest Microsoft security
We have joined forces with companies such as Computer Associates, Network
Associates, Symantec, Trend Micro, F-Secure, ISS (BlackICE), Tiny Software
and Zone Labs to provide special offers on third-party antivirus and
We helped form the Virus Information Alliance, which includes 10 leading
anti-virus vendors, to help Internet users find information about the latest
virus threats affecting Microsoft technology.
Last month, the Global Infrastructure Alliance for Internet Safety (GIAIS)
was announced to enable even stronger collaboration between Microsoft and
Internet Service Providers regarding security issues. Already, GIAIS members
performed a critical role in working with Microsoft to identify the virus
signatures for MyDoom, and to develop remediation tactics to ensure consumer
Security experts from Microsoft also are participating in initiatives
sponsored by the Department of Homeland Security and Congress aimed at
strengthening the nation's critical infrastructure, ranging from recommended
engineering processes in software development, to effective patch
management, to how best to create the business ecosystem required to broadly
support robust security practices.
Microsoft is also working with law enforcement on a global basis to deter
hackers from software sabotage. Last November Microsoft established the
Anti-Virus Rewards Program, which offers cash rewards for information
provided to the FBI or Secret Service that results in the arrest and
conviction of those responsible for unleashing viruses and worms.
Security is as big and important a challenge as any our industry has ever
tackled. It is not a case of simply fixing a few vulnerabilities and moving
on. Reducing the impact of viruses and worms to an acceptable level requires
fundamentally new thinking about software quality, continuous improvement in
tools and processes, and ongoing investments in resilient new security
technologies designed to block malicious or destructive software code before
it can wreak havoc. It also requires computer users to be proactive about
deploying and managing products. Detailed information to help customers
become more secure is at www.microsoft.com/security.
Technology has come an incredibly long way in the past two decades, and it
is far too important to let a few criminals stop the rest of us from
enjoying its amazing benefits.
To cancel your subscription to future executive emails, please reply to this
email with the word UNSUBSCRIBE in the subject line. To contact us, write to
us at One Microsoft Way, Redmond, Wash., 98052. To manage your Microsoft.com
subscriptions, please sign in at the Microsoft Profile Center here:
http://register.microsoft.com/regsys/pic.asp. To see the Microsoft.com
Privacy Statement, please go to http://www.microsoft.com/info/privacy.mspx.
Full-Disclosure - We believe in it.
- FW: Microsoft Progress Report: Security Richard M. Smith (Mar 31)