Information Security News
mailing list archives
At last! At last! New security measures from Microsoft
From: InfoSec News <isn () c4i org>
Date: Wed, 10 Oct 2001 02:38:16 -0500 (CDT)
Wednesday, October 10, 2001
Last week, Microsoft unveiled a bold new initiative to help protect
its beleaguered corporate Windows customers and IIS Web server
families from future malicious code attacks. Even the Microsoft press
release offered this frank admission: "It's become incredibly clear
that viruses and worms directed against our customers' systems are on
the increase." Well, better late than never. The new Strategic
Technology Protection Program (STPP) is designed to help enterprise
customers keep their Internet businesses secure (and keep Microsoft as
their software provider).
The announced program will be released in two phases. The first phase,
Get Secure, includes online tools to check your system and install the
necessary patches. The second phase, Stay Secure, will include a
commitment from Microsoft to ship the next version of IIS in lockdown
mode with a tool to help users customize the product to their specific
needs. Microsoft will also provide comprehensive security roll-up
packages via Windows Update, and these are rumored to be available
bi-monthly starting in February 2002.
THE GET SECURE PHASE, available now, is quite an ambitious first step.
There's a telephone number, 1-866-727-2338 (listed on the Web site as
1-866-PCSAFETY) for free answers to virus-related problems. When I
tried the number, I sat on hold for several minutes before being
disconnected. Subsequent redials proved no better. Presumably, had
this been a real virus emergency, I would have been able to speak to
someone at Microsoft without going through their usual technical
support fee-based access hassles.
* In addition to the announced free phone support, Microsoft's
Security Tool Kit has been revamped. Various online tools (which
require Internet Explorer) are now available for scanning and
downloading updates to your software. The updates are also available
as a free CD, which is ideal for small and medium-size companies
that need to patch several desktop systems.
* For Windows NT workstations and 2000 Professional desktop users,
there's Microsoft Personal Security Advisor (MPSA). This online tool
analyzes your system and informs you whether the passwords you are
using are safe, or if the latest patches have been installed on your
machine. BugNet recently reviewed this tool in greater detail.
* For Windows NT and 2000 Web server users, HFNetChk is a command-line
tool that compares the patch status of all the machines in a network
with an XML database updated by Microsoft. HFNetChk will scan for
patches available for Internet Information Server 4.0 and 5.0, SQL
Server 7.0 and 2000 (including Microsoft Data Engine), and Internet
Explorer 5.01 and later.
* Other tools available include the IIS 4.0/5.0 lockdown tool,
designed to configure Internet Information Servers 4.0 and 5.0
against Web server attacks such as Code Red and Nimda, and the
URLScan Security Tool which helps ensure that IIS servers respond
only to valid requests based on rules set by the administrator.
BUT WAIT, THERE'S MORE. Poking around the TechNet Web site, there's a
guide for configuring enterprise security policies. There's also
Qchain, a tool that allows users of Windows XP, 2000, and NT to chain
fixes together for one reboot.
All this attention to fixing the problems that currently exist is
commendable. But what I'm waiting for is Microsoft's announced Phase
Two commitment to securing its own programs. The Secure Windows
Initiative (SWI), announced at the April 2001 RSA conference, includes
aggressive steps to eliminate buffer overruns in the next version of
IIS, as well as to improve Microsoft's own development processes.
When that happens, then I'll really start to sing Microsoft's praises.
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
- At last! At last! New security measures from Microsoft InfoSec News (Oct 10)