Viewpoint: Windows Server 2003 Security
- By Scott Bekker
Microsoft's patch factory was running at full production last week at
the same time that the company's formidable marketing arm was publicly
launching a new operating system designed to reduce the frequency of
security bugs. This apparent contradiction isn't proof that Trustworthy
Computing is failing; instead, it's evidence that the initiative is
critically necessary. Even though Windows Server 2003 is more secure
than any previous Microsoft operating system, there will be no let up
in patching for several years.
As he launched Windows Server 2003 on Thursday in San Francisco,
Microsoft CEO Steve Ballmer emphasized Microsoft's $200 million
Trustworthy Computing investment designed to fuse security into the
very joints of the newly released operating system. Microsoft turned
off dozens of features and services by default, most notably in IIS
6.0; reviewed the code of the operating system line-by-line; and plans
to release tools and documentation to help administrators lock down
servers by role. The end result should be fewer critical security
patches for the Windows-based servers that are working their way
further and further into mission-critical roles.
These are all welcome improvements. But Ballmer struck a realistic tone in shaping expectations about the security of an operating system with 50 million lines of code. "Will there never be another [security]
issue?" Ballmer asked rhetorically. "I can’t say that. We have built
better processes to respond and help you respond to any issues that
I'll take Ballmer's comment one step further. The operating system is generally available now, and pre-release deployment has been rapid,
according to Microsoft. Nonetheless, the vast, vast majority of the
installed base of Windows systems is older software developed under
Microsoft's pre-Trustworthy Computing product development philosophy –-
liberally paraphrased here as, "pack it with as many new features as
possible and enable most of them by default." It will be several years
before Trustworthy Computing-inspired server operating systems account
for even half of the installed base, and a few years longer on the
client side. And that's assuming Microsoft continues, as I believe they
will, to prioritize security over features for the long term.
Which means we can look forward to frequent security patches for years to come. Ample evidence arrived this week. Laboring in the less secure morass of the current installed base, Microsoft's security teams pumped out two new critical security bulletins and reissued a previous
bulletin the night before the Windows Server 2003 launch. The day after
the launch, Microsoft's security teams acknowledged a quality control
problem with another critical security patch from earlier this month
and promised to post a new version shortly.
In case you missed the patches:Microsoft Security Bulletin MS03-015 patched Internet Explorer
against three critical new vulnerabilities and a fourth vulnerability
of moderate threat.
Microsoft Security Bulletin MS03-014 contains a cumulative patch for
Outlook Express. It fixes a critical vulnerability that could allow an
attacker to run code on a target machine.
Microsoft Security Bulletin MS03-007, from March 17, is updated to include a patch for Windows NT 4.0. While Microsoft considered the patch critical for Windows 2000, the company designates it with the lower "important" priority for NT 4.0.
Microsoft Security Bulletin MS03-013 is updated to confirm that the Windows XP version of the patch causes problems with XP Service Pack 1 systems. Microsoft is working on a new patch.
The heightened activity out of Microsoft's security team shouldn't
detract from Microsoft's accomplishment of shipping Windows 2003. The
new server operating system truly represents a security landmark for
Microsoft and the industry. Just remember that Trustworthy Computing is
forward-focused. The patches of last week serve as a reminder that the
flaws in the old Windows design won't magically disappear just because
of the launch of Windows 2003, the first full Trustworthy Computing
product release. Given the software we're all running now and for the
next several years, any reduction in the volume of patches won't appear
any time soon. The patches are dead. Long live the patches.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.