News

Gates Makes Case for Progress by Microsoft on Security

• By Scott Bekker
• March 31, 2004

The e-mail, "Microsoft Progress Report: Security," went to subscribers to Microsoft's Executive E-mail service, which usually consists of high-level communication to customers and partners from Gates or CEO Steve Ballmer. A similar e-mail two years ago announced Microsoft's Trustworthy Computing initiative. That was the watershed moment when the company made a public commitment to take security much more seriously in its product development and product maintenance processes.

Gates said Microsoft is concentrating its R&D investments in security in four areas: isolation and resiliency; updating; quality; and authentication and access control. Primarily the e-mail recapped Microsoft's security moves in the last few years.

Much of the e-mail is dedicated to products and technologies that were recently released or are soon to be released that Microsoft argues will strengthen the security of its platform. In that category, Gates discussed Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Internet Security & Acceleration Server 2004, Systems Management Server 2003, Exchange Edge Services, SmartScreen Technology for blocking spam, and Windows Update Services.

But Gates also unveiled some security technologies that are still in the development stage. A set of "active protection technologies" is being developed to make Windows' defenses against viruses and worms more robust. The integrated technologies will include dynamic system protection that changes the defenses of a system based on its "state." As an example, Gates said, "A laptop moving from a corporate network to a home cable modem or DSL connection could cause the integrated firewall to close more ports for additional protection."

Another active protection technology is "behavior blocking" to limit the ability of a computer infected with a worm or virus to cause further damage. Microsoft also intends to continue the development of its integrated Windows Firewall by giving the component application awareness and intrusion prevention technology, Gates said.

Microsoft's chief software architect used the e-mail to dribble out a few tidbits about the forthcoming service packs for Windows XP and Windows Server 2003.

Gates gave a "late spring/early summer" timeframe for Windows XP SP2, which entered the Release Candidate 1 testing phase earlier this month.

He reiterated a second half 2004 delivery date for Windows Server 2003 SP1, but offered new detail on its feature set.

"The Windows Firewall will be enabled during setup on new server installs so that the server is more protected from potential network-based exploits during configuration," Gates said.

He also made this tantalizing statement but provided no further detail: "In Service Pack 1 for Windows Server 2003, we will continue efforts to reduce surface attack area by removing older, unused technology."

Gates used his e-mail to make the case that Microsoft's recent patching history shows that its development quality is improving.

"The security development processes we instituted prior to releasing Windows Server 2003 last year are a prime example of where this effort is showing results that benefit customers," Gates said. "The number of 'critical' or 'important' security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to 9 in the first 320 days each product was on the market."

The e-mail states that Microsoft is embarking on an education campaign with a goal of reaching 500,000 business customers by the end of the year. In the United States, the company is starting with a series of 21 free Security Summits for IT administrators and developers.

The full text of the Gates e-mail is available at:
www.microsoft.com/mscorp/execmail/.