| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Gates: We'll Make Security Our Forte | |
|
||
| Time: 16:15 EST/21:15 GMT | News Source: E-Mail | Posted By: Byron Hinson | ||
|
Security will come to be seen as a Microsoft strength. So says Bill Gates, who raised the bar significantly last week when he told financial analysts that ongoing development projects will transform security "from a concern for us into something that's a significant, unique asset as well as a business opportunity." | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 152 Last | Next |
The time now is
3:56:36 PM
ET.
Any comment problems? E-mail us |
| #1 By 21203 (4.5.32.137) at 8/13/2004 9:32:00 PM |
| When the TCI was announced in 2002 I was (believe it or not) skeptical. Now I'm excited... I would like to see what MS can bring further to the table in regards to security. The features displayed in 2003 R2 look extremely robust for not only implementation security but then post-installation verification security. And as they keep attesting ... they only consider that just starting! |
| #2 By 23275 (67.32.52.5) at 8/14/2004 12:42:29 AM |
|
Here are more subtle signs that MS has made fundamental changes across the board:
Encrytped communications between clients and the internal interface for ISA 2004 Firewall Clients users - that so rocks in a branch configuration, or when alternate upstream ISA's are used across subnets!!! RPC over HTTPS support for remote MS MAPI Outlook 2003 Clients - I know, ClosedStandards will jump all over me for that - ooohhh you use SSL....ooohh - yah dude, if you had a clue, you'd have a full MS MAPI Client that was secure - no matter where you were located outside your LAN and w/o having to use a VPN client, or device! "My clients LOVE it and PAY for it!" SSL Support for all Mobile Device access and secure through the air synchronization with Exchange - yeah, Closed, I hear ya, but I'm getting fees for that one, too and under-cutting Black Berry by 60%! Quaranatines and GPO validation for remote users to verify user system policy conformance. Stronger encryption for wireless devices - yes Virginia, 5.2 versions of Intellipoint and Intellitype have value. SP1 for Exchange 2003 and Hotfixes for its OWA - both pretty tightly focused on security. A new message screener for ISA. Online tools for creating Sender Policy Framework text records - _eps zones in each DNS Zone to verify senders and sending domains. Still richer tools for using XML to pass complex policy objects providing flexibility to network admins and ease of use for end users. FastCode for checking the integrity of the SW they author. Data Execution Protection which is independent of hardware. I could go on, but I reasoned that some of the less publicized measures were also significant and signal two things, 1) Bill Gates and Microsoft have been sincere and very busy with their Trustworthy Computing initiatives and 2) Across the board, Microsoft has been working to provide an effective and layered security model to not only reduce surface area, but do it in a way that still allows them to address the demand for features and flexibility. They are integrating these layers, measures and techniques - just as they integrate servers, clients and tools. Microsoft leads the world in features and integration. Now they are integrating security to all of it. I suspect they will do as well in this effort as they have in satisfying our insatiable appetite for features. |
| #3 By 23275 (68.17.42.38) at 8/14/2004 6:05:00 AM |
|
Hal, some of the next pieces will include SMB on 443, or "SMB over SSL" - this will change everything. [TCP 445 for the port friendly].
WSE will also evolve, and a bevy of new adapters will make secure web services a lot more prevelant and easier to configure - especially in Avalon. Porting of ISA 2004 to appliances designed to specifically secure Exchange Servers is another -with out of the box configuration utilities, AV and message screeners. Similarly, the Enterprise Edition of ISA 2004 will come out this year - and with it AD Integration, CARP Compliance and the ability to support very large enterprises. In such a scenario, one would install an array at the edge and an ISA based appliance at the perimeter in front of the Exchange. New AV products that analyze code for the desktop, then server and likely integrated across the platform will follow soon after. These new methods, with native NW and Host IDS, will change the way anti-mal-ware is executed - within a sandbox where behaviors are analyzed. These are but a few in the pipeline, but are examples that have not been covered well. Many are in BETA now and will arrive sooner than later. They also speak to the absolute mandate that all MS products will be secure - not just "more secure." It is part of the MS culture, now and will only get better. |
| #4 By 23275 (68.17.42.38) at 8/14/2004 4:04:35 PM |
|
As I have stressed, there is so much to this within MS and it has been there since the company made security a priority. It has evolved rapidly and will continue to.
Threat modelling alone, is very significant and MS has made very useful tools freely available to all who are interested in writing secure code, http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en |
| #5 By 23275 (68.17.42.38) at 8/14/2004 6:03:32 PM |
|
#17, not even close to the same....where would the support for AD be?
CIFS - the latest incarnation of the Server Message Block (SMB) protocol and its uses also do not apply. I am however, speaking to a much richer implementation in R2, which will allow for full support of AD using SSL SMB - a much larger and more useful implementation that CIFS access on SMB. In R2, the same central management and controls using GPO will be supported. That's a heck of a lot more significant that some and an encrypted simple simon file share. Please don't confuse people by suggesting they are they same. There is enough of that. And no, right now OSS does not have a comprehensive answer to Microsoft's broad security initiatives. No more than it has a comprehensive answer with a common source of governance for addressing business and personal computing requirements. You seem to continue to forget about Microsoft's integration of systems, servers, clients, tools and applications with legacy, current and future technologies. The value and the strength of Microsoft's initiatives rests in its unified and consistent implementations on its platform - which are extended through equally consistent partnering channels to consumers of all types. When people stop sniping and start innovating to do the same - regardless of which platform they choose, then and only then, will they succeed. Until then OSS and its advocates will lag way behind Micrsoft and its software - and until then, we will continue to choose Microsoft. |
| #6 By 21203 (4.5.32.137) at 8/15/2004 2:08:34 AM |
|
Here are some answers:
TCI was announced in 2002. You've been beaten to death with the results. This is nothing more than the same. Quit being skeptical. It's just a reassurance that just because both a server and client product have been released since the TCI, that it's not going away. Do you want tangible proof of what's coming? Sorry, you'll have to take it on faith that security will be a main part of every product being released by MS. If you don't have faith based upon what you've seen in the last two years, you really shouldn't even be here listening. I think Microsoft has done a seriously good effort at making security their forte and if they announce they have only just begun, I will be taking them seriously now where I really considered it a joke prior to the TCI. |
| #7 By 23275 (68.17.42.38) at 8/15/2004 3:33:32 AM |
|
#25, now that is a fair question, Hal. And a good one that needs to be answered.
This could take some time - sorry in advance. Here's what I assess is going on and has been going on. Take a company focused almost entirely on satisfying its customers' and partners' need for more features [certainly guilty here], add a lot of clearly criminal activity, always on and under serviced novice users, and well, you have a mess. How quickly things change... Bill Gates says, "enough." He launches Microsoft on a Trustworthy computing initiative that has real teeth - progress is made in key areas, but they need better integration to the company's management systems and tools. Before things start to get better, they get worse...Blaster, Sasser and a bevy of email worms. W2K3 gains some serious traction and IIS 6 out of the box is tight as a tick. XP SP2 comes out and just how much progress has been made starts to become clearer, but not quite clear. For those that work this, and integrate nearly all Microsoft technologies, it is clearer, but still not quite clear. I think it is true that security, or having to have it, just sucks. I rememer very fondly working with people that were so good that one could leave anything laying around - crimes just did not happen; peolple were fundamentally good and certainly always honest. I think Bill Gates fell into that kind of thinking, too - "why would anyone do such...steal x, hurt y..." It was so ironic that we were all working to break software and computer based encryption systems... Cont... |
| #8 By 23275 (68.17.42.38) at 8/15/2004 3:48:06 AM |
|
Ok, so we have to deal with security. It remains a mess for all of us, and this is where I assess Bill Gates and Co. are headed - to provide it the same unified and well integrated operating environment as they have in other areas. BTW, I have an XP SP2 "mule" sitting wide open on the cloud w/o its firewall up. Watching people trying to hurt it...they still have not gotten into it - despite some paths created for them. Same guys that hit the edge and perimeter all the time... "two words here...HoneyPots and Policemen - hit one, have breakfast with the other" - Sorry to digress...
So Hal asks basically, "what is it?" I'd like to know, too. I think I can see "it" but it still is not real clear. No Ding on Mr. Gates or MS, either, because I think what is happening is normal. Microsoft has made huge amounts of progress - I can see it and feel it in so many areas, and I can also see the start of the integration. I think the question is, "what is the strategic direction" and "what new tools, systems management components and products can we expect to see?" I reason that Microsoft saw a responsibility thrust upon them by criminals, and sincerely worked to address is. I assess much of the integration and execution side of the house was left to companies like mine and regular less resourced end-users. That is changing - rapidly. As the integration takes place - a natural process for Microsoft, I see Security emerging for the as one of their "fundamentals" under Avalon, Indigo and others, etc... However, I also see security productized by Microsoft along the lines of a far more accessible model that is consistent with a strategic direction that has margins - e.g., like any good large organization, they set these margins and let lower level leaders exercise a lot of freedom and flexibility - so long as the decisions made and actions taken are consistent with the strategic direction. Cont... |
| #9 By 23275 (68.17.42.38) at 8/15/2004 4:02:40 AM |
|
Now, to the core of what I think Hal is asking: "Define it better?"
That is where I reason Micrsosoft is....days, perhaps weeks away from providing that definition and setting margins. I reason that what we will see are a host of products from the Business Services Division that will include fee based monitoring, third-party assessments [like SAS 70, etc... or Sarbanes-Oxley, or HIPAA Compliance] and much more - using Microsoft Software, servers, tools, clients, etc... to achieve a Trustworthy Computing environment that is a) still fun to be in, and b) stays out of the way of people and business processes. I expect that the ad-hoc unification and integration that many of us have had to provide, will benefit from leadership, utilities, and components native to all Microsoft software and services. Free guides, checklists and some of the most useful tools I have ever seen are already emerging in the partner channel, but again, the larger EPE - eclectronic preparation of the environment [borrowing from Govt's EPB], needs to be provided. Scenarios need to be used to allow all of us to see ourselves in the context of Microsoft's solution. I reason they have looked at themselves and said - "mine us; use our methods as the basis, but make them realistic for our customers." afetr all, not many companies can afford Smart Cards... So what started out as the right thing to do, has evolved into an opportunity that Microsoft and its customers will benefit from. Ironically, the same criminals that sought to hurt Microsoft and its customers, only made them stronger and more resolved. All that said, I ask, too, "Mr. Gates, please hurry and provide more clarity, or some kind of map - 1 to 24:0000 is not necessary, 1 to 500:0000 will do." |
| #10 By 23275 (68.17.42.38) at 8/15/2004 2:09:41 PM |
|
Unfortunately when programmers come out of school they have their heads full of theory and not practice or implementation Man, ain't that the truth...
When we hire - doesn't matter what kind of engineer, we do so with the full knowledge that we are about to make a full year long investment in the new hire - in intense training and hands-on practical exercises. This process isn't pretty, either - vetting not just along technical lines, either, but to see how well they can work in small teams and how sincere they are about wanting to "matter." That's why we try to find them while they are still in school and support them in their last year or two - exposing them to things they would not likely be able to do for many years early on. Works well, but not always and infusing security into their thinking is a big part of that. It is expensive and taxing - requiring a lot of long hours to bring new people up to the standards we are trying to set and maintain. People unable or unwilling to commit like that just don't make it. I do assess that Microsoft is very close to openning a new resource which provides for the clarity I have been sensing will be provided. While the security site they now maintain is good, and individual tools are there, it pales in comparison to the station security occupies opposite such a large company - the XBox site has more pages... For example, let's say that one is going to run static addressing for VPN clients in a different sub-net from the host domain - specifics need to be provided opposite how to set up the routing so VPN clients can see internal resources once connected - vice having to use DHCP from an internal host controller. These kinds of practical set up guides opposite their products and how to lock them down, test them and get them certified and keep them certified is what is needed is MS is to capitalize on their security initiatives. On one side, the set up should be open, where the certification and monitoring would be fee based and legitimate revenue opportunities. |
| #11 By 23275 (68.17.42.38) at 8/15/2004 9:23:12 PM |
| Hal, emulation doesn't count - neither do uninstrumented packages - that is exactly the kind of messaging and communications systems that are points of attack. The formats that these use to communicate are well known and in the public domain - items one never gives to anyone with even modest skill. Since so many OSS devs keep tools on the production systems, they leave the ability to recompile any exploit executed - making it next to impossible for any OSS admin to detect it, much less remove it - w/o using new drives and a new installation. Setting that aside for a moment, how many people and businesses have the resident talent to review and fully understand the contents of any package installed under OSS? Even in cases where they do use a source like Red Hat's RHN, then they pay way more per server/system than one does with Microsoft - "for a source of governance and accountability." So even when done properly, one still is not certain that what they are putting on did not come from the OSS community at large. From the perspective of developing a security model that is not open to the very people that would exploit it, that suggests one should avoid that. Look at even MS - when they send out a patch for a vulnerability the themselves have discovered...what happens? It is reverse engineered and an exploit is released and the source is closed! What do you think happens when the source is wide open and compilers are on the production target? I just cannot endorse that model as being inherently more secure - just because one can write one's own, or modify it - who has time or money for that and against such exposure? I don't - not any more - it's not about pure research and when it was, there were still objectives and budgets. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 152 Last | Next |
The time now is
3:56:36 PM
ET.
Any comment problems? E-mail us |
