The new plan to "secure the perimeter" outlined by Microsoft executives last week is drawing mixed reviews from customers and analysts, whose reactions range from high praise to "show me."
The strategy, revealed by Steve Ballmer, Microsoft's chief executive, at the company's partner conference in New Orleans, was a multi-point program that promises to do a better job serving customers who are confused about the myriad ways of getting information from the company about security and patches.
The company plans to move to one patching "experience" by May 2004, and it has promised better patch quality. Microsoft will also put all of its security information on one Web site. Patches will be released once a month, with the exception of emergency patches. The company will also release, over time, some new technologies called "shields," which will be safety measures designed to protect the enterprise.
One IT expert gave the plan a good review, even suggesting that the changes will launch a new era for systems administrators burdened with the task of patch management.
The fact that Microsoft is moving to monthly patch releases for non-emergency patches and consolidating the installers means that IT administrators will spend less time trying to figure out how to patch systems and more time doing it, said Larry Duncan, a Nashville, Tenn., systems management consultant and acting chairman of the worldwide Systems Management Server user group.
Mid-2004 time frame for client enhancement
Microsoft's decision to build new "safety" technology into its Windows client, due out in mid-2004, is also welcome. The idea is that, even if a patch is not installed, customers would still be somehow protected through enhanced firewall protection and manageability features.
Microsoft was somewhat vague on exactly how these features will look, but they will include improved attachment blocking, protection in the browser so users can't run ActiveX controls from Web sites they cannot trust, and better memory protection against buffer overruns.
"I think the IT community would welcome a mechanism that would allow the blockage of nonstandard, insecure clients from participating in the network architecture," Duncan said. "But [their concern is that] they need to be able to specify what exactly is considered nonstandard and to ensure a prompt notification system that will trigger alerts when these intrusions happen.
"The last thing we want to see are legitimate clients being denied access to business-critical applications and services."
Though IT administrators would certainly like to believe that Microsoft's new security strategy will be effective, many prefer to hold their opinions until they see some real action.
"It's the same old thing [Microsoft] has been saying," said Jim Acevedo, a network manager at IdaCorp Energy, a Boise, Idaho, energy trading company. "If they can just come up with a better patch management plan with the end users in mind, rather than relying on the end users to educate themselves, it would help.
"I do make an effort to educate myself, and it's to all IT managers' advantage to stay current. But I would like all companies to come across as clean as possible and do a better job of quality control on their software before they put it out to market."
For many companies, the message coming from the CEO and CIO to the IT staff is, "You'd better start putting these systems together more securely," Acevedo said. The top executives are at a loss; new accounting regulations such as Sarbanes-Oxley are now in effect, and they see their IT shops battling what amounts to an exploit a week, more or less.
These executives are looking at their investments, and they are not looking at any manufacturer in particular. "They do understand that Microsoft is easier or better to use, but they will pull the plug [on Windows] if they have to," Acevedo said.
Praise for Microsoft's direction
Other IT executives agree. Michael Stoeckert, chief information and technology officer at EPL Inc., a Birmingham, Ala., company that makes software for credit unions, said he's concerned that Microsoft is merely plugging holes in its architecture, when it really needs to change its architecture.
"The OS is better today than it has been, but there is still a good bit of work to do to get it up to some of the competitive standards that are out there," Stoeckert said.
"I like the direction Microsoft is taking, but this should have started two or three years ago. Back then, they didn't think any other OS was competing for their market. Now they are being pushed."
For one analyst, the biggest improvement of all will be having Microsoft put all of its security information on one Web site. "This is not a tough technical issue, but rather an issue of how Microsoft manages the problem," said Paul DeGroot, an analyst at Directions on Microsoft, Kirkland, Wash.