Microsoft Corp. is “on the right track” in securing its software, the company’s chairman and chief software architect Bill Gates said Tuesday in a presentation that included new details on a Windows XP update and the company’s spam-fighting efforts.
During Gates’ keynote presentation at the RSA Conference in San Francisco, a Microsoft product manager showed for the first time a new feature for Windows XP called Windows Security Center that will be part of Windows XP Service Pack 2 (SP2), a significant update to the operating system that is due out in the first half of this year.
The Windows Security Center will be a central place to check important security settings, for example for firewall and antivirus software. It will also offer suggestions to better protect a Windows XP system, said Zachary Gutt, a Microsoft product manager who joined Gates on stage to demonstrate the Windows XP SP2 features.
Gutt also demonstrated the improved Windows Firewall, previously called Internet Connection Firewall, which will be delivered with Windows XP SP2, and showed off the pop-up ad blocker for Internet Explorer. For enterprise users, he underscored the ease of central management of the firewall, including two profiles: one for when a PC is connected to a corporate network and one for when it is not.
“SP2 is a release that is totally focused on security and in fact today that is the primary focus on the Windows team,” Gates said. “We think this will be a very important release and we will ask people to install broadly.”
As expected, Gates also promoted Microsoft’s plans to combat unsolicited commercial e-mail, or spam, which he called not only a nuisance, but also a security threat. The Redmond, Wash., company is proposing technical standards it calls Caller ID for e-mail to authenticate the sender of an e-mail message.
“Having e-mail come in and not being able to identify where it is coming from is a huge security hole,” Gates said. “Authenticating e-mail is a very key initiative for us.” Gates described Caller ID as a “very specific technical proposal” that he expects his company can act on by this summer if it gets sufficient backing.
Microsoft’s Caller ID plan uses the Internet’s DNS to verify the domain a message came from. The plan requires e-mail server administrators to make changes. E-mail messages will have to include the IP address of their mail server, while the receiver’s system has to be able to verify the address.
Microsoft will test Caller ID on its Hotmail service. The Web-based e-mail service will begin publishing outbound IP addresses Tuesday and will start checking inbound addresses midyear, Microsoft said in a statement. The company plans to offer a royalty-free license on the patents it has on Caller ID for e-mail features, Gates said.
Microsoft is also giving Exchange the ability to run e-mail filtering and proofing away from the main e-mail server. The company will deliver what it calls Exchange Edge Services, an enhancement to the SMTP relay implementation in Exchange Server, according to a Microsoft statement Tuesday.
The Exchange Edge Services will work as an e-mail gatekeeper to block junk e-mail and apply routing rules, Microsoft said. Other software makers will be able to sell products on top of the Exchange addition for advanced e-mail security, according to Microsoft.
In his presentation, Gates also touched on other Microsoft security products such as its Internet Security and Acceleration Server 2004, due out midyear, and security enhancements in the upcoming Visual Studio “Whidbey” release of its developer tools. Gates also highlighted a partnership with RSA Security Inc. to bring strong user authentication technology to Windows desktops.
It has been a little over two years since Microsoft launched its Trustworthy Computing Initiative to focus on security. The effort is paying off, according to Gates. Windows Server 2003 is a good example, he said. In the just over 300 days since its release, there have been six security bulletins rated critical or important, while for Windows 2000 there were 36 such bulletins in the same period after its release, Gates said.
“Now, we’re not saying that is a job done. But even in the face of the increased sophistication of attackers, this represents substantial progress,” he said. “Clearly there is more to do, but that is one of the metrics that shows us that we are definitely on the right track.”
Attendees, many of them security professionals, had mixed opinions on Gates’ speech.
“I think it is a major step in the right direction,” said Bob Terry, chairman and CTO of BBX Technologies Inc. in Nashville, Tenn. Terry, whose company sells intrusion prevention technology, was particularly encouraged by Microsoft’s emphasis on working with third-party companies on security problems.
Others were less sanguine about Gates’ promises on security and spam. Oliver Atoa-Ortiz, vice-president of security services of Netxar Technologies Inc. of Hato Rey, Puerto Rico, was happy to hear about Microsoft’s antispam initiatives, but said he doubted that the Caller ID technology would find widespread adoption.
“When you’re talking about modifying DNS, you need a lot of people to buy into it, and there are a lot of other e-mail systems out there,” he said.
– With files from Paul Roberts, IDG News Service