[ISN] At last! At last! New security measures from Microsoft

From: InfoSec News (isnat_private)
Date: Wed Oct 10 2001 - 00:38:16 PDT


    Robert Vamosi,
    Associate Editor,
    ZDNet Reviews
    Wednesday, October 10, 2001

    Last week, Microsoft unveiled a bold new initiative to help protect
    its beleaguered corporate Windows customers and IIS Web server
    families from future malicious code attacks. Even the Microsoft press
    release offered this frank admission: "It's become incredibly clear
    that viruses and worms directed against our customers' systems are on
    the increase." Well, better late than never. The new Strategic
    Technology Protection Program (STPP) is designed to help enterprise
    customers keep their Internet businesses secure (and keep Microsoft as
    their software provider).

    The announced program will be released in two phases. The first phase,
    Get Secure, includes online tools to check your system and install the
    necessary patches. The second phase, Stay Secure, will include a
    commitment from Microsoft to ship the next version of IIS in lockdown
    mode with a tool to help users customize the product to their specific
    needs. Microsoft will also provide comprehensive security roll-up
    packages via Windows Update, and these are rumored to be available
    bi-monthly starting in February 2002.

    THE GET SECURE PHASE, available now, is quite an ambitious first step.
    There's a telephone number, 1-866-727-2338 (listed on the Web site as
    1-866-PCSAFETY) for free answers to virus-related problems. When I
    tried the number, I sat on hold for several minutes before being
    disconnected. Subsequent redials proved no better. Presumably, had
    this been a real virus emergency, I would have been able to speak to
    someone at Microsoft without going through their usual technical
    support fee-based access hassles.

    * In addition to the announced free phone support, Microsoft's
      Security Tool Kit has been revamped. Various online tools (which
      require Internet Explorer) are now available for scanning and
      downloading updates to your software. The updates are also available
      as a free CD, which is ideal for small and medium-size companies
      that need to patch several desktop systems. 
    * For Windows NT workstations and 2000 Professional desktop users,
      there's Microsoft Personal Security Advisor (MPSA). This online tool
      analyzes your system and informs you whether the passwords you are
      using are safe, or if the latest patches have been installed on your
      machine. BugNet recently reviewed this tool in greater detail. 
    * For Windows NT and 2000 Web server users, HFNetChk is a command-line
      tool that compares the patch status of all the machines in a network
      with an XML database updated by Microsoft. HFNetChk will scan for
      patches available for Internet Information Server 4.0 and 5.0, SQL
      Server 7.0 and 2000 (including Microsoft Data Engine), and Internet
      Explorer 5.01 and later. 
    * Other tools available include the IIS 4.0/5.0 lockdown tool,
      designed to configure Internet Information Servers 4.0 and 5.0
      against Web server attacks such as Code Red and Nimda, and the
      URLScan Security Tool which helps ensure that IIS servers respond
      only to valid requests based on rules set by the administrator.
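    The URLScan item above describes a server that answers only requests matching rules an administrator wrote. The following Python script is an added example of that idea (not Microsoft's code, and the rule values, the request lines and the reason strings are all constructed): an allow list of verbs, a deny list of extensions, a set of path sequences refused after one round of percent-decoding, and a length limit, applied to sample request lines.

```python
"""Request filtering in the style the column attributes to URLScan: the server
answers only requests that satisfy administrator-defined rules.
Added example, not Microsoft's code; every rule value below is constructed."""
import os
from urllib.parse import unquote

# Constructed rule set. URLScan keeps its real rules in an .ini file; this
# dict only models the kinds of decision an administrator makes.
RULES = {
    "allow_verbs": {"GET", "HEAD", "POST"},            # everything else is refused
    "deny_extensions": {".ida", ".idq", ".exe", ".bat", ".cmd"},
    "deny_sequences": ["..", "./", "\\", ":", "%"],   # checked after one decode
    "max_url_length": 260,
    "allow_high_bit_characters": False,
}


def filter_request(method, raw_url, rules=RULES):
    """Decide whether one request may reach the web application.

    Returns (allowed, reason). The URL is percent-decoded exactly once before
    the sequence checks, so an encoded '..' is judged as '..' and a
    double-encoded one still shows up as a literal '%' and is refused.
    """
    if method.upper() not in rules["allow_verbs"]:
        return False, f"verb {method!r} is not allowed"
    if len(raw_url) > rules["max_url_length"]:
        return False, "URL is longer than max_url_length"
    decoded = unquote(raw_url)
    if not rules["allow_high_bit_characters"] and any(ord(c) > 127 for c in decoded):
        return False, "high-bit character in URL"
    path = decoded.split("?", 1)[0]   # rules apply to the path, not the query
    for seq in rules["deny_sequences"]:
        if seq in path:
            return False, f"denied sequence {seq!r} in path"
    ext = os.path.splitext(path)[1].lower()
    if ext in rules["deny_extensions"]:
        return False, f"extension {ext!r} is denied"
    return True, "ok"


def filter_request_lines(lines, rules=RULES):
    """Apply the filter to raw HTTP request lines such as 'GET /x HTTP/1.0'."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            results.append((line, False, "malformed request line"))
            continue
        allowed, reason = filter_request(parts[0], parts[1], rules)
        results.append((line, allowed, reason))
    return results


# Constructed request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "POST /cgi/order.asp HTTP/1.1",
    "TRACE / HTTP/1.0",
    "GET /default.ida?NNNN HTTP/1.0",
    "GET /scripts/..%2f..%2fprivate.txt HTTP/1.0",
    "GET /docs/%252e%252e/report.htm HTTP/1.0",
    "GET /" + "A" * 300 + " HTTP/1.0",
    "garbage",
]

if __name__ == "__main__":
    for line, allowed, reason in filter_request_lines(SAMPLE_REQUESTS):
        print(("ALLOW " if allowed else "DENY  ") + reason + "   <- " + line[:60])
```

    The order of the checks matters: the verb and length tests run on the raw request, the sequence tests run on the decoded path, and the extension test runs last so that a traversal attempt is reported as a traversal rather than as a bad extension. Decoding only once is deliberate; decoding again would let a doubly encoded sequence slip through.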

    BUT WAIT, THERE'S MORE. Poking around the TechNet Web site, there's a
    guide for configuring enterprise security policies. There's also
    Qchain, a tool that allows users of Windows XP, 2000, and NT to chain
    fixes together for one reboot.
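    HFNetChk, described in the tool list above, and Qchain here both turn on knowing which hotfixes a machine has and which it lacks. The following Python script is an added example of the comparison HFNetChk is described as performing (not Microsoft's tool or data): a small XML patch database is checked against a per-machine inventory of installed products and Q numbers, and machines whose products the database does not cover are reported rather than silently passed. The XML, the inventory, the bulletin ids and the Q numbers are all constructed placeholders.

```python
"""Network-wide patch status check in the style the column describes for
HFNetChk: an XML database of available patches compared against what each
machine has installed. Added example, not Microsoft's tool or data: the XML,
the machine inventory and every bulletin/Q number below are constructed."""
import xml.etree.ElementTree as ET

# Constructed patch database. A real one would carry Microsoft's bulletin ids
# and Q numbers; these are placeholders.
PATCH_DB_XML = """<?xml version="1.0"?>
<patchdb updated="2001-10-10">
  <product name="IIS" version="5.0">
    <patch bulletin="MS-EXAMPLE-001" qnumber="Q000001" severity="critical"/>
    <patch bulletin="MS-EXAMPLE-002" qnumber="Q000002" severity="critical"/>
  </product>
  <product name="IIS" version="4.0">
    <patch bulletin="MS-EXAMPLE-003" qnumber="Q000003" severity="important"/>
  </product>
  <product name="IE" version="5.5">
    <patch bulletin="MS-EXAMPLE-004" qnumber="Q000004" severity="moderate"/>
  </product>
</patchdb>
"""

# Constructed inventory. HFNetChk gathers this from each host; here it is a
# dict of machine -> (installed products, installed Q numbers).
INVENTORY = {
    "web01": {"products": {("IIS", "5.0"), ("IE", "5.5")},
              "hotfixes": {"Q000001", "Q000004"}},
    "web02": {"products": {("IIS", "4.0")}, "hotfixes": set()},
    "ws01":  {"products": {("IE", "5.5")}, "hotfixes": {"Q000004"}},
    "db01":  {"products": {("SQL", "7.0")}, "hotfixes": set()},
}


def load_patch_db(xml_text):
    """Parse the XML into {(product, version): [patch attribute dicts]}."""
    root = ET.fromstring(xml_text)
    db = {}
    for prod in root.findall("product"):
        key = (prod.get("name"), prod.get("version"))
        db[key] = [dict(p.attrib) for p in prod.findall("patch")]
    return db


def missing_patches(db, inventory):
    """Return {machine: [missing patch records]} for every machine.

    A patch counts as missing when its product/version is installed on the
    machine and its Q number is absent from the machine's hotfix list.
    """
    report = {}
    for machine, facts in inventory.items():
        missing = []
        for product in sorted(facts["products"]):
            for patch in db.get(product, []):
                if patch["qnumber"] not in facts["hotfixes"]:
                    missing.append({"product": "%s %s" % product, **patch})
        report[machine] = missing
    return report


def unknown_products(db, inventory):
    """Products installed somewhere that the database has no entry for, so a
    clean result for that machine is not mistaken for coverage."""
    return {m: sorted(p for p in f["products"] if p not in db)
            for m, f in inventory.items()
            if any(p not in db for p in f["products"])}


def format_report(report):
    lines = []
    for machine in sorted(report):
        if not report[machine]:
            lines.append(f"{machine}: all known patches installed")
            continue
        for p in report[machine]:
            lines.append(f"{machine}: MISSING {p['bulletin']} ({p['qnumber']}) "
                         f"for {p['product']} [{p['severity']}]")
    return lines


if __name__ == "__main__":
    db = load_patch_db(PATCH_DB_XML)
    print("\n".join(format_report(missing_patches(db, INVENTORY))))
    for machine, products in unknown_products(db, INVENTORY).items():
        print(f"{machine}: not covered by the database: {products}")
```

    The constructed database deliberately omits SQL Server, which the column says the real HFNetChk does cover, so that db01 exercises the "not covered" path: a scanner that reports nothing for a product it has never heard of is easy to misread as a clean bill of health.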

    All this attention to fixing the problems that currently exist is
    commendable. But what I'm waiting for is Microsoft's announced Phase
    Two commitment to securing its own programs. The Secure Windows
    Initiative (SWI), announced at the April 2001 RSA conference, includes
    aggressive steps to eliminate buffer overruns in the next version of
    IIS, as well as to improve Microsoft's own development processes.
    When that happens, then I'll really start to sing Microsoft's praises.

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Oct 10 2001 - 02:16:09 PDT