[ISN] Microsoft Braces for Windows Attacks

From: InfoSec News (isnat_private)
Date: Tue Apr 29 2003 - 00:24:53 PDT

    http://www.eweek.com/article2/0,3959,1046726,00.asp
    
    By Dennis Fisher
    April 28, 2003 
    
    Now that the long-awaited next version of Windows is in customers'
    hands, officials at Microsoft Corp. are bracing themselves for what
    they know is coming: vulnerability reports, bug alerts and all manner
    of other security-related issues. These problems are as inevitable as
    the sunrise, but Microsoft security personnel believe Windows Server
    2003 is the most secure and reliable operating system the company has
    ever produced.
    
    The final verdict on that belief is years away, but the early returns
    should be back within a matter of months thanks to an eager crowd of
    crackers salivating at the prospect of poking and prodding the new
    operating system.
    
    The game is on.
    
    "I am feeling pretty good about it," said Steve Lipner, director of
    security assurance at the Microsoft Security Response Center in
    Redmond, Wash. "This is the culmination of a lot of security work that
    we all did. Personally, this is the product that I worked most closely
    on because of the security push. There's a lot of enthusiasm in the
    company around this and a lot of it's due to the security aspect of
    it."
    
    Just as the crackers will be in their glory over the next weeks and
    months looking for holes and weaknesses, the internal and external
    penetration testing teams at Microsoft will continue to attack Windows
    Server 2003, hoping to beat the bad guys to the punch.
    
    "We have people who continue to look at it and do that internally,"  
    Lipner said. "And if there's a vulnerability found in Windows 2000 or
    XP, we look at [Windows Server 2003] and see if it's vulnerable."
    
    But, regardless of how much work and planning Microsoft has put into
    the security and testing of the product, nothing can replace the
    experience of actually deploying it in a production environment and
    seeing what happens. Configurations rarely conform to neat and tidy
    templates, and the security of one application can directly affect
    that of many others in the environment. To help customers address
    these issues, Microsoft last week published the "Windows 2003 Security
    Guide," a huge manual that concentrates on secure configurations and
    common threats and countermeasures.
    
    "We're sure it's not a perfect product, but we're happy with what
    we've done so far," Lipner said. "Usage and deployment will tell the
    story. The ultimate test of security assurance is the vulnerability
    report experience."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


