http://www.eweek.com/article2/0,3959,1046726,00.asp

By Dennis Fisher
April 28, 2003

Now that the long-awaited next version of Windows is in customers' hands, officials at Microsoft Corp. are bracing themselves for what they know is coming: vulnerability reports, bug alerts and all manner of other security-related issues.

These problems are as inevitable as the sunrise, but Microsoft security personnel believe Windows Server 2003 is the most secure and reliable operating system the company has ever produced. The final verdict on that belief is years away, but the early returns should be back within a matter of months thanks to an eager crowd of crackers salivating at the prospect of poking and prodding the new operating system.

The game is on.

"I am feeling pretty good about it," said Steve Lipner, director of security assurance at the Microsoft Security Response Center in Redmond, Wash. "This is the culmination of a lot of security work that we all did. Personally, this is the product that I worked most closely on because of the security push. There's a lot of enthusiasm in the company around this and a lot of it's due to the security aspect of it."

Just as the crackers will be in their glory over the next weeks and months looking for holes and weaknesses, the internal and external penetration testing teams at Microsoft will continue to attack Windows Server 2003, hoping to beat the bad guys to the punch.

"We have people who continue to look at it and do that internally," Lipner said. "And if there's a vulnerability found in Windows 2000 or XP, we look at [Windows Server 2003] and see if it's vulnerable."

But, regardless of how much work and planning Microsoft has put into the security and testing of the product, nothing can replace the experience of actually deploying it in a production environment and seeing what happens. Configurations rarely conform to neat and tidy templates, and the security of one application can directly affect that of many others in the environment.

To help customers address these issues, Microsoft last week published the "Windows 2003 Security Guide," a huge manual that concentrates on secure configurations and common threats and countermeasures.

"We're sure it's not a perfect product, but we're happy with what we've done so far," Lipner said. "Usage and deployment will tell the story. The ultimate test of security assurance is the vulnerability report experience."