Computerworld - Steve Lipner is the lead program manager of Windows security at Microsoft Corp. He's responsible for Microsoft's Security Response Center, and he's chief of the company's Secure Windows Initiative. Under his watch, Microsoft has begun a security review of its entire code base. Lipner spoke with Computerworld's Robert L. Mitchell about the Code Red worm, the state of the Windows code base and Microsoft's efforts to improve the security of its products.
What role does the Secure Windows Initiative play at Microsoft?
The Secure Windows Initiative is an effort to improve the security of all Microsoft products. It encompasses everything Microsoft ships. We attempt to improve security by improving processes, by providing training, by applying advanced tools and by improving the quality of our security testing.
Considering Code Red and the publicized vulnerability statistics of other viruses, Microsoft Web servers would seem to be more vulnerable to attack than other products.
In terms of perception, I think a lot of that is because we have a lot of systems out there and because when there's a vulnerability, we shout it from the rooftops. We knew that [Code Red] was a serious vulnerability from the day it was reported to us. When we had the patch ready for that, we went out not only to our customers, but also to the press to say this is a serious vulnerability. I think another factor is that because [Internet Information Server (IIS)] and Windows are so easy to use and because it's so easy to set up a Web server on IIS, people may, in some cases, do that without realizing that they have to worry about security, without realizing that there are security steps or security configurations that they have to apply.
IIS doesn't install securely out of the box. For a Web-facing product, why not default to a more secure install?
With products that install with defaults, you're always making a trade-off in terms of what features are available and how they're configured. That said, Internet Information Server 6 will walk you through a dialog that will ask what services you want. We expect that dialog will have the effect of getting the configuration right and secure for most users. We also make available on the Web the IIS Lockdown [security configuration] tool and checklists for securing Web servers.
Microsoft released a Code Red patch on June 18, yet a month later, the worm infected more than 250,000 systems. How could that happen?
The patch for Code Red was very likely the most heavily downloaded in our history. Why didn't more people install it? I think that it may be that people still don't subscribe to the Security Notification Service. They still don't go to [the] Windows Update [Web page\, http://windowsupdate.microsoft.com], and we want to get the word out that those services are there.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
