Information Security News mailing list archives

Microsoft Braces for Windows Attacks


From: InfoSec News <isn () c4i org>
Date: Tue, 29 Apr 2003 02:24:53 -0500 (CDT)

http://www.eweek.com/article2/0,3959,1046726,00.asp

By Dennis Fisher
April 28, 2003 

Now that the long-awaited next version of Windows is in customers'
hands, officials at Microsoft Corp. are bracing themselves for what
they know is coming: vulnerability reports, bug alerts and all manner
of other security-related issues. These problems are as inevitable as
the sunrise, but Microsoft security personnel believe Windows Server
2003 is the most secure and reliable operating system the company has
ever produced.

The final verdict on that belief is years away, but the early returns
should be back within a matter of months thanks to an eager crowd of
crackers salivating at the prospect of poking and prodding the new
operating system.

The game is on.

"I am feeling pretty good about it," said Steve Lipner, director of
security assurance at the Microsoft Security Response Center in
Redmond, Wash. "This is the culmination of a lot of security work that
we all did. Personally, this is the product that I worked most closely
on because of the security push. There's a lot of enthusiasm in the
company around this and a lot of it's due to the security aspect of
it."

Just as the crackers will be in their glory over the next weeks and
months looking for holes and weaknesses, the internal and external
penetration testing teams at Microsoft will continue to attack Windows
Server 2003, hoping to beat the bad guys to the punch.

"We have people who continue to look at it and do that internally,"  
Lipner said. "And if there's a vulnerability found in Windows 2000 or
XP, we look at [Windows Server 2003] and see if it's vulnerable."

But, regardless of how much work and planning Microsoft has put into
the security and testing of the product, nothing can replace the
experience of actually deploying it in a production environment and
seeing what happens. Configurations rarely conform to neat and tidy
templates, and the security of one application can directly affect
that of many others in the environment. To help customers address
these issues, Microsoft last week published the "Windows 2003 Security
Guide," a huge manual that concentrates on secure configurations and
common threats and countermeasures.

"We're sure it's not a perfect product, but we're happy with what
we've done so far," Lipner said. "Usage and deployment will tell the
story. The ultimate test of security assurance is the vulnerability
report experience."


