Devenuti recounted those two comments as among those he's encountered most frequently as he talks to customers about how to improve security.
As part of its effort to be more prescriptive, Microsoft has staged a series of "summits" around the country seeking to advise customers on how to implement greater security in the Microsoft portion of the enterprise infrastructure. Devenuti made the last stop of the tour on Tuesday in San Francisco, where he advised several hundred customers at the Moscone Center that they would gain a stronger perimeter if they standardize on Windows Server 2003 for their Web servers, mail servers, and other gateways into the company. During its first 12 months, Windows Server 2003 had only 13 Security Bulletins issued on problems with the operating system, compared with 43 in the first 12 months of Windows 2000, he said.
Earlier this month, Devenuti noted, Microsoft upgraded its Windows XP client operating system by issuing Service Pack 2 with an improved Windows Firewall, which had previously been shut off by default. Such was the case even inside Microsoft, and Devenuti said he and other employees questioned why the firewall was shut off as the Blaster worm spread through companies in 2003. If the firewall had been easier to activate, Blaster would have encountered more barriers to its spread.
Service Pack 2 for Windows XP includes a Security Center that quickly tells the user whether the firewall is off or on and gives the user the means to turn on desired features. It also provides an attachment manager that protects against potentially malicious E-mail, and it adds to Internet Explorer a blocker for pop-ups and other downloaded code.
Overall, the service pack reduces the number of features turned on by default in Windows XP, leaving them off unless the user decides they are needed. The adjustment means the operating system now ships "following the idea of least privilege. The surface for attack has been made as small as possible," because viruses, worms, and other exploits often find a way into a system through little-used but open features, Devenuti said.
In the meantime, Microsoft is working on additional security features for Windows, but customers will have to wait until 2007 for the Longhorn version of Windows to appear. One such feature is "behavior blocking," a self-monitoring capability in Windows that can tell when the machine is being used outside its normal range of patterns.
"We know using Notepad to send E-mail to everybody in the address book is not normal. Block it. The machine will remain infected but it won't have a chance to infect everyone else's," noted Devenuti.
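The "behavior blocking" idea in Devenuti's Notepad example can be expressed as a small detection rule: keep a per-process baseline of expected network use, and refuse anything outside it, including the fan-out pattern of one process mailing many destinations in a short window. The following is an added illustration written for this page; it is not Microsoft's Longhorn implementation, and the baseline table, the thresholds, the `NetEvent` record shape and the sample events are all constructed assumptions.

```python
"""Toy behaviour-blocking rule over constructed process network events.

Added example, not Microsoft's code. Assumes a per-process baseline of
expected outbound ports (None = the process should never use the network)
and a fan-out threshold for mass-mailing behaviour; all values constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

MAIL_PORTS = {25, 465, 587}

# Constructed baseline: image name -> allowed destination ports.
# None means the process is not expected to open outbound connections at all.
BASELINE = {
    "outlook.exe": {25, 587, 993, 443},
    "iexplore.exe": {80, 443},
    "notepad.exe": None,
    "calc.exe": None,
}

# Distinct mail-port destinations from one process inside WINDOW_SECONDS
# before we treat it as mass mailing (constructed threshold).
FANOUT_LIMIT = 5
WINDOW_SECONDS = 60


@dataclass(frozen=True)
class NetEvent:
    ts: int          # seconds since an arbitrary epoch (constructed)
    process: str     # lower-cased image name
    dst_ip: str
    dst_port: int


def evaluate(events):
    """Return one (decision, process, reason) tuple per event, in order.

    decision is "block" when the event falls outside the baseline or
    completes a mail fan-out pattern, otherwise "allow". Events are
    assumed to be sorted by timestamp.
    """
    decisions = []
    recent_mail = defaultdict(list)  # process -> [(ts, dst_ip)] on mail ports
    for ev in events:
        if ev.process not in BASELINE:
            reason = "process not in baseline"
        elif BASELINE[ev.process] is None:
            reason = "process not expected to use the network"
        elif ev.dst_port not in BASELINE[ev.process]:
            reason = f"port {ev.dst_port} not in baseline"
        else:
            reason = None

        if reason is None and ev.dst_port in MAIL_PORTS:
            hist = recent_mail[ev.process]
            hist.append((ev.ts, ev.dst_ip))
            # Drop entries that have aged out of the sliding window.
            hist[:] = [(t, ip) for t, ip in hist if ev.ts - t <= WINDOW_SECONDS]
            distinct = {ip for _, ip in hist}
            if len(distinct) >= FANOUT_LIMIT:
                reason = f"mail fan-out: {len(distinct)} destinations in {WINDOW_SECONDS}s"

        decisions.append(("block" if reason else "allow", ev.process, reason or "within baseline"))
    return decisions


def blocked_processes(events):
    """Distinct processes that received at least one block, in first-seen order."""
    seen = []
    for decision, process, _ in evaluate(events):
        if decision == "block" and process not in seen:
            seen.append(process)
    return seen


# Constructed sample events: the article's Notepad case plus a few controls.
SAMPLE_EVENTS = [
    NetEvent(0, "outlook.exe", "10.0.0.5", 587),        # normal mail submission
    NetEvent(1, "iexplore.exe", "93.184.216.34", 443),  # normal browsing
    NetEvent(2, "notepad.exe", "198.51.100.7", 25),     # Notepad talking SMTP
    NetEvent(3, "iexplore.exe", "93.184.216.34", 8080), # port outside baseline
    NetEvent(4, "unknown.exe", "203.0.113.9", 443),     # no baseline at all
    NetEvent(20, "outlook.exe", "203.0.113.1", 25),
    NetEvent(21, "outlook.exe", "203.0.113.2", 25),
    NetEvent(22, "outlook.exe", "203.0.113.3", 25),
    NetEvent(23, "outlook.exe", "203.0.113.4", 25),     # 5th distinct mail host
]

if __name__ == "__main__":
    for decision, process, reason in evaluate(SAMPLE_EVENTS):
        print(f"{decision:5} {process:13} {reason}")
```

The rule blocks the Notepad connection outright because that image has no legitimate network use; the Outlook case shows why a baseline alone is not enough, since the mail client is allowed to speak SMTP but is still stopped once it fans out to five distinct mail hosts inside the window. A real implementation would learn the baseline from observed behaviour rather than hard-code it.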
Microsoft is in the process of simplifying its method for updating its software. "Right now, we have eight different flavors of updates. We're moving to only two, one for operating systems and one for applications," he said.
Microsoft will also seek to reduce the size of updates and build in a rollback capability, so that customers can install them more quickly and return to an earlier version if something goes awry. Many IT organizations hesitate to install security patches or updates without extensive testing against existing systems to make sure the additions won't disrupt their operations, Devenuti said, adding that "Customers have told me 'the medicine has got to be less painful than the disease.'"