nCircle.com >> 360 Security


Why Microsoft has the right approach to security

I don't want to play the contrarian, but given a recent post, I think some balance is in order. Let me start off with a disclaimer: Microsoft is not perfect. In fact, I'm not a big fan. Of the 4 boxes I have within 5 feet of me right now, 1 of them is Windows.

On the other hand, of the millions of computers in the world, a very large (and somewhat unknown) number of them run Windows. They're not just Windows XP, or even 2000, but many Windows 98 and the fabulously frustrating Windows ME. When looking at Microsoft's security strategy and progress, one must account for this context. They have the biggest market share in many markets, and they are a for-profit business. Part of the reason that MS products continue to be where serious security incidents materialize is that consumers continue to use them past an appropriate date. Part of the reason that MS takes so much of the blame is that they make so many products. Finally, they can't undo history. Hence the introduction of automatic updates: consumers can now set their system to update itself when updates are available. My FreeBSD box could do this, but only with significant work on my part to set it up. Then again, I don't want it being updated automatically...too many things break in the process.

There are other actions that MS has taken to improve security:

- Internal Security Focus

OK, we can't see this one externally, except in the results. That's probably an argument for open source. What's more, the data about reported vulnerabilities in products is hard to get and even harder to validate.

- MS Anti-Spyware Product

It's a free tool. In order to give it away, they have to understand at some level the effect that spyware can have on their business overall.

- Malicious Software Removal Tool

This is another free tool that MS has put out there to help customers keep their PCs secure.

- WSUS

For the enterprise, MS has improved the way that software updates are managed. Helping customers deploy patches is critical to preventing worm outbreaks.

I'm sure there's more to be said about how MS has improved the security of their products. Moreover, I'm quite sure that MS still has serious problems. They have tried, and continue to try, to find the right balance between usability and security because, of course, if the security functions aren't usable, then no one will use them. If the product isn't usable, then they go out of business.

Comments (5)

storms:

I gotta agree, Mr. Terlin. Nobody is perfect, but at least MS provides the tools. As an adjunct point, I recently wrote about software distribution methodologies in the ISC2 Jan/Feb issue. At least MS provides hierarchical trust and authentication on their patch distribution website and tools. Also note that their patches and drivers are signed. Cisco is still only offering FTP download of images. Are those images signed? If it is signed, can your router check the X.509 cert on said image?

terlin:

Hey look, a whole blog about running Windows as a non-admin user: http://nonadmin.editme.com/

Byron Sonne:

Why aren't some of these default settings? Why hasn't Microsoft started an end-user education campaign to drive these points home to users?

terlin:

Some of them are. XP SP2 turns on the firewall by default. XP now warns users about their security posture, harassing them endlessly about installing anti-virus, automatic updates, and the status of their firewall.

Byron Sonne:

Caught this link off slashdot, and if it actually comes to fruition and works, I may have to be eating some crow: http://www.extremetech.com/article2/0,1697,1931914,00.asp


About

This page contains a single entry from the blog posted on February 27, 2006 10:36 AM.

The previous post in this blog was Why Microsoft's Security Initiative is a joke.

The next post in this blog is SCADAGard SIG To Be Established.
