Microsoft Hits, Misses on Security Releases

TORONTO — For those who like their bad news first, Microsoft said it plans to release its Network Access Protection patch management tools in 2005 instead of this year.

During Microsoft’s Worldwide Partner Conference here, Mike Nash, Microsoft corporate vice president for security business and technology, outlined Microsoft’s Network Access Protection (NAP) technology strategy and announced the general availability of Microsoft Internet Security and Acceleration (ISA) Server 2004.

He also said the set of APIs, which allow Windows Server 2003 and third-party software applications (whether they're from anti-virus, patch management or other types of network security companies) to communicate with each other, will be available in the next release of the server software, codenamed "R2," in 2005. They were expected this year.

The update service has been getting a real workout in terms of the number of users connecting every day. In the past 10 months, the company has logged about 400 percent growth in the use of Windows Automatic Update.

The delay in the patch management services followed news that Microsoft's Windows XP Service Pack 2 (SP2) would be delayed until August.

SP2 is seen as a major security overhaul of Windows XP, both for its operating system and its Internet Explorer (IE) Web browser, which has been hit with a string of attacks in recent months.

During his remarks here, Nash spoke candidly about his security mission, drawing on his personal experiences. Nash showed a video of a conversation he had with his 90-year-old grandmother about why her new PC was running slower than usual.

Nash’s grandmother had not installed any Windows patches, wasn’t updating anti-virus definitions and had no malware scanning capacity. Nash’s theme: to provide ubiquitous and pervasive security for Microsoft users, so they don’t have to do it themselves, which, at least in Nash’s grandmother’s case, wasn’t going to happen.

Nash said NAP technology provides for network policy validation, network restriction and network policy compliance. It's essentially a framework that allows vendors to detect the 'health state' of PCs and workstations connecting to a server. Once identified, the individual machines can be quarantined from the rest of the network until they're patched.

According to Nash, more than 25 industry partners are on board to support the technology initiative. One of them, Dwain Kinghorn, CTO of patch management vendor Altiris, said, “Microsoft is doing a good job in terms of working with the ISV community to give them a heads up and allow them to critique and participate in the definition of some APIs. In the Windows-only space, this has validity and will extend and enhance the base Microsoft capabilities.”

ISA Server 2004, on the other hand, is an application-layer firewall, VPN and Web caching solution that out of the gate is supported by 10 companies including Cloudmark, FilterLogix, Forum Systems, GFI Software, McAfee, Panda Software, Rainfinity, RSA Security, SurfControl and WebSpy.

“Our customers have asked us to work together to make it easier for them to protect their networks against malicious attacks,” Nash said. “Although we’ve seen progress in addressing some of our top customer concerns, we remain focused on the evolving security challenges and are committed to working with industry partners to improve the security of PCs and networks around the world.”

(Jim Wagner contributed to this article.)
