Joshua Allen: The IIS Plan – This interview with Brian Valentine sums up the main action plan for addressing IIS concerns. The quote that sums up his attitude best is “When we look back in a few years, we will see this as one of the critical inflection points in our company's growth.”
Here are my notes, detailing the parts of the plan I found interesting:
Two initiatives for customers:
Get Secure:
All virus-related PSS calls for all customers (not just enterprise) are now free. 1-866-PC-SAFETY.
Regularly updated Security Toolkit will be distributed. Each will include all known patches and tools, and a one-click “make my system secure.” First toolkit mailed and web-distributed on October 15. As of tomorrow, the tools should be available to MS Employees to hand out to customers. All of the tools are fully supported, and are made to run on NT4, Windows 2000, and Windows XP. This is not a “resource kit” or a loose collection of unsupported tools. Localized versions come later, since getting tools available quickly is top priority.
Stay Secure:
Mid 2002 availability of federated Windows Update for enterprises. This lets enterprises run their own Windows Update service under their own control.
Feb 2002, provide a version of Windows Update that can be configured to accept and install updates with zero user intervention.
Make security bulletins simpler and integrated with update technology so an IT administrator can simply approve a security patch and have it automatically be pushed to the whole enterprise.
Security patches will now contain absolute minimum fix; no QFE, etc. stuff lumped in.
So the way I see it, we will be successful to the degree that we:
Assure that no customer ever again finds it difficult, confusing, or time-consuming to keep their system secure.
Improve security going out the door so that fewer patches are required (IMO, this wouldn't have made a difference in any of the recent worms, but is still a good goal for countering potential future threats). The goal here is to be the platform with fewest known vulnerabilities that need to be patched, using any metric you care to apply.
Be a lot more proactive in contacting, encouraging, and helping customers keep their systems secure.
And of course, huge progress in fighting worms could be made by getting the router vendors, OS vendors, and other infrastructure vendors to all work together, and hopefully that happens too. [Better Living Through Software]