Security in Microsoft Products with Mike Nash
Published: April 16, 2004
Please note: Portions of this transcript have been edited for clarity
Introduction
Host: Mike Nash (Microsoft)
Good morning (or afternoon or evening depending on where you are) and welcome to the monthly security chat.
Host: Mike Nash (Microsoft)
My name is Mike Nash and I am the corporate vice president of the Security Business & Technology Unit (SBTU) here at Microsoft.
Host: Mike Nash (Microsoft)
In today's chat, please feel free to ask any question you have about computer security, security of Microsoft products or Microsoft security technology.
Host: Mike Nash (Microsoft)
I am joined today by a crack team of security experts here at the Microsoft campus in Redmond in case you have questions that require their help.
Host: Mike Nash (Microsoft)
One question for all of you: How many of you have been to one of our security summits?
Start of Chat
Host: Mike Nash (Microsoft)
Q: AlunJones_MVP: How does Rich Kaplan's latest move fit him in around you and the rest of the team?
A: Great question Alun. Rich is joining my team (effective May 1) and will be responsible for all of our customer outreach and marketing.
Host: Mike Nash (Microsoft)
Q: nw_xStainDx: I am currently using Windows XP SP2 RC1. Am I protected from the April Security Bulletins?
A: Great question! Yes, RC1 includes all of the fixes that were in the bulletins this month.
Host: Mike Nash (Microsoft)
Q: Bitz: Joe Wilcox of Jupiter/Microsoft Monitor has a piece about how the consolidation of all these security issues in one bulletin is "Security by PR", what's your take on Tuesday's security bulletins?
A: Hey Bitz...great question. I actually hadn't seen Joe's piece, but people have asked us about this. There are really two key things here. 1) We really wanted to focus on quality of these updates. One of the issues we face is that as we look at various patches, we have the need to test all of the combinations. By moving things into a single patch, we have the ability to have more in-depth testing, to deliver a higher quality set of updates. 2) The second issue is that many customers told us that they wanted a smaller number of patches to reduce the number of times that people need to touch their machines. There is no intent to do anything funny with the numbers. We are pretty clear on the number of issues fixed in each bulletin. Our focus here is helping people to have an easier time with the process of updating, so we are 100% focused on that.
Host: Mike Nash (Microsoft)
Q: nw|voodoo: A lot of noise has been made in the press (us included) about the new monthly update scheme & its impact on WU. Does MS have a way to alleviate fears about this?
A: Great question nw|voodoo. We have a pretty good system for running WU at scale. While it’s true that the load is more focused on one time frame, we are doing things to watch performance and add necessary bandwidth as necessary. This is a key part of our job to keep people safe and secure.
Host: Mike Nash (Microsoft)
Q: Christian_Hougardy_MVP: Mike, the Security Center in SP2 is great. I was told that we can't expect a version for win2000 ? Any reason why?
A: Great question Christian. It’s always hard to know what to do downlevel. Overall, the primary focus on security center is on consumers and small businesses. These customers tend to use Windows XP.
Host: Mike Nash (Microsoft)
Q: elJames: It’s ready de Win XP SP2 in Spanish?
A: When XP SP2 ships, it will be available in Spanish.
Host: Mike Nash (Microsoft)
Q: merkafon : Mike, tell me what’s your opinion about the ISA server product?
A: Great question merkafon. ISA Server is a great product that really goes a long way to helping customers protect their infrastructure from malicious attack. In addition to providing L4 firewall support, it also does application level filtering. There is a new version in beta test called ISA Server 2004. This new version supports more complex networks, better management and some quarantine functionality.
Host: Mike Nash (Microsoft)
Q: delly_jm : What are the security implications we should expect after the signing of the SUN Microsoft agreement?
A: Great question delly. To me, the biggest issue that has been resolved is our ability to support customers using the Java Virtual Machine. Prior to the agreement, it was not clear how we would deal with a situation where we had a report of a security issue in the JVM since it wasn't clear what our rights to service it would be. Good news is that now we have the ability to help our customers which is key.
Host: Mike Nash (Microsoft)
Q: nw|voodoo: MS recently introduced more friendly bulletins & alerts for end users, does MS plan to expand this idea more?
A: Great question nw|voodoo. The bulletin story is interesting. About a year ago, we had some people telling us that our bulletins were too detailed and others saying that they were not detailed enough. We decided to have TWO bulletins per update: One for consumers, one for technical people. The result is that you can get the bulletin that is right for you. We have also begun more work to help consumers be safer and more secure. These include the new security site www.microsoft.com/security as well as the new protect your PC at www.microsoft.com/protect.
Host: Mike Nash (Microsoft)
Q: AlunJones_MVP: After the Sun/MS agreement, will we see a return of the Microsoft JVM [Java Virtual Machine] to Internet Explorer?
A: There is no plan to put the JVM into IE.
Host: Mike Nash (Microsoft)
Q: Kemistry : Is it possible to deploy XP SP2 with Windows Firewall turned off?
A: You can turn the firewall in XP SP2 off if you want. You can do this locally (if you are an admin) or via policy using Group Policy and Active Directory.
Host: Mike Nash (Microsoft)
Q: AndrewC_MVP: While the 'Security Updates CD' was a fantastic idea, it was six months out of date when it was released, and is getting more stale as time passes. Are there any plans to release a new .ISO image of the disc on a monthly basis as new pat
A: Great feedback. We are looking into how to do this.
Host: Mike Nash (Microsoft)
Q: BAW: When SP2 is released will users be able to run both the built-in windows firewall alongside other software firewalls such as Norton/ZoneAlarm without any problem or conflict?
A: The goal is to support our firewall and a third party firewall at the same time.
Host: Mike Nash (Microsoft)
Q: AlunJones_MVP: I would to disagree that consumers and small businesses tend to use Windows XP. Several of my neighbors are still using Windows 98.
A: Great point Alun. We really need to encourage people who are using Windows 98 to go to the internet to think seriously about going to Windows XP.
Host: Mike Nash (Microsoft)
Q: JeffM: I've been making a request for over 2yrs for a feature add to the Security Bulletin database. A weekly transaction log. This should show a highlight of each change to any bulletin, what change was made, why, Bulletin number, impacted OS/app..qu
A: Great feedback and something we should look into.
Host: Mike Nash (Microsoft)
Q: nw|voodoo: MS has just announced its continued support for MSJVM, does this include security updates?
A: Yes. We will include security updates for the JVM.
Host: Mike Nash (Microsoft)
Q: Steve : There are conflicting rumors about Whidbey as it relates to security. Will Whidbey require .NET developers to make more use of Code Access Security to improve security, or will it be backwards compatible with .NET 1.0/1.1 apps that don't make use of CAS?
A: Great question Steve. Whidbey will absolutely be backwards compatible with .NET Framework 1.0/1.1 apps, and there will not be mandatory requirements to use CAS. However, we are investing in new CAS features that if used will allow you to write more secure apps.
Host: Mike Nash (Microsoft)
Q: dave_ncl: the security update cd is excellent, do you plan to update it frequently and why can’t we download it instead of having to send off for it?
A: Great question Dave. We are working on this.
Host: Mike Nash (Microsoft)
Q: LenS-MVP: I also disagree about XP popularity. One of the largest hospital conglomerates in Boston JUST migrated desktops from Win98 to Win2000Pro!
A: I hear you LenS. My point was about consumer machines. In the enterprise, customers are using Windows 2000. We strongly recommend that for laptop and remote systems, that those systems be on Windows XP (ideally SP2 when it ships).
Host: Mike Nash (Microsoft)
Q: Jason: Will it be possible for user of XP on their laptop have the firewall on at home but as soon as they connect to the corp network a GPO disables it ?
A: Great question. You can do exactly that. You can have one profile for when you are on the corp net and one for when you are at home...and it’s all managed with GPO.
Host: Mike Nash (Microsoft)
Q: Columbus_OH hopes that Mr. Nash will answer my question about S/MIME signing security bulletins - instead of, or in addition to PGP signing.
A: Great question. This is something we should look into. Good feedback.
Host: Mike Nash (Microsoft)
Q: Jason: the autoupdate for patches they install at scheduled times, would an option to install when the computer is idle be possible, instead of a set time ?
A: You can get detailed information about new Autoupdate features on SP2 at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2maint.mspx#XSLTsection123121120120. SP2 includes Background Intelligent Transfer Service (BITS), BITS 2.0, which is designed to improve bandwidth efficiency. This means that, when Automatic Updates connects to the Windows Update site or a server running Windows Update Services, it has to transfer less data, and transfers it faster. This minimizes the impact Automatic Updates might have on your Internet connection or corporate network. BITS improvements include the following: BITS 2.0 can be configured to download updates during a specified time, such as periods of less network use. BITS 2.0 can be configured to use only a specific portion of available network bandwidth. BITS 2.0 is optimized to download only the portions of files that have changed. For example, if only one byte changed in an updated 1 megabyte (MB) file, BITS will transfer only a few bytes instead of transferring the entire 1 MB file. BITS 2.0 can recover from network failures. BITS can resume a file transfer if a network fails or a connection is lost during download. It will not restart the download, but instead will start from where it stopped.
Host: Mike Nash (Microsoft)
Q: Steve: Mike, MS makes a lot of noise about writing more secure code, but, I've yet to see any developer questions answered. Is this only for Operations people? Is Securing Coding just a media campaign?
A: We will answer any developer questions that you ask....ask away.
Host: Mike Nash (Microsoft)
There have been a lot of questions about AV. As you know we acquired an AV technology from GeCAD a few months ago. We are still working on our specific plans for this technology. When we have these more finalized we will be able to discuss this more.
Host: Mike Nash (Microsoft)
Q: Christian_Hougardy_MVP: Mike, you get used to that one. What about patching the pirated versions? Not to help pirates but to protect the infrastructure.
A: We hear this a lot Christian. We certainly understand the issue, but our policy is to support customers with licensed copies of Windows. Customers who pirate Windows do have the option of using the download center to get patches.
Host: Mike Nash (Microsoft)
Q: Jason : My only problem with XP updates is that this current service pack should be SP3 and last year we should have had SP2 and it should have consisted of all the current fixes only (as of last year).
A: The point is that we want to make fixes available when ready. This is why Windows Update is so important.
Host: Mike Nash (Microsoft)
Q: Scott: Any projection on XPSP2 and WUS availability? Test going good?
A: XPSP2 testing is going well. We are still targeting first half of 2004. WUS is on track to ship this year.
Host: Mike Nash (Microsoft)
First I want to thank you all for the great questions today. We got many more questions this month than in the past, so I apologize for not being able to answer them all.
Host: Mike Nash (Microsoft)
I have some questions for you.
Host: Mike Nash (Microsoft)
Question from Mike: How many of you are running SP2 in beta test? What is your feedback?
Response from Customers:
1.) I have SP2 loaded here. A couple of issues that I think are related to RPC/DCOM security changes.
2.) I am in the Beta Test Team also, as an XP MVP, I have to :)
3.) I am in XP SP2 Beta Test Team
4.) just installed today on a vpc :)
5.) 2 machines running. one RC1, second - 2055 (I need multiple Remote Connections :))
6.) Feedback: You need to address UPnP IGD Discovery and Control Client compatibility with current UPnP IGDs
7.) quite stable, no issues
8.) yep sp2 here, was shaky with b1 but has improved since rc.
9.) I used it but I went back to SP1, it made my hard disk make weird noises and eventually wouldn't boot, formatting back to SP1 it's all fine, any ideas? It was a clean install of SP2.
10.) I abandoned testing SP2 when it left me wide open to security problems some months ago (couldn't patch real problems since WU claimed I was "up to date")!
11.) Nash. I'd like to see Symantec get their Products working with NAV2004 its still has issues with security center :S
12.) Feedback: Since SP2 has the (over a year ago announced) Windows File System Filter Manager and APIs, perhaps you should disclose what modules use them
13.) feedback: sp2 is working awesome - I have yet to see a security popup saying an app is trying to access the internet though...
14.) I'd like to hope that Microsoft is pressing all the hi level security firms to get their products working with SP2 before it ships.
15.) SP2 FEEDBACK : Blocked external content bar in outlook express should have the same appearance as the Internet Explorer Information Bar.
16.) Mike, I'm running XPSP2 at home. I love the security features and have found no problems with it at all so far. :-)
17.) Feedback: Why has it taken over a year to get the Windows File System Filter Manager and APIs into Windows XP?
18.) I thought my hard disk was dying, but formatting with SP1 it's working fine, it was making click noises but not any more
19.) Q: Part of SP2 testing could be to DL/install REAL security patches so we stay secure while testing?
20.) Running SP2 on VM because my pc has a French version of xp. work fine
21.) Feedback: If you want people to TEST the new Windows File System Filter Manager/APIs, perhaps you should release/disclose some code/modules that use it?
22.) feedback - Trend Micro's recent a/v beta worked best across the board with sp2 imho
23.) SP2 rocks.
Host: Mike Nash (Microsoft)
Question from Mike: How many of you have been to a security summit or signed up for one in the future?
Response from Customers:
1.) Never been to a summit, or signed up.
2.) I haven't but people I work with have (local government)
3.) Bring a security summit to Austin, and I'll go. I can't get babysitting to allow me to get to Dallas.
4.) Security Summits in the UK please!!
5.) mike: if you call Winhec & teched a summit i do ;)
6.) Mike: waiting for a Security Summit in South Africa :) I went to the Cisco Security Tour BTW :) that's all I had :(
7.) Microsoft seems to be ignoring those who live on Long Island for events.. I'm disappointed.
8.) I become the invitation today and will go on 5th of May in Lausanne - Switzerland
9.) A: Signed up for Security Summit 6/2 Boston. Monday attended all day hands-on Security Workshop. GOOD stuff thx to MS!
10.) Answer: I'd go to a security summit, IF you announced the MS AV product and gave me a copy to test
Host: Mike Nash (Microsoft)
OK. Great feedback all. Again thanks for taking the time to ask so many great questions. See you all next month for my next security chat on May 13 from 9-10 AM Pacific time.
Host: Mike Nash (Microsoft)
Talk to you all then.