Security in Microsoft Products, with Rich Kaplan, VP of the Microsoft Security Business & Technology Unit

Published: October 28, 2004

Please note: Portions of this transcript have been edited for clarity

Introduction

Jerry Bryant (Moderator):
Hello everyone and welcome to today’s chat. We have with us today Rich Kaplan, VP of the Microsoft Security Business & Technology Unit. Mike cannot be with us today as he is visiting with customers.

Jerry Bryant (Moderator):
If you would like to ask a question for our experts, please make sure to click the Question radio button so that we can find it.

Jerry Bryant (Moderator):
With that, let’s introduce Rich.

Rich Kaplan (Expert):
Welcome, I look after Product Management and Planning and work for Mike Nash.

Rich Kaplan (Expert):
Please submit your questions and I will do my best to answer.

Start of Chat

Rich Kaplan (Expert):
Q:
Can you explain the diff between the "Security Business Unit" and the MSRC? Are they one and the same? Diff? What role does SBU do? [sorry for the dumb question right off the bat]
A: MSRC is part of SBTU. It is the team that is responsible for responding to reports about security vulnerabilities and releasing the bulletins.

Rich Kaplan (Expert):
Q:
Did you install SP2 on your home computers? What do you recommend as a good response to users who tell others not to install SP2?
A: Absolutely, I installed SP2 on all my home computers and it gives you the strongest protection that you can have at home. It makes it easy for end users to understand the status of their updates, AV and firewall.

Rich Kaplan (Expert):
Q:
Speaking of Product Management... how's SUS 2.0 coming?
A: We are working on the next release of SUS. As Mike noted in July, we plan to release the next version of SUS, which will be called Windows Update Services, in 2005. We plan to move to beta of this within the next several months.

Rich Kaplan (Expert):
Q:
What tools does your team recommend to secure dozens/hundreds of Win2003 servers from a central point (same config)?
A: Active Directory with group policy. Along with our Windows Server 2003 hardening guide (online), we have also provided sample group policy objects that can be leveraged for your use and you can do that now. In service pack 1, we will be introducing a security configuration wizard that will help walk you through all of the considerations for different server roles, which will help make it even easier.

Rich Kaplan (Expert):
Q:
Is there a simple way to get non-domain machines to look at my SUS server for updates?
A: There’s a registry setting that you can use to do this; for more details go to http://www.microsoft.com/sus

Rich Kaplan (Expert):
Q:
I really like the MSDN and TechNet Security sites (please send my kudos to the teams), what is the SBUs role with these sites and do you coordinate what content customers need? How do you get the word out to folks who don't visit these sites?
A: We have a close working relationship with this team. In fact, in my previous role I managed the TechNet and MSDN teams. So as a result of that we have good cross-team collaboration, and based on feedback from you and others we use that to decide on features and ease of use.

Rich Kaplan (Expert):
Q:
Mike stated in previous chats that "Isolation and resiliency enhancing our OS so it can be in protected state even though vulnerability exists" was #1 item in the Microsoft Security Strategy. Can you please explain what Microsoft is doing in this area?
A: Isolation and resiliency are absolutely some of the most important things we are doing for security. A great example of this is the work done in XP SP2 – enhancing and enabling the firewall by default, refactoring services to run at lower privilege that are on the network like DCOM and RPC, and supporting HW with No Execute functionality. You’ll see more of this kind of work in Windows Server 2003 SP1.

Rich Kaplan (Expert):
Q:
Are you guys coming out with an anti-virus add-on to Windows? And if so, when will consumer subscriptions become an option?
A: As we stated when we acquired the assets of GeCAD last year, Microsoft plans to offer complete AV solutions in the future, including engines and signatures. Our plan is to make our AV solution be part of pay-for products and services, but we are not prepared to announce specific products, services, packaging or pricing at this time.

Rich Kaplan (Expert):
Q:
When MS moved to the monthly updates - it was stated that Critical updates would be brought out immediately - without waiting for the second Tuesday. Recent batch has more than a few Criticals in it. Why did MS wait???
A: We moved to monthly bulletins based on feedback from our customers. This gives an opportunity to IT depts to better plan their deployment. We have also said that if a vulnerability poses an immediate threat to our customers that we will ship outside of the monthly cycle assuming we can reach the appropriate level of quality.

Rich Kaplan (Expert):
Q:
A couple of years ago, there was talk of an application/service by Microsoft to centralize Windows Security Event logs in order to support aggregated review of event log data by a system administrator. Has that project been overtaken by MOM?
A: This technology is called Audit Collection Services. ACS is a security event collection tool. The plan is for ACS to collect security events in a secure (mutually authenticated and encrypted) manner and load the events into a database in a way optimized for analysis. ACS is being designed to support applications that perform real-time analysis via a subscriber interface implemented as a WMI provider. We have not announced availability for this yet but stay tuned.

Rich Kaplan (Expert):
Q:
The recent JPEG vulnerability required patches to applications not included in SUS at present. Will WUS support patching all Microsoft applications?
A: WUS is going to be the software update infrastructure for all Microsoft products moving forward. It is our goal to eventually support updating all Microsoft applications using the WUS infrastructure, but there is no schedule to announce right now.

Rich Kaplan (Expert):
How many of you installed SP2 and what has your experience been so far?

Rich Kaplan (Expert):
That's great

Rich Kaplan (Expert):
Q:
The recent GDI+ issues really hit Office apps besides the base OS(es) - Yet office updates "frequently" want access back to the installation media - making automated/scripted updates painful - Any technical reason why Office "behaves" so differently?
A: GDI+ was a redistributable component that was shipped with the OS, Office and other Microsoft applications. GDI+ exposes a user to both our updating technologies - Windows Update and Office Update. Part of our long-term strategy is to unify the servicing technologies under a single one which will improve the update experience.

Rich Kaplan (Expert):
Q:
Can you give us any 'advance' on any new security features in 'LongHorn'?
A: With Longhorn we plan to continue the improvements in the areas of isolation and resiliency, authentication, authorization and access control, and other security innovations that began in XP SP2. We’re not prepared, however, to get into any specific details regarding our security enhancements for Longhorn in this chat today.

Rich Kaplan (Expert):
Q:
We have rolled SP2 out to our at risk users (laptops) and are slowly rolling it out to the rest of the domain PC's.
A: Great, looking forward to your feedback.

Rich Kaplan (Expert):
Q:
I installed SP2 on all our domain PCs this week; the only problem is with some program exceptions.
A: Are you getting the support you need on those exceptions?

Rich Kaplan (Expert):
I only found out about them this morning and am working my way through them; the thing that has me stumped is the program works on some but not all.

Rich Kaplan (Expert):
Q:
I still think a nicer "how to" group policy for dummies would be good. A step by step with pictures?
A: Have you seen the guidance on http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx

What do you think?

Rich Kaplan (Expert):
Q:
Thanks for the link... I am sometimes overwhelmed by the amount of stuff on TechNet...
A: Yes, I know it’s a balance of providing detailed information for a broad audience and making it easily searchable. We are working to make sure we can do both. We are looking at how to make it available by job function, problem and/or product.

Rich Kaplan (Expert):
Q:
Why does runas not support an encrypted password as parameter?
A: Note, if you enter your password in Credential Manager (it’s in Control Panel) it is encrypted and protected by the OS, and can be loaded automatically by RunAs. Same with the /savecred option. Finally, you can use a smartcard in highly secure environments.

Rich Kaplan (Expert):
Q:
A few of our PCs bluescreened after Service Pack application, one had an issue with the user profile, another one continued after booting Safe Mode with command prompt.
A: We did see some limited scenarios where the service pack install could fail and fortunately we quickly made changes to the way it installs through Windows Update to prevent the issues we have been seeing. Be sure to run updated AV and anti-spyware software before doing the update – more information can be found at http://www.microsoft.com/sp2install.

JeffJones_MSFT (Expert):
Q:
At the risk of belaboring the GDI/office bit - I know that Office & OS use different updates and "someday" they will be "unified" - Still wondering the technical reasons why Office wants links back to original media, and any way to "get around that need"
A: It has to do with that package installer technology that was developed a few years ago, which added some capabilities that allow, for example, to help ensure ongoing integrity of the installed bits. As part of our patch management strategy, this is one of the issues that is being resolved as we move to a common installer package technology for applications.

Rich Kaplan (Expert):
Q:
One of the constant pains with home user and SMB users are the spyware products which use vulnerabilities and social engineering to get the user to install. Are Microsoft looking to address this problem in the future?
A: We are committed to providing customers with the resources and technology that will help protect them against this detrimental software, like spyware. Toward this end, we are committed to helping provide customers with additional visibility and control so that they can make informed decisions about what software installs and runs on their machines. In addition, Windows XP Service Pack 2 provides a number of technologies, like the pop-up blocker, to thwart some methods that unscrupulous software makers use to install software on PCs without user consent. Overall, Microsoft believes there is no “silver bullet” to address the wide range of issues associated with spyware and other unwanted software, so we are focusing on some key areas to address this issue, including technological innovation, consumer education, industry cooperation, enforcement and legislation as needed.

Rich Kaplan (Expert):
How many people are using secure wireless with 802.1x?

Rich Kaplan (Expert):
Seems like a lot of the questions today are around management and Security together. Would it be interesting to do a chat on Security and Management together?

Rich Kaplan (Expert):
Q:
No widespread wireless users in our environment. (Has 802.1x been cert'd yet? Thought it was pre-release.......)
A: Yes, it has been certified.

Rich Kaplan (Expert):
OK, we will figure out how to do a chat on that.

Rich Kaplan (Expert):
Q:
Group Policy Editor - why does it hide its settings so well? No search for a certain policy or keyword, no help, no description for many of the offered settings?
A: That’s good feedback that we can share with the team. It wasn’t planned as a part of the original feature set.

Jerry Bryant (Moderator):
Two minutes left in today's chat.

Rich Kaplan (Expert):
Q:
I want a "jump to edit" in the GPE. I see the result - but I want to edit it, then right mouse click and jump right back to the section you need to edit.
A: You might want to try out the new GPMC (Group Policy Management Console): http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Rich Kaplan (Expert):
Thank you guys. Looking forward to our next chat.

Jerry Bryant (Moderator):
Thanks everyone for joining us today.

Jerry Bryant (Moderator):
The next chat with Mike Nash will be November 18th at 9:00 AM PST.