12 Months of Progress for the Microsoft Security Response Centre

As the Internet has grown in popularity so too have threats against computer users; making it critical for individuals and companies to employ effective security strategies to protect their critical information. Microsoft created the Microsoft Security Response Centre (MSRC) to investigate, fix and learn about security vulnerabilities and to help keep customers protected from malicious attacks. The MSRC is comprised of individuals, teams and entire groups around Microsoft; all dedicated to analysing, developing and delivering quality security updates, tools and prescriptive guidance to customers to help protect customers from security threats.

The last 12 months have been a particularly busy time for the MSRC, and, upon reflection, there are two activities that stand out to me. These were the releases of two major operating system service packs: Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

Windows XP SP2 was released in August 2004, and we are very pleased with the results so far. One of the key goals around this release was to get enhanced security features for Windows XP into the hands of consumers and enterprises, and so far more than 218 million copies have been distributed worldwide. This was an important security milestone for us. Many people put a lot of effort into this service pack and features like the firewall being on by default and the hardening changes made to Internet Explorer are already paying off and helping customers become more secure.

In Service Pack 1 for Windows Server 2003, the great features and security enhancements I mention above for Windows XP SP2 were also incorporated into this product, along with many other changes. We’re particularly excited about the Security Configuration Wizard feature, which reduces the attack surface by querying users about the role their servers fill and then stopping all services and blocking ports that are not needed.

There is very significant work going on behind the scenes in the development cycle of current and all future software releases coming from Microsoft. Now, certain categories of software released from Microsoft now must go through the Security Development Lifecycle process which aims to provide customers with high quality software that is meticulously engineered and rigorously tested to help withstand malicious attack. We’ve published a lengthy whitepaper about this which is available here. Essentially the SDL is a mandatory process that certain categories of Microsoft software must go through before it is released publicly. It helps us make sure that the software coming from Microsoft today has the latest security engineering advancements included in the code for the benefit of customers. It’s a huge step forward for us to have this now as a formal process for our software. So far, we have used the SDL on Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. Windows Server 2003 was the first operating released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year.

While these developments cover significant activity on the product development side at Microsoft as a whole, the Microsoft Security Response Center has also made available a number of free tools and special guidance that can help customers become more secure.

Customers have told us that they want more prescriptive and timely guidance on security issues and Microsoft has responded to that feedback by continuously improving the security communications we deliver to customers. This spring, we announced a pilot of a new offering, Microsoft Security Advisories, which aim to provide guidance and information about security related software changes or software updates. Microsoft Security Advisories, a supplement to the Microsoft Security Bulletins, address security changes that may not require a security bulletin but that may still impact customers’ overall security.

In addition to the Microsoft Security Advisories, Microsoft has recently made available the Advanced Notification Program to help IT professionals plan their resources appropriately for deploying security updates. Three business days before the bulletins are released, general information is provided about the maximum number and severity of the bulletins. We’ve also enabled a Security Notification Service to alert customers to new bulletins and advisories as well as an RSS feed and MSN Messenger Alerts for security bulletins.

The MSRC also hosts monthly technical webcasts to offer customers additional support and guidance when deploying security updates and a regular Security360 webcasts to make prescriptive security guidance, education and training available to customers.

One of my favorite new things we’ve launched this year is the MSRC blog which provides insight directly from those working in the MSRC on recent security related news, announcements, activities and threat issues. This is a great way to get to know those folks that are working behind the scenes night and day to help protect customers. You can read all about at blogs.technet.com/msrc/default.aspx.

Another new tool released this year is the Malicious Software Removal Tool. This tool is updated each month to remove the most common malware threats that may be present on a user’s machine. To be clear, this tool is not meant to be a substitute for good anti-virus software. However, it can help customers get back on their feet if they have been affected by any of the threats the tool is designed to remove. We have had a good response to this so far and look forward to continuing to update it each month to help customers.

In addition, Microsoft has come to offer customers a consistent and integrated set of new technologies that reduce the complexity and help customers better manage the update process for Microsoft software. In June we announced the immediate availability of Windows Server Update Services (WSUS) and Microsoft Update (MU). WSUS is the update management component of Windows Server that enables mid-sized and enterprise companies to more easily assess, control and automate the deployment of Microsoft software updates. MU is a new service offered at no charge that gives customers everything they get through Windows Update (WU), plus high priority updates for more recent versions of Office and other Microsoft applications. It’s a one-stop destination for updates that help make your computer more secure, up-to-date, and performing at its best.

Only recently in July, we released the Microsoft Baseline Security Analyzer (MBSA) 2.0 which helps improve the security management process by detecting common security misconfigurations and missing security updates on your computer systems. We also released the SMS 2003 Inventory Tool (SMS). This tool enables the detection and deployment of the latest security updates, update rollups and service packs from Microsoft; improved patch management through a more comprehensive and more widely-supported detection technology; broader detection support for more Microsoft products; and consistent product support across multiple detection technologies including parity with Automatic Updates.

The next 12 months will be as busy as these last 12 months have been. The security of our customers’ computers and networks will remain a top priority for Microsoft, and Microsoft remains committed to building software and services that will help better protect our customers and the industry. It may never be possible to completely “cure” the security problem, but Microsoft and the MSRC is hard at work every single day, working in conjunction with the industry, with law enforcement, and with experts in government, academia and the private sector around the world to make the impact of malicious hackers as manageable as humanly possible. By building trust in computing our technology can be experienced in the way it was intended: to help customers accomplish what they need and want to do.