Interview: Securing Windows

As director of product management in the Security Business and Technology Unit at Microsoft, Amy Carroll is responsible for making sure that new enhancements to Windows and new versions of Windows are very secure. Carroll spoke to InfoWorld Senior Analyst Wayne Rash about the company's approach to security and commitment to improving the overall security of its operating system.

InfoWorld: How does the current atmosphere of dueling worm creators affect the problems that you are dealing with?

Carroll: There are two big challenges. One is the environmental challenge, where there is a great deal of emphasis on dueling virus creators. Currently those viruses are not necessarily exploiting a vulnerability in Windows or other software code, but are requiring users to double-click on malicious attachments. So the environmental challenge is often one of user education and awareness so customers don't get fooled by these social engineering viruses. While an IT administrator may be able to lock down the LAN environment that is hardwired, it becomes more difficult with increasingly mobile users and work-from-home users and remote users. The wide-scale availability of broadband connections poses increasing challenges for how you keep those users secure. And then the second challenge is how we respect legacy systems while building more and more secure products as we go along.

InfoWorld: What kind of security enhancements do you have planned for Windows XP Service Pack 2?

Carroll: We're focused on making computers more resilient in the presence of worms and viruses, with Service Pack 2 focused on vectors or modes of attack rather than individual vulnerabilities. We are looking to address the threat from port-based attacks, malicious e-mail attachments, malicious Web contents, and buffer overrun. Specific enhancements we're doing to address those areas are, for network protection, Windows Firewall, which was previously called Internet Connection Firewall, will be enhanced to help stop network-based attacks by closing unnecessary ports by default. In addition, Windows Firewall is now centrally manageable either by group policy or by scripts in those environments that are not based on Active Directory. We're going to have a proof protection to block the transfer of executable files, e-mail, and instant messenger, so we can protect against those e-mail-born attacks. We'll have better and more granular Internet zone settings by default to prevent harmful Web downloads so that there can be safer browsing. And we're also going to do a lot of work for protection against buffer overrun, both in the ways that we compile the code and with the new no-execute zone, execution protection zone that will enable hardware-enforced execution protection on those microprocessors that contain the feature.

InfoWorld: Are you going to provide additional interfaces for other companies that make security software?