Oh, who am I kidding? I’m a columnist. To us, saying “I told you so” means validation akin to Dante Hall’s 95-yard touchdown punt return against Denver last weekend.
So I get to revel a bit, and once again, I’m doing it at Redmond’s expense. I’ve said it here and in the pages of other publications: If Microsoft doesn’t clean up its security act, it risks becoming a prime lawsuit target. Lo and behold, last week, a class-action lawsuit was filed against Microsoft in California, alleging that the company’s insecure products have placed customers at an extended risk of security breaches with global repercussions due to the potential for “massive, cascading failures.”
Ironically, the lawyers finally get into the game at a time when Microsoft is paying more attention to security issues than ever before. Windows Server 2003, for example, represents several new Microsoft security initiatives and a host of related features.
Not to digress, but a systems administrator recently asked me to help out while he tested one of these new security features, namely Quarantine. This feature is intended to mirror the functionality of third-party VPN products that check client hardware or software for specific requirements before allowing log-in. So, for example, clients without Symantec’s AntiVirus software could be quarantined from the network, even if the user has an account and knows the correct passwords.
Microsoft built this functionality into its own VPN feature set, allowing a Windows Server 2003 machine running VPN services as well as the IAS (Internet Authentication Service) and RADIUS authentication to run a script on any remote client attempting access. This script can then perform a variety of queries looking for appropriate software or even specific files. Depending on what this script discovers and reports back to the IAS server, one of several remote access policies can be enforced on the user — including permanent or temporary lockout from the network. Quarantine.
Windows Server 2003 has several similar features, many revolving around Active Directory and even more ways to use GPOs (group policy objects) to implement secure network policies than were available under Windows 2000. After we finished hashing out the Quarantine testing and gazing at new security documentation from Microsoft, my buddy asked me if I’d use Microsoft’s Quarantine feature over a third-party product such as one from Cisco Systems.
The answer to that, for now, is "no." Not because I don’t like the feature; I think Microsoft has responded admirably on the new security-features front. What worries me most about Windows security has never been lack of features; it’s been a lack of proven, quality code. Even Redmond has spent nearly a decade cultivating a reputation for releasing sloppy code riddled with security holes. Hackers the world over have spent many hours giggling over glowing screens in the dead of night, repeatedly proving this very fact.
Having Microsoft throw new security features at me is partially reassuring, but how are we to know if these very same new features don’t contain yet more code-based security loopholes? Systems administrators, especially us consulting types, simply don’t have the clearance or resources to check code quality ourselves. To get us to trust our reputations to Microsoft-based security, Redmond needs to do more than add features. You boys and girls need to prove to everyone that your coding practices have improved. And you’d better do it fast or you’ll be joining some senior tobacco executives in weekly “I can’t believe we had to pay that much” support groups.