There are some lists that you don't want to be on, and Microsoft may have finally managed to avoid this one.

Getting a message or two daily from Symantec’s Deep Sight is pretty normal. In those messages I get an early warning of things that could turn out to be vulnerabilities. Sometimes that trickle of warnings becomes a flood, which lets me know that something is about to break loose.

Normally, I scan through the long lists of software or hardware affected and wonder if anything I’m using will become a problem. As you’d expect, those long lists usually include entry after entry for one version or another of Microsoft Windows. In fact, that list usually includes every recent version of Windows.

Lately, though, I’ve noticed that one version doesn’t show up: Microsoft Windows Server 2003 is notable in its absence. Because I tend to save the Deep Sight reports (at least for a while), I went back and did some checking. I was startled to discover that Windows Server 2003 is almost never on this list. Has Microsoft finally turned the corner on security?

So I called up Microsoft to ask the question; their public relations agency eventually tracked down Michael Howard, senior program manager of Microsoft’s security business and technology unit. I asked him if the company has finally managed to get security right.

“Yeah,” said Howard.

Fortunately, he elaborated, helping to keep this from being a really short column. “The only way over time to reduce vulnerability,” Howard explained, “is to admit you have a problem.” Howard said that making the right choices has been one key change to reducing the number of Microsoft vulnerabilities so significantly. “I’m always leery of asking the user to do the right thing,” he noted. “We make most of the trust decisions automatically.”

Howard also said that a key factor in making those trust decisions was to look at the impact on the IT staffs that have to work with Windows 2003 every day.
“IT folks are stretched; anything we can do to make life easier is good,” he added.

Microsoft was able to bring about the improvements in Windows security only by making fundamental changes in the way development takes place. “You need a better process,” Howard said, explaining that Microsoft has adopted a program it calls the Software Development Lifecycle. According to Howard, this means that when Windows goes through the development process, security is now designed in from the beginning. He said that the next package to have gone through the Software Development Lifecycle program will be Windows XP Service Pack 2, due out shortly.

Of course, the Software Development Lifecycle program requires more than lip service. “Education is a huge thing,” Howard said, adding that Microsoft is also now putting its engineers and developers through intensive security training as a part of the development process.

So far, it seems to be working. Those Symantec reports are a good indication of where vulnerabilities really stand, and they show remarkably few problems with Windows 2003. Does this mean Microsoft has solved the vulnerability problem forever? Of course not. As long as there are worm and virus writers, new problems will appear from time to time. But perhaps Microsoft’s new process will reduce the number and severity of vulnerabilities that do appear.