Microsoft launches two new security offerings for enterprises

By Mumbai: | 19 May 2005

Mumbai: As part of its five-city security seminar currently underway in India, Microsoft Corporation India Pvt. Ltd. today launched two new enterprise security offerings — the 'Windows server 2003 service pack 1' and a 'security risk self-assessment tool.

The 'Windows server 2003 service pack 1' (SP1) provides Windows server 2003 users with significant security enhancements as well as reliability and performance improvements. Building on a comprehensive collection of security updates, SP1 addresses core enterprise security issues. The tool provides customers with a reduced attack surface by gathering information about specific server roles, and then automatically blocking all services and ports not needed to perform these roles.

The 'security risk self-assessment' tool from Microsoft is designed to help organisations with fewer than 1,000 employees assess weaknesses in their current IT security environment. It helps identify processes, resources, and technologies that are designed to promote good security planning and risk mitigation practices within enterprises.

'Windows server SP1' is available to customers as a free download at: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/
servicepack/default.mspx. The 'security risk self assessment' tool is a detailed questionnaire that organisations need to fill out and responses are then processed to evaluate the organisation's security practices in such areas as infrastructure, applications, operations, and people. The 'security risk self-assessment' tool is available for free download at http://www.securityguidance.com/.

"Microsoft realises the importance of providing its customers with the latest tools and technologies to always stay one step ahead of security vulnerabilities and our endeavour has been to treat the root cause of these security issues rather than just the symptoms. The 'Windows server 2003' SP1 and 'security risk self-assessment' tool will enable organisations to reduce system vulnerability to viruses, worms and hacker attacks, and add functionality that will reduce security management costs," said Sanjiv Mathur, director, Microsoft India. He further added, "With the launch of these products and the earlier availability of the Windows XP SP2, Microsoft is making significant progress in helping enterprises stay secure and we are sure our customers will benefit greatly from these initiatives."

Microsoft 'Windows server 2003 SPI:
Windows Server 2003 Service Pack 1 provides new functionality to address known security vulnerabilities and prepares companies to better face future security threats. These new technologies include the following:

Security configuration wizard to enable customers can more easily reduce vulnerabilities with the new security configuration wizard. The tool reduces the attack surface by gathering information about specific server roles, then automatically blocking all services and ports not needed to perform those roles
Windows firewall to help customers can increase their security with the new 'Windows firewall' on the server, allowing network-wide control through group policy. Also released with 'Windows XP service pack 2,' 'Windows firewall' serves as a host (software) firewall around each client and server computer on a customer's network
Post-setup security updates (PSSU): Servers are vulnerable during the time between their installation and application of the latest security updates. In response, 'Windows server 2003 SP1 blocks all inbound connections to the server after installation until Windows update has delivered the latest security updates to the new computer

Other service pack 1 features include a more robust security defence, stronger defaults and privilege reduction on services to establish a minimum security threshold for applications, and the addition of Network Access Quarantine Control components to allow administrators to isolate out-of-date Virtual Private Networking (VPN) assets.

Areas included in the 'Microsoft security risk self-assessment' tool:

Business Risk Profile	Importance to security
Business Risk Profile	Understanding how the nature of the business affects risk is important in determining where to apply resources in order to help mitigate those risks. Recognising areas of business risk will help enterprises to optimise allocation of their security budget.
Infrastructure	Importance to security
Perimeter Defense	Perimeter defence addresses security at network borders, where internal network connects to the outside world. This constitutes the first line of defence against intruders.
Authentication	Rigorous authentication procedures for users, administrators, and remote users help prevent outsiders from gaining unauthorised access to the network through the use of local or remote attacks.
Management & Monitoring	Management, monitoring, and proper logging are critical to maintaining and analysing IT environments. These tools are even more important after an attack has occurred and incident analysis is required.
Workstations	The security of individual workstations is a critical factor in the defence of any environment, especially when remote access is allowed. Workstations should have safeguards in place to resist common attacks.
Applications	Importance to security
Deployment & Use	When business-critical applications are deployed in production, the security and availability of those applications and servers must be protected. Continued maintenance is essential to help ensure that security bugs are patched and that new vulnerabilities are not introduced into the environment.
Application Design	Design that does not properly address security mechanisms such as authentication, authorisation, and data validation can allow attackers to exploit security vulnerabilities and thereby gain access to sensitive information.
Data Storage & Communications	Integrity and confidentiality of data is one of the greatest concerns for any business. Data loss or theft can hurt an organisations revenue as well as its reputation. It is important to understand how applications handle business critical data and how that data is protected.
Operations	Importance to security
Environment	The security of an organisation is dependent on the operational procedures, processes and guidelines that are applied to the environment. They enhance the security of an organisation by including more than just technology defences. Accurate environment documentation and guidelines are critical to the operation team's ability to support and maintain the security of the environment.
Security Policy	Corporate security policy refers to individual policies and guidelines that exist to govern the secure and appropriate use of technology and processes within the organisation. This area covers policies to address all types of security, such as user, system, and data.
Backup & Recovery	Data backup and recovery is essential to maintaining business continuity in the event of a disaster or hardware/software failure. Lack of appropriate backup and recovery procedures could lead to significant loss of data and productivity.
Patch & Update Management	Good management of patches and updates is important in helping secure an organisations IT environment. The timely application of patches and updates is necessary to help protect against known and exploitable vulnerabilities.
People	Importance to security
Requirements and Assessments	Security requirements should be understood by all decision-makers so that both their technical and their business decisions enhance security rather than conflict with it. Regular assessments by a third party can help a company review, evaluate, and identify areas for improvement.
Policies and Procedures	Clear, practical procedures for managing relationships with vendors and partners can help protect the company from exposure to risk. Procedures covering employee hiring and termination can help protect the company from unscrupulous or disgruntled employees.
Training and Awareness	Employees should be trained and made aware of how security applies to their daily job activities so that they do not inadvertently expose the company to greater risks.