Reading the Microsoft response carefully

Following Code Red, Code Red II, and Nimda, Microsoft has been making substantial public commitments about structural improvements to their security posture. Rumours of a much larger initiative are circulating, and specific, concrete announcements have begun.

A walk through what is actually committed and how to read it.

What has been announced

Three specific things since August.

Default-secure configuration for new IIS deployments. Future IIS versions will ship with most features disabled by default. The deployment workflow becomes "install IIS; enable specific features as needed" rather than "install IIS; everything is on; disable what you do not want". This is the structural change I have been arguing for.

Outlook 2002 default attachment blocking. Already shipped (May 2001); detailed in my midyear review. Reduces the mass-mailing-worm attack surface meaningfully.

Substantial improvements to Windows Update. Better notification of security patches, simpler installation process, automatic update for critical patches in Windows XP (which ships in October). The patching-cadence problem has Microsoft's attention.

What is being rumoured but not committed

At least three substantial things in development:

A large internal security initiative with company-wide implications. Reports describe development teams being pulled off feature work to do security reviews on existing code. The scale is reportedly substantial — hundreds of engineer-months of effort.

A formal commitment from senior leadership. Bill Gates is personally reported to be involved. A public memo or announcement is expected in early 2002.

Restructured product-development practices. Threat modelling as a first-class part of design; security review as a release gate; mandatory training for developers. The cultural change is the slowest part.

How seriously to take this

Three observations.

The shift is real but slow. What is committed today affects products that will ship in 2003 or later. The current product line — Windows 2000, Office 2000, IIS 5.0 — will continue to produce advisories at the current rate for years. Operators running these products have no near-term relief.

Microsoft's track record on structural commitments is mixed. Previous announcements about security have produced incremental improvements but not the structural shift the rhetoric promised. Whether this round is different remains to be seen.

The market pressure is real this time. The cumulative cost of the year's incidents is substantial. Many large enterprise customers are explicitly reconsidering their Microsoft commitment. The economic pressure on the structural shift is the strongest it has ever been.

What I am watching for

A few specific things over the next 6-12 months.

The Gates memo, if it appears. A public commitment from Microsoft leadership would be significant — an explicit signal that security is a strategic priority, not just one feature among many.

The Windows XP security posture. XP ships in October. Its default configuration, how actively its security is maintained after release, and the cadence of post-release patches will tell me how serious the structural shift is.

The IIS 6 release. Whenever it ships, IIS 6's default configuration will be the empirical test of the secure-default commitment. If it ships with the minimal, features-off defaults Microsoft is promising, the commitment is meaningful. If it ships with familiar IIS-style everything-on defaults, the commitment was rhetoric.

The disclosure-and-patch cadence. Microsoft's response to the next serious vulnerability will be informative. Faster, clearer, more aggressive patch deployment would suggest real change.

What this changes for my advice

For operators currently running Microsoft infrastructure:

The disciplines I have been writing about remain necessary. Patching, defence in depth, structured logs, forensic readiness. All of these continue to apply.

The future Microsoft products may be meaningfully better. Plan for a 2-3 year horizon during which the platform's posture improves. Capital decisions made now should account for the possibility that Microsoft's products in 2004-2005 are substantially different from today's.

The pressure should continue. Operators communicating clearly that security is a strategic concern — through purchasing decisions, through conversations with sales reps, through public commentary — accelerates the change. The economic feedback is the lever.

A quiet observation

This would be the first time, in my reading of the industry, that a major vendor has made a structural commitment to fundamentally change how it builds security into its products. If it actually happens, it will be a meaningful inflection point.

My prior probability is roughly 60% that the announced changes are real and 40% that they are a repackaging of existing efforts. I will update as the evidence accumulates.

More as the year develops.
