MSoft preps Windows security scanner

The software will scan Windows for missing patches, weak passwords and other vulnerabilities
As part of a push to regain the public trust, Microsoft plans to release a wizard-like program to help home software users and network administrators protect their computer systems from outside attack.

Called the Baseline Security Advisor, the program will scan Windows computers for unpatched programs, weak passwords, and vulnerabilities in the operating system and in several Microsoft products.

"Our goal is to allow (home) users to check their own machines," said Jason Shaw, lead product manager for Microsoft. "Company administrators can also use it to check their entire network."

While Microsoft has still not announced the product, the software titan showed off an early version of the scanner at its booth at the RSA Conference 2002 in San Jose, California. Shaw said the program will be available for free download from Microsoft's Web site in March.

The scanner is the latest move by the software giant to beef up Windows security. Microsoft was stung by a series of embarrassing flaws in 2001 that demonstrated how vulnerable some of the company's products were to outside attack. In mid-January, chairman Bill Gates wrote a memo exhorting the company's employees to smack bugs to earn customer's trust in Microsoft software.

While other companies have come out with scanners, none has the reach of Microsoft. Many other scanners are also designed to sniff out vulnerabilities in other software.

"It won't matter what we do now and in the future if people don't trust computers," Craig Mundie, Microsoft vice president and chief technical officer for advanced strategies and policy, said during a Wednesday afternoon keynote address. "This is not a new initiative at the company; there has been a lot of people at it for a long time."

Microsoft has trained more than 9,000 of its programmers and developers in secure coding techniques since last fall, Mundie said. The company has also had outside security consultants pick through the source code for Windows, the .Net Web services framework and .Net server.

"For all of us, this cycle really has no end," Mundie said. "Programmers today are still human beings, and despite training them, it is difficult to get them to look to the future."

Sometimes the effort to better secure against attack makes it difficult for software users to take full advantage of the software they receive. For example, Microsoft's latest operating system, Windows XP, includes the company's Web server software, IIS 5.1. Unlike past versions, the Web server is turned off by default, protecting the software user from potential security problems posed by a Web server.

The new Microsoft Baseline Security Advisor (MBSA) adds user education and an additional check for Windows users who want to ensure that their systems are up-to-date on patches from Microsoft, are using good password policy, and are aware of any insecure settings.

Unlike many vulnerability scanners, the MBSA doesn't take the role of an attacker and look for vulnerabilities. Instead, the scanner acts as an expert administrator looking for problems on the Microsoft security checklist.

The MBSA downloads a 700KB vulnerability and patch database from Microsoft that the company has created in Extensible Markup Language, or XML. XML is a popular Web standard by which businesses can easily exchange data between employees, customers, partners and suppliers. The software giant intends to maintain the database and provide the software for free.

Considering that Microsoft has a group studying the feasibility of diving headfirst into the security marketplace, a full-featured service may also be in the works

---

source: CNET new.com