Microsoft s Trustworthy Computing Initiative

Microsoft's Trustworthy Computing Initiative

Microsoft has undergone a vast transformation in regards to security. Microsoft seeks to provide server products, like Exchange Server 2003, that are "secure by design, secure by default, and secure by development." Every security aspect in virtually all of its server products is scrutinized. Specific features, vulnerabilities, and code have been analyzed to ensure that Exchange Server 2003 is as secure as possible.

Secure by Design

Microsoft's Trustworthy Computing Initiative is the cornerstone of Exchange Server 2003 development. The initiative began by providing security-focused training to the entire Exchange Server 2003 team and specially created cross-component, security-focused teams. These teams shared developer best practices to increase code quality and minimize the attack surface. Microsoft then performed code reviews to ensure that changes made to one feature set did not impose or create a security risk in others. This entire process is performed constantly.

In addition to constant code reviews, teams of security experts, called Red Teams, performed product testing and threat reviews. These teams essentially acted as hackers, attempting to compromise systems and exploit vulnerabilities based on function or feature.

Secure by Default

Another integral part of the security initiative was to minimize the attack surface areas possible with Exchange Server 2003. This translates to keeping default installations more secure. By minimizing the number of services and functions that are enabled by default, organizations are less likely to have features unknowingly enabled that may present a security risk. For instance, frequently used protocols are no longer enabled by default. These protocols include POP3, IMAP4, NNTP and Outlook Mobile Access (OMA). Other features, such as new user restrictions and messaging limitations, have also been enabled to reduce the likelihood that default installations are unsecure.

Secure by Deployment

Microsoft equips IT personnel with the necessary tools and documentation to securely and successfully deploy Exchange Server 2003. The deployment tools and documentation ensure that the network environment is healthy , properly configured, and ready to accept Exchange Server 2003.

Coupling these tools and documentation with the appropriate training helps prepare Exchange Server 2003 administrators. It gives them the necessary resources and knowledge to adequately secure the messaging environment based on the security requirements of the specific organization.

Building Communications and Community

Another focal point to the security initiative is building communications and community around all server products. This framework for encouraging the sharing of information is analogous to user groups where groups of IT professionals shared experiences, insights, and other pertinent knowledge. Communications and community can be fostered through a number of different mediums such as newsgroups, discussion lists, user groups, and security Web sites.