Declaring "war on hostile code" here on Tuesday, Microsoft Corp. detailed
several new features for securing privacy in both current and future Microsoft
products here at the RSA Conference 2001.

On the Windows .NET front, XML-based user authentication technology, code-named
"HailStorm", topped the list. HailStorm will allow client-side applications
and Web services to exchange user information.

"Privacy is at the core of the HailStorm system," said Dave Thompson,
vice president of Windows development, who delivered a keynote address. "The
only way that it [is] tractable for a user to deal with ... the myriad of Web
services ... is through personalization. The only way to easily move from site
to site and have your destiny under control is ... for you to give information
up, as you want, to the right sources."

The Windows XP operating system, too, will feature beefed-up security. In particular,
Thompson noted that PKI (Public Key Infrastructure) improvements are in the
pipeline.

"We're filling in some of the places where we could have done better,"
he said, adding that new auto-enrollment and auto-renewal services for users
"will make it very easy to deploy PKI."

Smart card support will further bolster XP privacy, according to Thompson.
"All the functions that an administrator needs to do can be done with smart
cards, including Terminal Service sections. You can uniformly require an administrator
to use smart cards. That eliminates the risk of using passwords," he said.

XP will also allow for interoperability between smart cards and EFS (electronic
filing system), which will let companies accept certificates issued by other
PKIs.

Other XP announcements included faster SSL (Secure Sockets Layer) services,
version 2 of the company's Security Configuration Wizard, which will let users
configure access controls and turn off unneeded services, and an Internet Connection
Firewall to allow users to safely connect directly to a network.

Thompson also addressed Microsoft's upcoming Internet Explorer 6.0 browser.
As the company announced on March 21, IE 6.0 will feature native support for
P3P (the Platform for Privacy Preferences). P3P is a privacy standard developed
by the World Wide Web Consortium that notifies users about the privacy rules
used at visited Web sites.

Another part of Microsoft's IE 6.0 privacy plan involves the Privacy Statement
Generator, which will generate policy statements at IIS (Internet Information
Server)-hosted Web sites.

Thompson also announced a strategy to lower the cost of guaranteeing privacy
for its customers. By reducing the need for users to reboot patched systems
and sending out bulletins that list virus severity ratings and patch availability,
Microsoft hopes to streamline its customers' operations, according to Thompson.

As well, Microsoft is trying harder to train its developers to spot privacy
loopholes, Thompson said. He noted that the company's Secure Windows Initiative
team has been assigned to scrutinize privacy in Microsoft products and train
internal developers to create secure code.

Thompson was careful not to overstate Microsoft's role in determining privacy
standards.

"I don't want to imply ... that Microsoft is driving or controlling or
is the leading expert in security," he said. "[But] because of our
role and the products we ship, we have an obligation to provide leadership [by]
catalyzing the advancement of security knowledge."

» posted by ITworld staff

InfoWorld

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine