Steve Lamb's Blog

Security Matters

Blogs

What feedback would you like to give Microsoft Product Groups on Security

  • Comments 11
  • Likes

I'm working in Redmond(Seattle) this week - I flew over from the UK last night. I'm working with the product groups for the entire week and am keen to give your feedback regarding security functionality of our products(Windows, Office, Security Business Unit) to the management, technical and product leads.

So now's your opportunity to get your comments, frustrations and suggestions for improvements to those that can make a difference - I'll champion your cause providing the feedback is constructive :-)

Feedback to this post with you comments & suggestions.

What would you like Microsoft to do differently to make your life easier in the area of security?

Comments
  • A central updating service for all Microsoft products. Is it coming? It was promised two years ago.
    Auto-update features in all products, like Office, not only Windows.
    Better ui and controls for the auto-update service in XP. I want the following:
    Ability to automatically install downloaded critical updates on next shutdown or next startup -reboot. This option might be available in XP SP2 but it is hiding somewhere. It should be made obvious and explained in the ui if it already exists.
    Ability to download and install updates immediately. Why should I have to choose a schedule for automatic installation of updates. I might want them to install as soon as they are downloaded. I might be a home user who does not care if updates install as soon as they are downloaded.
    Ability for non-administrative users to prevent a computer from rebooting after a critical update which needs a reboot has been automatically installed. Currently, if this happens the non-administrative user is given 5 minutes to save his work before the computer automatically restarts. And if the user is not there then ... very good! he loses his work. I should be able to decide if the computer will restart or not. Or at least I should be able to decide if I wish the updates to be installed on next shutdown and not now. Or, at least allow administrators to modify the time limit before an automatic reboot from 5 minutes to other reasonable time limits.
    Inform users in the ui for the auto-update configuration that if they set a time for automatic installation of updates and at that time the computer is turned off, that the update will be install the next time the computer is turned on. Or, if this is not the case, then provide a solution to the problem that occurs when you set an installation time at which the computer is turned off and then no updates are installed.
    Ability to download and automatically install other updates, not only critical ones.

  • If running as non-admin user, prompt for admin password when any action that requires admin rights is run, such as software install, changing desktop resolution, etc.

  • Ray> Are you aware of "RunAs"? In case you (or any other reader) isn't - simply hit right mouse button and "RunAs" when executing the application.

    I agree it would be nice for the system to automatically prompt the user to enter the high privilege credentials when appropriate.

  • Simple. I want to see a commitment on Microsoft's part to make ALL security products and solutions available to ALL Windows users, without any requirement to prove that their copy of Windows is legal and without any cost of any kind. This should include patches and other add-ons (especially MS AntiSpyware).

  • Ed> You don't have to complete the validation to download such software.

    For example, to download the anti-spyware beta you must select "Continue" in the "Validation Recommended" dialog on the associated webpage(http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en) on the subsequent page hit "No, do not validate Windows at this time, but take me to the download." and you will be able to proceed with the download.

  • Ed> Please could you explain more about why you'd like to avoid the need to prove that the copy of Windows is legitimate?

    I'm not being weird here, just want to understand why this is a problem for you.

  • RunAs in contextmenu not only for applications but also for batch- and script-files.

  • > Steve: I'm not being weird here, just want to understand why this is a problem for you.

    Fair question.

    First, because it's a barrier to acceptance. Some people have OEM computers that are pre-activated. For them to pass the Genuine Windows test, they have to track down the serial number from their CD, which they may not be able to find. If it becomes a hassle, then they give up and they avoid security software.

    Second, because security is an ecosystem. If my neighbor has a virus, a worm, or a piece of hostile software, his experience could affect mine and that of many other people. In the interest of the ecosystem, the bias should be toward maximum security for all. If someone has what appears to be a pirated copy of Windows, it may be perfectly legal, or they may have purchased it in good faith from a criminal. They shouldn't be punished by being forced to risk infection.

    Yes, I know that currently one can bypass the validation step. But that option is hidden to the average person; I've criticized others for missing that detail in their reviews, and that's crucial, because those smart people thought they had to validate their copy to continue. More importantly, this requirement can change in the future.

    I really, really, REALLY want to see Windows security become an issue where Microsoft says "We think this is so important we will give it away to everyone." That is a win-win-win.

  • Steve Lamb is lead Technical Security Advisor for Microsoft's ITPro community in the UK. He’s in Redmond this week and is soliciting feedback for Microsoft product groups. I'm working with the product groups for the entire week and am keen to give your feedback regarding security functionality of our products(Windows, Office, Security Business Unit) to the management, technical and product leads.So now's your opportunity to get your comments, frustrations and suggestions for improvements to those that can make a difference - I'll champion your cause providing the feedback is constructive :-) If you’ve got something to say, go visit Steve’s blog and post your comments there....

  • Ed> Thanks for taking the time to explain what you meant.

    I agree that it's hardly obvious that you don't have to go through the validation & I've already fed this back.

    I also agree that we're at risk from anyone who's system is insecure regardless of whether it's legitimate or not.

    In my experience OEM machines have a sticker on their case (underneath on laptops, on the rear on desktops - which is a pain to get to) with the license key on.

    We certainly DO think that security's so important that we'll give it away to everyone - hence the free anti-spyware software & improved personal firewall(Microsoft Firewall) @ XP SP2.

    I do agree that there are cases when legitimacy gets in the way though - if your machine has a known invalid license then you won't be able to apply service packs to it and hence it could become an owned machine (a bot / trojan host) and therefore be a launch platform for a Distributed Denial of Service(DDOS) attack.

    I'll discuss this with the Windows Product Group & the Security Business Unit & Blog my findings.

  • Ah... Please let the user choose, which file-types should be blocked in Outlook. By default you can block Scripts and so on, but please add an easy to use dialog to configure the file-types.