Microsoft Introduces Security Architecture, APIs


July 14, 2004


Microsoft hopes to rally the industry around its new network access protection (NAP) architecture and related set of APIs for the next Windows Server, even as it prepares two enhanced security frameworks for future Windows releases.

At its Worldwide Partner Conference in Toronto, Microsoft said it plans to establish NAP as an industry standard. The technology, described by some executives in the past as Active Defense technology, will give end users secure access to the corporate network and IT administrators a way to set policies and detect the "health" and security configuration of incoming PCs, laptops and handhelds, executives said.

Looking beyond NAP, the software giant is also developing two major security enhancements for future Windows releases, the Next Generation Authentication and Authorization (NGNZ) and Application Security (AppSec) frameworks, sources said.

The momentum behind NAP is already substantial. More than 25 security, firewall, patch management and networking ISV partners including Symantec, Trend Micro, Citrix, Shavlik and Juniper Networks announced support for the NAP architecture and application programming interfaces (APIs) planned for the next Windows server upgrade, codenamed R2 and due in late 2005.

While Cisco Systems was noticeably absent from this list of ISVs, Microsoft hinted a deal is close at hand. The vendor is in "deep negotiations" with the leading networking vendor on a variety of security technology including quarantine, VPN, wireless and wired technologies, said Steve Anderson, a product marketing manager with the Windows Server group.

The policy coordinator server will enforce policies set by administrators and would, for example, prevent access by any laptop that isn't equipped with appropriate patches or critical updates. Such a solution would have prevented destructive viruses and worms, such as Sasser and Blaster, from spreading throughout many networks, Microsoft claims.

Microsoft systems integration partners Avanade, Capgemini and PricewaterhouseCoopers have signed up to provide NAP services. The technology -- designed to secure the perimeter around the corporate network -- is music to the ears of many Microsoft solution providers working in the enterprise and midmarket space. Still, many wish NAP would come before the next Windows Server code late next year.

"Customers asked us for this a year ago, but Cisco was the only company that provided a solution," said Ted Dinsmore, president of Conchango, a New York solution provider. "But this should be a higher priority than getting it out in the R2 timeframe. This should be released as soon as possible."

The software will check applications and firewalls against a set of IT or partner-defined policies before opening the gate to the network. In addition to network policy validation, the technology also restricts non-compliant client machines to another site where patch and virus updates from third-party ISVs can bring the client back to health, Microsoft said.
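To make the admission flow described above concrete, here is a small model of a NAP-style health check: a client presents a statement of health, a policy server compares it against administrator-defined requirements, and the client is either admitted, sent to a remediation network, or refused. This is an added illustration, not Microsoft's NAP API; every field name, the sample policy and the "KB-EXAMPLE" patch identifiers are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class HealthStatement:
    """What a client reports about itself (constructed fields, not NAP's wire format)."""
    installed_patches: frozenset[str]
    firewall_enabled: bool
    av_signature_date: date


@dataclass(frozen=True)
class Policy:
    """Administrator-defined minimum health a client must meet (constructed fields)."""
    required_patches: frozenset[str]
    require_firewall: bool
    max_signature_age: timedelta


def evaluate_health(stmt: HealthStatement | None, policy: Policy, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is 'full', 'remediation' or 'deny'.

    A client that presents no statement of health at all is denied outright;
    a client that reports but fails a check is confined to the remediation
    network, where it can fetch the patches or signatures it is missing.
    """
    if stmt is None:
        return "deny", ["no statement of health presented"]
    reasons: list[str] = []
    missing = sorted(policy.required_patches - stmt.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    if policy.require_firewall and not stmt.firewall_enabled:
        reasons.append("host firewall disabled")
    if today - stmt.av_signature_date > policy.max_signature_age:
        reasons.append("antivirus signatures older than %d days" % policy.max_signature_age.days)
    return ("remediation", reasons) if reasons else ("full", [])


# Constructed sample policy; the KB-EXAMPLE ids are placeholders, not real update numbers.
CORP_POLICY = Policy(frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}), True, timedelta(days=7))


def demo(today: date = date(2004, 7, 14)) -> dict[str, tuple[str, list[str]]]:
    """Run three constructed clients through the policy and return their decisions."""
    healthy = HealthStatement(frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"}), True, date(2004, 7, 13))
    stale = HealthStatement(frozenset({"KB-EXAMPLE-1"}), False, date(2004, 6, 1))
    return {name: evaluate_health(s, CORP_POLICY, today)
            for name, s in (("healthy", healthy), ("stale", stale), ("unmanaged", None))}
```

Running `demo()` shows the three outcomes side by side: the patched, firewalled client gets full access, the stale one is quarantined with a list of what it must fix, and the client that cannot attest is denied.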

Windows XP Service Pack 2 and NAP are grouped in one of five pillars of Microsoft's next-generation security framework and provide isolation and resiliency.

Looking beyond NAP, the NGNZ framework under development extends authentication in Windows beyond the corporate domain to any device and will support roles and delegation, sources said. AppSec, which is designed to eradicate viruses and spyware, gives application access control to Windows. Sources said this provides authentication and isolation for applications entering the network.

Microsoft is still trying to make good on year-old promises to make current Windows more secure by default. At Microsoft's partner conference last October, Microsoft CEO Steve Ballmer formally announced plans to release the security-focused Windows XP Service Pack in the first half of 2004 and later unveiled plans to offer features in the server code to protect the network perimeter.

This week, Microsoft formally announced that its delayed Windows XP SP2 will be released to manufacturing in August with OEM shipments and general availability in the fourth quarter of 2005. The NAP technology, however, isn't expected until the second half of 2005.

Microsoft also announced the general availability of its ISA 2004 firewall Standard Edition, but it acknowledged that ISA 2004 Enterprise Edition won't be ready until later this year.

Moreover, the Windows Update Services patch management server code -- formerly known as SUS 2.0 -- has also been delayed until the first half of 2005, executives also said this week. It was originally due in mid-2004.

The NAP architecture resides on Microsoft's implementation of the RADIUS server protocol in Windows Server, called Internet Authentication Server (IAS). The NAP APIs will be built into the dial-up authentication server and policy authority. Third-party policy providers including leading antivirus, firewall, policy management, patch management and networking vendors will support the Network Access Protocol solution, Microsoft said. Only one VPN company, SyGate, announced support for Microsoft's NAP.

Microsoft acknowledges that it currently has a VPN quarantine function that exists as an undocumented API in the Windows Server 2003 server code. The company will expose and document that VPN Quarantine feature in the forthcoming Windows Server 2003 Service Pack 1. Its inclusion would enable developers to limit or define policies for remote users coming in on a VPN.

Microsoft intends to make the NAP technology robust and straightforward for IT administrators to implement at customer sites, but it won't be an out-of-the-box solution, executives said. This will give services providers additional security opportunities, executives noted.

"It's not a turnkey solution," said Anderson.
