Remarks by Bill Gates, Chairman and Chief Software Architect, Microsoft Corporation
RSA Conference 2005: "Security: Raising the Bar"
San Francisco, California
February 15, 2005

BILL GATES: Well, good morning. It's great to be here to talk about the progress that's been made in the last year and some of the challenges ahead, both in terms of what Microsoft is doing and the work we're doing with partners to set new standards, enforce new laws and make sure that the full potential of the digital revolution is not held back by security problems. So I titled my speech today "Raising the Security Bar."

I wanted to mention that I was recently involved in a very interesting breach of security. I was off at a conference called the World Economic Forum in Davos, and what happened was I wrote some notes, very important notes during a session sitting next to the prime minister of the UK Tony Blair. And I accidentally left these notes behind, which was very irresponsible. And so the press came up and got those and they mistakenly thought they were from Prime Minister Blair. In fact, they did deep handwriting analysis to see that he was not a natural leader, he must have been nervous and really wasn't sure what he was doing. (Laughter.)

And the British press really had a heyday with this. It went on for many days and I was off traveling, but someone who works for me noticed that these scribbles looked a lot like my scribbles, and so they called up 10 Downing Street and said that the prime minister was off the hook -- that, in fact, they were my notes.

So I brought them here. These are the actual notes that I mistakenly left behind, so I can show you some of the things that are on here: Remind Melinda to record "24"; why does Bill Clinton get to sit next to Angelina Jolie? (laughter) I'm hungry. And perhaps worst of all, I've got my new password up there. (Laughter.)

So in the future, I will exercise more care but I got a very nice note from the prime minister for fessing up that these were, in fact, my notes.

Well, moving on to broader security problems, there's no doubt that every year that goes by the world is more and more connected, the need for the Internet to work reliably and all the systems on it to be able to trust the information that's out there, it's greater all the time. And most of the talks I give are really focused on the great improvements there and how that will improve efficiency, how it will streamline commerce, how e-government is a fundamental improvement in the way citizens relate to the various departments -- fantastic advances. And the hardware industry is delivering its improvements. With new versions of Windows and Office, we're enabling new things and it's quite fantastic; bringing together the world of telephony, the world of video, the world of data -- very rich new scenarios going ahead at full speed.

And there's really only one thing that could stand in the way of realizing the full potential of that digital infrastructure, and that's the topic we're totally focused on here at this conference. Broadly, we think about these as the concerns around Trustworthy Computing. That's a very broad term for us, everything from privacy, keeping documents confidential, code attacks, social engineering, the broad range of things that we need to make sure are kept to a minimum and don't hold us back.

And so that is the top priority for Microsoft, the top priority in terms of our R&D, the top priority in terms of our communications with customers and helping them get the right configuration. And I can see that that will remain our top priority, because it's the one thing we need to make sure we get absolutely right to unlock all of those other exciting things.

Now, in terms of delivering on more secure systems, I think there are three general things that we do. The first is advancing the technology. We spend over US$6 billion a year on research and development. I'd say that over a third of that is directly security-focused, and the other two-thirds all tie in and relate to that security work, all the new code being reviewed and going through the threat model, a pretty dramatic thing there. So, big advances on the technology front, and I'll spend most of my time talking about the milestones there and the road ahead there.

We also provide guidance to customers, and we've stepped that up a lot. I think a lot of the kudos for the improved dialogue over the last year has come from being a lot clearer about how to use the capabilities there as much as the new capabilities we've put out, so prescriptive guidance. And finally, working as an industry, making sure this industry is leading with standards, and dialogue with government enforcement tools to make sure that this industry is connected in the way that we should be, to bring people who exploit vulnerabilities to justice.

So what are the technology fundamentals? Well, first and foremost, there's the idea of how you write the code, what we call engineering excellence. Certainly, over the years, the ability to have automatic checking tools and really understand the nature of mistakes that people make -- that's been improving, and we've built a lot of very special tools internally that do checking, checking for particular patterns, buffer type checks, fact type checks and general proof of the relationship between modules.

We've had to invent a lot of this technology in the face of the need to have this extremely reliable software. We've had to invest in training. We've had to create a whole lifecycle as we go through and do the design analysis and get check-offs from security experts as we go through that. We've had to create a new type of tester that has the mind of a malicious attacker, and both on a white box and a black box basis is performing attacks where there might be a level of vulnerability.

A lot of these things, like the way we do the threat modeling, have come out in books that are required reading internally, but also now available externally. And the final element of this is having a Security Response Center. 24 hours a day, experts monitor lots of information coming in from our monitoring tools, and our partners and making sure that the response and understanding is very, very rapid and that we're sharing very broadly with people.

We've been able to standardize a great deal of this, the regular updates coming on a monthly basis, but also have a system that when it needs to do something on an immediate basis, does that exactly the way it should.

Now, we want to take what we've done internally and also make sure that's available to developers. Gartner looked at security problems, and said that 75 percent of them occur at the applications level and so that's code written by our customers.

As we talk to developers, they have a real interest in this information; 64 percent of them rated writing secure code as a key new skill that they want to acquire, and they want tools to really be able to go in and audit what they're doing.

And so many of these tools that were initially used internally are now part of the Visual Studio development environment. We've put those out in beta, things like the FXCop, PREfast, gsSwitch, AppVerifier, a number of them and now with the release of Visual Studio those get incorporated in so you've got a very simple user interface there.

We've taken our MVP program, the developers we work with closely, and created targeted security activity there, and that's all on the MSDN Security Development Center. So we're creating a community for sharing best practices, getting feedback, making sure that the tools are very strong there.

So let's look at the elements of technology innovation. I think we can divide the challenge and the needs for advances into four different buckets that I've got here. Getting software up to date; that is, using the ability of the Internet to fix problems and making sure that operates faster than the ability of the Internet to propagate problems, so updating has been a big focus.

Isolation: This is a very profound technique that exists at many levels; isolation within a machine so bad code can't do much, isolation within a network and isolation perimeter type work. So isolation is fundamental. The Internet connects everyone together, but we have to be able to look at those connections and make sure there's the appropriate connections, and isolation is a fundamental technique for making sure we don't have the spread of malicious code.

A third area that is getting more attention is authorization and access control. As we strengthen other elements of the system, the weak link often becomes the ability to guess at people's passwords because they use the same password in many places. So we have to strengthen this and strengthen the administrative tools around it so that you know all your resources have the appropriate access controls applied to them.

And then finally, something that has really been probably the fastest growing challenge is what's gone on in social engineering -- the mail that encourages you to supply information; phishing, code that encourages you to download it because it seems benign and yet it's actually spying on your machine or doing something inappropriate to your machine. And these are cases where from a technical point of view there's no exploit or anything, they've simply taken the privilege of the user and fooled them into running code that they don't want to run. And so, we need significant advances to make sure that that category doesn't keep expanding the way it did this year. So important investments in all four of these areas.

Let me now take them one by one and talk about where we are and the new things going on.

Updates. You're going to have systems that you can't isolate, things that are in your DMZ or mail server receiving SMTP or Web server receiving HTTP, and so those exposed machines have code paths that are triggered by these arbitrary connections and making sure that if there's a way to exploit that code, that the update comes in, comes in easily with very little overhead -- that is crucial.

I'm sure you've all noticed that the amount of time between when an exploit is discussed by security experts and somebody with bad intent actually packages that up and tries to use it -- that amount of time has compressed quite a bit. If you go back two or three years, it was measured in months. Now that timeframe is measured in a few weeks, or in a few cases even in a number of days.

So the idea of this updating infrastructure being simple, being automatic, being clear about what's being included, there's been a huge pressure on that.

Fortunately, we've seen a great response to that. Customers have been putting in the infrastructure, spending the time on this. They've had a lot of demands in terms of reducing the size of those fixes so they're minimal, reducing it so that when we update a module it's only the critical fixes that come along with that. A year ago we didn't have that methodology for all of our software, we call that reduction of encompassed fixes. Now we fork and only give the ones that are critical, rather than everything that happened to be in that area. It makes a big difference in size and a very big difference in terms of the kind of application compatibility challenges that people have.

We've come up with a way to automatically test these things in a very broad way before we put them out inside Microsoft. Typically, we'll have over 10,000 desktops running these things and hundreds or thousands of servers before they even get into this update process.

The regularity, the better use of terminology here, a lot of process-type improvements that have made this go more smoothly, and we really have a great engagement with customers, particularly the enterprise customers using deployment tools like SMS, smaller customers who are getting the updates directly from us, so this has been a real improvement.

In updating, the actual infrastructure is being used very heavily. The Windows Update piece, we've got about 150 million people who connect into that. We're certainly encouraging at the consumer level that number to become 100 percent of consumer machines.

We did have a different approach for different products, so you can see on this slide I show a different user interface for Office, Windows, Visual Studio. What we're announcing now is that we're bringing all of this together, so there's just one update center, one scanner, totally consistent across the different products and now there's a single database. And the way you access it if you're a consumer, it's Auto Update, or even a small business would probably go through Auto Update. As your business gets larger, then you would use the free Windows capability called Windows Update Service, where you get to have a little bit more control and it connects to many machines. If you want really deep and rich control, you connect up through SMS, our Software Management Server that does the very rich updating. And so, each class of user has an interface in the connection that's appropriate to them and it works across all of these different products.

We beta this new infrastructure starting in March to simplify things, and we're excited to get feedback on that.

This is also where we update our so-called Baseline Security Analyzer so that it connects exactly up into the database, and you always see consistent results in terms of how you scan things and do analysis; so a very good evolution based on the importance of updating and the feedback we've had there.

Well, let's talk about isolation. I said the first element here is isolating the individual machines, and our big advance in this during the last year was the delivery of Windows XP Service Pack 2. That was a major piece of work for us and I have to say that has gone super, super well. The response to it, the level of update is phenomenal.

We've got 170 million people who did the automatic download and more people who have taken the CDs and installed those very broadly, so that's a very significant amount of updating.

On a weekend, if you look out on the Internet and see the activities that are going on, you have about half the users connecting up to Web sites who are using SP 2, and so here where we're about less than five months after the release of this, that's a good number. But over the next year, we need to drive that number up to be almost all of those users and so getting the word out about that is important.

We're having so-called Security Days in many countries where we talk about best practices, including the strong message about SP 2.

For a corporation, our message about SP 2 is a nuanced message. If you have machines that are behind your firewall, the urgency of updating those is not as great as for the portable machines that are going out and often connecting up in a completely open way. Over time, we'd like to see all those things updated because you want multiple layers of defense, but the key thing -- and we've had a lot of good dialogue on this with customers -- is those portable machines.

We also have an update of the Windows Server. This is called Service Pack 1 and it went into beta last week. This includes a quarantine capability so that when somebody VPNs in, the ability to check their machine and only give them very limited access until those checks have taken place, that is built in. So it's a very rich capability there.

We also have our anti-spyware product that I'll talk about more that's very important to make sure that arbitrary code doesn't get on the machine, even if it's brought in by a user action, that can compromise the security base.

And then finally we have tools that let you restrict what software runs.

I've spent a lot of time talking with customers about SP 2 and their experience. They're pleased with the compatibility and the way that we've rolled that out with the tests and things. We have one very good example of that is a company called Holland & Knight, a big law firm, and I thought I'd let them talk about their experience in rolling out SP 2, so let's go ahead and look at that video.

(Video segment.)

BILL GATES: Of course, one of the big changes in SP 2 was the work we did in Internet Explorer. Internet Explorer 6.0, SP 2 had a number of new capabilities: zone and domain restriction, which we think is a very key technique, anti-spoofing capabilities, blocking suspicious content, memory protection and a lot more user control. Not just a popup blocker, but letting people really decide what code they want to download, understanding through the add-on manager what they have there. So that's been a very big improvement for us.

We've also now got with our different products what we call the Security Configuration Wizard. It lets you define for a role, particularly on a server, exactly what things are enabled and disabled, and these 24 predefined roles can be added to for different server types that you have, so it makes it very easy to administer those things.

A final area that a lot of customers have been using very effectively is taking what we call group policy, where you have Active Directory and you can take groups of users and decide what software they can install, what software they can run in what ways. And by having those explicit lists, it stops bad code completely because you know exactly what you've decided that they can run; so using group policy to do that software restriction is very important.

Well, let's talk about spyware. This I'd have to say in the last year -- malware, spyware as a category -- has been the thing that's risen the most dramatically, and it's slowing down machines, it's causing popups people don't want. It's compromising privacy. This is a very serious problem, a lot of malicious code out there preying on these systems.

Now, what can we do about that? Well, we can not only scan to see what's there and remove it and have that done on a regular basis, but even more importantly, we can make sure that we detect this when it's coming down. We call this real-time protection. There's over 50 different places where we've got add-in capabilities on the PC that we need to see what's coming down, check that against the information that we have and alert people so that they can make sure they're not bringing down something they don't expect.

One of the most exciting things we've got here is what we call SpyNet and this is where we can get reports from people who are being asked to download things about whether they chose to download it and what their experience with it is and so we can see when something new is emerging market exactly how people are experiencing that and make sure that the signatures, the pattern matches that we have that do both cleaning and detect the download are kept very, very up to date.

This is a product where we acquired a company called Giant late last year, put out in beta, and we've had over five million downloads. I'd say the good news/bad news is that it's helped to find many of those tens of millions of pieces of unwanted software. That's good in the sense that it did a great job detecting those things -- people's machines ran faster, and they were completely clean and happy with that. But it just shows the extent that spyware has gotten out onto different machines.

We get about a half-million reports a day through this SpyNet, and we've got the data we use to make sure that we're completely on top of these things, and we can stop something very early in its tracks. So, if there is something new, or if somebody just changes their spyware to look a little bit different, we have to match it in a slightly different way. We've got about half the users of the anti-spyware beta participating in this network.

We've looked hard at the nature of this problem, and made a decision that this anti-spyware capability will become something that's available at no additional charge for Windows users -- both the blocking capability, and the scanning and removal capabilities. Those are features we think should be available to protect every system.

Just like for Windows Update software updating, we'll have solutions that include rich administrative capabilities, and when there's a centralized management and control requirement, we'll have a separately licensed product that does that. But, for the basic idea of spyware as something we've got to nip now before it gets worse than it is today, we've made the decision that all of our Windows licensees should have that capability. And I'm very excited that we've got this technology, and it really addresses what is a burning need for our users.

The best way to see both what I've talked about with Internet Explorer, the 6.0 that's in SP 2, and see why we're so excited about this anti-spyware capability is to see it in action. And so I would like to ask Zachary Gutt, Product Manager, to come out and show us these things at work.

Welcome, Zachary.

ZACHARY GUTT: Thanks, Bill.

I'm here today to show you how Internet Explorer enhancements in Windows Service Pack 2 combined with the new Windows AntiSpyware Beta help protect customers from two common threats on the Internet today, download spoofing, and spyware. So, let's start out with download spoofing. This is a Windows XP computer running Service Pack 1. And I'm going to open up the Internet and go to my favorite auto enthusiast site. I'm going to click on a link to read an article, and what we see here is that a security warning appeared, meaning that Windows has detected an attack on my computer. Interestingly enough, the only option I have at the bottom is to click yes. What we're actually seeing here is a download spoofing attack. We can see as I move the dialog box to the side that these are actually frameless JavaScript windows that are covering up the actual text in the dialog box.

So, let's see how the experience improves in Windows XP with Service Pack 2. So, this is an XP 2 machine, and now when I click on the same link, the first thing we notice is that the information bar appears at the top, preventing that window from automatically appearing. But even if I click through the information bar here, we can see that the security warning now completely appears because these frameless Javascript windows are no longer able to cover up this important warning.

Next, let's move on to spyware, another very common threat on the Internet today. Low PC performance, annoying pop-up ads, and unwanted change to Internet settings are just some of the common issues caused by spyware and other potentially unwanted software. Windows AntiSpyware helps protect users by doing three things: detecting and removing spyware, improving Internet browsing safety and stopping the latest threats. So, let's start with detecting and removing spyware.

This is a Windows XP SP 2 computer that I suspect has spyware on it, because it's suffering from some of these same symptoms I just mentioned. The first thing we see here are pop-ups telling me I can win big, telling me my credit score, and lose 50 pounds. The next thing we see here is a home page I don't recognize. I have reason to believe that my home page has been hijacked. So, let's see how Windows AntiSpyware can help.

This is the main screen. Right now it's telling me that 10 threats were detected during my last scan. Clicking on this takes me to the scan results, where we can see that an action has been automatically recommended for each piece of spyware that was detected. In addition to remove, I also have the option to ignore or quarantine, or always ignore each one of these threats. So, I'm going to follow the recommended actions by clicking continue, yes to confirm, and yes to close my Internet Explorer window.

So, as the spyware is cleaned off my computer, it's important to note that regularly scheduled spyware scans are set up during the install process to help keep spyware off of my computer. I'm going to click OK to close this dialog box, and we can see back on the main screen that my computer is now free of known spyware.

So, the next step is to make sure that I keep new spyware off my computer on an ongoing basis. This brings us to the second way Windows AntiSpyware helps protect users, which is by improving Internet browsing safety. So, I'm going to go to a site on the Internet that I know offers spyware in the form of a download. The first thing we see here is the information bar, an XP SP 2 feature that's blocked this spyware from automatically downloading. But even if I bypass this warning by clicking download file, and run, I get another warning that's telling me that the publisher of this file is unknown, and it's asking me if I'm really sure that I want to download it. Even if I bypass this warning by clicking run again, I'm going to show you how Windows AntiSpyware adds another layer of protection. It further improves Internet browsing safety through real-time protection, which continuously works in the background to monitor my PC for any signs of incoming spyware.

We see in the corner that a red pop-up has appeared telling me that the client 'Man Browser Plug-in' has been detected. The description here says that it's trying to insert itself in the start-up portion of the registry. This is a common trick used by spyware that gets started every time I start my computer. And because this is a known threat, I'm going to click remove, and yes to confirm. As the spyware is removed, it's also important to note that users have the ability to customize what types of pop-ups like this that they see, and how often that they see them. This window is telling me that the threat has been successfully removed, and it's recommending I run a full scan. For the purposes of the demo today I'm just going to click no.

This is the status for the real-time protection that we just saw, so we can see that all of my security checkpoints are active. Digging a little bit deeper, we can see, here's the start-up registry files checkpoint, which detected the piece of spyware that we just blocked. Scrolling down, we see another important checkpoint, which is the Internet Explorer toolbar checkpoint. This one prevents unwanted toolbars from being added to Internet Explorer. So, in addition to these two checkpoints, there are 57 additional checkpoints continuously working in the background to improve my Internet browsing safety.

The third way Windows AntiSpyware protects users is by stopping the latest threats, and a key piece of this is SpyNet, the worldwide community of Windows AntiSpyware users. These users play a key role in determining which programs are classified as spyware. Anytime any of these security checkpoints detects an unknown program, users have the option to send this data to SpyNet.

What I'm about to show you now has never been shown in public before, and we're really very happy to be showing this for the very first time right here at RSA. This is the SpyNet Research Center at Microsoft, which collects all the data that's submitted to SpyNet. This data shows our researchers the most common threats that users are seeing out on the Internet, enabling us to quickly respond and build signatures to stop them. Let's dig into the research analysis section, which brings me to a page where a researcher can create a report on any attribute of this data. I'm going to skip down to the custom data view cell and take a look at what's been emerging over the last 96 hours.

What we see here is all the data submitted to SpyNet over the last 96 hours. And, as you can see, there's quite a lot of it. The green entries on this list represent programs that are known not to be spyware, and the black ones on this list represent programs that are unknown. So, looking at the first one here, we can see that almost 55,000 people have submitted a report for this Admancontrol.exe. We can see by looking at the data here that in total over 66,000 people have blocked this, and only 12,000 people have allowed it. Now, because this is unknown, because so many people are blocking it, it could be spyware.

So, I'm going to submit this to the research queue for the researchers by clicking this icon. From here, if this is actually deemed to be spyware, a signature will be created, and then that update will be made available to all users. You can see the next two items on the list are green, meaning they're known not to be spyware, and they're actually Apple iTunes and the Microsoft .NET Framework. You can see that the data here says that the vast majority of people are allowing these programs. So, as more and more users participate, and there are 3 million today already, the power of SpyNet will grow, enabling new spyware to be discovered and classified more quickly, so everyone will be better protected.

So, in summary, I've shown you how Internet Explorer enhancements in Windows XP Service Pack 2 and the new Windows AntiSpyware Beta protect users everywhere from the threat of download spoofing and spyware.

Thank you. (Applause.)

BILL GATES: The response to all the particular enhancements to Internet Explorer has been very positive. We're also going to dialogue about what more can we do, because browsing definitely is a point of vulnerability. Allowing people to have the richness and the extensibility, and yet be protected, that's a challenge. You don't want to lock things down so you can't ever get to rich Web sites, and yet you still want to make sure this is not the path that security threats are coming in through.

We have a dialogue to make sure that we're understanding exactly what people would like to have us do in Internet Explorer, and what we've decided to do is a new version of Internet Explorer, this is IE 7, and it adds a new level of security. We will be able to put this into beta by early in the summer. And, one thing to be clear on, this will be in the Internet Explorer that's available to people using Windows XP SP 2. Of course, as well, we'll include these capabilities in the next release of Windows scheduled for 2006, which is our "Longhorn" release. But we decided we're going to have the new capabilities even available before having the Windows license to the install base here. Some of the advances include things focused on phishing, where people use URLs that appear to come from another location, things related to malware. So, it will be another important advance here, and we're excited we have the dialogue to make sure we're putting exactly what customers want into this.

We've talked about isolation on the individual machines, what I call post-isolation. Now we're going to talk about how we can make sure that a machine that is running well doesn't get connected to and somehow affected in a negative way by another machine. So, there's a wonderful technique that lets you do this, and bring other benefits as well. And that, in fact, is the IPsec capability. It makes sure that the traffic is encrypted, so there is no eavesdropping or modification that can take place, but it also makes absolutely sure through the use of certificates that the machine that you're connected to is the machine that you want to be able to connect to.

So, what this does is, it drops away from the notion of a single perimeter with the firewall and says, 'Let's make sure the connections are only the ones that should be there.' Microsoft is using this itself. We have over 200,000 different devices and machines, and we've gone and rolled out the connections so that there's no connections that we haven't authorized there. We've made this easier to set up with the Security Configuration Wizard that ships in the Windows Server 2003 Service Pack 1. And we believe that this idea of controlling connections in a very rich way is a key element in the security mix. In fact, in Visual Studio, we're going to make it so that you can develop new applications by using rich Web services that, as you deploy those applications, we automatically understand what users can connect to those applications, what machines they use -- and so we can set up without any extra work the idea of the IPsec enablement that that application wants.

If you turn off an application or change who can use it, we can automatically connect down and reconfigure the IPsec policy accordingly. So eventually you'll just think in terms of application deployment, even though this mechanism will be down there working at the IP level to control those connections. So a new technique that we think will have very broad use.

Finally there is the idea of the perimeter, and making sure that's handled very well. In this, of course, people have multiple zones. They have the things that are outside the perimeter that are connecting to the Internet, and then they have the things inside this corporate network.

People want to be able to examine exactly the protocols coming in, so they can restrict at a very granular level what operations can be performed by things that are external. And being able to set up these trusted zones, understanding particular applications, like Web service applications, or mail with exchange, building those profiles in is something we've done a richer and richer job of.

Today we're announcing that we released our ISA Server 2004 Enterprise Edition to manufacturing. That's a product where if you have a complex network, it's very important because it lets you set the policies in one place across many, many different machines. And it understands profiles like branch offices. It understands network load balancing, and the things that are very typical there. This is another thing that we've been using ourselves to great benefit now. It's much easier to set up, and much richer, because permanent isolation, although it's not the only level, it is a key element of an overall security strategy.

Let's talk about viruses, detecting and removing viruses. The e-mail vector continues to be the primary means of virus threat, 88 percent of virus incidents in corporations are coming through e-mail. And it's our belief that we need to beef up and really improve the scanning capabilities there. In fact, it's argued that having a single engine to do that scanning is really not sufficient. You really want to take the best ideas of many people writing these scanning engines, and get those working on your behalf. Yet, you want to catch the thing early. You don't want to necessarily have it get into the store. You want to scan at the SMTP level as well as at the store level. Both of those are very important.

We're looking at building sort of the ultimate mail virus protection. We looked at what we're using internally at Microsoft, that was the Sybari product. We looked at what they'd done with the multiple engines, the different layers of scanning, and really specializing in infrastructure and drawing on others for the virus engines. And we saw that as a very exciting approach, really allowing us to be able to say to our Exchange customers, 'We've got a complete solution here, and we're going to integrate it in with the administrative interface in a nice rich way.'

So they were the leading provider. We were able to reach an agreement to buy them. They've got over 10,000 customers. Of course, it's not only for Exchange, but for SharePoint and Live Communication Server. Those are emerging more and more as key collaboration tools, to making sure right from the beginning we get the same infrastructure and the rich support in those is a very big deal. So this will become in time a Microsoft product, one that we think is very exciting.

In the area of AV (AntiVirus), we can also say that we're on a path to deliver a product that includes AV capabilities broadly to consumers by the end of this year. So AV continues to be a very important element, both the e-mail part, and other ways of blocking.

Now, let me turn to authorization. As I noted earlier, if somebody knows your password, it doesn't matter what other security precautions have been taken, they obviously have access to your information and the ability to install code. So that is a serious problem. Yet, the complexity of managing IDs is making it almost impossible for even a very responsible person to be changing their password, making it hard to guess, using different passwords on all the different systems. There's a lot of overhead in this, not just for the user, but for the IT department.

Password resets are a fairly extensive thing, and often that, too, is a weak link, where you can spoof somebody into resetting somebody else's password. A lot of corporations and government agencies are stepping up now and saying, 'Hey, we've got to have stronger authentication.' Many of the banks, and other corporations, Microsoft's remote access, we're saying it's time to have multiple factor identification, and particularly bringing in the smart cards. The key element of this for us is using Active Directory. Active Directory, there's been a huge investment in that, because it's a common platform for file protection, mail set up, and all the different security things you want to run on your computer networks. To be able to have that ID, that includes user certificates in that, is something we think is very, very important.

So with the Windows Server update, Windows Server SP 1, we've included the digital identity management capability. That allows you to easily roam these certificates across different machines. It makes it easy to have high reliability with adding servers in without administrative overhead. It's a pretty big improvement for the people who have been doing this. But, perhaps most importantly now, we're getting it to a level where the guidance can make it simple enough where this will be done very, very broadly.

Another element of this is what we call the Microsoft Identity Integration Server, that's our meta-directory product. It makes it very easy to set up for all the different directories you have -- human resources, other applications that you have -- and really define what the common attributes should be and how those move around, which is the master and what the policies are against that.

It's very, very flexible. It's got connectors for all the different things in the backend. By using a product like this, the overhead of directory management and the quality of directory management can be improved dramatically. If somebody joins the organization as a consultant to the organization, changes roles, leaves the organization, you go to one place, and that information is propagated in the right way across all of the different places that it should be.

Another big milestone for us will be an update of the Windows Server that comes next year called R2. This is where we have federated identity management, the ability for corporations to simply at the administrative level exchange certificates, so that for all of the things like SharePoint connections, or applications, you don't have to issue a new account and a new password. You can simply use the chain of trust, and have the authentication that took place in that other corporate domain be checked, and have that apply in terms of what permissions you want to grant there.

Federation is a very, very important thing. The only way we're going to get all of these trust connections to work well is to have federation. It can't just be a point-to-point thing. So this Server R2 that's going on, the standards work that we did around Web services will be an important milestone there, and let you work with outside organizations in a very secure way.

We also think that it's very important to have data protection. When we think about this, we think about Office documents, we think about e-mail that you may want to control exactly where that goes. We started in this market a little over a year ago with our Rights Management Server first version. We have now coming out the Rights Management Server SP 1, and a number of improvements, adding some new scenarios so that you don't have to connect back to the main server, so you can store the credentials locally. That lets you do lockbox scenarios. Also supporting the smart card, which as I said is something we expect over the next several years that will become almost commonsense for corporate authentication.

So making it easier to deploy for our government customers, it's a nice evolution here of the idea of data protection that is of critical importance. Of course, you have a lot of data in databases and things, but you also have lots and lots of documents that have key information, and this extends by having the right hooks in Office and the right administrative tools, it gets security out to that document level.

So I've talked about a lot of these pieces and how they can be used in the enterprise. Again, I think seeing it in action, how you set these things up, seeing what the user scenario looks like is the best way to appreciate what we're aiming for. So I'd like to ask Josue Fontanez (sp), who is a senior product manager in our security business unit, to come up and show us these products in action.

Welcome.

JOSUE FONTANEZ: Thanks, Bill.

As we go out and talk to customers, a few of the things that we've been hearing is that customers want to enable key business applications on the Internet in a secure fashion, as well as safeguard sensitive documents from unauthorized use. Now, customers are looking for solutions that are easy to use, update, and manage, as well as integrate with their existing infrastructure.

Let me show you how we've helped a fictitious organization, Kintoso Pharmaceuticals, meet those key business needs. Now, before Kintoso Pharmaceuticals can enable those key business scenarios, they need to ensure that their platform is up to date with the latest software updates. Therefore, they've deployed SMS 2003, which allows them to stay aware of the latest software updates, identify systems which are not up to date, as well as deploy those updates quickly to those systems.

Currently, they want to ensure that their platform is up to date with the latest software updates, therefore they're going to run the SMS report manager to verify that their systems are up to date. Let's go ahead and display one of these reports, and this report will identify for me the updates that are applicable to my environment. As well, if I scroll to the right, you'll notice that I have a compliant column. The fact that a star is there shows me that all of the applicable updates for my environment are already installed on my system. So with SMS 2003 I've been able to ensure that my platform is up to date.

We can now go and enable those key business scenarios that we spoke of earlier. Now, the first business scenario that we want to enable on the Internet is a key business application that our customers want to enable. And a great example of that is Outlook Web Access. Our users want to be able to access their e-mail from any machine with a Web browser, and Outlook Web Access allows them to do that. But, customers have told us that they're looking for a solution that provides advanced protection from a new wave of application layer attacks, as well as block the common attack vector to Web applications, which is anonymous access.

Therefore, we've developed a solution with ISA Server 2004 Enterprise Edition that allows them to do that. ISA Server 2004 Enterprise Edition is uniquely optimized to protect Exchange. Let me show you how we've done this. I'm currently at the ISA Server 2004 Enterprise Edition management console, and with Enterprise Edition I'm able to sensibly manage my firewall policies across a group of servers, and with the integration of network load balancing, I'm able to balance the requests as they come into the environment.

So since I want to enable Outlook Web Access on the Internet, let's go to the 'Publish a mail server' wizard, which will walk me through all of the steps to enable OWA on the Internet. I specify a name for this rule, and click next. The next two screens I specify the access types, and the services that I want to enable. Both of these will be OWA. Here I specify how I want ISA Server to handle SSL termination. Now, with traditional solutions, traffic coming in through port 443 is not heavily inspected. With the integration of ISA Server 2004 and the application layer filtering, we're able to perform advanced inspections, even when traffic is coming in through port 443.

Let's click next, and I now specify the internal and external names that users use to access this environment. In this case the name is the same, mail.kintoso.com. I apply that here, as well. And I come to a very important step in the wizard, which is specifying a Web listener. The Web listener serves a few main functions. It listens for requests as they come into the environment, and as you can see here, with my authentication method of OWA forms-based authentication, I'm able to first pre-authenticate all requests before they reach the environment.

Second, I'm able to impede the caching of credentials on the user's machine, a very serious security risk for our users. So I click next, and it's currently set to default to all of my users. I'm actually going to remove that, because I only want this policy to apply to an Active Directory group that I've created for my full-time employees. I'm going to start that up and select no. And I've now finished enabling Outlook Web Access on the Internet, with ISA Server 2004 Enterprise Edition. I'm going to go ahead and apply the policies to the configuration.

Let's now go ahead and talk about the second scenario that we spoke of earlier, which is around safeguarding sensitive information. Now, Kintoso Pharmaceuticals, as a healthcare organization, has many sensitive documents. In fact, currently they're rolling out a new clinical drug trial. It's very sensitive information, and they want to make sure that only authorized users are able to access this information. Therefore, we've developed a solution, Rights Management Services with Service Pack 1, that allows customers to safeguard that sensitive information.

As you can see here, I have a Word document concerning this new clinical drug trial. I want to apply a policy to this Word document to protect it. So I'm going to click on File>Permissions, and you'll notice that I have a few rights management policies applied to my desktop. My IT administrator has deployed these policies to me via Active Directory group policy. So I'm going to select the Research and Development policy, and apply that.

Now, I have a traveling executive. He's on the road, and he's going to need access to this document. So I'm going to go ahead and send it to him as an attachment, so he can go ahead and view the document. Let me go ahead and send that to him. Now, that was the end user experience of applying a policy to the documents.

Let's go ahead and show him accessing not only his e-mail on the road, via Outlook Web Access, but also that protected document. Let's go ahead and access that environment. One of the things that you'll see is although ISA Server is transparent to the user, it's pre-authenticating all requests, blocking that anonymous access, and it's also performing that advanced inspection.

So let's go ahead and log into the environment. And the great thing is, I'm able to use my existing Active Directory credentials to log into this environment. So now that I've logged in, I see the e-mail from Steve concerning the new clinical drug trial. Let's go ahead and open that attachment. And one of the things that you'll see that Rights Management Services is going to verify my credentials, and download permission so that I can view this document.

So now that I have it here, you'll notice a few things that Rights Management Services and Service Pack 1 allows me to do here. First off, if I select my formatting options, you'll notice my options for font, for paragraph are grayed out. In fact, if I try to type in the document at the bottom it says, this modification is not allowed because the document is locked.

Let's take a look at how that policy applies to me. I'm going to click on view my permissions, and you'll notice that my only options are to view the document. I can't edit, copy it, or print. With Rights Management Services I'm able to safeguard my sensitive information from unauthorized use.

Now that I've enabled all of these business scenarios, Kintoso wanted a solution that allowed them to proactively and effectively monitor this infrastructure. Therefore, they've deployed Microsoft Operations Manager 2005. You'll notice that Microsoft Operations Manager 2005 has management packs for the entire infrastructure that I've just enabled. As you can see here, I have management packs for Exchange, SQL, SMS, Active Directory, as well as Windows Rights Management Services. And we also have a newly released management pack for ISA Server 2004.

Now, one of the things that I want to monitor in this environment is any security exceptions that may occur. Therefore, you'll notice that I've made it send an alert to the IT administrator with any HTTP 400 security exceptions, which may be an issue with permissions or authentication that I want to make sure that I'm notified of. In fact, with the MOM report manager that's built on SQL Reporting Services, I can run a report on this environment. In this case, I want to run a report on my Windows 2003 IIS Web Service, and specifically the main server, because that server is enabling some key business applications on the Internet. One of the things you'll notice is that those security exceptions seem to be a growing trend in my environment. This is something I definitely want to pay attention to, and monitor more closely in my environment. In fact, if I look at my Outlook Web Access Mailbox, it tells me I have new mail. I'm getting alerts based on the alerts that I've already classified in MOM 2005. As you see here, that alert sent an alert to IT admin with 401 security exceptions. And the great thing is with MOM 2005, it gives me intelligent information that I can use to troubleshoot this issue. It gives me information on the client IP address that made the request, where it's going to, as well as that Web site.

I showed you how we helped Kintoso Pharmaceuticals with some key business scenarios with the power of Active Directory and the security and management solutions we've built around it. We've been able to ensure our software is updated, enabled key business applications on the Internet, ensured our sensitive documents are protected from unauthorized use, and centrally managed and monitored the environment effectively.

Thank you. (Applause.)

BILL GATES: Now, let's turn to a problem that emerged many years ago in a very big way, which is spam. This is something that's social-based engineering, where people are taking in mail that really wastes their time. And so, on their behalf, we need to make sure that that mail gets filtered out. This is an area where we have made substantial progress. For example, today, Hotmail sites, using the IP address blocking and the content filtering approaches, are intercepting well over 90 percent of the spam and deleting that automatically. Likewise, when you have Exchange Server connected into that profile service that we get for monitoring all the spam profiles, it, too, is able to do that type of deletion. We put the technology in the cloud server, in the enterprise mail server, as well as in the client software in the Outlook that is a part of Office here.

So, there's a big difference in terms of spam experience between people who are using the technology that's been updated, and people who are using the technology that hasn't been built with these capabilities. One new element in detecting spam is this approach called Sender ID, and we were pleased to get that standardized, we were pleased to get the big mail senders and receivers to agree that's an important approach, and that's just being rolled out now, so that will further help reduce the amount of spam. It will let you clearly identify mail that is from a legitimate sender, and make sure that that's never categorized as spam, and so you can put more energy into the things coming from domains that you can't trust, you don't know what it is, which are fortunately a fairly small percentage of the e-mail that comes in. So, Sender ID will strengthen things even further here.

I wouldn't say that we're at the end of spam. There's still a lot to be done. But we're past the peak, and we have the techniques rolling out which will bring this to be less of a problem than it has been.

Contrary to that, phishing, although it's still at a much lower level in terms of numbers compared to spam, is a more serious kind of attack, and it's definitely been on the rise. People are being fooled by URLs getting e-mail that they click on and provide sensitive information, and that is a big problem. How can we prevent this? Well, there are many tricks that involve making a URL look like something it is not. That means that at the software level we can block those tricks. We also need the same techniques that we're using with spyware and other things, where we have a database that is tracked and kept up to date that lets people know exactly what the bad types are and be able to block them from that.

There's also kind of authentication in terms of seeing how long the site has been around, had its certificate, and know that if you really think you want a very reputable company site, you'll see some telltale things that really tell you that somehow you're not where you think you are.

We need work in e-mail for this. We need work in browser. We need work in the platforms. This is also one where user education is going to come in and be very important. So, we need to get this one early on, and make sure that it's not a common thing.

I mentioned that, as well as the technology advances that I've gone through, really explaining to customers in a simple way how to use these things to audit their status, that's one of the big things that we've been able to improve over the last year. We have guidance on all the different target customer sites that's appropriate for IT, developers or home users. We have the policy around the second Tuesday of the month, which is when the security updates come along. Now, even in advance of that, we've been able to get some information to people who want to be on the advanced notification program given the sense of what we're seeing for that particular month of updates.

A lot of things are here where we're just getting smarter all the time. Unlike software that's some big major release, but every month, I would say, we've tuned what we do in terms of prescriptive guidance, and made that important. We do need even users to be aware of these things, and so there's a lot of broad techniques we're using to get the information out there.

In terms of industry leadership, you know, our industry really is on the line to reach out to government, to reach out to our broad customers and be clearer that we're setting the right standards, we've got the right level of cooperation, there's nothing that's impeding us in dealing with these problems. We've had various rewards programs for particular things where we've worked with law enforcement to actually catch people doing things that are illegal now. We have an association, which is called the Global Infrastructure Alliance for Internet Safety that's us and the major ISPs sitting down and sharing best practices and what's going on there. That's been a very fruitful relationship, particularly in making sure they understand do they have bots on their network, what should they be doing about that, how should they be doing filtering. And so a lot of improvements have come out of that.

Public policy is changing on these things to catch up with the new types of attacks. For example, on the spam front, there's work with Pfizer now to go after people who are, in particular, pretending to sell their products. There's been 120 different legal actions, and at least on paper $100 million of damages have been levied against these people. Most importantly, it is causing people to understand that spam, phishing, those are things that there will be a strong response to, and the level of sophistication in law enforcement in finding that and responding quickly is going up as it should.

Let me just close with our basic commitment. Our commitment to Trustworthy Computing started with a memo I wrote several years ago, and it said that this was the most important thing that we're doing, and that in every aspect -- in our field, in our development and even in our basic design -- this needed to be formal. Every new feature had to go through a process where we'd understand exactly what were its implications for broad substantive issues, not just the security, but privacy as well, which is very, very critical.

Our investments in the technology pieces have been making very good progress. I hope you got a great sense of that today, that we're taking each of those pillars, the different places you can isolate, the way you do updating, the way you track things, and both through acquisitions and a great focus of our internal R&D is able to do new things there. The updating isolation, and now access control is very important, and we're taking that and extending it out to the developers.

I would say that I am optimistic. It's a challenging area, and new threats seem to emerge all the time, but I'm optimistic that through these different efforts, what we're doing on our own, working with partners, working with customers, that we will be able to mitigate the security problems, and, therefore, let the advances of this digital infrastructure really allow for fantastic things to happen.

I want to thank everyone here who is involved in this quest, because it is a quest that there will be many, many different chapters in, but you know that we have a total commitment to the trustworthy computing area, and look forward to working with you.

Thank you.

 
