Microsoft Tightens Digital Defenses with Sweeping Security Overhaul

Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft's security culture "inadequate."

Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging.

Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.

Skipping

[RitchCraft]

"Satya Nadella pledged to prioritize cybersecurity" - someone pick the needle up, the sound is skipping again and repeating the same old tune.

Re:

[GoTeam]

"Satya Nadella pledged to prioritize cybersecurity" - someone pick the needle up, the sound is skipping again and repeating the same old tune.

Maybe "cybersecurity" has a different meaning to Microsoft?

Re:

[gweihir]

It essentially means "Please do not force any kind of regulation or liability in us! We will put up a show for you if you if you do not!" Of course, they will just remain their crappy self. They cannot do anything else. Building up a real security culture takes decades and people they do not have.

Re:

[GoTeam]

That's Microsoft for you. Leading from the vague edges of corpo-speak.

Re:

[Bu11etmagnet]

> Maybe "cybersecurity" has a different meaning to Microsoft?

They keep using that word. I do not think it means what they think it means.

I think they're serious this time

[rsilvergun]

There's too many nation states fucking with insecure software right now. It's at the point where Microsoft is in danger of losing important contracts. You've got countries like Russia and North Korea running pretty large scale ransomware operations, in the case of North Korea financing a good chunk of their economy with it.

It's just like back in the day with viruses Microsoft cracked down on them with the help of the DOJ and they dried up. Yeah I know there's still a bunch of them out there but I knew

Re:

[PastTense]

Who are they going to lose these major business contracts to? Big business is locked into the Microsoft ecosystem and it would cost a great deal of money to get out.

Re:

[jacks smirking reven]

I would think any state agencies may have the highest risk (and I myself even as a fan of Windows would say government operations should operate on as much open source as possible) but all it takes is one or two places willing to take the leap to snowball. The perception of companies moving off MS is damaging enough to warrant a response.

I would agree with GP that Microsoft is one of those American firms that not only needs regulation but is important enough to warrant some degree of state ownership. Inte

Re:

[rsilvergun]

The servers Go Linux and the workstations go to Apple.

So what they're actually saying...

[VeryFluffyBunny]

...is that they'll wait until anything becomes such a serious problem that they draw the ire of government agency clients who then give them such a big kick up the arse that they have to put on a big PR & marketing show to at say they're doing something about it.

If only they'd put as much effort into securing their faulty software as they put into telling everyone that they're going to do it.

Re:So what they're actually saying...

[ebunga]

If only they put as much effort into that as they did into cramming unwanted AI, intrusive "it would be a felony for even a slightly smaller company to try this" intrusive spyware and adware, remote installation of software without authorization, unnecessary UI changes because we have to look "new", subscriptions for things that shouldn't require a subscription, forced use of online services that would reduce your attack surface if they weren't used, and pretty much anything else they've done post Windows 7, the world would be a better place.

Re:

[az-saguaro]

I was going to write the same thing, but you beat me to it. Makes me think that "a million" other people had the same thought. If only MS actually listened or cared.

Re:

[ebunga]

Microsoft, like many large corporations, no longer needs customers to survive. Sure, as an abstract concept we make certain good numbers go up, but as soon as that's no longer the case they'll stop having us as customers and exist as some weird paper entity that mints money.

Re:

[gweihir]

Indeed. But you do not get rich by selling a quality product. MS got rich by pretending to sell a quality product and no liability if somebody finds out what it actually is. And having tons of fanbois with zero insight.

Re:

[gtall]

Mostly they got to where they are by holding the anterior lobes of the posteriors of business CEOs, CIOs, etc. "Look it, all this computer crap is confusing for you, we'll hold your buns for you so you don't have to."

What self-respecting CEO, CIO, etc. could ignore a pitch like that, it allowed them to get on with what they do best, "boldly leading into a synergistic future" and not pay any mind to all that confusing computer crap.

Now they had accountants who could do it for them...sez so right on the ledge

While they will be leaving mass amounts

[xack]

Of unpatched Windows 10 systems from next October. Microsoft's solution is to either ewaste your computer or force you to learn Linux.

Re:

[gweihir]

They are just putting on a show. They do not mean these statements seriously. MS will never produce secure systems or software or clouds unless they face liability. The very point of this show is so that they can continue to make crappy software with no liability.

How about Windows?

[Torodung]

Great. Now fix your broken OS that allowed a single ClownStrike update to crater systems globally.

You know, do a sanity check on kernel extensions, and notify the systems operator whenever they are pushed. And make them easily disabled on boot. And make it clear that a new one has loaded before Windows shits the bed.

You're darned right security culture is inadequate.

Re:

[sconeu]

Uh, it happened to Linux too.

Re:

[gweihir]

No, it did not. Windows became inaccessible. On Linux you had a few minutes after boot to fix things. That is a difference like day and night.

Only for show

[gweihir]

Just wait a year or two and they will be heir crappy self again.

Users

[PPH]

Users are the weak link in Windows security. Eliminate them and Microsoft will go a long way towards its security goals.

Users are closely followed by the power plug. Just don't plug in a Windows box and it will be impervious to external attacks.