Under a new program, Microsoft is paying for security assessments of its customers" networks to help improve policies in areas such as software patch management and assuage fears about the security risks posed by Microsoft products. The Microsoft Patch Assurance Security Service was started in late 2003. As part of the program, Microsoft is offering free security audits to all of its enterprise customers and paying for the services of third party security consultants, including Internet Security Systems Inc., to do the audits, according to interviews with those involved in the program.
In many cases, Microsoft"s patch management products and services, including Systems Management Server (SMS) and Software Update Services (SUS), are recommended to customers as part of the audit, interviewees said. Figures on the total cost of the Patch Assurance Security Service were not available, but it is an extensive program to reach out to Microsoft"s entire enterprise customer base, defined as customers with 500 or more Windows desktops, said Peter Noelle, a partner account manager at Microsoft in Atlanta.