``With the virus attacks of late and the numbers of those and how vicious those attacks have been ... it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area,'' Brian Valentine, senior vice president of the Windows Division at Microsoft, said in an interview.
The announcement follows a string of Internet worms and other security breaches, including the Code Red worm of August and Nimda worm in September.
Those worms, which are self-propagating viruses, exploited holes in Microsoft's Internet Information Services server software and installed ``backdoors'' that left infected computers vulnerable to future hacking.
IIS, which is used to run Web sites, is sold separately and comes bundled with Windows 2000 and Windows NT.
In addition to repeated complaints over the years from security experts about what they say is lax security, Microsoft has recently also been singled out by a market research firm and an insurance underwriter.
Gartner Group urged Microsoft customers hit by the worms to switch to Apache or iPlanet Web servers. J.S. Wurzler Underwriting Managers' Safeonline division has also charged some companies using IIS as much as 15 percent more in premiums to make up for the increased risk of the software.
Valentine denied that the company was responding directly to those moves, but he said they illustrated a general problem of customer confidence that Microsoft hoped to address.
``LOCK DOWN'' BY DEFAULT
Signaling a change in long-standing policy for Microsoft, the company said it will deliver all of its software -- including the next version of IIS that will be bundled with Windows .Net Server next year -- in the ``locked down'' position by default.
That means the settings will be placed in the most secure configurations when shipped, rather than in the most ``open'' position, which can leave the computer more vulnerable to hacking, but can offer more immediate and advanced functionality.
Under the new initiative, too, Microsoft will offer a toll-free support line (1-866-727-2338) customers can call when they are hit by viruses and a free CD that contains fixes for all the vulnerabilities in Windows NT 4.0 and Windows 2000, as well as software to lock down IIS.
In coming months Microsoft plans to offer a free online service that will notify customers of security vulnerabilities and automatically download the fixes.
Microsoft is also training its technicians to help companies secure their networks before issues arise rather than merely respond to situations after they occur, Valentine said.
Although Microsoft's move is a step in the right direction, security experts said it was not enough.
``Too little, too late,'' said Russ Cooper of TruSecure Corp. in an email alert on the announcement.
Microsoft should fix the problem by improving its technology, said Bruce Schneier, chief technology officer of Counterpane Internet Security.
``Microsoft treats security problems as public relations problems and this initiative is a PR solution,'' he said.
Security exploits are common and affect all software, but Microsoft has borne the brunt of them through the years.
The company contends that its software is targeted by malicious hackers because it is so ubiquitous. Critics have complained that Microsoft software is insecure by design.
``The problem is inherent in the way Microsoft develops and puts products on the market,'' said Michael Erbschloe, vice president of research at Computer Economics.
That firm analyzes the fiscal impact of technology issues and determined that Code Red will cost businesses worldwide $2.6 billion and Nimda $590 million.
Consumers would benefit from tighter security and product liability regulations like those that govern the automobile industry, Erbschloe said.