Microsoft Windows Vista Security Advancements

Introduction

 

In just three decades, the software that runs personal computers and digital devices has transformed the way millions of people around the globe work, communicate and enjoy their free time. Yet we're only beginning to realize the promise of the digital age.

 

The continued advancements in processing power, storage, networking and graphics are enabling a digital infrastructure with seemingly limitless possibilities. But it's the magic of software that connects these devices into a seamless whole, making them an indispensable part of our everyday lives.

 

There's really only one thing that could stand in the way. As computers and the Internet play an increasingly important role in business and in our personal lives, they also have become targets for malevolent hackers who infect unprotected PCs with viruses, spread spyware, distribute spam and launch malicious attacks, and for identity thieves who try to trick consumers into revealing valuable personal information.

 

Four years ago, Microsoft^® Chairman and Chief Software Architect Bill Gates signaled a dramatic shift in the company’s strategy, making a secure, private and reliable computing experience the company’s highest priority. In an increasingly interconnected world of PCs, devices and services, this commitment to Trustworthy Computing is more important than ever.

 

With the forthcoming release of Windows Vista, Microsoft is delivering innovations that help businesses and consumers maintain control over their computers in a world of constantly evolving security threats — to help end users become more secure and protect the privacy of their information, and to offer IT administrators new ways to make their companies’ networks more resistant to attack while preserving data confidentiality, integrity and availability.

 

Windows Vista brings a new level of confidence to computing through improved security, reliability and management. Building on these advances, Microsoft and the rest of the technology industry can work to make computing even more reliable and secure by doing the following:

 

·        Building a trust ecosystem in which people, organizations, device-makers and code authors can be properly identified and held accountable for their actions, while still protecting the privacy of end users.

·        Engineering for security by establishing, publishing and sharing best practices, security diagnostic tools and security-specific testing methods.

·        Simplifying security for consumers and IT professionals, through a combination of industry standards, common development tools, and unified practices across platforms, products and services.

·        Delivering a fundamentally secure platform that includes protection technologies that enable isolation, trust-based multifactor authentication, policy-based access control and unified audit across applications.

 

These principles are reflected in the design and development of Windows Vista, which embraces a holistic approach to security that makes it a significant milestone along the path to achieving Microsoft’s vision of Trustworthy Computing.

 

Windows Vista is the first version of the Windows^® client to be developed using Microsoft’s Security Development Lifecycle, which makes security a top priority from the start by defining a repeatable engineering process that every developer must follow, and then verifying that process before release.

 

To improve security at the architectural level, Windows Vista implements a new strategy called Windows Service Hardening that improves the security of system services. Windows Vista also reduces the risk of buffer overrun vulnerabilities through improved testing and development processes, and it adds a number of enhancements to security on 64-bit systems.

 

With User Account Control, Windows Vista makes it easier for everyday users to run accounts with standard permissions, reducing the “surface area” for attacks. The Windows logon architecture has also been redesigned to improve reliability and enable alternative strong authentication methods.

 

Network Access Protection helps preserve the security of corporate networks by giving network administrators the tools to keep “unhealthy” machines off the network. Improved support for smart cards makes it easier for organizations to supplement passwords with multifactor authentication.

 

Windows Vista provides better protection from malware, potentially unwanted software and intrusions through the integration of Windows Defender anti-malware technology, an enhanced, bidirectional Windows Firewall, and advances in Windows Security Center to simplify the process of monitoring and remediating the security status of a user’s Windows PC.

 

Windows Vista also features a number of enhancements that help protect sensitive data, including Windows BitLocker™ Drive Encryption to better protect data on lost, stolen or decommissioned PCs, expanded Windows Rights Management Services that help organizations control who has access to sensitive data, and improvements to the Encrypting File System. Group policies for IT administrators have been enhanced to restrict the installation of new hardware and the use of USB keys and other removable storage devices.

 

Microsoft Internet Explorer^® 7 in Windows Vista represents a major step forward in browser security and privacy protection. Its new browser architecture is designed to give users more confidence in the security of their browsing activity while also helping to protect their personal data from phishing attacks and fraudulent Web sites. Advances include a Protected Mode that enables a robust browsing experience while helping to prevent hackers from taking over a user’s browser and executing code. A new Fix My Settings feature helps users keep their security protections at the appropriate level when installing and using a variety of Internet applications. A Security Status Bar helps users quickly differentiate between authentic Web sites and suspicious or malicious ones, and the Microsoft Phishing Filter helps users browse more safely by advising them about suspicious or known phishing Web sites.

 

Windows Vista is designed not only to mitigate today’s threats, but to evolve to counter future threats. Updates will be distributed automatically, new malware and potentially unwanted software definitions will be released as necessary for Windows Defender, and Internet Explorer will warn users about the latest phishing sites. Advances in computer hardware — including unique capabilities in the new generation of 64-bit processors, as well as hardware solutions such as the Trusted Platform Module and No eXecute (NX) capabilities — have enabled security improvements that were not previously possible on the Windows platform.

 

The following pages provide detailed descriptions of these security enhancements as implemented in current testing versions of Windows Vista. As the development process continues, Microsoft expects to enhance and refine these features in response to testing and customer feedback. Future white papers will cover additional changes and provide a more comprehensive overview of these features.

 

Engineering for a Secure Platform

 

Security Development Lifecycle

Starting in 2003, Microsoft established strong internal security design and development processes to help engineering groups create more secure products. The Security Development Lifecycle (SDL) is an evolving process that helps ensure that the company’s software and solutions are built from the ground up to reduce security risk. The SDL implements a rigorous process of secure design, coding, testing, review and response for all Microsoft products that are deployed in an enterprise, that are routinely used to handle sensitive or personal information, or that regularly communicate via the Internet. The SDL helps remove vulnerabilities and minimize the “surface area” for attacks, improves system and application integrity, and helps organizations more securely manage and isolate their networks.

 

Although the SDL has been used extensively on several key Microsoft products, Windows Vista is the first client operating system to be developed from start to finish using this new approach. The engineering process took all the lessons from security reviews of previous versions of Windows, analysis of Microsoft Security Response Center (MSRC) bulletins, and engineering practices from the development cycles of Microsoft Windows XP SP2 and Windows Server™ 2003 SP1.

 

From the start, teams worked with a security advisor who served as a guide and point of contact for the project from initial conception to completion of the final security review. Security reviews and testing were built into every step of the shipping cycle.

 

The Secure Windows Initiative Attack Team (SWIAT) conducted extensive design reviews and penetration testing of Windows Vista, with the goal of identifying parts of the product’s code or design that needed additional work to achieve an acceptable level of resistance to attack. SWIAT’s team of “in-house hackers” was supplemented by security research contractors drawn from leading security research and penetration testing companies.

 

More than 1,400 threat models were developed for Windows Vista to ensure identification of risks that required mitigation, code that needed special attention, and parts of the operating system that required especially intensive testing. The Secure Windows Initiative (SWI) team provided product teams with training and tools to support the threat modeling process, and the team reviewed the threat models for completeness and depth.

 

Throughout the development process, Windows Vista was checked against vulnerabilities discovered in Windows XP. Both operating systems were patched at the same time, and the security processes and tools involved were re-evaluated and improved where possible.

 

Automation was a key focus in the engineering process. The product groups also used tools that Microsoft developed to find certain types of code vulnerabilities —including PREfix and PREfast, which are source code analysis tools that detect certain classes of errors not found by typical compilers. The tools integrate cleanly with the build process, reduce development time, streamline code review, and help improve overall quality and reliability.

 

The Windows team annotated all Windows Vista functions containing readable or writeable buffers using the Standard Annotation Language (SAL), which allows these automated code quality tools to evaluate the consistent use of variables and buffers, helping developers detect and remove exploitable coding errors.

 

The team extensively “fuzz tested” components of Windows Vista that parse or process inputs from potentially hazardous sources. Fuzz testing automates the process of supplying corrupt or malformed data to these components to see how they deal with potentially malicious inputs, and it is very effective at detecting vulnerabilities that an attacker could exploit to run malicious code or cause a software component to fail. Fuzz testing on particularly complex parsers was complemented by a security code review and a deeper level of SAL annotations.

 

Another Microsoft-developed tool, called FxCop, scans managed code applications for vulnerabilities and helps prevent malicious code from taking advantage of buffer overruns in applications. In addition, the Microsoft Visual C++^® 2005 C runtime library adds buffer checks to functions that are known to be vulnerable to attack. These tools were initially developed for internal use at Microsoft but are also available to the developer community in Visual Studio^® 2005.

 

The code base was scrubbed for a number of issues that commonly lead to security vulnerabilities. All instances of cryptographic algorithms were reviewed to assess any weaknesses in algorithm choice or key strength. More than 100 programming APIs that had been misused in the past were systematically removed from the code base and replaced with more secure versions. In addition, third-party components that ship with Windows Vista were reviewed against the SDL.

 

Microsoft also provides detailed guidance on the SDL for independent software developers and the worldwide security community, to enable others to improve the security of their products.

 

To help ensure a more secure end-to-end computing environment, Microsoft is also working toward Common Criteria (CC) certification. Windows Vista will be independently tested in third-party labs using criteria set by the International Standards Organization (ISO), with the goal of achieving EAL4 and Single Level OS Protection Profile certifications.

 

Windows Service Hardening

System services are background processes that are always running to support key functionality. They have been a major target for malicious software attacks because they typically run with the highest possible system privileges (referred to as LocalSystem). A malicious attack that exploits system services could cause problems by running arbitrary code with administrator privileges on the user’s machine. (The Slammer, Blaster and Sasser worms all targeted system services.)

 

To mitigate this threat, Windows Vista introduces the concept of “restricted services” that run under the least possible privileges and limit their activities to the local machine or network. A restricted service program runs from the start with minimal privileges and capabilities. The restricted service approach significantly reduces the number of services that are capable of doing unlimited damage to a user’s machine.

 

The personal firewall in Windows Vista is closely aligned with the Windows Service Hardening platform initiative, which allows the firewall to enforce inbound, outbound and protocol restrictions for networking operations. In addition, individual services can be uniquely identified, which enables tighter per-service usage of access control lists, such as allowing processes to write to only specific areas of the file system, registry or other system resources.

This helps prevent a compromised service from changing important configuration settings in the file system or registry, or infecting other computers on the network.

 

Core Windows services included in Windows Vista have service profiles that define the necessary security privileges for the service, rules for accessing system resources, and inbound and outbound network ports that the services are allowed to use. If a service tries to send or receive data on a network port that it is not authorized to use, the firewall will block the network access attempt. For example, the Remote Procedure Call service in Windows Vista is restricted from replacing system files, modifying the registry, or tampering with another service configuration in the system (such as the anti-virus software configuration and signature definition files).

 

A specific goal of Windows Service Hardening was to avoid introducing management complexity for users and system administrators. Every service included in Windows Vista has been through a rigorous process to define its Windows Service Hardening profile, which is applied automatically during Windows Vista installation and requires no ongoing administration, maintenance or interaction from the end user.

 

Windows Service Hardening is designed to be used by independent software vendors (ISVs). Microsoft is actively evangelizing the technology to developers so the service components they write will be more secure when running on Windows Vista. This infrastructure is used by system services on an “opt-in” basis, so there is no application compatibility impact with legacy system services (such as services that accompany third-party software).

 

Mitigating Buffer Overruns With Hardware Protection

Another way that malicious software makes its way onto a user’s machine is by taking advantage of buffer overruns — essentially, tricking software into executing code that has been placed in areas of the computer’s memory that are set aside for data storage. Many of these buffer overruns stem from design or implementation vulnerabilities that processes such as the SDL and related tools can prevent. An additional way to reduce the impact of such vulnerabilities is through the use of NX technologies at the hardware level. NX enables software to mark sections of the computer’s memory as exclusively for data, and the processor will prevent applications and services from executing any code there.

 

Many processors shipping today support some form of NX, and Microsoft has included support for NX-capable processors since Windows XP SP2 through the Data Execution Prevention feature. Windows Vista introduces additional NX policy controls that allow software developers to enable NX hardware protection for their code, independent of systemwide compatibility enforcement controls. An ISV can mark its program as NX-compliant when the program is built, which allows protection to be enforced when that program runs. This enables a higher percentage of NX-protected code in the software ecosystem —especially on 32-bit platforms, where the default system compatibility policy for NX is configured to protect only operating system components. On 64-bit versions of Windows, NX protection is the default.

 

Windows Vista also introduces improvements in heap buffer overrun detection that are even more rigorous than those introduced in Windows XP SP2. When signs of heap buffer tampering are detected, the operating system can immediately terminate the affected program, limiting damage that might result from the tampering. This protection technology is enabled for operating system components, including built-in system services, and can also be leveraged by ISVs through a single API call.

 

64-Bit Security Enhancements: Kernel Patch Protection and Mandatory Driver Signing

Some of the most dire security issues arise from malicious software that manipulates the operating system “kernel,” rendering malicious software undetectable to anti-virus software and running unnoticed on a user’s system. These “rootkits” are often used to cloak other potentially unwanted software, such as bots and spyware. Beyond the serious security implications of rootkits, this class of malicious software can reduce the stability, reliability and performance of the entire system, including all user programs.

 

Addressing these problems has been difficult because many 32-bit Windows drivers are not identified with a digital signature, or they modify the kernel for legitimate purposes but by unsupported means. Implementing stricter control over these modifications could create major compatibility and performance issues. Some 32-bit security products that provide behavior-blocking capabilities have these characteristics, which has led Microsoft to partner with third-party security vendors to investigate robust, secure and supported alternative platform mechanisms.

 

However, as computing moves from a 32-bit to a 64-bit architecture, the smaller installed base of 64-bit software makes it possible to make significant enhancements to the security of the kernel, reducing the potential for rootkits and similar types of malicious software to negatively impact users’ systems.

 

Kernel Patch Protection for x64. The 64-bit versions of Windows Vista support Microsoft kernel patch protection technology (sometimes referred to as PatchGuard), which prevents unauthorized software from modifying the Windows kernel. Kernel patch protection works by preventing kernel-mode drivers from extending or replacing operating system kernel services, and by prohibiting all software from performing unsupported patches in the kernel. In addition to improving security and making it more difficult for hackers to modify the kernel for malicious purposes, kernel patch protection also helps prevent other software from making unauthorized or unsupported modifications to operating system data structures (such as the interrupt dispatch table), thereby greatly improving the overall security, reliability and performance of Windows.

 

Kernel patch protection is not a guarantee of security, but by blocking unsupported and potentially malicious behavior in the kernel environment, it improves the security and reliability of Windows Vista and enables future improvements in the kernel environment that can address the evolving changes in the landscape of malicious software. More information about kernel patch protection is available at http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx.

 

Mandatory Kernel Module and Driver Signing for x64. To give users visibility into the source of drivers and other software running in the operating system kernel, Microsoft introduced the concept of “signed drivers” beginning with Windows 2000. Although it was possible to prevent unsigned drivers from installing, the default configuration only warned users if they were about to install an unsigned driver. IT administrators could also block installation of unsigned drivers via Group Policy, but the large installed base of unsigned drivers made this impractical in most situations. Malicious kernel software typically tries to install silently, with no user consent — and because no kernel load-time check existed before Windows Vista, malicious kernel software was likely to run successfully, assuming these actions were performed by a user with administrative privileges.

 

With Windows Vista on 64-bit systems, security at the kernel level has been greatly enhanced by requiring that all kernel-mode drivers be digitally signed. Digital signing provides identity as well as integrity for code. A kernel module that is corrupt or has been subject to tampering will not load. Any driver that is not properly signed cannot enter the kernel space and will fail to load.

 

Although a signed driver is not a guarantee of security, it does help identify and prevent many malicious attacks, while allowing Microsoft to help developers improve the overall quality of drivers and reduce the number of driver-related crashes.

 

Mandatory driver signing also helps improve the reliability of Windows Vista because many system crashes result from vulnerabilities in kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of system crashes and work with the responsible vendor to resolve the issue. System administrators also benefit from digitally signed and identified drivers because they get additional visibility into software inventory and install state on client machines. From a compatibility perspective, existing Windows Hardware Quality Labs certified x64 kernel drivers are considered validly signed in Windows Vista.

 

 

Secure Access

 

User Account Control

With previous versions of Windows, most user accounts were configured as a member of the local administrator group — giving users all system privileges and capabilities needed to install and configure applications, run some background system tasks and device drivers, change system configuration, and perform many basic maintenance tasks.

 

Although this approach was convenient for users, it made computers and networks more vulnerable to malware that could abuse those privileges to damage files, make configuration changes such as disabling the firewall, and compromise sensitive data. It also increased maintenance costs for corporate desktops because users could make unapproved or accidental changes that could disrupt the network and make individual machines harder to manage. Although it was possible to deploy Windows accounts in a locked-down configuration with limited user privileges, this severely limited productivity — many basic tasks such as adjusting the clock, connecting to a secure wireless network or installing a printer driver still required administrator privileges.

 

To address this issue, Windows Vista includes User Account Control (UAC), a new approach that separates standard user privileges and activities from those that require administrator access, thereby reducing the surface area for attacks on the operating system while still giving typical users most of the capabilities they need every day.

 

The benefits of UAC are twofold: First, it redefines what a standard user can do by including many basic functions that pose no security risk but that previously required administrative privileges. To enable users to perform a limited set of administrative tasks without disruption, standard user accounts have additional capabilities to enable such tasks as changing the time zone or power management settings, installing new fonts or adding a printer.

 

When standard users attempt to perform a task that requires administrative access, such as installing a new application or modifying certain system settings, they are prompted for an administrator password. (IT administrators also have the option of “locking down” corporate desktops by configuring a policy setting that prevents users from encountering this prompt, thereby preventing unauthorized administrative actions.) This aspect of UAC helps reduce the risks for ordinary users.

 

Second, UAC makes user accounts with administrative privileges safer by limiting access to sensitive system resources and functions by default, and by prompting for approval when performing administrative tasks that require greater privileges.

 

For administrators who need to perform everyday tasks such as checking e-mail or using the Web in addition to their administrative duties, additional controls are needed to ensure that administrative privileges are in place only when they are actually needed. By default, administrator accounts will run in Administrator Approval Mode — most programs will run under standard user privileges, and when users need to perform an action that requires administrative privileges, they will be prompted for consent first. System administrators also have the option to configure the system to require an administrator password for such elevations.

 

The Windows Vista user interface includes a number of enhancements that make it easier for users to tell which activities require administrator privileges, including describing the requested action and marking administrative actions with a shield icon.

 

UAC also helps families with children protect their PCs from malware that might be hidden in programs that appeal to children. Parents can give each child an account with standard privileges and can require an administrative password provided by an adult before a child can install any software. This supplements other Parental Controls features in Windows Vista that can be used to limit the activities of children, including Web site “blacklists” and “whitelists” to limit access to violent games, and setting aside certain hours of the day when gaming or other activities are permitted.

 

UAC strikes a balance between enabling existing applications to work without modifications and providing a platform that helps evolve user applications to avoid the need for administrative privileges in common usage situations. Because many older applications were written on the assumption that users would have administrator privileges, Microsoft enables these applications to run as a standard user on Windows Vista.

 

For example, to help older applications function properly, Windows Vista includes file system and registry virtualization that redirects writes (and subsequent reads) from protected areas to a location inside the user’s profile, so the application can function properly without affecting other users’ resources or the system in general. This reduces security risk because the application never has access to interfaces or resources that require administrative access.

 

In addition, Microsoft provides a number of tools, technologies and resources that help developers write new code that works well under UAC. For example, Microsoft provides a Standard User Analyzer tool that helps determine whether applications will perform correctly when executed by a user with standard permissions.

 

In addition, Microsoft offers resources through MSDN^® to help developers adapt their software to this new model.

 

By making UAC available to Windows Vista beta users through its Community Technology Preview program, Microsoft received valuable feedback that resulted in further improvements to UAC in Windows Vista Beta 2, including these:

 

·        Further reducing the number of Control Panel applets that require administrator privileges, including Mouse and Keyboard, Infrared, and Bluetooth.

·        Eliminating the need for Task Manager to run with administrator privileges.

·        Applying fixes to hundreds of older applications so they can run without prompting for an administrator password.

·        Modifying the new Hardware Wizard so it does not automatically prompt for an administrator password every time it runs.

 

The UAC dialog boxes have also been redesigned so they more clearly state which program is requesting administrative privileges, and they also make it easier to identify programs that pose potential risks to the system. Microsoft will continue to improve the UAC experience and remove unnecessary dialog boxes until the final release of Windows Vista and beyond, by using data collected from customers who volunteer to provide this feedback to Microsoft.

 

This customer feedback is being used to fine-tune the number of prompts that will appear in the post-Beta 2 version of Windows Vista, known as Release Candidate 1. This release is expected to have even fewer prompts than Beta 2. For example, Microsoft expects to remove the consent prompt for administrators when they delete icons on the public desktop, as well as the prompt that appears when the user acquires critical updates from Windows Update. The number of actions and applications that require prompts will continue to be reduced throughout the remainder of the beta cycle. (More information on UAC is available at http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx.)

 

New Logon Architecture

Many organizations and software vendors are choosing to supplement passwords or smart cards with additional authentication factors such as biometrics or one-time password tokens. In previous versions of Windows, implementing these factors often required developers to rewrite the Graphical Identification and Authentication (GINA) interface. This sometimes made it unduly difficult and expensive for companies using these methods. In addition, it was not possible to use multiple GINAs simultaneously.

 

Although passwords are still supported, the primary focus for strong authentication in Windows Vista is smart cards. That said, the logon architecture has been completely rewritten to make it easier to extend for new credential types. Supporting new credential types requires creating a new Credential Provider, and the Windows logon user interface can interact simultaneously with multiple Credential Providers to make use of different authentication methods, including biometrics and tokens from third-party credential providers. This not only makes it possible for customers to enhance their security by choosing the right combination of available authentication methods, but it also enables developers to easily implement future authentication methods into the existing architecture.

 

The new architecture also enables Credential Providers to be event-driven and integrated throughout the user experience. For example, the same code used to implement a fingerprint authentication scheme at the Windows logon screen can be used to prompt the user for a fingerprint when accessing a particular corporate resource. The same prompt also can be used by applications that use the new credential user interface API.

 

In addition to the security benefits noted above, the new architecture improves overall system reliability and stability because functions that were not essential to the logon process have been moved to separate processes in the Windows Vista system.

 

Easier Smart Card Deployments

Many organizations are further enhancing security by using smart cards as their preferred two-factor authentication method in place of passwords. Microsoft has provided native operating system support for smart cards since Windows 2000. However, previous versions of Windows required IT administrators to deploy and maintain additional components to support their smart card infrastructure, such as cryptography modules and communications support for card readers.

 

To make it simpler to deploy and maintain smart cards, Windows Vista includes new advances in its smart card infrastructure that enable a model that is dramatically simplified, more secure and less error-prone. A common cryptographic service provider (CSP) implements all the standard back-end cryptographic functions that hardware and software developers need. In addition, integrated third-party Card Modules make it easier to rapidly deploy a smart card solution and enable secure, predictable communications between the CSP and other components of the smart card infrastructure.

 

In addition to these infrastructure changes, Microsoft also is working with the partner community to ensure that most of the major smart card vendors are familiar with this new architecture and are developing card modules for Windows Vista. This effort includes a process to certify card modules to validate quality and ultimately to make these card modules available via Windows Update. This initiative will provide customers with better quality and ease of use for their smart card deployments.

 

These enhancements complement other improvements to the smart card infrastructure in Windows Vista, including improvements to the Kerberos authentication protocol that reduces the need for smart card users to sometimes re-enter their password when accessing certain resources.

 

Network Access Protection

One of the greatest challenges for IT administrators is ensuring that the machines on their network have all the necessary security updates and meet the network’s “health policy” requirements. As more networks encompass users’ laptops and home computers, which often are not under the administrator’s direct control, there is far greater potential exposure to viruses, malware and other security threats. (In fact, many hackers create malware specifically to target out-of-date computers.)

 

Network Access Protection (NAP) is a network access control system that lets IT administrators ensure that only “healthy” machines connect to their network, while enabling potentially “unhealthy” machines to get clean before they gain access. The NAP client in Windows Vista simplifies the enforcement of network health policies and protect against malicious network attacks by enabling organizations to establish requirements for client health status (such as current software updates and up-to-date virus scanner signatures) and enforcing those requirements when the client connects to the network. If a client machine does not meet the health requirements, NAP can automatically update the machine or direct it to a separate “quarantine” area where the user can remedy the situation.

 

NAP is an extensible platform that provides an infrastructure and API for health policy enforcement. Independent hardware and software vendors can plug their security solutions into NAP, so IT administrators can choose the security solutions that meet their unique needs — and NAP helps ensure that every machine on the network makes full use of those solutions.

 

NAP requires functionality and support from the Windows Server “Longhorn” operating system. Although the NAP client for Windows Vista is included in the operating system, Microsoft will also release NAP client support in Windows XP SP2.

 

Protection Against Malware and Intrusions

 

Windows Security Center

In response to customer concerns about security vulnerabilities and how to better protect their PCs, Microsoft undertook a worldwide information campaign in 2003 to educate customers about three essential computer security steps: having a firewall turned on, keeping their PC up to date with automatic updates, and installing and using up-to-date anti-virus and anti-spyware software.

 

Customers found this information helpful, but they indicated that it was still difficult to understand the security status of their PC and even harder to know how to change settings to make it more secure. In response, Microsoft included a new feature in the 2004 release of Windows XP SP2 called Windows Security Center (WSC).

 

Running as a background process, WSC in Windows XP SP2 constantly checks and shows the status of three important security components: an Internet firewall, anti-virus software and Automatic Updates. It also serves as a starting point for getting to other security-related areas of the PC and for finding security-related support and resources. For example, in the version of WSC that shipped with Windows XP SP2, Microsoft created a link to help customers without anti-virus software or with out-of-date anti-virus software to see offers from third-party anti-virus vendors.

 

In response to feedback from customers and third-party security vendors, Microsoft has made improvements to WSC in Windows Vista, including showing the status of anti-spyware software, Internet Explorer security settings and User Account Control. In fact, WSC can monitor multiple vendors’ security solutions running on a PC and indicate which are enabled and up to date — something other security center solutions do not do at all or do not do as well as WSC.

 

If a third-party anti-virus or anti-spyware solution is out of date, WSC provides a link to the third-party Web site so the user can activate or renew a subscription or get needed updates. These new capabilities are important when, for example, a trial subscription to a third-party anti-virus solution that came with a new PC expires. Knowing when security software is turned off or out-of-date, and being able to easily download updates, can mean the difference between being protected or being vulnerable.

 

Windows Defender

Over the past several years, spyware and other unwanted software such as adware, keyloggers, bots and rootkits have become major problems for computer users. Unwanted spyware is found on more than two-thirds of all computers, and it is putting users’ privacy and personal information at risk, as well as causing significant performance and reliability issues.

 

Usually installed without a user’s knowledge or consent through deceptive practices, spyware can surreptitiously transmit a user’s personal information and passwords to third parties without the user’s knowledge or permission. According to crash report data that Microsoft receives from tens of millions of Windows-based PCs, spyware is directly responsible for a substantial percentage of all system crashes.

 

System crashes cause substantial user frustration, impede productivity and cost computer manufacturers millions of dollars a year in support costs. Leading security vendors such as Symantec Corp. have noted that computers can become infected within the first few minutes of being connected to the Internet, and the risk increases as soon as the user begins to visit Web sites.

 

Microsoft believes it is important for users to have anti-spyware protection. As a matter of principle and customer choice, Microsoft supports users having choice about what software is installed and running on their PC, where it came from, what it does and how to remove it if they want.

 

In 2004, Microsoft acquired Giant Company Software with the intention of offering a fee-based anti-spyware blocking solution as well as a free online tool to scan and remove spyware infections for customers who did not want to pay for an anti-spyware blocking solution.

 

After the first beta release of Microsoft’s anti-spyware solution in 2005, it quickly became clear that other forms of potentially unwanted software often accompany spyware infections, and that scanning and cleaning was not nearly as effective as blocking the infection in the first place. It also became apparent that only a relatively small number of computer users had any anti-spyware protection.

 

Based on these factors and growing customer and partner concerns about spyware, Microsoft decided to integrate its anti-spyware solution — Windows Defender — into Windows Vista. Windows Defender helps protect against and remove spyware, adware, rootkits, bots, keystroke loggers, control utilities and some other forms of so-called “malware.” (Windows Defender does not provide preventive protection against malware that is classified solely as a worm or virus.)

 

The overwhelming demand for and success of Windows Defender is apparent, with more than 25 million active customers of the beta version for Windows XP, Windows 2000 and Windows Server 2003.

 

In Windows Vista, Windows Defender continually helps protect against unwanted application installation. It monitors aspects of the operating system commonly abused by malware, such as the Startup folder and the Run registry keys. If an application attempts to make a change to one of the protected areas of the operating system, Windows Defender prompts the user to either allow or reject the change.

Windows Defender also provides a feature called Software Explorer, which provides users with additional visibility into a PC’s software and system state. This is a significant improvement compared with the past, where stopping or disabling rogue software sometimes involved investigating the system registry or conducting other complex analysis. Windows Defender also logs activity such as cleaning and removal events to the Windows event log, which enables administrators to keep updated on the status of the system.

Microsoft designed Windows Defender to work well with other anti-malware products. Although Windows Defender provides comprehensive, world-class protection, some customers might want to use third-party anti-malware protection, and Microsoft supports that choice. Users who choose a third-party solution can keep Windows Defender enabled along with their preferred third-party solution, to provide added protection in the event one anti-spyware solution does not identify some spyware but the other one does. Also, if the user’s subscription to the third-party solution expires, the protection from Windows Defender will continue uninterrupted. Of course, users can turn off Windows Defender if they choose. Similarly, network administrators in an enterprise environment can use Group Policy to enable or disable Windows Defender, and computer manufacturers can turn it off by default on new PCs that they ship.

 

In addition to being integrated into Windows Vista, Windows Defender will be available as a free download for licensed customers of Windows 2000, Windows XP and Windows Server 2003. Windows Defender Beta 2 currently is available to users of Windows XP SP2 and SP1, Windows 2000 SP4, and Windows Server 2003 gold and SP1.

 

Windows Firewall

A properly configured personal firewall is a critical first line of defense against many kinds of malware before they can infect a user’s computer or other computers on a network.

 

When Microsoft prepared to ship the first version of Windows XP, some customers asked that the built-in firewall be turned off by default because of concerns about compatibility with applications or third-party firewall software. Based on this input, Microsoft shipped the original version of Windows XP with the firewall disabled by default. As a result, most customers did not benefit from firewall protection when network worms such as CodeRed, Nimbda, Slammer, and Blaster circulated.

 

To prevent the recurrence of such events, it was clear that the firewall in Windows Vista should be on by default and should be compatible with a broad set of user scenarios. Customers who choose to use a third-party firewall can always turn off the built-in firewall. Similarly, original equipment manufacturers that want to offer third-party firewalls can configure those firewalls to be on by default in place of the Windows Firewall.

Like the firewall functionality in Windows XP SP2, the firewall in Windows Vista is turned on by default and begins protecting a user’s computer as soon as Windows starts. The Windows Firewall now includes both inbound and outbound filtering. It helps protect users by restricting operating system resources if they behave in unexpected ways — a common indicator of the presence of malware. For example, if a system service component of Windows that is designed to send network messages over a given port on a user’s PC tries to send messages via a different port, the Windows Firewall can prevent that message from leaving the computer, thereby preventing possible malware from spreading to other users. The Windows Firewall in Windows Vista also allows IT administrators (or home users) to block applications such as peer-to-peer sharing or instant messaging applications from contacting or responding to other computers.

 

Malicious Software Removal Tool

In connection with the release of Windows XP SP2, Microsoft learned that many installation failures and system crashes were caused by spyware and other malware. To address this issue, Microsoft developed the Malicious Software Removal Tool. Since January 2005, this tool has been run more than 3.2 billion times, on more than 270 million computers each month. A user who upgrades a PC from Windows XP to Windows Vista will be invited to download and run the Malicious Software Removal Tool from Windows Update during installation. This tool removes malware from the user's computer before continuing the Windows Vista installation, thus ensuring a successful installation of Windows Vista and a positive initial computing experience with the new operating system. Every month, Microsoft releases a new version of the tool through Microsoft Update, Windows Update and the Microsoft Download Center. Because the Malicious Software Removal Tool is not a fully featured anti-virus product, Microsoft strongly recommends that users run anti-virus software that will continually detect and remove viruses.

 

Security Advances in Internet Explorer 7

 

To perform a broad range of functions in the computing environment, Web browsers must do many things well. They must be open and flexible enough to enable users to interact with multiple data sources across a global array of systems while simultaneously protecting users’ privacy and personal information and preventing unwanted application behaviors. Managing the balance between these objectives is a top priority for Microsoft’s customers and for Microsoft.

 

Microsoft Windows Internet Explorer 7 in Windows Vista represents a major step forward in browser security and privacy protection. Through a robust new architecture, Internet Explorer 7 offers security features that have two primary security objectives:

·         Giving customers more confidence in the security of their browsing activity and helping to prevent the installation of malicious software, including worms, viruses, adware and spyware.

·         Protecting users’ personal data from phishing attacks and fraudulent Web sites while enabling safe and secure legitimate e-commerce.

 

Protections Against Malware

 

Internet Explorer Protected Mode: Internet Explorer Protected Mode in Windows Vista enables a robust Internet browsing experience while helping to prevent malicious hackers from taking over a user’s browser and executing code through the use of administrator rights. In Protected Mode, Internet Explorer 7 runs with reduced permissions, so it cannot modify user or system files or settings without the user’s explicit permission. The new browser architecture also introduces a “broker” process that helps to enable existing applications to elevate out of Protected Mode in a more secure way. Any scripted actions or automatic processes are prevented from downloading data or affecting the system. Protected Mode also helps protect against malicious downloads by restricting the ability to write to any local machine resources other than temporary Internet files.

 

URL handling protections. Microsoft has significantly reduced the internal attack surface of Internet Explorer 7 by defining a single function to process URL data. This new data handler ensures greater reliability while providing more features and increased flexibility to address the changing nature of the Internet as well as the globalization of URLs, international character sets and domain names.

 

ActiveX^® Opt-In. Internet Explorer 7 in Windows Vista offers a powerful new security mechanism for the ActiveX platform to deter malicious developers from writing applications that steal users’ information and damage their systems. ActiveX Opt-In automatically disables all controls that the developer has not explicitly identified for use on the Internet. This mitigates the potential misuse of preinstalled controls. In Windows Vista, users are prompted by the Information Bar before they can access a previously installed ActiveX Control that has not yet been used on the Internet. This notification mechanism enables the user to permit or deny access on a control-by-control basis, further reducing available surface area for attacks. Web sites that attempt automated attacks can no longer secretly attempt to exploit ActiveX Controls that were never intended to be used on the Internet.

 

Protection against cross-domain scripting attacks. New cross-domain script barriers help ensure that user information is seen only by those to whom the user has intentionally provided it. This adds further protection against malware by limiting the ability of malicious Web sites to manipulate vulnerabilities in other Web sites and initiate the download of undesired content to a user’s PC.

 

Fix My Settings. Most users install and operate applications using the default configuration, so Internet Explorer 7 ships with security settings that provide the maximum level of usability while maintaining controlled security. There are rare instances when a custom application might legitimately require a user to lower security settings from the default, but it is critical that the user reverse those changes when the custom settings are no longer needed. The Fix My Settings feature warns users with an Information Bar when current security settings might put them at risk. Clicking the Fix My Settings option in the Information Bar instantly resets Internet Explorer 7 security settings to the Medium-High default level.

 

Advanced protection against spyware with Windows Defender. Windows Defender enhances security and privacy protections when used with Internet Explorer 7. Building on the protection against malware at the browser level, Windows Defender helps prevent malware from entering the machine via piggyback download, a common mechanism by which spyware is distributed and installed silently along with other applications. All downloads received through Internet Explorer 7 are run through Windows Defender’s spyware scanners, which look for malicious content in the download. Although the improvements in Internet Explorer 7 cannot stop nonbrowser-based spyware from infecting the machine, they help provide a solid defense on several levels, when used with Windows Defender.

 

Personal Data Safeguards

Most users are unaware of how much personal, traceable data is transmitted with every click of the mouse while they browse the Web. It is also difficult for most online users to discern a valid Web site from a bogus and potentially malicious imitator.

Security Status Bar. The new Security Status Bar in Internet Explorer 7 helps users quickly differentiate authentic Web sites from suspicious or malicious ones by enhancing access to digital certificate information that helps validate the trustworthiness of e-commerce Web sites. The new Security Status Bar also provides users with clearer, more prominent visual cues indicating the safety and trustworthiness of a Web site, and it supports information about High Assurance certificates for stronger identification of secure sites (such as banking sites).

 

Microsoft Phishing Filter. Phishing is a technique used by many malicious Web site operators to gather a user’s personal information without consent, by masquerading as a legitimate person or business. The Phishing Filter in Internet Explorer 7 helps users browse more safely by advising them about suspicious or known phishing Web sites. The filter works by analyzing Web site content for known characteristics of phishing techniques, and by using a global network of data sources to assess whether a Web site should be trusted.

 

Developers of phishing and other malicious activities thrive on lack of communication and limited sharing of information. Using an online service that is updated several times an hour, the new Phishing Filter in Internet Explorer 7 consolidates the latest industry information about fraudulent Web sites and shares it with Internet Explorer 7 customers to proactively warn and help protect them.

 

The Phishing Filter combines client-side scans for suspicious Web site characteristics with an opt-in online service. It helps protect users from phishing scams in three ways:

§         It compares the addresses of Web sites a user attempts to visit with a list of reported legitimate sites that is stored on the user’s computer.

§         It analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites.

§         It sends the Web site address that a user attempts to visit to an online service run by Microsoft to be checked immediately against a frequently updated list of reported phishing sites.

 

Even if the site is unknown to the Phishing Filter service, Internet Explorer 7 can examine the behavior of the site and report to the user if that site is doing anything suspicious, such as collecting user information without an SSL certificate. In this way, the Phishing Filter helps to prevent a site from collecting user information before it has been officially reported.

 

The Microsoft Phishing Filter is already available as a free add-in to the MSN^® Search Toolbar and is included in the beta versions of Windows Vista and Windows Internet Explorer 7 for Windows XP.

 

Data Protection

 

BitLocker Drive Encryption

Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen or decommissioned. One of Microsoft’s top customer requests regarding security in Windows Vista was to address the threat of data theft or exposure on these machines. Data on lost or stolen machines can often be viewed by installing a different operating system, moving the disk drive to a new machine or using other “offline” attack methods. Recent legislation and government regulations aimed at safeguarding consumer information and privacy have made securing this data even more important.

 

BitLocker Drive Encryption is a hardware-enabled data protection feature in Windows Vista that helps protect data on a PC when the machine is in unauthorized hands. By encrypting the entire Windows volume, it prevents unauthorized users from accessing data by breaking Windows file and system protections or attempting the offline viewing of information on the secured drive.

 

BitLocker is simple to deploy and use, and it enables secure and easy recovery by an authorized administrator. It uses the Trusted Platform Module (TPM) version 1.2 for secure encryption key protection and to measure and test key components as the computer is booting up. The system and hardware integrity are checked early in the machine boot process, and the computer will not boot if system files or data have been tampered with. BitLocker features centralized storage and management of encryption keys in Active Directory^®, and it also allows IT administrators to store encryption keys and restore passwords onto a USB key or to a separate file for additional backup. BitLocker provides for system recovery even “in the field.” A user who needs to use BitLocker’s recovery mode can simply enter a recovery password, and Windows operation will continue normally.

BitLocker also offers the option to lock the normal boot process until the user supplies a PIN code or inserts a USB flash drive that contains the appropriate decryption keys. These additional security measures provide multifactor authentication and assurance that the computer will not boot or resume from hibernation until the correct PIN or USB flash drive is presented.

 

BitLocker Drive Encryption will be available in Windows Vista Enterprise and Ultimate editions for client computers, and also in the forthcoming Windows Server “Longhorn” release.

 

Integrated Rights Management Services Client

Many organizations are already using Microsoft’s Right Management Services (RMS) technology, which helps protect the security and integrity of sensitive information by making documents accessible only to authorized users, and by enforcing specific policies around forwarding, printing and sharing by those users.

 

Previous versions of Windows required the installation of additional components to enable this functionality. Windows Vista includes an integrated RMS client that helps further safeguard digital information. For businesses, this saves on deployment costs and ensures consistent application of usage policies. For end users, this means being able to work with RMS-protected documents without having to install or configure any additional software.

 

RMS also helps enterprise customers further control and protect their information by providing smart card integration and longer encryption key lengths. The Windows Server “Longhorn” release will introduce the integration of RMS with Active Directory Federation Services to support cross-company protected collaboration. This capability will allow companies to share sensitive information among themselves and with business partners, protected by the same mechanism that they now use to protect their internal information.

 

In addition, RMS is now integrated with the WinFX^® APIs and the new XML Paper Specification (XPS) format — an open, cross-platform document format that helps customers effortlessly create, share, print, archive and protect rich digital documents. With a new print driver that outputs XPS, any application can produce XPS documents that can be protected with RMS. This basic functionality will significantly broaden the range of information that can be protected by RMS.

 

The 2007 Microsoft Office system provides even deeper integration with RMS through new developments in Microsoft SharePoint^®. SharePoint administrators can set access policies for the SharePoint document libraries on a per-user basis that will be inherited by RMS policies. This means that users who have “view-only” rights to access the content will have that “view-only” access (no print, copy or paste) enforced by RMS, even when the document has been removed from the SharePoint site. Enterprise customers can set usage policies that are enforced not only when the document is at rest, but also when the information is outside the direct control of the enterprise.

 

Encrypting File System Enhancements

The Encrypting File System (EFS) is a powerful tool for encrypting files and folders on client computers and remote file servers. It enables users to protect their data from unauthorized access by other users, as well as by external attackers. In Windows Vista and the forthcoming Windows Server “Longhorn” release, EFS includes many new security, performance and manageability features.

 

In Windows Vista, EFS supports storing user keys as well as administrative recovery keys on smart cards. If smart cards are used for logon, EFS operates in a Single Sign On mode, where it uses the logon smart card for file encryption without further prompting for the PIN. New wizards guide users through the process of creating and selecting smart card keys, as well as the process of migrating their files from an old smart card to a new one. The command-line utilities for smart cards have also been enhanced to include these features.

 

EFS in Windows Vista can also be used to encrypt the system page file. (This feature can be enabled by the administrator through Group Policy.) The Client Side Cache, which stores offline copies of files from remote servers, can also be encrypted with EFS. When this option is enabled, files in the cache are encrypted to specific users, and even local administrators cannot read them without having access to the users’ private keys.

 

A number of new Group Policy options have been added to help administrators define and implement organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, and enforce encryption of the user’s Documents folder.

 

The Windows Server “Longhorn” release will also introduce a new design for EFS with remote files: Client Side Encryption. With this feature, Windows Vista clients will perform file encryption and decryption locally when storing files on “Longhorn” file servers. This will allow the use of file servers that are not Trusted for Delegation and will protect the user’s data against disclosure to file server administrators or attackers who are snooping the network.

 

EFS will be available in the Windows Vista Business, Enterprise and Ultimate editions, as well as in the Windows Server “Longhorn” release.

 

 

USB Device Control

The ability of users to add new hardware to their PCs or use USB keys or other removable storage devices creates significant issues for IT administrators. Not only can it make client PCs harder to maintain when users install unsupported hardware, but it can also create threats to data security: with a USB key or removable storage device, a company’s valuable intellectual property could just walk out the door. Also, a USB key with malware configured with an “autorun” script could be used by an attacker to install malicious software on an unattended machine.

 

Windows Vista enables IT administrators to use Group Policy to manage or block the installation of unsupported or unauthorized devices. These policy settings can be applied individually on a single computer, or across large numbers of machines throughout the network. Administrators have a great deal of latitude in setting these policies — for example, they can allow installation of entire classes of devices (such as printers), disallow any kind of removable storage device, or disallow all unsupported or unauthorized devices. They can also override these policies if necessary, by logging on to the client machine with administrator privileges and installing the hardware themselves. In addition, Group Policy settings are available to manage read/write access to removable storage devices on a per-user or per-machine basis.

 

Conclusion

 

With the forthcoming release of Windows Vista, Microsoft is delivering an operating system that brings clarity and focus to the desktop experience, enabling richer connections with people, devices and places, and bringing a new level of confidence to computing through improved security, reliability and management.

 

In designing and developing Windows Vista, Microsoft considered the needs of both consumers and businesses, and created a set of features that can be configured as appropriate for various customer segments.

 

Businesses will benefit from reduced desktop support costs, increased uptime and stronger protection of sensitive information. Consumers can enjoy the benefits of technology knowing that Windows Vista is helping protect their privacy and personal information. For all users, Microsoft has designed security safeguards to be as flexible and easy to use as possible, while offering them the confidence that Windows Vista is helping keep them protected.

 

Although there is no “silver bullet” that can address every current and future security threat, the security advancements in Windows Vista underscore Microsoft’s long-term commitment to enabling a trustworthy computing environment that helps people and businesses throughout the world to realize their full potential.