The RSA Security Conference is underway this week in San Francisco and Microsoft's own Scott Charney, Corporate Vice President Trustworthy Computing, delivered one of yesterday's keynote addresses: Creating a Safer, More Trusted Internet. The keynote centered on Microsoft's Trustworthy Computing initiative, our End to End Trust vision, and how we have been working to further protect the security and privacy of for all the users of the Internet.

The End to End Trust vision has not changed over the last couple of years and we don't anticipate it changing for some time. We continue to make progress along this vision and Scott outlined many areas where we are actively engaged and providing thought leadership. The keynote showcased how our vision for End to End Trust applies to cloud computing, detailed progress toward a claims-based identity meta-system, and called for public and private organizations alike to prevent and disrupt cybercrime.

One of the most interesting aspects from my perspective was the notion of creating a "World Health Organization" model for the Internet. We are calling on the governments and industry to creatively help prevent cybercrime by implementing technology and policy models that assess PC health before connecting the machine to the Internet. This is an ambitious vision and one I am proud to support.

If you want to know more about the things Scott talked about in his keynote and our End To End vision, I encourage you to visit the newly revamped End To End Trust website for more details.

Last week at the Black Hat DC conference a presenter showed how one manufacturer's Trusted Platform Module (TPM) could be physically compromised to gain access to the secrets stored inside. Since that presentation, I have had plenty of questions from customers wanting to know how this might affect Windows. The answer? We believe that using a TPM is still an effective means to help protect sensitive information and accordingly take advantage of a TPM (if available) with our BitLocker Drive Encryption feature in Windows 7.

The attack shown requires physical possession of the PC and requires someone with specialized equipment, intimate knowledge of semiconductor design, and advanced skills. While this attack is certainly interesting, these methods are difficult to duplicate, and as such, pose a very low risk in practice. Furthermore, it is possible to configure BitLocker in a way that mitigates this unlikely attack.

With our design for BitLocker in Windows 7, we took into account the theoretical possibility that a TPM might become compromised due to advanced attacks like this one, or because of poor designs and implementations. The engineering team changed the cryptographic structure for BitLocker when configured to use enhanced pin technology, discussed in the BitLocker Drive Encryption in Windows 7: Frequently Asked Questions. As a result, an attacker must not only be able to retrieve the appropriate secret from the TPM, they must also find the user-configured PIN. If the PIN is sufficiently complex, this poses a hard, if not infeasible, problem to solve in order to obtain the required key to unlock the BitLocker protected disk volume.

BitLocker remains an effective solution to help safeguard personal and private data on mobile computers. For more information on BitLocker best practices, we have published guidance in The Data Encryption Toolkit for Mobile PCs. This toolkit discusses the balance of security and usability and details that the most secure method to use BitLocker in hibernate mode and a TPM+PIN configuration. With the advancements in Windows 7, users that are worries about potential attacks such as this one should also enable the Allow enhanced PINs for startup group policy setting for their environment.

Windows 7 is seeing success in the marketplace which I am very happy about from a security perspective. The Microsoft Security Intelligence Report has shown us again and again that the more up-to-date a PC is, the less likely it is to be infected by malware and other potentially dangerous software. So Windows 7 making strides is helpful to the ecosystem overall from a security standpoint. Success comes at a price though, through greater scrutiny and misinterpretation of some of the technologies. One of those technologies is BitLocker.

I've seen numerous claims the past few weeks about weaknesses in BitLocker and even claims of commercial software that "breaks" BitLocker. One claim is from a product that "allows bypassing BitLocker encryption for seized computers." This claim is for a forensics product and has legitimate uses; however, to say it "breaks" BitLocker is a bit of a misnomer. The tool "recovers encryption keys for hard drives" which relies on the assumption that a physical image of memory is accessible, which is not the case if you follow BitLocker's best practices guidance. The product, like others used legitimately for data recovery and digital forensics analysis, requires "a physical memory image file of the target computer" to extract the encryption keys for a BitLocker disk.  Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off). If a forensics analyst or thief/adversary has physical access to a running system, it may be possible to make a copy of the computer's memory contents by using an administrative account on the system, or potentially through hardware-based methods such as direct memory access (DMA).

Another report discusses targeted attack vectors where the attacker must gain physical access to the computer, multiple times I might add. This research is similar to other published attacks where the owner leaves a computer unattended in a hotel room and anyone with access to the room could tamper with this computer. This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world. Even with BitLocker's multi-authentication configurations, an attacker could spoof the pre-OS collection of the user's PIN, store this PIN for later retrieval, and then reboot into the authentic collection of the user's PIN. The attacker would then be required to gain physical access to the laptop for a second time in order to retrieve the user's PIN and complete the attack scheme. These sorts of targeted threats are not new and are something we've addressed in the past; in 2006 we discussed similar attacks, where we've been straightforward with customers and partners that BitLocker does not protect against these unlikely, targeted attacks.

Our customers are confronted with a wide spectrum of data security threats that are specific to their environment and we work hard to provide capabilities and information to help the customer achieve the right balance of security, manageability, and ease-of-use for their specific circumstances. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs.  Like most full volume encryption products on the market, BitLocker uses a key-in memory when the system is running in order to encrypt/decrypt data on the fly for the drives in use.  Also like other encryption products, a determined adversary has significant advantages when they have physical access to a computer.

We recognize users want advice with regards to BitLocker and have published best practice guidance in The Data Encryption Toolkit for Mobile PCs. In the toolkit, we discuss the balance of security and usability and detail that the most secure method to use BitLocker in hibernate mode and a TPM+PIN configuration. Using this method, a machine that is powered off or hibernated will protect users from the ability to extract a physical memory image of the computer.

Windows 7 BitLocker continues to be a foundational component adding to any defense in depth strategy for securing systems, and specifically laptops.  Even with the great enhancements made in Windows 7 such as BitLocker To Go, it still remains that BitLocker alone is not a complete security solution.  IT professionals as well as users must be diligent when protecting IT resources and the best protection against these sorts of targeted attacks requires more than just technology: it requires end user education and physical security also play important roles.

Now that Windows 7 is available, a recent blog by Chester Wisnieski (who works at security vendor Sophos), entitled Windows 7 vulnerable to 8 out of 10 viruses, which has stirred some interest.

Here's a quick summary for those who missed Chester's blog. During a test SophosLabs conducted, they subjected Windows 7 to "10 unique [malware] samples that arrived in the SophosLabs feed." They utilized a clean install of Windows 7, using default settings (including the UAC defaults), but did not install any anti-virus software. The end result was 8 of the 10 malware samples successfully ran and the blog proclaims that "Windows 7 disappointed just like earlier versions of Windows." Chester's final conclusion? "You still need to run anti-virus on Windows 7." Well, we agree: users of any computer, on any platform, should run anti-virus software, including those running Windows 7.

Clearly, the findings of this unofficial test are by no means conclusive, and several members of the press have picked apart the findings, so I don't need to do that. I'm a firm believer that if you run unknown code on your machine, bad things can happen. This test shows just that; however, most people don't knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or email program. So while I absolutely agree that anti-virus software is essential to protecting your PC, there are other defenses as well.

Let me recap some of the Windows 7 security basics. Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware. This includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP) to name just a few. The result, Windows 7 retains and refines the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released.

Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user's PCs in the first place. One of my favorite new features is the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter was built upon the phishing protection in Internet Explorer 7 and (among other new benefits) adds protection from malware. The SmartScreen Filter will notify you when you attempt to download software that is unsafe - which the SophosLabs methodology totally bypassed in doing their test.

So while I'm not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run anti-virus software on Windows 7.  This is why we've made our Microsoft Security Essentials offering available for free to customers. But it's also equally important to keep all of your software up to date through automatic updates, such as through the Windows Update service. By configuring your computers to download and install updates automatically you will help ensure that you have the highest level of protection against malware and other vulnerabilities.

Volume seven of the Microsoft Security Intelligence Report (SIRv7) - part of Microsoft's  commitment to providing an unparalleled level of security intelligence to help keep individuals and organizations better informed and to maximize security investments - was released today and there are a couple of tidbits in the report that caught my attention that I thought I would pass on. As a reminder, the SIR is published by Microsoft twice per year and looks at the data and trends observed in the first and second halves of each calendar year.

The first thing that struck me while reading through the report is that for the first time, the SIR shares some high-level security best practices from countries that have consistently exhibited low malware infection. For example, Japan, Austria and Germany's infection rates remained relatively low during the first half of this year.

So how do these regions keep their customers and resources safe from cyber threats?  Japan's infection rates remain relatively low is due in large part to collaborations like the Cyber Clean Center. The Cyber Clean Center is a cooperative project between ISPs, major security vendors and Japanese government agencies aimed at educating users on how to keep their PCs infection free. Austria has implemented strict IT enforcement guidelines to lower piracy rates and this, along with strong ISP relationships and fast Internet lines, has helped ensure the ecosystem is kept up to date with security patches. Germany has also leveraged collaboration efforts with its CERT and ISP communities to help identify and raise awareness of botnet infections and, in some cases, quarantine infected computers.

The other thing that stood out to me was the graph below. This graph shows the effectiveness of automatic updating and shows what happened to the trojan downloader family Win32/Renos once Microsoft released a signature update for Windows Defender via Windows Update and Microsoft Update. Within three days, enough computers had received the new signature update to reduce the error reports from 1.2 million per day to less than 100,000 per day worldwide! To me this shows how important it is for users and organizations to utilize automatic updates to help prevent the spread of malware! 

The report also underscores some of the trends that we have seen from previous versions of the report: for example, the infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP. It also tells me that the higher the service pack levels of an OS, the lower the infection rate. Once again, these items help point out that you need to keep your software up-to-date. With Windows 7 now available it might be a good time to look at upgrading your OS!

Take a look at the full report at http://www.microsoft.com/sir and use the information to help protect yourself, your networks, and your users.

User Account Control is one of those Windows features that evokes a number of different responses from folks. Most people appreciate the enhanced security UAC offers, but we did hear complaints about the high number of UAC prompts in Windows Vista. This led some customers to turn off UAC, which concerns us from a security perspective. So in Windows 7, we've given a great deal of thought to how we marry enhanced security with ease-of-use. We have written extensively about the changes in UAC for Windows 7 on the Engineering Windows 7 blog (Post 1, Post 2, Post 3, Post 4).

Now, Technical Fellow Mark Russinovich weighs in on UAC with some great insight on the technology and some of our motivations around the decisions we have made. Check out Inside User Account Control now available online from TechNet Magazine.

We have been working in partnership with our independent software vendor (ISV) community to move the ecosystem to a set of new application programming interfaces (APIs) that many ISVs use to report status to Security Center (integrated within Action Center in Windows 7). The interfaces are used by many antivirus, antispyware, and firewall programs. Te interface changes were introduced in Windows Vista SP1. These new APIs supersede the ones originally shipped in Windows Vista.

From the release of Vista SP1, we jointly established with the security ISVs an 18 month grace period where they could use both the old and the new interfaces. After the 18 month grace period expires, a security application using the older interface will cause the Windows Security Center system tray icon to indicate a warning. In addition, the Security Center control panel will display a "<program name> is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic updating feature, or contact the program manufacturer for an updated version" warning message, a sample screen shot is included below. The grace period begins at the time Vista SP1 is installed on a Windows Vista system. As a result, the grace period will begin expiring in September 2009, 18 months after Windows Vista SP1 was released on the Microsoft Download Center in March 2008.

Through our partner outreach and the Ecosystem Readiness Program, we have been working with the ISVs since October of 2007 to help them get ready for the final transition to this new interface. As a result, we have removed the old API from the Windows 7 RC.  Users who are running security software that does not use the newer API will see the "non-compatible" message shown below from the new Action Center, which instructs customers to contact their security software provider. 

Although you may receive this "non-compatible" message from your security software, it should continue to work and help protect your system even though it is not able to report its status through the Action Center UI.

If you encounter this message today on Window 7 or in the future on Windows Vista, I encourage you to check with your software vendor to see if they have an updated version of software available. Many of our partners already have products that use the new APIs and the others have committed to having compatible versions by the end of the Windows Vista grace period and for Windows 7. Having the latest, compatible software from your security vendors will help ensure that your system remains protected and that you are accurately informed when your security software is not running properly.

RSA was great last week - security was clearly top of mind for the attendees, and I fielded a number of different questions last week about how Microsoft protects our customers. Some are pretty straightforward around how the various Windows 7 security technologies work, but many have focused on how we actually deliver protection to customers on an ongoing basis.

One question that comes up more than I would have ever expected is: Who gets security updates?

There seems to be a myth that Microsoft limits security updates to genuine Windows users.

Let me be clear: all security updates go to all users.

Not only do all security updates go to all users' systems, but non-genuine Windows systems are able to install service packs, update rollups, and important reliability and application compatibility updates. In addition, the users of non-genuine Windows systems can also upgrade a lot of the other software on their computer. For example Internet Explorer 8 has numerous security- oriented features and improvements, and it is available to all users.

This isn't to say that all updates are available to non-genuine PCs. Other value-adding updates and software may or may not be blocked, at Microsoft's discretion. On Windows Vista, available updates can be accessed through the Windows Update control panel. On Windows XP, a non-genuine Windows system can access updates through Automatic Updates, but they cannot get to any of the optional updates which are only available through the Windows Update and Microsoft Update websites.

Keeping a machine up to date is one of the first steps in helping ensure that they remain reliable, compatible, and safe from threats when they are online. Some of the most famous incidents of malicious software infection have come after security updates were publicly available from Microsoft - Blaster, Zotob, Conficker and Sasser, just to name a few.

I hope this clears up some confusion. Rest assured that we at Microsoft are committed to making sure that security updates are available to all of our users to help ensure a safe online experience for everyone.

Here’s the last of the security stories from the RSA show floor. To wrap things up we asked John (JG) Chirapurath (Director, Identity & Security Business Group) to give us a quick rundown on Microsoft Forefront for Business Ready Security and how it fits in with Windows 7.

Here is another story from a Microsoft Program Manger discussing their favorite things in Windows 7. This time it is Eric Lawrence (Senior Program Manager on the Internet Explorer Team) to talk about his favorite security features in Internet Explorer 8, the browser that ships in Windows 7.

While walking the show floor here at RSA, I ran into Steve Riley, who’s an incredibly passionate and knowledgeable Security Evangelist (or officially “Senior Technical Evangelist”) in Microsoft’s Trustworthy Computing organization. He’s a well respected and sought out speaker on security topics. So I thought it would be great to get Steve’s take on his favorite two security features in Windows 7. Take a look at what Steve has to say about Windows 7 security!

The buzz at RSA around Windows 7 has been tremendous.

Yesterday, in his keynote, Scott Charney (Corporate VP Trustworthy Computing) talked about AppLocker and how it helps ensure that only known, trusted software is run within an organization’s desktop environment. Shortly after the keynote, I ran into Marcelo Birnbach - a Senior Program Manager in the Windows Security Technologies organization and works on AppLocker - on the expo floor. Since he’s an expert, we thought we would ask him for his perspective on AppLocker in Windows 7.

Marcelo Birnbach talks about Windows 7’s AppLocker Feature

And since Marcelo is originally from Argentina, we also asked him to share his thoughts in Spanish.

I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust: A Collaborative Effort. I would assume that many of the readers of this blog are not familiar with the End to End Trust story. In a nutshell, End to End trust is Microsoft’s vision for creating a safer, more trusted Internet. It’s a great vision, but it’s also a big job that requires a commitment and focus on the fundamentals—fundamentals that will help deliver the most secure and privacy-enhanced versions of software and services that we have ever delivered. We’re also not going it alone. End to End Trust requires broad collaboration within the industry and Microsoft will continue to share our best practices with the IT communities of our customers.

Scott talked about how hard we are working across Microsoft to deliver technology innovations that move the needle towards a trusted stack, with security rooted in hardware and an identity metasystem (a big word that means a way of trusting people are who they say they are on the Internet). Even with progress, people still need strong defense in depth security technologies and Scott talked about how Microsoft’s Identity and Security Division is delivering integrated identity and security business solutions today to our customers. But maybe the most interesting thing he touched on was how technology innovations alone are not enough. Innovation also needs to align with political, economic and IT forces to enable the change that is truly needed.

End to End trust is a vision of what’s possible if we collectively work together, and it can help address real world problems that people face every day such as ID theft, online fraud and child safety. If you want to learn more about End to End Trust, visit http://www.microsoft.com/endtoendtrust to find out the entire story.

Now, let’s talk about Windows 7 and the progress we’re making to deliver End to End Trust in the Windows platform. In my blog post yesterday on how Windows 7 helps enable the mobile workforce, I wrote about technologies like DirectAccess, BitLocker To Go, and AppLocker. Each of these technologies plays a part in helping us enable End to End Trust, whether it is strong machine and user authentication with DirectAccess or limiting running software on a system to known, trusted applications with AppLocker. But there are other technologies that help us as well:

Biometric Framework
Fingerprint scanners are becoming more and more common in standard laptop configurations—my laptop came standard with one. Windows 7 helps ensure that fingerprint readers work well and that they are easy to set up and use. This is accomplished by taking the common code that everyone needs to write and standardizing it in the platform so that biometric hardware vendors can concentrate on the code they need to write to make their device work and not have to worry about how it ties into Windows. This new framework makes logging on to Windows using a fingerprint more reliable across different hardware providers and makes fingerprint reader configurations are easy to modify. This puts the user in control of how they log on to Windows 7 and manage the fingerprint data stored on their PC.

Improved Smart Card Support
Password-based authentication has well-understood security limitations; however, deploying strong authentication technologies like smart cards remains a challenge for many. Windows 7 enhances the smart card infrastructure advances made in Windows Vista through support of Plug and Play. This eases deployment of smart card infrastructures because drivers for both smart cards and smart card readers are automatically installed, without the need for administrative permissions or user interaction. I think this new behavior is going to ease the deployment of strong, two-factor authentication for many organizations.

BitLocker
I’m a big fan of BitLocker, it helps prevent a thief who boots another operating system or runs a software hacking tool from breaking into my laptop if they happen to get a hold of it. This holds true for both the operating system volume (C: drive) and my data volume (D: drive). Most customers I talk to love the encryption protection that BitLocker provides, but many are not aware that BitLocker also does integrity checking of early boot components to help ensure that the system has not been tampered with and that the encrypted drive has not been swapped out to another computer. This integrity checking ties back into the “security rooted in hardware” that is a part of End to End Trust. This integrity checking utilizes a Trusted Platform Module (a smart card like chip on the system motherboard) to help protect the encryption keys utilized by BitLocker. This is true for BitLocker in Windows 7 as well as Windows Vista.

We’ve also listened to feedback and made enhancements to Windows 7 BitLocker to provide a better experience for IT Pros and for end users. One of the simple enhancements we made is to right-click enable the BitLocker protection of a disk volume. Now I can go to Windows Explorer and right click any disk volume, including my removable BitLocker To Go volumes, and encrypt them right there without having to go to the Control Panel.

Another big change was the addition of Data Recovery Agent (DRA) support for all protected volumes. The DRA is a certificate-based data recovery agent that can be utilized to recover the contents of any BitLocker protected volume. Since the group policy settings are separate for Operating System Drives, Fixed Data Drives, and Removable Data Drives, customers have flexibility in how they want to configure their recovery options for the different threats that each separate drive type may experience.

With BitLocker and BitLocker To Go, enterprises can rest assured that their information and data is secure, no matter where their employees are working. I know I feel better knowing my laptop and all of my USB sticks are protected!

Internet Explorer 8

I know folks are more concerned than ever about protecting themselves while online, particularly form identity theft, malware, and other potentially dangerous online threats. I feel like we have done a lot in the platform and the security technologies we have been talking about this week (Firewall, DirectAccess, BitLocker To Go and AppLocker) are a part of the protection equation. But Internet Explorer 8 is also another huge piece of the equation as users spend more time online, in their browsers. IE 8 is the most secure web browser on the market and provides another, vital layer of defense against online threats.

We built upon the phishing protection in Internet Explorer 7 with the SmartScreen Filter, which now adds protection from malware – a threat that is growing significantly faster than phishing.

We also built in support for protecting users against type-1 (or “reflection) Cross-Site Scripting (XSS) attacks. XSS threats try to exploit vulnerabilities in the websites we visit and are quickly becoming one of the most prevalent ways web sites can be compromised. The bad news for you and I is that an XSS attack can help a bad guy steal our usernames and passwords for our online bank accounts or other confidential information. The XSS filter in IE 8 uses heuristics to detect such attacks and, when they are detected, prevent their execution. This should help you and I safe from the most common form of XSS attacks in use today.

Another innovation concerns ClickJacking. While a lot or people have heard of phishing attacks, a new kind of phishing attack called ClickJacking is on the rise. ClickJacking occurs where an attacker’s web page deceives a person into clicking on content from another website without realizing it – so they’re clicking on something that, for instance, buys something from the site, changes settings on their browser, or provides advertisements that these cybercriminals get paid for. ClickJacking Protection in IE is a feature that allows Web site content owners to put a tag in a page header that will help prevent ClickJacking.

I think the IE team has done a great job with the security in IE 8 and love that it puts people in control of their safety and privacy and helps protect them from new online threats. For those of you who are interested, there is a lot more security goodness in IE 8 on the IE blog and via these links:

• IE8 Security Part I: DEP/NX Memory Protection
• IE8 Security Part II: ActiveX Improvements
• IE8 Security Part III: SmartScreen® Filter
• IE8 Security Part IV: The XSS Filter
• IE8 Security Part V: Comprehensive Protection
• IE8 Security Part VI: Beta 2 Update
• IE8 Security Part VII: ClickJacking Defenses
• IE8 Security Part VIII: SmartScreen Filter Release Candidate Update
• IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Got To Run

I feel great about Windows 7 and the security enhancements we have been able to make. Hopefully as you learn more about the security work that we have put into it, you will reach the same conclusion that I have: Windows 7 is the most robust platform we have ever delivered, it helps support End to End trust, helps keep you and I safe, and was designed to prevent malware from getting onto our PCs to begin with.

There is a lot going on here at RSA and I want to go spend some more time seeing what’s new and exciting. I’ll be back with some of my impressions of RSA in a bit.

Along with 17,000+ other security- minded professionals, I’m at RSA in San Francisco this week. For those who are not familiar with the RSA Conference, it’s the premier information security conference of the year. It attracts the best and brightest security folks from around the world. In addition, it is a great place to keep up with what’s going on in the information security marketplace. I’m at RSA to not only see what’s going on in the industry, but to also talk about some of the cool new security features in Windows 7.

We’re really excited about Windows 7’s new security features. This next OS is built upon the proven security technologies in Windows Vista and provides a fundamentally secure computing platform. We not only utilized enhanced Security Development Lifecycle (SDL) process during planning, development and testing but we also have worked to make the security features more discoverable, usable and manageable. These enhancements give Windows 7 the expanded security offerings to provide the necessary security controls to help mobile workers access the information they need to be productive, wherever and whenever they need it.

There is a lot of new stuff in Windows 7, but let me highlight some of those things that go into helping the mobile worker…

Multiple Active Firewall Policies

In Windows Vista, firewall policy is based on the “type” of network connection established—such as Home, Work, Public, or Domain (the fourth, hidden type.) This can be a security problem for IT professionals since mobile users will connect to multiple networks while on the road. For example, let’s say I get connected to the Internet through a “Public” network. As a result, the “Public” firewall policy is applied to the computer. Now, if I want to connect to the Microsoft corporate network via my VPN, the IT configured firewall settings for accessing the “Domain” corporate network cannot be applied because the first network type (and thus the firewall settings) had already been set.

Windows 7 gets rid of this IT pain through support for multiple active firewall policies. This enables my PC to obtain and apply domain firewall profile information regardless of other networks that may be active on the PC. Now IT Pros can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network and know that the rules are appropriately applied.

DirectAccess

When I travel or am day-extending by working from home, I tend to need a lot of access to the corporate Intranet. As you can imagine, we use SharePoint a lot and a large number of our Line of Business applications are all Web- enabled. The result: I have to use our corporate VPN a lot. Unfortunately, it’s always an interruption for me to stop what I am doing and to fire up my VPN connection.

Windows 7 works in conjunction with Windows Server 2008 R2 to make working outside of the office simpler and less frustrating with DirectAccess. DirectAccess works by automatically establishing a bi-directional connection from client computers to the corporate network. As a result, as a remote user I have seamless, secure access to the corporate network anytime I am connected to the Internet, without having to manually initiate a traditional VPN connection. This helps make me more productive and allows me to focus on my work and not the remote access technology. Now whenever and wherever I travel, I can not only access my corporate email, but also open Intranet sites, shared drives, use line-of-business applications, and have full access to corporate resources that I need to do my job without having to manually create my VPN tunnel.

From a security perspective, DirectAccess is built on a foundation of proven, standards-based technologies like IPv6 and IPSec. IPsec is utilized to authenticate both the computer and user. This allows IT the capability to manage the computer even before I log on. IT can also optionally require me to authenticate with a smart card. IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES.

DirectAccess also has a cool benefit for IT Pros as well, since it provides an always on, secure mechanism to remotely manage and update the PCs of their mobile workforce. Whenever my laptop has Internet connectivity it is directly connected to the Microsoft corporate network. This gives IT more opportunity to distribute software updates and policies to me and other mobile workers and helps keep our machines free of malware and other unwanted software.

BranchCache

DirectAccess is great for the mobile worker, but what about the remote worker who works out in a branch office location? I’ve worked in many a branch office and the one thing they all seem to have in common is limited network bandwidth. Accessing large files in a branch office is always a slow, frustrating affair for me. I, like most users, prefer a snappy network and quick downloads. All the waiting that I have to do-- or you have to do -- is just lost productivity that, at the end of the day, can hurt the company’s bottom line.

Windows 7 incorporates BranchCache, another technology that works in conjunction with Windows Server 2008 R2, which helps make network responsiveness of applications and data housed within your data center feel snappy. This gives users in remote, branch offices the experience of working as if they were on the local area network (LAN) of the server they are accessing.

BranchCache also helps reduce the utilization of the wide area network (WAN). When BranchCache is enabled, a copy of any data accessed from Intranet Web sites and/or file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.

The key thing for me is that it makes access to static data quick and it is all done without decreasing the security of that data. Access controls are enforced on cached files in the same way they are on original files.

BitLocker To Go

While here at RSA, it is inevitable that I will need to share data with one of my trusted partners or customers. My primary method of transferring data is to use one of the half dozen or so USB sticks I carry around in my backpack. Over time, these USB sticks end up with all sorts of different data and documents on them. As a security guy, I worry about what would happen if I lost one of these USB sticks. What if I have some confidential or customer data on one of them?

Windows 7 helps address the continued threat of data leakage with introduction of BitLocker To Go: an extension to BitLocker in Windows Vista that allows me to encrypt the disk volume of removable storage devices with a password and/or a digital certificate stored on a smart card.

BitLocker To Go was designed to facilitate the secure sharing of data on removable storage devices and was designed to work on any standard removable storage device. No special, proprietary hardware is required. So now, whether you are traveling with your laptop, sharing large files with a trusted partner, or taking work home, you can feel secure that your data is safe. Both traditional BitLocker and BitLocker To Go protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused.

One last thing worth mentioning -- I can use BitLocker To Go to share data with a Windows user who is running Windows Vista or Windows XP through the BitLocker To Go Reader. This application is installed by default on removable storage volumes and allows read-only access on older versions of Windows while still allowing you to help protect your USB sticks.

AppLocker

While I feel good about protecting my data with BitLocker in case it is lost or stolen, data can still be lost due to malware or other unwanted software. When I talk to customers about keeping malware off of their systems, we always end up talking about desktop lockdown and the first topic of desktop lockdown is always removing administrative access from a majority of users. This is a great first step for any organization to take; however, workers today bring software from home, download applications from the Internet (intentional and unintentional), and access new programs through email. Many of these applications don’t need system- wide, administrative access to install or run. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that only approved, licensed software is installed and utilized.

Windows 7 has a new application control solution in AppLocker. AppLocker gives control back to IT administrators and helps them eliminate unknown and unwanted software in their environment. AppLocker can be configured through Group Policy and can help manage those applications that run on corporate PCs, helping keep your organization’s data safe and your enterprise PCs manageable. AppLocker works by intercepting kernel calls that try to create new processes or load libraries and making sure that the code in question has been allowed to execute.

AppLocker just might be my favorite security feature in Windows 7, for it not only provides security protections but as an ex-IT Pro I really appreciate the operational and compliance benefits as well. Things like:

• Keeping unlicensed, vulnerable software from running in the desktop environment, including stopping workers from running applications that needlessly use consumer network bandwidth or otherwise impact the enterprise computing environment.
• Easing enterprise software deployments and maintenance through effective desktop configuration management.
• AppLocker allows users to install and run approved applications and software updates based upon their business needs.
• Helping ensure a company’s desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others.

More to Come

This is just a small part of what’s in Windows 7 from a security perspective, and just the tip of the iceberg for the features I’ve described. Stay tuned for more information on what’s going on at RSA and more information on the cool new security technologies in Windows.

I got into the office this morning and noticed that volume six of the Microsoft Security Intelligence Report (SIRv6) was released earlier today. For those of you who are not familiar with the report, the SIR is published by Microsoft twice per year. Each volume of the SIR looks at the data and trends observed in the first and second halves of each calendar year with a focus on malware data, software vulnerability disclosure data, vulnerability exploit data, and related trends.

A trend that the SIR calls out right up front was around rogue security software. The second half of 2008 saw a clear rise in prevalence of rogue security software (software which poses as  anti-malware or anti-spyware protection but in reality does little or nothing, and may even be malware!). While I knew the issue was out there and even had to help a good friend clean his system after being duped, the rise was eye-opening for me. The take away:  be careful out there! Get your software from a trusted source and keep it up-to-date with the latest Windows Updates. Be cautious not to follow advertisements for unknown software that pretends to provide protection. Access the sites of reputable vendors directly for information or subscription to their products and services.

Another piece of data I that I wanted to pass along deals with the infection rates of Windows, as shown in the graph below:

What this graph tells me is that the infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, in all configurations. It also tells me that the higher the service pack level of an OS, the lower the infection rate. Once again, this really points out that you need to keep your software up-to-date!

I encourage you to download the full report and hope that you find the data, insights, and guidance provided in the SIR useful in helping you understand today’s threat landscape and ultimately help you protect your networks and users.