Windows Security Blog : Announcement

New Microsoft Security Intelligence Report Released

Paul Cooke — Mon, 02 Nov 2009 19:00:00 GMT

Volume seven of the Microsoft Security Intelligence Report (SIRv7) - part of Microsoft's commitment to providing an unparalleled level of security intelligence to help keep individuals and organizations better informed and to maximize security investments - was released today and there are a couple of tidbits in the report that caught my attention that I thought I would pass on. As a reminder, the SIR is published by Microsoft twice per year and looks at the data and trends observed in the first and second halves of each calendar year.

The first thing that struck me while reading through the report is that for the first time, the SIR shares some high-level security best practices from countries that have consistently exhibited low malware infection. For example, Japan, Austria and Germany's infection rates remained relatively low during the first half of this year.

So how do these regions keep their customers and resources safe from cyber threats? Japan's infection rates remain relatively low is due in large part to collaborations like the Cyber Clean Center. The Cyber Clean Center is a cooperative project between ISPs, major security vendors and Japanese government agencies aimed at educating users on how to keep their PCs infection free. Austria has implemented strict IT enforcement guidelines to lower piracy rates and this, along with strong ISP relationships and fast Internet lines, has helped ensure the ecosystem is kept up to date with security patches. Germany has also leveraged collaboration efforts with its CERT and ISP communities to help identify and raise awareness of botnet infections and, in some cases, quarantine infected computers.

The other thing that stood out to me was the graph below. This graph shows the effectiveness of automatic updating and shows what happened to the trojan downloader family Win32/Renos once Microsoft released a signature update for Windows Defender via Windows Update and Microsoft Update. Within three days, enough computers had received the new signature update to reduce the error reports from 1.2 million per day to less than 100,000 per day worldwide! To me this shows how important it is for users and organizations to utilize automatic updates to help prevent the spread of malware!

The report also underscores some of the trends that we have seen from previous versions of the report: for example, the infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP. It also tells me that the higher the service pack levels of an OS, the lower the infection rate. Once again, these items help point out that you need to keep your software up-to-date. With Windows 7 now available it might be a good time to look at upgrading your OS!

Take a look at the full report at http://www.microsoft.com/sir and use the information to help protect yourself, your networks, and your users.

Windows 7 Security: Helping Enable the Mobile Workforce

Paul Cooke — Mon, 20 Apr 2009 19:15:24 GMT

Along with 17,000+ other security- minded professionals, I’m at RSA in San Francisco this week. For those who are not familiar with the RSA Conference, it’s the premier information security conference of the year. It attracts the best and brightest security folks from around the world. In addition, it is a great place to keep up with what’s going on in the information security marketplace. I’m at RSA to not only see what’s going on in the industry, but to also talk about some of the cool new security features in Windows 7.

We’re really excited about Windows 7’s new security features. This next OS is built upon the proven security technologies in Windows Vista and provides a fundamentally secure computing platform. We not only utilized enhanced Security Development Lifecycle (SDL) process during planning, development and testing but we also have worked to make the security features more discoverable, usable and manageable. These enhancements give Windows 7 the expanded security offerings to provide the necessary security controls to help mobile workers access the information they need to be productive, wherever and whenever they need it.

There is a lot of new stuff in Windows 7, but let me highlight some of those things that go into helping the mobile worker…

Multiple Active Firewall Policies

In Windows Vista, firewall policy is based on the “type” of network connection established—such as Home, Work, Public, or Domain (the fourth, hidden type.) This can be a security problem for IT professionals since mobile users will connect to multiple networks while on the road. For example, let’s say I get connected to the Internet through a “Public” network. As a result, the “Public” firewall policy is applied to the computer. Now, if I want to connect to the Microsoft corporate network via my VPN, the IT configured firewall settings for accessing the “Domain” corporate network cannot be applied because the first network type (and thus the firewall settings) had already been set.

Windows 7 gets rid of this IT pain through support for multiple active firewall policies. This enables my PC to obtain and apply domain firewall profile information regardless of other networks that may be active on the PC. Now IT Pros can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network and know that the rules are appropriately applied.

DirectAccess

When I travel or am day-extending by working from home, I tend to need a lot of access to the corporate Intranet. As you can imagine, we use SharePoint a lot and a large number of our Line of Business applications are all Web- enabled. The result: I have to use our corporate VPN a lot. Unfortunately, it’s always an interruption for me to stop what I am doing and to fire up my VPN connection.

Windows 7 works in conjunction with Windows Server 2008 R2 to make working outside of the office simpler and less frustrating with DirectAccess. DirectAccess works by automatically establishing a bi-directional connection from client computers to the corporate network. As a result, as a remote user I have seamless, secure access to the corporate network anytime I am connected to the Internet, without having to manually initiate a traditional VPN connection. This helps make me more productive and allows me to focus on my work and not the remote access technology. Now whenever and wherever I travel, I can not only access my corporate email, but also open Intranet sites, shared drives, use line-of-business applications, and have full access to corporate resources that I need to do my job without having to manually create my VPN tunnel.

From a security perspective, DirectAccess is built on a foundation of proven, standards-based technologies like IPv6 and IPSec. IPsec is utilized to authenticate both the computer and user. This allows IT the capability to manage the computer even before I log on. IT can also optionally require me to authenticate with a smart card. IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES.

DirectAccess also has a cool benefit for IT Pros as well, since it provides an always on, secure mechanism to remotely manage and update the PCs of their mobile workforce. Whenever my laptop has Internet connectivity it is directly connected to the Microsoft corporate network. This gives IT more opportunity to distribute software updates and policies to me and other mobile workers and helps keep our machines free of malware and other unwanted software.

BranchCache

DirectAccess is great for the mobile worker, but what about the remote worker who works out in a branch office location? I’ve worked in many a branch office and the one thing they all seem to have in common is limited network bandwidth. Accessing large files in a branch office is always a slow, frustrating affair for me. I, like most users, prefer a snappy network and quick downloads. All the waiting that I have to do-- or you have to do -- is just lost productivity that, at the end of the day, can hurt the company’s bottom line.

Windows 7 incorporates BranchCache, another technology that works in conjunction with Windows Server 2008 R2, which helps make network responsiveness of applications and data housed within your data center feel snappy. This gives users in remote, branch offices the experience of working as if they were on the local area network (LAN) of the server they are accessing.

BranchCache also helps reduce the utilization of the wide area network (WAN). When BranchCache is enabled, a copy of any data accessed from Intranet Web sites and/or file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.

The key thing for me is that it makes access to static data quick and it is all done without decreasing the security of that data. Access controls are enforced on cached files in the same way they are on original files.

BitLocker To Go

While here at RSA, it is inevitable that I will need to share data with one of my trusted partners or customers. My primary method of transferring data is to use one of the half dozen or so USB sticks I carry around in my backpack. Over time, these USB sticks end up with all sorts of different data and documents on them. As a security guy, I worry about what would happen if I lost one of these USB sticks. What if I have some confidential or customer data on one of them?

Windows 7 helps address the continued threat of data leakage with introduction of BitLocker To Go: an extension to BitLocker in Windows Vista that allows me to encrypt the disk volume of removable storage devices with a password and/or a digital certificate stored on a smart card.

BitLocker To Go was designed to facilitate the secure sharing of data on removable storage devices and was designed to work on any standard removable storage device. No special, proprietary hardware is required. So now, whether you are traveling with your laptop, sharing large files with a trusted partner, or taking work home, you can feel secure that your data is safe. Both traditional BitLocker and BitLocker To Go protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused.

One last thing worth mentioning -- I can use BitLocker To Go to share data with a Windows user who is running Windows Vista or Windows XP through the BitLocker To Go Reader. This application is installed by default on removable storage volumes and allows read-only access on older versions of Windows while still allowing you to help protect your USB sticks.

AppLocker

While I feel good about protecting my data with BitLocker in case it is lost or stolen, data can still be lost due to malware or other unwanted software. When I talk to customers about keeping malware off of their systems, we always end up talking about desktop lockdown and the first topic of desktop lockdown is always removing administrative access from a majority of users. This is a great first step for any organization to take; however, workers today bring software from home, download applications from the Internet (intentional and unintentional), and access new programs through email. Many of these applications don’t need system- wide, administrative access to install or run. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that only approved, licensed software is installed and utilized.

Windows 7 has a new application control solution in AppLocker. AppLocker gives control back to IT administrators and helps them eliminate unknown and unwanted software in their environment. AppLocker can be configured through Group Policy and can help manage those applications that run on corporate PCs, helping keep your organization’s data safe and your enterprise PCs manageable. AppLocker works by intercepting kernel calls that try to create new processes or load libraries and making sure that the code in question has been allowed to execute.

AppLocker just might be my favorite security feature in Windows 7, for it not only provides security protections but as an ex-IT Pro I really appreciate the operational and compliance benefits as well. Things like:

Keeping unlicensed, vulnerable software from running in the desktop environment, including stopping workers from running applications that needlessly use consumer network bandwidth or otherwise impact the enterprise computing environment.
Easing enterprise software deployments and maintenance through effective desktop configuration management.
AppLocker allows users to install and run approved applications and software updates based upon their business needs.
Helping ensure a company’s desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others.

More to Come

This is just a small part of what’s in Windows 7 from a security perspective, and just the tip of the iceberg for the features I’ve described. Stay tuned for more information on what’s going on at RSA and more information on the cool new security technologies in Windows.

Now Available - Microsoft Security Intelligence Report

Paul Cooke — Wed, 08 Apr 2009 19:18:00 GMT

I got into the office this morning and noticed that volume six of the Microsoft Security Intelligence Report (SIRv6) was released earlier today. For those of you who are not familiar with the report, the SIR is published by Microsoft twice per year. Each volume of the SIR looks at the data and trends observed in the first and second halves of each calendar year with a focus on malware data, software vulnerability disclosure data, vulnerability exploit data, and related trends.

A trend that the SIR calls out right up front was around rogue security software. The second half of 2008 saw a clear rise in prevalence of rogue security software (software which poses as anti-malware or anti-spyware protection but in reality does little or nothing, and may even be malware!). While I knew the issue was out there and even had to help a good friend clean his system after being duped, the rise was eye-opening for me. The take away: be careful out there! Get your software from a trusted source and keep it up-to-date with the latest Windows Updates. Be cautious not to follow advertisements for unknown software that pretends to provide protection. Access the sites of reputable vendors directly for information or subscription to their products and services.

Another piece of data I that I wanted to pass along deals with the infection rates of Windows, as shown in the graph below:

What this graph tells me is that the infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, in all configurations. It also tells me that the higher the service pack level of an OS, the lower the infection rate. Once again, this really points out that you need to keep your software up-to-date!

I encourage you to download the full report and hope that you find the data, insights, and guidance provided in the SIR useful in helping you understand today’s threat landscape and ultimately help you protect your networks and users.

Data Privacy Day

Paul Cooke — Wed, 28 Jan 2009 20:00:00 GMT

As a security guy, I get all sorts of questions from people about privacy. A lot of folks really think about online privacy as the same thing as computer security. Others see it as a pure tradeoff between one or the other. I don’t necessarily think that giving up privacy results in greater security; nor do I believe that greater security requires a loss of privacy. No matter what your thoughts are on security and privacy, I hope there is one thing we can all agree on: both are important.

That’s why I’m glad to report that Microsoft, along with other key players in the safety ecosystem, is once again participating in today’s global event, Data Privacy Day. A lot of you have probably never heard of Data Privacy Day, so here’s the skinny: it is a day intended to increase awareness of privacy and data protection issues that we all face. I’m proud of Microsoft’s commitment to protecting consumer privacy, and on a personal level, I’m happy to have been involved in campaigns promoting child safety and preventing identity theft.

I’m also proud of our work on Windows Vista. It’s built and tested to allow users to connect to whomever and whatever they want while providing the confidence that personal information is safe. The Windows Security Center in Windows XP SP2 and Windows Vista is one of the innovative tools that helps protects users from security risks. The program informs users if key security capabilities are turned on and updated and if a problem is detected, customers receive a notification and are given recommended actions to help protect their information. IE Protected Mode in Windows Vista also helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine or to install malicious code. These are just a few of the ways that Microsoft is working to keep its customers safe. We are also continuing our commitment to security in Windows 7 by building upon the strong foundation created in Windows Vista.

Like me, many of us at Microsoft are passionate about helping to ensure that you have the safest, most secure computing experience possible. If you’re passionate about online safety or if you just want to learn more about the topic, check out the Data Privacy Day 2009 website to see how we’re working to raise awareness about online privacy and safety issues.

Secure Your Windows and Office 2007 Installations

Paul Cooke — Mon, 15 Dec 2008 22:20:00 GMT

I noticed over the weekend that Microsoft's Solution Accelerator team has just released a Beta of Project Codename Sundance. This Solution Accelerator builds on previous Microsoft security guidance and is aimed at helping you configure and deploy security settings for both Windows and Office 2007. With more than 700 security setting recommendations, the guidance and tools included should help fine-tune the security posture of your Windows and Office 2007 deployments.

After deploying the security settings, you can even verify the settings and monitor policy changes by using one or more of 18 new configuration packs designed for the Desired Configuration Management (DCM) feature of Microsoft System Center Configuration Manager 2007.

This solution accelerator can help you in a number of ways:

Accelerate and secure deployments
Predefined templates and automated tools enable you to greatly reduce the time required to deploy security settings and monitor security baselines.
Provide higher reliability
Eliminate a number of manual steps and get faster, more reliable security results.
Comprehensive solution
Includes information about hundreds of security and privacy setting options, as well as recommendations for each one based on best practices.
Manage risk
Manage security setting changes in Windows operating systems and Office applications that otherwise could place the integrity of your IT systems at risk.
Right Price
It's free from Microsoft Connect.

I invite you to join the Beta Program for Project Codename Sundance and take a look at how it might help you secure your Windows and Office 2007 installations.

To join the Beta Program for Project Codename Sundance, please click on the following link:
https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2682&InvitationID=SUN-698V-PYJF&SiteID=715

After you have joined the program, add the following link to your favorites
https://connect.microsoft.com/site/sitehome.aspx?SiteID=715

[Edited on 12/17/2008 to provide best user experience for beta program links.]

Welcome

Paul Cooke — Thu, 11 Dec 2008 20:30:00 GMT

Good day, Paul Cooke here.

It’s great to be hosting the all new Windows Security Blog. For the last couple of years, we have been talking about what has made Windows Vista the most secure client operating system Microsoft has ever delivered over on the Windows Vista Security Blog. Now, as we start talking about Windows 7 and look for opportunities to discuss relevant security topics in a broader sense, we felt it was a good time to re-launch and re-locate the blog here as part of the Windows Blog.

The purpose of this blog is to make you aware of all the things that go into having a secure Windows environment. This will cover the gamut from Windows XP all the way through the upcoming Windows 7. We plan to post updates regularly and add some variety with guest posters throughout the security space here at Microsoft.

No matter if you are making the move from our old Windows Vista Security Blog or you are joining us for the first time, we welcome you and look forward to your comments. We will work hard to carry on great discussions with all of you!