Security Features vs. Convenience

One of the most basic conundrums in computer security is the constant trade-off between security and usability.  At the end of the day, if security is too complicated to use, then it simply won't be used.  Even if a feature offers a good level of security protections, if it is complicated or has poor usability it will likely be disabled by the end-user or network administrator, which doesn't benefit anyone.  The same issue with safety and security exists in the physical world.  I remember when car alarms were first available (as an aftermarket product) -- you had to remember to set the alarm after you locked your car and half the time people forgot.  Today, many cars come with alarms from the factory and the task of setting the alarm is usually just part of locking the car -- and as a result, alarms get set.

When we set off to make sure that Windows Vista was the most secure version of Windows ever, we had to create security capabilities that we could enable by default and be usable enough to be left on when the system was deployed.  There is clearly a balance here because if we lock the system down too tightly, then we risk the majority of customers turning key features off, or even worse, staying on older versions of Windows and thus not realizing the great security benefits of the new system.  It's a great irony when you realize that one of the risks of adding more security in the name of making people safer is that users might stay on older  versions that, in some ways, appear easier to use but are much less secure than the new system.

While we greatly improved the security of Windows Vista and we believe it is the best system available, I have always been clear that the system is neither fool-proof nor unbreakable -- no software I have seen from anyone is.  Moreover, there are defense-in-depth security capabilities that some may mistakenly believe are impenetrable security boundaries, when they are not.  This was the hard balance that we dealt with:  How many applications would be impacted with a harder security boundary and how many users might turn off a security feature if the usability was perceived to be worse?

One great illustration of this challenge in Windows Vista is User Account Control (UAC).  In the simplest terms, you can think of UAC as "standard user that works" or "non-administrative user that can actually do things."  Prior to Windows Vista, there were key scenarios that were important to a standard (non-administrator) user that couldn't be completed as a standard user.  So to do things like change the local time zone on the system or many other things, you had to have local administrator privileges.  As a result, almost everyone used a logon account that was a member of the local administrators group -- the secondary effect being that most software developers (including at Microsoft) developed their software assuming that the user would be an administrator.  There were indeed some corporate customers that deployed their environments with their users as standard user, but this was typically an expensive task, and often with some loss of functionality.

So for Windows Vista, the primary goal of User Account Control was to help protect users from inadvertently doing things that require administrative privileges whether that privileged function was initiated by either malware or the user.  Remember that prior to Windows Vista, when the user was logged on as an administrator, they (and typically all software) basically had full run of the system with the ability to override any local security checks.  To achieve our goals for Windows Vista, we not only had to make standard user work well for an end-user who just wanted to get their work done, but also to protect someone who really needed to be an administrator from accidently doing something bad.  The primary goal was to protect the system from both people with malicious intent and users who might inadvertently perform administrative tasks without knowing the full consequences of the task.

To do this, we had to go through the various system tasks that users perform and for each one ask the question:  "should the user have to be an administrator to complete this task?"  What we found was that in Windows XP there were many cases where we required the administrative privilege if the user was making a change that impacted the entire system (rather than just their user account).  We subsequently learned that this was too broad a distinction and in fact, with some common sense rules, we could protect the system while still making it usable.  We also found that there were many cases in previous versions of Windows where we had lumped things together when instead only part of the task really should have required the user to be an administrator.  For example, in Windows XP you had to be an administrator in order to change the time or the time zone of the system. The reason that time functions are usually restricted is that you can do some pretty sneaky things if you can change the system time -- like trick system logs or backdate emails.  But as it turns out, changing the time zone of the machine so that a business traveler based on the West Coast goes to their meetings at the right time when they are visiting New York really doesn’t need to be protected -- so in Windows Vista, we split that out and now allow a standard user to change the time zone.

As a result of this work, in Windows Vista you will find that once you get beyond the setup phase on most systems, you can work just fine as a standard user.  The problem was what to do when the user needs to complete a task that does require the administrator privilege.  To address this need, we created a new capability in Windows Vista so that when a standard user tries to do something that requires the administrator privilege, the system prompts the user to have an administrator authorize the task by entering their credentials (or confirm the task if you are an administrator).

When we first designed this functionality in Windows Vista, we required that the user enter the CONTROL-ALT-DELETE (C-A-D) sequence (known as a secure attention sequence due to its capability to resist interception) prior to prompting the administrator for their username and password.  The reason for this functionality was that entering this sequence is the only way for the user to know for sure that it is really the system (and not some phishing exploit) asking for your credentials -- in much the same way that you never want to give personal information to someone who calls your house claiming to be your bank:  You only want to give your password to the system when you know for sure that it's the system asking for it.  So just like you only give your bank information if you called them yourself (so you know it's them), C-A-D is the high-assurance way to interact with the system directly and know with confidence it is the system on the other end.  When the user hit the C-A-D sequence, we brought up the Secure Desktop, a restricted mode where only the system can run, and then asked the user for their credentials from that desktop.  The benefit of the secure desktop is that it is more difficult for malware to run in that context, and the user knows that they are on the Secure Desktop because the running applications are grayed out in the background, highlighting the dialog box running on the secure desktop.

When we conducted usability testing, we quickly learned two things:  The first was that that the system asked for permission way too frequently; and the second was that C-A-D was confusing to most users, especially home users, most of whom associate C-A-D with bringing up the Task Manager.  To address the first issue, we examined the system and carefully analyzed each situation to make sure that we were only asking for permission when it was really necessary.  We also worked with application vendors to make sure that they do not require elevation to administrators except when it is really necessary.  We looked at cases where an application tried to elevate to administrator mode when it wasn't really necessary and created compatibility updates that made the application think they were elevating without actually evaluating them, thus eliminating an elevation prompt.

The second issue was more difficult to address, since C-A-D is really the only way to make sure that you aren't being spoofed by malware.   With that said, at the end of the day, we came to the conclusion that if we did not eliminate the need to hit C-A-D, then most users would likely just run as an administrator all the time, which was more of a security risk than the potential risk of a credential spoof.  While C-A-D was disabled by default, we still ask for consent on the secure desktop so that the user knows that this is a special request from the system.  In the end, while we left the C-A-D integration with UAC in the system, we disabled it by default.  If a user wants to require the C-A-D sequence for UAC elevations, they can easily turn it on via group or local policy.  Network administrators can also mandate C-A-D for UAC elevations via group policy.  So, if you want to be more secure than the Windows Vista default, just turn on C-A-D for UAC elevations.

GP Editor

Note that UAC may not help you if you already have malware on your machine -- one more reason why we view it as a defense-in-depth security feature and not a hard boundary.

As I discussed above, we also wanted to allow users who wanted to be a local administrator to have that flexibility, but at the same time be safer than Windows XP.  To do this, we created a mode of UAC called admin approval mode.  In this mode (which is on by default for all members of the local administrators group), every user with administrator privileges runs normally as a standard user; but when an application or the system needs to do something that requires administrator permissions, the user is prompted to approve the task explicitly.  Unlike the "super user on" function from UNIX that leaves the process elevated until the user explicitly turns it off, admin approval mode enables administrator privileges for just the task that was approved, automatically returning the user to standard user when the task is completed.

However, it should be noted that this functionality is primarily a convenience feature for administrators and not an explicit security boundary between processes that can be absolutely isolated.  If an administrator performs multiple tasks on the same desktop, then malware may potentially be able to inject or interfere with an elevated process from a non-elevated process.  Thus, the most secure configuration for Windows Vista is to run processes in two separate accounts, with only administrator tasks performed using an administrator account and all other tasks performed under the standard user account.

When we first designed admin approval mode as part of UAC, the default was to require the user to type in their password.  (This was in addition to the CONTROL-ALT-DELETE (C-A-D) sequence I discussed above.)  The feedback from usability testing here was the same -- essentially, users felt that having to type in their password for each elevation was too complex, as was having to hit C-A-D prior to provide consent.  Again, the risk of having this complex (although more stringent) UI was that some customers might simply turn off admin approval mode and then use administrative rights without any protection or warning.  Clearly the security risk with admin approval mode off was greater than the risk of the system being spoofed.  So, although this is not foolproof, if someone is going to run in admin approval mode, it is clearly much better than Windows XP.  In the end, while it's possible to require a password in admin approval mode, it is not required by default.  It can be enabled by an end-user or set by a network administrator using group policy.  See below.

LP Editor

Another great example of convenience vs. security is our strategy on enabling Data Execution Prevention (DEP) in Windows Vista.  In simple terms, DEP treats data as data and code as code, and then blocks execution of any data content.  The benefit of this is that if there is a vulnerability in the system (or in an application) that allows a data buffer to be overrun, with DEP enabled, it is harder for the attack to execute the malicious code that was placed in the data buffer -- thus blocking the attack.  DEP is turned on by default for the kernel and it is a great way of protecting other parts of the system (like Internet Explorer) and applications from buffer overruns.  Here is the problem:  it turns out that there are some third-party add-ons that generate code dynamically and store the code in the data region (sometimes referred to as "jitting"), and there is no method for DEP to distinguish between these add-ons and malware.  So you either have more security or potential application compatibility issues.

Here is the default for Windows Vista.

DEP 1

Note that you can turn on DEP for all programs and services if you want.  This is clearly a more secure state, but it could create some application compatibility issues.  I certainly recommend that businesses test to see if they can use DEP for all programs and services.  In some cases it might be possible; in others it won't be (yet).  There’s that tradeoff again!

Internet Explorer was a particularly difficult case because we certainly wanted IE to benefit from the protection afforded by DEP.  But prior to the Windows Vista release there were compatibility issues with several well known third-party IE add-ons, so by default we could not enable IE to run with DE.  It turns out that there are two pieces of good news here.  The first is that it is possible for dynamically generated ("jitted") code to be DEP-compatible -- it just takes a few lines of new code (and an upgrade to the new code).  We expect most third parties to update their add-ons to support this.  The second piece of good news is that Adobe, whose Acrobat and Flash Player add-ins were previously incompatible with DEP, has updated their software to be compatible with DEP.  (Be sure to get these updates.)

So although it is not the default today, you can turn on DEP for IE for the additional protection.  Michael Howard wrote a great blog post on how to enable DEP in Internet Explorer 7 on Windows Vista.

DEP 2

I personally have enabled IE to use DEP on all my Windows Vista PCs and I would recommend that you do also if you want the added security.  (Again, be sure to get the Windows Vista updates from Adobe.)  I won't promise that all sites will work, but in my typical usage pattern everything works fine.  Over time, as we work with more third parties to make their software DEP-compliant, I expect we will be able to turn on DEP by default for everything.

While we have configured the system to balance usability and security, as I noted above, we've also made it possible for home users and network administrators to make the system even more secure by enabling the features that we ended up turning off by default -- something that wasn't possible on previous versions of Windows.  So what's my advice?  I tend to think of this in terms of a good, better and best approach for both home users and enterprise customers.

For home users:

  • Good strategy:  Make the first user account a parental account (even on a kid's machine) and protect it with a good password -- by default, this first account is in the local administrators group with administrator approval mode enabled.  Subsequent user accounts -- especially for kids -- should be standard users.  If a standard user (for example, a child) encounters the need to complete an admin task, the administrator (for example, mom or dad) can enter the proper credentials to complete the task.  With the advent of fingerprint readers on most laptops, this may be as simple as swiping a finger.  You should also use the Parental Controls feature in Windows Vista to help protect and restrict any accounts that kids use.
  • Better strategy:  In addition to the steps for "good strategy," also require the password to be entered when an administrator elevates themselves to complete a task using admin approval mode.  This makes it harder to spoof the system and also makes it extremely difficult for an unauthorized person to complete an admin task on a PC that is left unattended.  By default, Windows Vista will lock the desktop after inactivity (if you leave the machine), and if you have a password, then it will be required to unlock the system -- one more reason why we recommend that you have a password on accounts in the administrator group.  You may want to adjust the period of inactivity to be shorter if necessary.  I also recommend that you enable DEP for Internet Explorer.  In most cases, if you get the latest add-ins from Adobe, you will likely not have too many problems.  If you do, it's easy to turn it back off if necessary.
  • Best strategy:  If you are extremely concerned about security, then in addition to "better strategy," also require the C-A-D sequence for consent to complete admin tasks.  This will provide additional protection to the system when an administrator is elevating him or herself using admin approval mode and also when a standard user needs consent from an administrator.

For business deployments:

  • Good strategy:  The most basic step is to require all users who need administrator privileges for their roles or application compatibility requirements to run with admin approval mode enabled (which is the default).  This provides a good transition to standard user, but provides a little leeway through the transition.  (Note that I personally strongly encourage businesses to move to a "better" or "best" strategy instead of staying at a "good" strategy.
  • Better strategy:  Require all (or most) users to be standard user.  Many customers should move their end-users to standard user over time.  When elevation must occur, require C-A-D before the administrator enters their credentials to complete a task.  Also require administrators to enter their credentials in admin approval mode.  As in the home user case, I also recommend that you enable DEP for IE, provided the appropriate testing is done before doing this.  If you have internally-developed add-ons that don't work with DEP, consider updating them to make them compatible.
  • Best strategy:  In addition to having most users run as standard users with C-A-D and passwords required for administrators using admin approval mode, do not allow over-the-shoulder elevations for end-users on the theory that any tasks that require local elevations (such as software installs or configuration changes) could be completed more securely using centralized management including group policy.  For changes that must happen locally, the administrator can log on to a separate session (either at the system or remotely using Remote Desktop).

The true test of how secure any system will be in practice has as much to do with how it is deployed as it does with its architecture and code quality.  And how the system is deployed has a lot to do with usability and convenience.  (If you don’t lock your doors at night because it is too much of a hassle, the locks don't offer much security.)  Our goal is that the most generally applicable security configuration (remember, this is a combination of architecture, code quality and usability) is deployed by default.  We sometimes use defense-in-depth approaches when designing security measures instead of hard boundaries for this reason.  We also know that there are certain customers who, even with a deep understanding of the usability issues, may choose to enable a more locked down system than we could ever ship by default.  For these people, we provide great flexibility to turn on even more protections.  What makes this even more complex is that given how broadly a product like Windows Vista will be used, some people may try to create sensationalist headlines by calling out some apparent "weakness."  Before they do, it is important to remember that the design was more likely a deliberate design choice that was balancing some other factor such as usability or application compatibility, rather than an oversight.

jim

Tags: , , ,

Comments

  1. hitmouse
    Posted on: January 24, 2007 at 3:35AM  

    The experience of many of us who have NTFS data partitions (say on a D: drive) is that when Vista is installed, you can no longer save to (some or all) folders on those drives because of the way that Vista plays with the ACLs.

    There is no easy way to clean up the user rights for the drive except by stripping the entire drive   of current rights and starting over. This is not even easy for experienced Windows users (as the beta indicated), and will be a real trial for home users since so many OEM machines come with data partitions out of the box.

  2. zapbuzz
    Posted on: January 24, 2007 at 4:40AM  

    DRM Genuine advantage product activation restricted licensing.

    These are issues of mine hindering my attempts to secure windows.

    It just makes it harder and pointless to support windows at home, work and on a grand scale its just gonna fail. It has already.

  3. Darragh
    Posted on: January 24, 2007 at 4:45AM  

    Very interesting stuff indeed however no one has yet to talk about the accessibility of UAC.  Narrator for example still doesn't give blind users access to this screen.  It just shuts down.  

  4. mscrivo
    Posted on: January 24, 2007 at 9:01AM  

    Jim,

    Just wanted to say that I really appreciate your posts .. they are very well written and extremely informative.

    Thanks!

  5. Jonathan
    Posted on: January 24, 2007 at 3:23PM  

    This is Jonathan from the UAC development team, responding to the earlier question about UAC and Accessibility.

    UAC was designed with Accessibility in mind – the infrastructure actually provides programs with the ability to mark themselves as accessibility applications, which may need special access to various user interface elements.

    In the case of Narrator, it’s possible that it's in a state where it won't run after a transition to the secure desktop.  I’d recommend the following – I had success with it on my Vista machines:

    1. Lock the computer – this brings you to the secure desktop, so if Narrator is turned off (for the secure desktop), it should be silent here as well.

    2. If that’s the case, unlock the machine, press “Windows + U” to bring up the Ease of Access Center, and select “Start Narrator” to refresh it.

    If that doesn’t help, please let us know at http://support.microsoft.com/contactussupport/?ws=support, and we’ll make sure that the appropriate people are notified of the problem.

  6. NTBugtraq
    Posted on: January 24, 2007 at 3:49PM  

    My questions are from a corporate environment context.

    Does UAC distinguish between a Domain Admin and a member of the Local Administrators Group?

    If I want "admin approval mode" to only function for members of the Domain Administrator's group, how can that be done?

    If I want the SAS to expect Domain Admin credentials only (and not local Administrators), how can that be done?

    Hopefully the answer isn't to add the Domain Administrators group to the Local Administrator's group.

  7. Minkus
    Posted on: January 24, 2007 at 4:55PM  

    'Unlike the "super user on" function from UNIX that leaves the process elevated until the user explicitly turns it off, admin approval mode enables administrator privileges for just the task that was approved, automatically returning the user to standard user when the task is completed.'

    It seems to me as if this is where the primary mistake was made with UAC. There should be an option to make an app run as administrator until further notice. Less secure? Slightly, although if you click OK once you'll probably click it again. More usable? You bet.

  8. DarrenC
    Posted on: January 24, 2007 at 8:42PM  

    This is Darren from the UAC Program Management team, responding to an earlier post by “hitmouse” regarding NTFS permissions on data drives.

    Thanks “hitmouse” and yes the old XP ACL was causing access issues in the Vista Beta 2 timeframe.  

    What was the problem with the previous XP system ACL?

    When creating a new folder in XP, “Users” were only given Read permission while Administrators were given Full Control.  Since most users logged onto Windows XP as Administrator, everybody was able to “collaborate” or edit the pictures and therefore did not see the access problems.

    To mitigate this access issues we did the following:

    In Windows Vista (RTM) the default System drive ACL was modified to enable data sharing and collaboration in data directories and outside of users' protected directories.  These ACL changes ensure that users can share and edit files without having to provide approval to a User Account Control dialog box.  The Vista ACL is applied during installation and migrated to all detected non removable drives that do not contain a Windows OS and are formatted with the default XP root ACL.

    Note: Under the following conditions we will not automatically migrate the data drive ACL:

    1) Running non RTM version of Vista

    2) Data drive was not present or detected at time of install and therefore the ACLs did not migrate.

    3) Data drive had old OS installed

    4) Data drive or Folder in question has a custom ACL and therefore the migration was blocked

    Workaround: If your data drive was not converted for either reasons (1 or 2) then perform the following:

    Start a command windows with administrative rights:

    A) Click: Start --> All Programs --> Accessories

    B) Rclick: on cmd.exe “Command Prompt” and Select: “Run as Administrator”

    C) From within the administrator command window run: “Cacls D:\ /s:D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;SDGXGWGR;;;AU)(A;OICI;GXGR;;;BU)”  

    Note: “D:\” is the data drive being converted

    If for any reason we have not covered your specific scenario please feel free to contact datasec@microsoft.com

  9. leafly
    Posted on: January 24, 2007 at 8:46PM  

    Perhaps hitmouse might find Jesper's (http://msinfluentials.com/blogs/jesper) Jan. 16th post useful.  It's about granting standard user's write access to what was previously a Windows XP NTFS drive.  All objects that inherit permissions from their parent containers ought to get the new User ACE once you add it to the drive's root.  So, as Jesper states "As long as you have not broken inheritance somewhere along the directory hierarchy of the drive you will not need to modify any more ACLs on this whole drive."  Hopefully home users will get some help with this issue through Vista's new online help system.

  10. Corrine
    Posted on: January 24, 2007 at 9:46PM  

    Excellent article. Highly recommended.  

    In fact, I strongly recommend it to InformationWeek and an unnamed Symantec spokesperson.  See http://securitygarden.blogspot.com/2007/01/sensationalism-irresponsible-journalism.html

  • Page:
  • 1
  • 2
  • 3

Trackbacks

  1. Posted by: Robert McLaws: Windows Vista Edition on January 24, 2007 at 2:17AM

    If there was any blog post that Jim needed to make, it was this one . In Jim's longest post to date,

  2. Posted by: PuntoRete on January 24, 2007 at 4:32AM
  3. Posted by: Michael Howard's Web Log on January 24, 2007 at 1:19PM

    Jim Allchin has a great blog post about some of the design issues we went through and tradeoffs we made

  4. Posted by: Robert Burke's Weblog on January 24, 2007 at 3:42PM

    This is excellent explanation and commentary by Jim Allchin on some of Vista's new security features

  5. Posted by: Chris Szurgot's Blog on January 24, 2007 at 5:09PM
  6. Posted by: Robert Hensing's Blog on January 25, 2007 at 9:44AM

    Jim Allchin in his longest blog post to date explains the security trade-off's we had to tackle with

  7. Posted by: David Ziembicki on Infrastructure Architecture on January 25, 2007 at 11:38AM

    Jim Allchin has a great post over on the Vista Team's blog about the tradeoffs and choices made in terms

  8. Posted by: Roger's Security Blog on January 25, 2007 at 4:09PM

    With 4 days to go until Windows Vista General Availability launch, Jim Alchin wrote a pretty interesting

  9. Posted by: Microsoft Switzerland Security Blog on January 26, 2007 at 9:24AM

    "One of the most basic conundrums in computer security is the constant trade-off between security and

  10. Posted by: E-Bitz - SBS MVP the Official Blog of the SBS "Diva" on January 27, 2007 at 2:36AM

    Vista is at 10:30 a.m.....but not at noon where it was earlier in the beta ... what am I talking about?

  11. Posted by: The Security Wizard on February 08, 2007 at 7:39AM

    Jim Allchin writes in the Windowsvistablog.com about o ne of the most basic conundrums in computer security

  12. Posted by: Mark's Blog on February 12, 2007 at 8:58AM

    I introduced the -l switch to PsExec about a year and a half ago as an easy way to execute processes

  13. Posted by: Blog Team TechNet Italia on February 16, 2007 at 7:55AM

    Ciao a tutti. Dopo qualche giorno passato a Seattle ad imparare cose nuove ritorno per segnalarvi alcuni

  14. Posted by: Robert Burke's Weblog on February 20, 2007 at 9:06AM

    [Default] Spotlight on: Windows Vista Innovate on Windows Vista Innovate on Windows Vista helps fast-track

  15. Posted by: Segurança na Microsoft on February 22, 2007 at 10:09AM

    "Fronteira de segurança" (ou security boundary ) é alguma barreira pela qual código ou acesso não podem

  16. Posted by: Segurança na Microsoft on February 22, 2007 at 10:10AM

    "Fronteira de segurança" (ou security boundary ) é alguma barreira pela qual código ou acesso não podem

  17. Posted by: 盆盆的博客 on February 25, 2007 at 9:36PM

    首先祝大家新年快乐!本文是Mark Russinovich最新的博客文章,由盆盆所翻译。不过并不是泛泛地进行翻译,为了加深大家对文章的理解,盆盆还特地加注了自己对内容的理解和难点注释。从本文我们可以看出,不管是UAC、IE保护模式、完整性级别,都没有定义安全边界,黑客们还是可以制造出针对Windows Vista的病毒,只是迟早的问题。不过正如Mark所说的,有总比没有好,可以让用户和应用软件走入一个标准用户的时代。

  18. Posted by: Mark's Blog on March 06, 2007 at 2:05PM

    I introduced the -l switch to PsExec about a year and a half ago as an easy way to execute processes

  19. Posted by: Mes ramblings du travail on March 26, 2007 at 3:44PM

    Ca fait longtemps que je voulais faire un petit billet sur UAC. Mi-janvier, je pensais (naïf) que tout

  20. Posted by: zyrtec 10mg antihistamine tablets on October 07, 2007 at 1:02PM

    zyrtec 10mg antihistamine tablets

  21. Posted by: zyrtec dosage children on October 07, 2007 at 1:35PM

    zyrtec dosage children

  22. Posted by: ultracet narcotic on October 08, 2007 at 6:21AM

    ultracet narcotic

  23. Posted by: PowerShell Team Blog on September 30, 2008 at 2:12PM

    One of most common issues we face with PowerShell comes from users or ISVs misunderstanding PowerShell’s

  24. Posted by: Microsoft non corregger?? i problemi di sicurezza di Windows 7 « Guiodic Blog on June 18, 2009 at 7:14PM

    Pingback from  Microsoft non corregger?? i problemi di sicurezza di Windows 7 « Guiodic Blog

  25. Posted by: Windows 7 UAC security thoughts « BurgerMinds on June 29, 2009 at 4:00PM

    Pingback from  Windows 7 UAC security thoughts « BurgerMinds

  26. Posted by: Inside Windows 7 User Account Control « Vangelis Solutions Intranet on October 16, 2009 at 11:11AM

    Pingback from  Inside Windows 7 User Account Control « Vangelis Solutions Intranet

Recent Posts

Tags

View more
© Copyright 2009 Microsoft Corporation. All Rights Reserved.   |   Privacy Statement