Windows Vista Team Blog : Featured News, Security

Video Demo: Identifying Security Vulnerabilities for Your Desktop Infrastructure

Baldwin Ng — Thu, 14 Aug 2008 20:20:00 GMT

Whether you are planning to deploy Windows Vista or already did, it is important that you keep security high on your list and make sure that all of your desktops are secured. So, how do you know if your desktops have Windows Firewall settings turned off? What if some desktops do not have Anti-Virus or Anti-Spyware software installed?

To quickly get an answer, please check out the new Security Center assessment feature that we have added to the Microsoft Assessment and Planning Toolkit 3.1 released in June. It auto-generates a security assessment report on your existing desktops as part of the "Windows Vista hardware assessment" migration report.

What's Next?

Start identifying these security vulnerabilities today with a free download of the Microsoft Assessment and Planning Toolkit. You may also view the new MAP Toolkit demo video and learn how to get the Security Center assessment report as well as the hardware compatibility assessment report for Windows Vista migration.

Cheers,

Baldwin Ng

Sr. Product Manager, Microsoft Solution Accelerators Team

"Keep Everything Clear of the Doors"

Nick White — Fri, 28 Dec 2007 18:22:00 GMT

As we wind up 2007, I thought I'd share with you an emailed security communiqué sent last week by Ed Gibson, Chief Security Advisor at our Microsoft UK office in Reading, providing a gentle reminder to take the necessary precautionary measures to ensure you're safe when using the Web. As Ed mentions, if you're running Windows Vista, you already have numerous tools at your disposal to help keep your PC and data safe when you're online. Nevertheless, it's always a good idea to ensure those apps and tools are up-to-date, and now is as good a time as any. So until 2008 ...

"Keep Everything Clear of the Doors"

You've seen it, read it, heard it so many times you've blocked it out...routine, mundane...but instinctively you take the necessary precautions. And the idiots who think they can beat the doors for gosh sakes...some make it, most don't...when will they learn. Even though, I suspect the next time you hear this spoken over the intercom in the Underground, or read the warning label on the inside of the carriage you'll take just that extra second to really make sure everything is clear of the doors. "Why?", you ask. "Because you've just read this!" No different than the many times you've looked at your watch, and then someone else asks you what time it is; you can't remember, so you look again.

Unremarkably, the same applies when it comes to being more safe online. This past year you bought a brand-new state-of-the art, 2g of RAM, 600g hard drive PC that will hold more stuff than you or I could ever fill up in a lifetime. It's loaded with free anti-spam, anti-virus software and everything is going very well, so well in fact that you don't update your software (Windows Vista has 'updates' turned on by default, so unless you mess with it, you're okay), run a periodic anti-malware scan, and the wireless is working fine so no need to check that. You've read about the [UK] Government's GetSafeOnline.org campaign that e-Bay, Microsoft, HSBC, Home office, SOCA, and others participate in, you've seen the constant news articles about loss or theft of data from the largest of companies and government agencies (and if you're a victim of HMRC 'datagate', you have every right to be angry) but hey, you've not been affected...why do anything. Victims of online crime...not me, happens only to those people who go to the 'wrong sites'...who tried to make it thru the doors for gosh sakes, they should have known better.

Not so fast Mr ItAin'tGonnaHappenToMe. That 'other person' is going to be you if you don't take a few moments to make sure your operating system and software are up to date, that your firewall is turned on (both are already done for you if you are operating Windows Vista) your anti-spam and anti-virus software are installed and updated (don't forget to renew your subscription to the anti-malware software if it is about to expire).

Organized criminals are 'green', 'socially conscious agnostics', they want what is best for you - NOT!! Just like machines, THEY DON'T CARE who you are, where you grew up, what kind of accent you have, whether you're beautiful (or like me, a face made for radio); they operate without regard to your sex or religious affiliations - I call them "THE EQUALIZERS". They want what is yours - from your bank account, your identity, or even a bit of your bandwidth - oh yes, they can quite happily use your computer while you do and you may not ever know.

As we approach the Holidays, don't let the Grinch of Christmas Past ruin your holidays online. Possibly, 'just because you read this', you will take a moment and run the Microsoft Malicious Software Removal Tool, will visit GetSafeOnline.org, or possibly even give the most important cyber gift of all - a trip to the wild side, WindowsMarketplace.com (click on Security Downloads) for free anti-malware. It will take you a few minutes; but a few minutes now might just save you months of hassle down the road.

Do you really want to be calling your credit card companies, bank, credit agency, DVLA, DWP, on New Year's Eve. Or worse, worry whether someone will be showing up at your doorstep because you couldn't be bothered to spend a measly 10 minutes with your kids to talk to them about social networking sites (oh yea, they just told their friends on their Facebook site when you were going to be away)...and you didn't tell them how to prevent outsiders from accessing their pages. Nor did you tell them in no uncertain terms that even when they close their site everything they put on the Internet IS THERE FOREVER. Oh yes, some make it thru the doors, most don't...when will THEY learn.

I wish you a very happy holiday season - and a safe online journey.

Edward P Gibson
Chief Security Advisor
Microsoft Ltd-UK

Upgrade to Next Version of Windows Live OneCare Announced for All Subscribers

Nick White — Thu, 15 Nov 2007 06:09:00 GMT

The new version of the Windows Live OneCare service is being made available today, running on both 32- and 64-bit Windows Vista systems (32-bit Windows XP SP2 is also supported).

We built OneCare because we know that most homes have more than a single computer (surely not news to you if you're a reader of this blog), with PC security and maintenance being needs consistently expressed by both home users and small business owners. A lot of these customers run PCs without basic anti-virus and anti-spyware protection, and even fewer perform performance-enhancing tasks such as disk defragmentation and regular system back-ups. Furthermore, the plethora of digital photos stored on PCs means that more and more people are trusting their systems to archive digital memories, but given the general consumer's lack of understanding of archival software, doing so becomes a risky proposition indeed. And, when you factor in the prevalence of wireless networks in use in homes and small-businesses, you quickly get the picture that there is a lot of data at risk out there and customers are ill-prepared to take the necessary precautions to ensure it.

It's not a question of being lazy, but rather having the right tool for the job. That's where easy-to-use OneCare comes in. As a subscription service, all OneCare subscribers benefit from new updates as they are made available, including major releases such as this one.

The latest version of OneCare affords users these advantages:

Home Network Management now further simplifies management of multi-PC environments, including support for printer sharing and one-click wireless network security implementation.
Performance Plus enhancements consist of proactive system recommendations designed to improve the computing experience, as well as a monthly reporting regimen tallying the actions taken by OneCare in the last month plus recommended actions for all covered PCs.
Back-up and Restore now enables central configuration and monitoring of back-ups for all covered PCs, with all data being archived to a central location.

A free 90-day trial of OneCare can be downloaded http://onecare.live.com/standard/en-us/default.htm. A 1-year subscription and maintenance for up to 3 PCs costs only US$49.95. All current Windows Live OneCare subscribers benefit from new features as they are made available, including major updates such as this one.

Click here to also read PressPass's Q&A with Windows Live OneCare Director Amy Barzdukas.

Stay tuned tomorrow for more information on receiving the new Windows Live OneCare release.

How to Download the Localized Version of Windows Vista Hardware Assessment 2.1?

Baldwin Ng — Mon, 27 Aug 2007 03:53:00 GMT

Hello Windows Vista Team Blog readers,

We've heard that some of you are very interested in getting the localized version of the Windows Vista Hardware Assessment 2.1 but was not sure how the download process works for this globalized integrated download. To clarify, the Windows Vista Hardware Assessment 2.1 is available in any of the SEVEN languages from a single download (not just English). That includes North American English, French, German, Japanese, Korean, Latin American Spanish and Brazilian Portuguese. No more hunting around for 2 different localized versions of the download. This is especially convenient for those of you who are multi-lingual in US, Europe and Latin America!!

Here's how the download and installation process work:

Download the globalized integrated version of the tool here (please ignore the fact the language field says English, trust me, it has all 7 localizations in it :-) ): http://go.microsoft.com/fwlink/?LinkId=83115
Decide on which language you want the Windows Vista Hardware Assessment to operate in (e.g. Japanese)
Install this globalized integrated download on a computer with the matching localized operating system (i.e. Japanese version of the 32-bit Windows Vista, Windows XP Professional or Windows Server 2003 R2 OS)
Double-click the download and complete the installation process
When you are ready to use Windows Vista Hardware Assessment in Japanese, make sure that your DISPLAY LANGUAGE is set in Japanese in this case
(Optional Step) If you want to switch to a different language and, for example, create readiness assessment report in English, you may change the display language from Japanese to English and then re-launch Windows Vista Hardware Assessment.

To read more about the details of this tool, visit the localized sites here:

Don't forget to check out the various blog posts and web pages on many of the Windows Vista Solution Accelerators we've produced in the past few months! My colleague Jeremy Chapman just wrote about the Windows Vista Service Life-cycle Management solution accelerator - you definitely should check it out!

Thank you and enjoy!

Baldwin (Baldwin.Ng@microsoft.com)

Get Microsoft Solution Accelerators: http://www.microsoft.com/technet/solutionaccelerators

Windows Vista Security Center

Nick White — Wed, 08 Aug 2007 00:56:00 GMT

In a recent meeting with my colleagues Mike Burk, a Security Center Program Manager, and Austin Wilson, a Director from Windows Client Marketing, I had the opportunity to find out more about how and why the Windows Vista Security Center evolved. If you've used Windows Vista, I’m sure you've noticed that the Firewall, Automatic Updating, Antivirus, Antispyware, Internet Security Settings and User Account Control settings are all located in one easily accessed place: the Security Center.

Although the Security Center was originally introduced with Windows XP SP2, Windows Vista has improved on almost every feature found there. A lot more "under the covers" features have been included for Windows Vista. If any of these safeguards are out of date or in an unsecure state, the Security Center will warn you so that you can make adjustments or changes.

Some of the other improvements to the Windows Vista Security Center include:

Showing the status of software designed to protect against spyware (such as Windows Defender) that helps to keep your computer safe with the latest downloads and updates
Security settings for Internet Explorer 7
Notification if User Account Control has been changed or is no longer enabled

The Windows Security Center can also monitor security products from other security companies and will show you if they're current with the latest virus definitions and other updates.

Windows Security Center monitors the following security components for Windows Vista:

Firewall

Windows Security Center monitors your system to see if you have a firewall installed and if it's the Windows Firewall or a firewall product from another company.

Many users prefer to use a couple of different firewalls with the hope that two are twice as good as one. Yet, this is definitely not the case. A secondary software firewall is not recommended, as it will usually cause more conflicts and problems than it prevents. For example, exceptions must be set up for each firewall. If there is a problem, which firewall is the one causing it?

Most firewalls will disable any other firewall it discovers to avoid these types of issues. The only exception to this is a hardware firewall in conjunction with a single software firewall. A hardware firewall is still the best way to stop unsolicited traffic.

Automatic updating

Windows Security Center checks that the auto-update feature is enabled and is using the recommended settings. If it's not enabled or configured differently than recommended, Windows Vista Security Center alerts you to that fact.

Antivirus

Windows Vista Security Center checks for antivirus software and warns you if your settings are not configured correctly. If you prefer to run an additional antivirus application, the Security Center will give the status of both if the third-party application uses the underlying API that allows such reporting.

Another improvement over Windows XP SP2 is that Windows Vista can re-enable your antivirus program if it has been disabled. Windows XP SP2 only warned you and required you to access the actual application to re-enable it.

Anti-spyware and other malware protection

In Windows Vista, newer features and the prevalence of spyware required additional refinements to the Security Center. Windows Security Center now checks and reports if Windows Defender or another company's anti-spyware software is running. When you're using both Windows Defender and third-party anti-spyware software, Windows Security Center will monitor definitions for both as well as warn you if there are any irregularities in your settings.

Unlike a secondary firewall or antivirus application, running a second anti-spyware program doesn't affect your computer's overall performance nearly as much.

Internet Security Settings

Internet Explorer 7 has its own security settings. Windows Vista Security Center will alert you whenever these settings may be configured other than as recommended. Windows Security Center makes it easy to change the settings back to their default state by providing a button you can use to restore the settings automatically; or, you can access the Control Panel to change them manually.

Although you may fall into the habit of thinking you're always secure whenever you're browsing with IE7, there may still be times when you've disabled a particular setting for one reason or another and then become distracted and forgotten you'd changed it. Luckily, Security Center is there to remind you.

User Account Control

In order to help keep your computer safer, the User Account Control service should be enabled. Window Security Center monitors the status of User Account Control and lets you know if User Account Control has been changed or disabled. (You may have reason to disable it similar to the IE7 example above.) You can restore User Account Control to its recommended settings with a single mouse click.

-----

One of the challenges in developing the Windows Security Center was working with various ISVs (Independent Software Vendors) and figuring out the best methods for reporting an application's status to Security Center. As users are becoming more security-aware, and malware producers become more proficient, users want more protection from malicious sites and users. Windows Vista Security Center is there to help users keep their computers and data more secure. One way of allowing for this is Security Center's standardized API "hook" that any ISV can use to report their application's status, even if the application has been newly installed or is invoked after boot-up. In other words, there's no need for the user to check the status of each security product separately, as Security Center will track the status of all anti-malware and antivirus programs that make use of its standard API.

As an additional security measure protecting Windows Vista users, before a third-party antivirus or anti-malware application can be included in (i.e., tracked by) Windows Security Center, the company producing it must be formally approved by Microsoft. In order to accomplish this, that company must be under NDA (non-disclosure agreement) and in good standing with the community. If you are using a third-party program that makes use of Windows Security Center, it should be designed to inform you if it uses its own end-user warning system rather than making use of the Security Center notification feature.

As you surely know, it's a whole new ballgame when it comes to computer and Internet security. Regardless of how, where or for what you use your computer, I suggest you visit this link to learn more about Windows Vista Security Center and security in Windows in general.

10 Things - Using BitLocker, even without a TPM

Nick White — Thu, 26 Jul 2007 19:15:00 GMT

While you may have heard of BitLocker, what you may not know is that you don't need Trusted Platform Module to use it on your system.

BitLocker Drive Encryption is a new security feature integrated into the Windows Vista operating system that provides considerable protection to the OS and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against "offline attacks" -- those made by disabling or circumventing the installed operating system, or by physically removing the hard drive to attack the data separately. In other words, attacks made when the system is not running.

Windows BitLocker Drive Encryption provides increased security by encrypting everything on your hard drive: data, programs and even Windows itself. When you use BitLocker, your system is more difficult to tamper with, and thus you are better protected if your computer is ever lost or stolen. BitLocker does not replace the need to use a strong password and other vital security features, but it does make it much harder for anyone else to read the information stored on your hard drive.

BitLocker is designed for systems that have a compatible TPM microchip and BIOS. (A compatible TPM is defined as a version 1.2 TPM.) A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. When available, BitLocker uses a system's Trusted Platform Module (TPM) to provide enhanced protection for your data and to assure early boot component integrity. The chip performs a system integrity check -- a process that verifies your computer system has not been tampered with -- before unlocking your drive and allowing access to the data stored on it. This helps protect data from theft or unauthorized viewing by encrypting the entire Windows volume. Although the TPM interacts with BitLocker at system startup, its protection is transparent and the user logon experience is unchanged. However, if the TPM is missing or altered, or if the start-up information has changed, BitLocker will enter recovery mode and the user will be required to enter a recovery password to regain access to the data. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site.

A great thing about BitLocker is that even if you do not have a TPM 1.2 chip, you can still use the encryption it provides, but the system integrity checking enabled by the TPM will be unavailable.

For information about how to enable BitLocker on your computer without using a TPM 1.2 chip, see the BitLocker Drive Encryption Step-by-Step Guide. You can also find more information about the requirements for BitLocker Drive Encryption, including partitioning, start-up options and recovery options.

Sting! The biggest software counterfeiting bust in history

Nick White — Tue, 24 Jul 2007 20:00:00 GMT

[This is a post originally penned by Alex Kochis over on the WGA blog.]

Earlier today the Chinese Public Security Bureau and the FBI announced the largest bust of counterfeit software manufacturing or distribution ever. The bust took place in the southern Chinese province of Guangdong and includes arrests that took place over the last couple of weeks. While the value of the software actually seized is estimated at about five hundred million dollars, we're estimating that the value of software produced and distributed over the last few years by this particular group is closer to two billion dollars.

Beyond the sheer size of the bust, the most exciting aspect for MS' WGA (Windows Genuine Advantage) team is knowing that WGA played a role in it. More than 1,000 customers in 12 different countries who had purchased counterfeits from this particular source used WGA to learn their software was counterfeit, submitted the counterfeits to Microsoft, and forensic and intelligence specialists then traced the counterfeits back to the criminal syndicate in China. Windows customers using WGA actually helped bring down the biggest software counterfeiting operation in history, as without their help, it's possible that this piracy operation would never have been apprehended.

The goal of WGA goal is not to punish the people who purchased these programs -- they are in fact victims -- but rather to give them a tool that both lets them know they have been victimized and a way to do something about it.

A little cloak-and-dagger for your afternoon :). The one on the left is the genuine article.

Check out the Windows Live OneCare 2.0 Beta

Nick White — Wed, 11 Jul 2007 21:55:00 GMT

The Windows Live OneCare team today released the Beta version of OneCare 2.0 -- you can download it here. Windows Live OneCare 2.0 is designed to make it easier to secure and maintain multiple PCs on a network so that households and small businesses alike can manage their PCs from a single control panel. Aside from multiple-PC management, new to OneCare 2.0 is:

Wi-Fi connection security: Secure your home Wi-Fi connection and protect the privacy of wireless data transfers.

System start-up time optimizer: Check for ways to shorten PC boot time.

Online photo backup: Back up photos to Windows Live Folders (additional cost).

Printer sharing support: Connect printers to a network so that all users in the vicinity can access the same printer.

OneCare 2.0 was designed specifically with Windows Vista in mind (for instance, it now supports the x64 architecture!). Try it out and let the Windows Live team know what you think.

Keeping it real

Nick White — Wed, 04 Jul 2007 05:58:00 GMT

In a recent post to his blog, Alex Kochis, Senior Product Manager for Windows Genuine Advantage, discusses the on-going work on anti-piracy features incorporated into many of the products Microsoft releases. Part of the job is to communicate advances that keep pace with those of pirates, so his team has updated their How to Tell website -- a site dedicated to helping customers tell whether their MS software is legitimate. The site's updated look-and-feel can take advantage of higher screen resolutions; a further addition is an RSS feed to inform customers of changes to anti-piracy features in our products.

Alex also mentions the story behind the holography on Windows Vista DVD's (and other Microsoft product media), which we covered last month. The technology is called edge-to-edge holography and consists of a variety of objects embedded into the holograms integrated into product media, designed to help prove legitimacy of products consumers may purchase from various sources. Our story on the three men depicted in a microscopic photo on the Windows Vista DVD is an example of this technology.

If you've not visited the How To Tell site, I think you'll find it entertaining as well as eye-opening: entertaining because of what some people try to pass off as legitimate MS products, and eye-opening because other pirates have produced some extremely sophisticated fakes. Check it out.

Taking a detailed look at Windows Vista DVD hologram

Nick White — Thu, 14 Jun 2007 00:00:00 GMT

An astute Windows user was intrigued by the holographic image on the face of the Windows Vista Business DVD and decided to take a much closer look, discovering in the margin a microscopic photograph of three men. Just who they could be? The user posted a blog entry mentioning the discovery, which was noticed by a few others in the community and has prompted a number of people to contact us in Windows to find out just exactly what is going on.

The real story is interesting, but conspiracy theorists will be disappointed to learn that it is not the result of a deliberate attempt to deceive. The photo displays members of the team who worked on the Windows Vista DVD hologram design. Microsoft’s Anti-Piracy Team designed a counterfeit-resistant digital "watermark" for the non-encoded surface of Windows Vista DVDs. The photo in question is only one of multiple images contained in the hologram design, all of whose inclusion serves to make it more difficult to replicate a Windows Vista DVD. The other images are of old master works of art that are in the public domain. These images are part of numerous other security measures that have been designed into our media, packaging and certificates of authenticity. Hence, even though this image has been reproduced on the Web, there are many other features providing further security.

The images are less than 1mm in size and are not visible to the naked eye, so must be viewed using optical magnification. Their presence does not affect the contents of the DVD any more than would applying a label to the front of an audio CD you may have created at home. These security measures were never intended to be impossible to find, but rather difficult to reproduce. While it's extremely difficult to replicate a holographic design in general, the inclusion of original images makes it that much more so.

Incorporating optical security into our physical media is just one of many efforts to ensure that Microsoft customers get what they paid for. You can learn more about Microsoft’s anti-piracy measures at our How To Tell site; the holographic images used on the Windows Vista Ultimate DVD are discussed here.

Teched 2007 Finale: Data Encryption Toolkit for Mobile PCs

Alex Heaton — Mon, 11 Jun 2007 17:39:00 GMT

One more thing we announced at TechEd last week was the release of the Data Encryption Toolkit for Mobile PCs. The Toolkit is the newest in a suite of Windows Vista Solution Accelerators, and provides tested guidance and powerful tools to help you protect your most vulnerable information - the data residing on your laptops. The toolkit shows you how to use two key encryption technologies: BitLocker^TM Drive Encryption, which is included with specific versions of Windows Vista^TM, and the Encrypting File System, which is included with Microsoft® Windows® XP Professional and Windows Vista.

My favorite part of this year's TechEd was talking to the IT pros that are using Windows Vista. Last year at TechEd 2006, Windows Vista Beta 2 was just released and for many of the people that I talked to at our booth, this was the first time they've seen Windows Vista running with their own eyes. Contrast it to this year where I'm talking with IT pros that have already deployed Windows Vista to hundreds of users, in addition to running it on their own PC.

If you missed TechEd this year, don't despair. You can see some of the highlights at http://www.virtualteched.com/Pages/default.aspx. You can also attend one of the 10+ worldwide TechEd events happening in the next year in, see http://www.microsoft.com/events/teched2007/worldwide.mspx. Or mark your calendar for TechEd 2008, which will be back in Orlando June 9-13, 2008.

- Alex

Accessible UAC Prompts

James Senior — Thu, 25 Jan 2007 18:20:00 GMT

There have been some comments on the blog recently suggesting that the UAC dialog boxes in Windows Vista are not accessible and I just wanted to clear up the confusion here.

First, to set the scene though. When a user attempts to access an application or setting that requires elevated privileges to run, they are presented with a UAC prompt, the appearance of which will vary depending on the type of user they are or the type of application that is trying to run. This diagram shows the types of dialog boxes that you might see and the process flow that triggers each type:

There is also a credential prompt which will be displayed if the current user is not an administrator:

These prompts are protected from receiving communications from other applications so that malicious software cannot simulate the actions of users. This is obviously a problem for screenreaders or other applications that need to use UI Automation in order to provide interaction with the User Interface. This problem has a solution though.

In order to gain access to the UAC prompts - or other processes running at a higher privilege level - an application must be trusted by the system and run with special privileges. To make this happen the application should be built with a manifest file that includes the following elements and attributes:

<trustInfo xmlns="urn:0073chemas-microsoft-com:asm.v3">

<security>

<requestedPrivileges>

<requestedExecutionLevel

level="highestAvailable"

UIAccess="true" />

</requestedPrivileges>

</security>

</trustInfo>

The important tag to note is the UIAccess, which must be true in order for the application to gain access to the UAC prompts.

There is an MSDN article which you should refer to for more information: http://msdn2.microsoft.com/en-us/library/ms742884.aspx

Security Features vs. Convenience

JimAll — Tue, 23 Jan 2007 23:32:00 GMT

One of the most basic conundrums in computer security is the constant trade-off between security and usability. At the end of the day, if security is too complicated to use, then it simply won't be used. Even if a feature offers a good level of security protections, if it is complicated or has poor usability it will likely be disabled by the end-user or network administrator, which doesn't benefit anyone. The same issue with safety and security exists in the physical world. I remember when car alarms were first available (as an aftermarket product) -- you had to remember to set the alarm after you locked your car and half the time people forgot. Today, many cars come with alarms from the factory and the task of setting the alarm is usually just part of locking the car -- and as a result, alarms get set.

When we set off to make sure that Windows Vista was the most secure version of Windows ever, we had to create security capabilities that we could enable by default and be usable enough to be left on when the system was deployed. There is clearly a balance here because if we lock the system down too tightly, then we risk the majority of customers turning key features off, or even worse, staying on older versions of Windows and thus not realizing the great security benefits of the new system. It's a great irony when you realize that one of the risks of adding more security in the name of making people safer is that users might stay on older versions that, in some ways, appear easier to use but are much less secure than the new system.

While we greatly improved the security of Windows Vista and we believe it is the best system available, I have always been clear that the system is neither fool-proof nor unbreakable -- no software I have seen from anyone is. Moreover, there are defense-in-depth security capabilities that some may mistakenly believe are impenetrable security boundaries, when they are not. This was the hard balance that we dealt with: How many applications would be impacted with a harder security boundary and how many users might turn off a security feature if the usability was perceived to be worse?

One great illustration of this challenge in Windows Vista is User Account Control (UAC). In the simplest terms, you can think of UAC as "standard user that works" or "non-administrative user that can actually do things." Prior to Windows Vista, there were key scenarios that were important to a standard (non-administrator) user that couldn't be completed as a standard user. So to do things like change the local time zone on the system or many other things, you had to have local administrator privileges. As a result, almost everyone used a logon account that was a member of the local administrators group -- the secondary effect being that most software developers (including at Microsoft) developed their software assuming that the user would be an administrator. There were indeed some corporate customers that deployed their environments with their users as standard user, but this was typically an expensive task, and often with some loss of functionality.

So for Windows Vista, the primary goal of User Account Control was to help protect users from inadvertently doing things that require administrative privileges whether that privileged function was initiated by either malware or the user. Remember that prior to Windows Vista, when the user was logged on as an administrator, they (and typically all software) basically had full run of the system with the ability to override any local security checks. To achieve our goals for Windows Vista, we not only had to make standard user work well for an end-user who just wanted to get their work done, but also to protect someone who really needed to be an administrator from accidently doing something bad. The primary goal was to protect the system from both people with malicious intent and users who might inadvertently perform administrative tasks without knowing the full consequences of the task.

To do this, we had to go through the various system tasks that users perform and for each one ask the question: "should the user have to be an administrator to complete this task?" What we found was that in Windows XP there were many cases where we required the administrative privilege if the user was making a change that impacted the entire system (rather than just their user account). We subsequently learned that this was too broad a distinction and in fact, with some common sense rules, we could protect the system while still making it usable. We also found that there were many cases in previous versions of Windows where we had lumped things together when instead only part of the task really should have required the user to be an administrator. For example, in Windows XP you had to be an administrator in order to change the time or the time zone of the system. The reason that time functions are usually restricted is that you can do some pretty sneaky things if you can change the system time -- like trick system logs or backdate emails. But as it turns out, changing the time zone of the machine so that a business traveler based on the West Coast goes to their meetings at the right time when they are visiting New York really doesn’t need to be protected -- so in Windows Vista, we split that out and now allow a standard user to change the time zone.

As a result of this work, in Windows Vista you will find that once you get beyond the setup phase on most systems, you can work just fine as a standard user. The problem was what to do when the user needs to complete a task that does require the administrator privilege. To address this need, we created a new capability in Windows Vista so that when a standard user tries to do something that requires the administrator privilege, the system prompts the user to have an administrator authorize the task by entering their credentials (or confirm the task if you are an administrator).

When we first designed this functionality in Windows Vista, we required that the user enter the CONTROL-ALT-DELETE (C-A-D) sequence (known as a secure attention sequence due to its capability to resist interception) prior to prompting the administrator for their username and password. The reason for this functionality was that entering this sequence is the only way for the user to know for sure that it is really the system (and not some phishing exploit) asking for your credentials -- in much the same way that you never want to give personal information to someone who calls your house claiming to be your bank: You only want to give your password to the system when you know for sure that it's the system asking for it. So just like you only give your bank information if you called them yourself (so you know it's them), C-A-D is the high-assurance way to interact with the system directly and know with confidence it is the system on the other end. When the user hit the C-A-D sequence, we brought up the Secure Desktop, a restricted mode where only the system can run, and then asked the user for their credentials from that desktop. The benefit of the secure desktop is that it is more difficult for malware to run in that context, and the user knows that they are on the Secure Desktop because the running applications are grayed out in the background, highlighting the dialog box running on the secure desktop.

When we conducted usability testing, we quickly learned two things: The first was that that the system asked for permission way too frequently; and the second was that C-A-D was confusing to most users, especially home users, most of whom associate C-A-D with bringing up the Task Manager. To address the first issue, we examined the system and carefully analyzed each situation to make sure that we were only asking for permission when it was really necessary. We also worked with application vendors to make sure that they do not require elevation to administrators except when it is really necessary. We looked at cases where an application tried to elevate to administrator mode when it wasn't really necessary and created compatibility updates that made the application think they were elevating without actually evaluating them, thus eliminating an elevation prompt.

The second issue was more difficult to address, since C-A-D is really the only way to make sure that you aren't being spoofed by malware. With that said, at the end of the day, we came to the conclusion that if we did not eliminate the need to hit C-A-D, then most users would likely just run as an administrator all the time, which was more of a security risk than the potential risk of a credential spoof. While C-A-D was disabled by default, we still ask for consent on the secure desktop so that the user knows that this is a special request from the system. In the end, while we left the C-A-D integration with UAC in the system, we disabled it by default. If a user wants to require the C-A-D sequence for UAC elevations, they can easily turn it on via group or local policy. Network administrators can also mandate C-A-D for UAC elevations via group policy. So, if you want to be more secure than the Windows Vista default, just turn on C-A-D for UAC elevations.

Note that UAC may not help you if you already have malware on your machine -- one more reason why we view it as a defense-in-depth security feature and not a hard boundary.

As I discussed above, we also wanted to allow users who wanted to be a local administrator to have that flexibility, but at the same time be safer than Windows XP. To do this, we created a mode of UAC called admin approval mode. In this mode (which is on by default for all members of the local administrators group), every user with administrator privileges runs normally as a standard user; but when an application or the system needs to do something that requires administrator permissions, the user is prompted to approve the task explicitly. Unlike the "super user on" function from UNIX that leaves the process elevated until the user explicitly turns it off, admin approval mode enables administrator privileges for just the task that was approved, automatically returning the user to standard user when the task is completed.

However, it should be noted that this functionality is primarily a convenience feature for administrators and not an explicit security boundary between processes that can be absolutely isolated. If an administrator performs multiple tasks on the same desktop, then malware may potentially be able to inject or interfere with an elevated process from a non-elevated process. Thus, the most secure configuration for Windows Vista is to run processes in two separate accounts, with only administrator tasks performed using an administrator account and all other tasks performed under the standard user account.

When we first designed admin approval mode as part of UAC, the default was to require the user to type in their password. (This was in addition to the CONTROL-ALT-DELETE (C-A-D) sequence I discussed above.) The feedback from usability testing here was the same -- essentially, users felt that having to type in their password for each elevation was too complex, as was having to hit C-A-D prior to provide consent. Again, the risk of having this complex (although more stringent) UI was that some customers might simply turn off admin approval mode and then use administrative rights without any protection or warning. Clearly the security risk with admin approval mode off was greater than the risk of the system being spoofed. So, although this is not foolproof, if someone is going to run in admin approval mode, it is clearly much better than Windows XP. In the end, while it's possible to require a password in admin approval mode, it is not required by default. It can be enabled by an end-user or set by a network administrator using group policy. See below.

Another great example of convenience vs. security is our strategy on enabling Data Execution Prevention (DEP) in Windows Vista. In simple terms, DEP treats data as data and code as code, and then blocks execution of any data content. The benefit of this is that if there is a vulnerability in the system (or in an application) that allows a data buffer to be overrun, with DEP enabled, it is harder for the attack to execute the malicious code that was placed in the data buffer -- thus blocking the attack. DEP is turned on by default for the kernel and it is a great way of protecting other parts of the system (like Internet Explorer) and applications from buffer overruns. Here is the problem: it turns out that there are some third-party add-ons that generate code dynamically and store the code in the data region (sometimes referred to as "jitting"), and there is no method for DEP to distinguish between these add-ons and malware. So you either have more security or potential application compatibility issues.

Here is the default for Windows Vista.

Note that you can turn on DEP for all programs and services if you want. This is clearly a more secure state, but it could create some application compatibility issues. I certainly recommend that businesses test to see if they can use DEP for all programs and services. In some cases it might be possible; in others it won't be (yet). There’s that tradeoff again!

Internet Explorer was a particularly difficult case because we certainly wanted IE to benefit from the protection afforded by DEP. But prior to the Windows Vista release there were compatibility issues with several well known third-party IE add-ons, so by default we could not enable IE to run with DE. It turns out that there are two pieces of good news here. The first is that it is possible for dynamically generated ("jitted") code to be DEP-compatible -- it just takes a few lines of new code (and an upgrade to the new code). We expect most third parties to update their add-ons to support this. The second piece of good news is that Adobe, whose Acrobat and Flash Player add-ins were previously incompatible with DEP, has updated their software to be compatible with DEP. (Be sure to get these updates.)

So although it is not the default today, you can turn on DEP for IE for the additional protection. Michael Howard wrote a great blog post on how to enable DEP in Internet Explorer 7 on Windows Vista.

I personally have enabled IE to use DEP on all my Windows Vista PCs and I would recommend that you do also if you want the added security. (Again, be sure to get the Windows Vista updates from Adobe.) I won't promise that all sites will work, but in my typical usage pattern everything works fine. Over time, as we work with more third parties to make their software DEP-compliant, I expect we will be able to turn on DEP by default for everything.

While we have configured the system to balance usability and security, as I noted above, we've also made it possible for home users and network administrators to make the system even more secure by enabling the features that we ended up turning off by default -- something that wasn't possible on previous versions of Windows. So what's my advice? I tend to think of this in terms of a good, better and best approach for both home users and enterprise customers.

For home users:

Good strategy: Make the first user account a parental account (even on a kid's machine) and protect it with a good password -- by default, this first account is in the local administrators group with administrator approval mode enabled. Subsequent user accounts -- especially for kids -- should be standard users. If a standard user (for example, a child) encounters the need to complete an admin task, the administrator (for example, mom or dad) can enter the proper credentials to complete the task. With the advent of fingerprint readers on most laptops, this may be as simple as swiping a finger. You should also use the Parental Controls feature in Windows Vista to help protect and restrict any accounts that kids use.
Better strategy: In addition to the steps for "good strategy," also require the password to be entered when an administrator elevates themselves to complete a task using admin approval mode. This makes it harder to spoof the system and also makes it extremely difficult for an unauthorized person to complete an admin task on a PC that is left unattended. By default, Windows Vista will lock the desktop after inactivity (if you leave the machine), and if you have a password, then it will be required to unlock the system -- one more reason why we recommend that you have a password on accounts in the administrator group. You may want to adjust the period of inactivity to be shorter if necessary. I also recommend that you enable DEP for Internet Explorer. In most cases, if you get the latest add-ins from Adobe, you will likely not have too many problems. If you do, it's easy to turn it back off if necessary.
Best strategy: If you are extremely concerned about security, then in addition to "better strategy," also require the C-A-D sequence for consent to complete admin tasks. This will provide additional protection to the system when an administrator is elevating him or herself using admin approval mode and also when a standard user needs consent from an administrator.

For business deployments:

Good strategy: The most basic step is to require all users who need administrator privileges for their roles or application compatibility requirements to run with admin approval mode enabled (which is the default). This provides a good transition to standard user, but provides a little leeway through the transition. (Note that I personally strongly encourage businesses to move to a "better" or "best" strategy instead of staying at a "good" strategy.
Better strategy: Require all (or most) users to be standard user. Many customers should move their end-users to standard user over time. When elevation must occur, require C-A-D before the administrator enters their credentials to complete a task. Also require administrators to enter their credentials in admin approval mode. As in the home user case, I also recommend that you enable DEP for IE, provided the appropriate testing is done before doing this. If you have internally-developed add-ons that don't work with DEP, consider updating them to make them compatible.
Best strategy: In addition to having most users run as standard users with C-A-D and passwords required for administrators using admin approval mode, do not allow over-the-shoulder elevations for end-users on the theory that any tasks that require local elevations (such as software installs or configuration changes) could be completed more securely using centralized management including group policy. For changes that must happen locally, the administrator can log on to a separate session (either at the system or remotely using Remote Desktop).

The true test of how secure any system will be in practice has as much to do with how it is deployed as it does with its architecture and code quality. And how the system is deployed has a lot to do with usability and convenience. (If you don’t lock your doors at night because it is too much of a hassle, the locks don't offer much security.) Our goal is that the most generally applicable security configuration (remember, this is a combination of architecture, code quality and usability) is deployed by default. We sometimes use defense-in-depth approaches when designing security measures instead of hard boundaries for this reason. We also know that there are certain customers who, even with a deep understanding of the usability issues, may choose to enable a more locked down system than we could ever ship by default. For these people, we provide great flexibility to turn on even more protections. What makes this even more complex is that given how broadly a product like Windows Vista will be used, some people may try to create sensationalist headlines by calling out some apparent "weakness." Before they do, it is important to remember that the design was more likely a deliberate design choice that was balancing some other factor such as usability or application compatibility, rather than an oversight.

jim

Family Safe Computing & Microsoft

Nick White — Wed, 17 Jan 2007 20:03:00 GMT

Hi all: I'd like to introduce you to David George, Director of Trustworthy Computing for Windows Vista and one of the individuals responsible for the Family Safe Computing initiative. David in this article gives an overview of the new Parental Controls and also a little insight into the philosophy behind their design. I hope it gives you a good idea of the span of control now available in Windows Vista and helps in putting the new features to work for you. -- Nick

As both a Microsoft employee and a parent, I am impressed with the focus on safe computing for families that Microsoft has adopted across our product platforms and services. With the release of the consumer versions of Windows Vista, Microsoft will have parental controls tools, family settings, or content controls across all of our major platforms (Windows Vista, Xbox 360, Xbox On-Line, Windows Live/MSN, MSTV, & Zune).

In my job as a Director of Family Safe Computing, I am lucky to have the opportunity to interact and work with child safety experts, law enforcement agencies, governmental leaders, family safety software providers, parents, and many private concerns on a global basis. Most believe that the family safe computing tools we already have released will have a very positive effect on empowering parents to manage their home computing environment based on their own family values, and will have the net effect of providing a safer computing environment for children.

In my discussions with thousands of parents on the topic of family settings or parental controls in their home computing environment, a common theme arises in two areas: safer interactions and safer content for their children. Much as in the real world, parents want to generally understand and know about the friends or contacts with which their children are interacting and monitor content that their children might view, interact with in a video game, or get access to through communications programs such as IM or email. That said, a very low percentage of the parents I have spoken with like the feeling of acting as the family cop – they simply want to understand their children’s interactions online, help them navigate the opportunities that come with computing today and maintain their own personal family values in the process. While most parents – about 80% according to studies -- have historically stated they have wanted parental controls on their home computers, actual adoption and use of these tools has hovered around the 10% - 15% range. There are many reasons why this could be the case, but it’s the lack of ease-of-use that has been the most common theme for not using the tools, even when they are already installed on the computer.

This is one of the main reasons I am excited about the release of family settings and the inclusion of parental controls with the consumer launch of Windows Vista. Ease of use, choice and flexibility will be apparent as the parental controls will actually be resident as a part of the account set-up process. As a parent is setting up their children’s user accounts on the computer they are asked if they would like the account to be “parentally controlled.” If the parent says yes, they will be taken to a parental controls “hub” to apply the settings for the account.

Here’s a walk-through of how Parental Controls works in Windows Vista:

Once you decide to apply the controls to the account you have the option to apply many different controls to the account including:

- Web filtering and content controls

Parents have the ability to set web restriction levels by high, medium, none, or custom all of which carry an explanation of the sites blocked as you click on the level. You can also custom block by 1 of 10 categories. It is easy to use as well as customizable to the parents needs. Parents also have the ability to block file downloads to the computer which can cause security, performance, or licensing issues.

- Games controls (tied into prescriptive guidance from the Entertainment Software Ratings Boards, or other global ratings boards or by single category)

The parent can block by the recommended levels of the rating board or custom block categories from blood and violence to nudity based on their own family needs.

- Time of use controls that control when a managed user can access and use the computer

If parents want to set a block of time that their children can use the computer for gaming or homework, etc., they can schedule this hour by hour for each day of the week.

- Auditing & monitoring

Parents can view the activities that their children are using the computer for from web sites visited to web sites blocked to most utilized applications. Also important is amount of time spent on the computer if you haven’t applied the times controls so that you can manage the amount of time your children are spending on the computer.

Parents will also have control over the applications that the parentally controlled account will use, so an example would be, if a parent would like to block their child from having access to P2P programs or IM, they could block that particular account from access to these applications.

A point to mention with all these tools is that they are readily apparent to the children and young adults that might be using one of the parentally controlled accounts. If a child goes to a website that has been blocked, they will receive a message on the screen that tells them they have been blocked from the site. We like to say that “Overt is better than Covert” in the case of family settings so as to drive better and more frequent conversations between the parents and their children in these regards.

Another important point to mention is that Microsoft has created an open development environment that let’s partners develop on top of our own parental controls platform, creating an even more robust solution set overall for consumers. At the consumer launch of Window’s Vista we will have four partners that are have solutions designed specifically to be ready to interact with the Windows Vista Parental Controls. The partners will be:

Safe Eyes - www.safeeyes.com
Contentwatch - www.contentwatch.com
IMSafer - www.imsafer.com
Pix Alert - www.pixalert.com

We fully expect dozens of partners in this area over the next 12-18 months with some very innovative solutions developed to help empower parents.

As education and awareness in this area is of utmost importance, Microsoft is also working with organizations globally to educate parents on how to better manage their home computing environments, protect their children in their computing endeavors, and educate themselves on how to best establish a safe computing environment for their families. From NCMEC, I-SAFE, FCC, Child Exploitation Online Protection Agency, Chamber of Commerce, GetNetWise.com, StaySafe.org, ECPAT.org, Microsoft is working with experts globally to educate parents and provide tools to keep families safe.

This is the first time that family settings and parental controls have been available in a Microsoft operating system and I hope that parents are as excited about the availability of the tools from Microsoft as I am about working to develop and introduce them to the market.

David A. George - Director, Family Safe Computing - Microsoft

Positive progess on security APIs

Nick White — Sat, 23 Dec 2006 00:12:00 GMT

Back in September, several of our security partners expressed concern over certain key technologies in Windows Vista such as Windows Security Center and Windows PatchGuard, a technology designed to protect the Windows kernel from advanced attacks such as rootkits. We were quick to respond to these concerns by providing our partners the needed APIs to enable their applications to affect the Security Center on Windows Vista PCs, thus giving them the option to pre-empt the appearance of multiple security pop-ups, which could have been confusing to some users.

Recently, we shared new plans for APIs again with our security partners, receiving positive feedback in regard to the original concerns they had expressed. eWeek’s Matt Hines reports on the positive feedback we've received this week. According to McAfee's chief scientist George Heron, much of the recommendations he submitted outlining McAfee’s concerns were given due consideration: "Microsoft included some of the recommendations we had submitted, and it appears they did a good job on those. Overall, McAfee is quite pleased with the path that Microsoft is taking."

Part of the impetus for this development was a push to be more open with our partners and to ensure that a dialogue occurred. Our Senior Program Manager Stephen Toulouse from the Security Technology Unit explained that MS and our partners were ultimately able to find common ground on concerns over PatchGuard once the technology's benefits were better understood.

As I've said before, we take feedback from our partners and customers seriously -- they came to us with concerns, we addressed them, and progress is being made that benefits both sides.