Microsoft appears to be taking security far more seriously with the successor to Windows XP. But has it done it right? Mark Mayne reports.
After a long wait, the successor to Microsoft's Windows XP operating system is nearly here, and it's certainly making a lot of noise after being quiet for so long. Initial beta testers report funky new graphics and enhanced user-friendly functionality, but what of the security? Microsoft solemnly pledged to upgrade its security after years of bad press and worse exploits, but even the software giant concedes there is no “silver bullet that can address every current and future security threat”. So what has Microsoft actually done, and how does the industry view the changes?
The new Vista is a very different animal to the familiar XP, a dramatically altered architecture giving a noticeably larger OS footprint, with more than a nod in the promised security direction.
Microsoft has clearly paid attention to its critics and really gone to town on security. Features such as User Account Control (UAC), which stops users from constantly running as administrators, and Windows Service Hardening, which performs a similar task with the services themselves, have both been well received.
“UAC is a really useful means of tying down user privileges, which has not been addressed fully before. UAC is the company's big push to reduce the platform's overall attack surface and enforce the principle of least privilege,” says Alan Coburn, managing consultant at dns.
The move from 32-bit to 64-bit should also bring security gains for Vista users, because Kernel Patch Protection and Mandatory Driver Signing should render rootkits useless by demanding a genuine, easily checkable digital signature – a good move if it works in practice.
One addition has caused controversy in the industry. The inclusion of anti-spyware and intrusion detection in the Windows Security Center – the so-called Windows Defender and Windows Firewall – has been interpreted by some analysts as a death-knell for third-party desktop security applications.
Yankee Group Research recently reported that: “Vista's built-in spyware capabilities will be more than sufficient for the vast majority of enterprises… the functionality provided by Microsoft will be good enough to obviate the need for most third-party firewalls.”
But, as ever with Microsoft, the proof will be in the pudding.
The recent US launch of OneCare, a subscription-based, managed anti-viral, anti-spyware and firewall package, shows Microsoft's future intentions in this area for home users, but has the enterprise been fully satisfied? Microsoft itself admits that this might not be the case at first: “Home users are more likely to become excited about this technology; the security benefits to them are fairly clear,” says Microsoft's IT professional evangelist, Stephen Lamb.
“Businesses will take a ‘look and see' attitude,” agrees Andrew Jaquith, the analyst behind the Yankee Group report. “Both Firewall and Defender have a home-user focus, and will really impact on this market. The SME market might also see some uptake.”
The third-party security companies in question, such as Kaspersky Labs, seem less concerned. David Emm, senior technology consultant, believes that businesses will be fairly cautious about installing Microsoft security as their sole defence. “Enterprises will be wary of end-to-end Microsoft solutions, just as they are currently inclined not to use just one third-party provider. I'm not convinced of the import of this move, but to say it will have no impact is ridiculous. It will set the bar for the security market higher, and will force existing vendors to shape up.”
Graham Cluley, a senior technology consultant at Sophos, also takes a philosophical view: “Vista will certainly make our job easier. It's well worth remembering that the top ten viruses at the moment are all fairly old ones. This is because some home PC users haven't updated their virus checkers, or run the latest OS patches. This is an issue for enterprises, however, because these machines flood business networks with useless traffic. Vista should help stop a large proportion of this.”
After some neglect, Internet Explorer 7+ has finally been revamped, with a new phishing filter, sandboxing, ActiveX opt-in and visual warnings of trusted sites. Critics say it is now very similar in functionality to Mozilla's Firefox. Microsoft's Lamb admits there has been a delay between releases, and that Explorer was “behind other browsers”, but points to the now-increased security with pride.
Cluley thinks Microsoft might have a winner here: “We have seen Firefox penetration slowing, holding steady at around 15 per cent. Those that are going to adopt it have done so, but the ‘great unwashed' simply haven't. This market is likely to be impressed with the functionality of IE 7+ when they get their hands on it.”
Vista has built-in BitLocker Drive Encryption, a drive encryption tool designed for use on hardware using the Trusted Platform Module (TPM).
Coburn is very keen on the TPM: “Microsoft is beginning to implement some of the features of the much-touted Next-Generation Secure Computing Base (NGSCB) that it made a lot of noise about a couple of years ago. I can see this being really useful for companies with mobile workers using laptops. Mobility can be a very serious issue in security terms – Microsoft is moving towards providing something genuinely useful here. That said, any company with very sensitive data on their laptops should already have sourced a highly specialised third-party solution, which will probably suit them more than Microsoft.”
It is also worth pointing out that full-volume encryption might be a dangerous tool in the hands of users who are not technically savvy. Although BitLocker does produce an emergency data recovery key during the initial set-up, this key must be stored off the PC, for obvious reasons: if the TPM or disk fails and the key was only ever on the encrypted volume, the data is unrecoverable. Failure to do so will cause serious problems, and Microsoft itself admits there is a balancing act here.
BitLocker will only be available to enterprise customers and those home users running the ‘Ultimate' edition Vista – designed for those who understand the technology under the hood. Lamb points out that the feature should be used with a certain amount of care: “This is very much a compromise between how much security you have and need, versus how much time you have to administer and manage it.”
Overall, the OS is likely to divide the industry both before and after its enterprise release date of November 2006, and consumer release in the first quarter of 2007. In spite of the time and effort Microsoft has obviously invested in security, it is possible to go too far in this direction, as Simon Heron, technical director at Network Box, points out: “The constant opt-in/opt-out pop-ups are a real pain to live with – it's the boy who cried wolf all over again. I fear one issue is that Microsoft won its giant market share by being very easy to use, but not particularly secure. Now it has tried to go the opposite way, becoming less easy to use, but safer – it's a call for social change, and I wonder if customers will still buy into it?”
There are more weighty issues too – the sandboxing features in Internet Explorer 7+ are doubtless secure, but will also take a chunk of processing power to run. Norton has a sandboxing product, which is said to take up 10 per cent of the processor – a sizeable weight to carry.
Additionally, the BitLocker technology, while it is impressive in theory, will cause hardware problems. The TPM hardware required for BitLocker is version 1.2 – on public release less than six months ago. This adds a large hardware cost to any enterprise considering a Vista upgrade in order to use that functionality.
Jaquith points to a related issue with Vista itself: “Vista's required hardware footprint in itself is very hefty, and many enterprises will need to invest in new hardware to implement it. This changes the decision criteria somewhat, and will play its part in limiting the initial adoption of Vista. Microsoft predicts 400m versions will be rolled out in the first 24 months – I think this is a rather optimistic estimate.”
Hardware costs aside, there are bound to be glitches and fixes with a totally new OS, especially in one this large and complex. This should slow business adoption in the short term until the platform is seen to have stabilised.
Heron points out: “It makes good business sense to let other people do your beta testing for you as much as possible. I believe that business users will wait until late 2007 at least, certainly until a full-service pack has been delivered. Vista will be particularly vulnerable to patching – it's just so big. We'll be seeing a lot of patches during the coming months.”
Cluley agrees: “Many business users are happy running XP with Service Pack 2 (SP2), and some are still using 98 or NT. It will take a lot to convince these companies to institute a major upgrade to Vista. We'll see home users adopting in the short term, due to the enhanced security features. Business will wait a while – they will need to evaluate the whole package properly.”
As Microsoft says, there can be no silver bullet for security, and although Vista's security seems a useful step, you can be certain that there will be flaws, as there are in any software of similar size and complexity. The trouble with Vista is that literally millions of desktops will be running it within the next year or two, thus making it the most obvious target for purely theoretical crackers and financially motivated hackers alike.
Home users will be easily convinced by the new functionalities and “safer” tags, while businesses will lag behind, maybe waiting until their hardware needs to be refreshed and the software is generally accepted to be bug-free. Remember, many businesses have only recently adopted XP SP2, which most in the industry regard as a reliable and relatively secure package.
Change for these companies will be much longer coming. Eventually, though, most current Windows users, both enterprises and individuals, will find themselves upgrading to Vista simply because it is the new Microsoft OS, and support for older versions of Windows will gradually fade away. It only remains to see just how long that upgrade process will take.
How Microsoft has built in security to Vista
The Security Development Lifecycle
Windows Vista is the first version of Windows to be developed from start to finish using Microsoft's Security Development Lifecycle. The SDL is a process of secure design, coding, testing, review and response which Microsoft claims will help remove vulnerabilities and minimise the “surface area” for attacks, improving system and application integrity. Key features of this are marking up all buffers in the code to assist automated analysis tools and extensive fuzz testing.
Windows Service Hardening
System services typically run with the highest possible system privileges, and have been targeted in the past by worms such as Slammer, Blaster and Sasser. Vista's Windows Service Hardening restricts services to run with the minimum system privileges possible, reducing the number of highly privileged services that malicious code can exploit.
Data Execution Protection (DEP)
Buffer overflows have been a popularly exploited weak point, but are becoming harder to exploit due to the greater availability of systems that support DEP, which uses hardware support to block attempts to execute code injected into a running process. This facility has been in Windows since XP SP2, but is likely to take a prominent role in Vista.
64-bit security enhancements: kernel patch protection and mandatory driver signing
As Windows moves from 32-bit to 64-bit (Vista onwards), kernel-level code will have to be digitally signed with a certificate that chains to a trusted certificate authority. This will only be active in 64-bit versions, but should render most current rootkits redundant.
User account control
The basic user account in Vista will be restricted, so it cannot authorise the installation of applications. If higher privileges are required, the user will be prompted for the credentials of a sufficiently elevated account.
New log-on architecture
All-new architecture should support stronger authentication systems, such as biometrics and smartcards.
Internet Explorer 7+
Comes with a slew of improvements, such as visual warnings of unsafe sites/settings, a phishing filter, protected mode (where most dangerous permissions are removed), and ActiveX opt-in.
Windows Security Center
Microsoft's bundled security centre now includes anti-spyware application Windows Defender and a firewall. The Vista firewall is turned on by default and now includes both inbound and outbound filtering. It also restricts OS resources if they behave in unexpected ways, which is one common indicator of the presence of malware.
BitLocker Drive Encryption
BitLocker Drive Encryption can encrypt the entire Windows volume, using the Trusted Platform Module (TPM) to protect the encryption key, and allows the recovery key to be stored on a USB key or in a separate text file. BitLocker can also lock the boot process until the user supplies a PIN code or inserts an appropriate USB drive.
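As an added example (not from the article or from Microsoft), the following PowerShell script reports on the state of the protections the sidebar lists, so an administrator can check what a Vista-era machine actually has turned on: UAC, DEP, 64-bit (where kernel patch protection and driver signing apply), services still running as LocalSystem, the firewall, Windows Defender and BitLocker. It assumes an elevated prompt, the standard Win32_OperatingSystem, Win32_Service and Win32_EncryptableVolume WMI classes and the netsh advfirewall command; the report layout is ours.

```powershell
# Added audit script: summarises the Vista security features discussed above.
# Run from an elevated PowerShell prompt; read-only, changes nothing.
$report = New-Object System.Collections.Specialized.OrderedDictionary

# User Account Control: EnableLUA = 1 means UAC prompts are active
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$report['UAC enabled'] = ($pol.EnableLUA -eq 1)

# Data Execution Prevention: hardware support and system-wide policy
# SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut
$os = Get-WmiObject Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$report['DEP hardware support'] = [bool]$os.DataExecutionPrevention_Available
$report['DEP policy'] = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

# Kernel Patch Protection and mandatory driver signing only apply on 64-bit
$report['OS architecture'] = $os.OSArchitecture

# Windows Service Hardening: how many running services still run as LocalSystem
$running = @(Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' })
$asSystem = @($running | Where-Object { $_.StartName -eq 'LocalSystem' })
$report['Running services as LocalSystem'] = "$($asSystem.Count) of $($running.Count)"

# Windows Firewall: count profiles whose state is ON (netsh output parsed loosely)
$fw = netsh advfirewall show allprofiles state
$report['Firewall profiles ON'] = @($fw | Select-String 'State\s+ON').Count

# Windows Defender service (WinDefend) present and running?
$def = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$report['Windows Defender service'] = if ($def) { $def.Status } else { 'not installed' }

# BitLocker: ProtectionStatus 0 = off, 1 = on, 2 = unknown, per encryptable volume
$vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
$blNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
foreach ($v in @($vols)) {
    $report["BitLocker protection on $($v.DriveLetter)"] = $blNames[[int]$v.ProtectionStatus]
}
if (-not $vols) { $report['BitLocker'] = 'not available on this edition' }

# Print the findings as an aligned table
$report.GetEnumerator() | ForEach-Object { '{0,-38} {1}' -f $_.Key, $_.Value }
```

A large LocalSystem count or a DEP policy of OptIn on a server is a prompt to look further; the script reports state and does not change it.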
Case Study: Johnson King PR
As the managing director of Johnson King PR, Mike King currently runs Windows XP SP2 for his 20 London employees, as well as a further 12 in Paris and Munich. What's his reaction to Microsoft's newest baby? “I'm pretty happy with XP SP2 – it's certainly one of the best versions of Windows so far, in that it doesn't fall over all the time! It's what I'd call ‘business quality' – it's robust and does what it's supposed to do the vast majority of the time.
“Unsurprisingly, having said that, I'm fairly resistant at the moment to upgrading to Vista. It's hard to make a business case for doing so. XP does what we want at the moment, so why bother? I realise eventually we will have to, but I'm very keen not to be an early adopter. Microsoft has a bad reputation for shipping buggy software to begin with.”
Mike is unswayed by the promised security functionality in Vista. “It's one thing having the functionality, and another to actually trust it in the real world. We currently use a range of different third-party providers for our anti-virus, spyware, anti-spam and firewalls, mainly because this is the way historically it has always been – why chuck all these tried-and-tested solutions out the window for Microsoft?”
Although he confesses to liking some of the more user-friendly front-end Vista apps, he is less keen on the inevitable hardware toll these will exact. “It's a bit annoying to sit here surrounded by working machines knowing that soon they will all need to be replaced along with the software. The cost of machine upgrades isn't the real issue, as prices have dropped so much, but it's a real investment in time and effort to do. I think it's best avoided until absolutely necessary.”
Overall, Mike reckons he might consider the upgrade “sometime in the next few years”, but will wait until the new OS has been proved stable and relatively tried and tested.
“I'd certainly wait until the security aspect has been fully tested in the public domain. Microsoft will have to really get it sorted, and prove the security enhancements effective, before I'd consider upgrading. I'd have thought anyone making a business decision about upgrading would think the same way,” he says.
The SC View: Security or usability?
Much has been made of the security pop-up messages that have plagued betas of Vista, requiring constant admin permission for even basic tasks. It is likely Microsoft will address this in some way before the final RC is cut, but we have already seen one iteration of this play out, and badly.
If you have done an email mail merge using contemporary versions of Microsoft Word and Outlook, you will have encountered this very phenomenon. Office takes steps to prevent viruses and spam bots: first it pops up a warning that Word is, possibly suspiciously, trying to control Outlook, and offering the user options to deny this or to allow it for up to ten minutes, no more. Then, every single email pops up another message with a similar warning, requiring confirmation. What's more, the OK button in those warnings is disabled for five seconds, presumably so the user can think carefully about what they are about to do. And trust me, after you've waited five seconds for each of a thousand messages, you will have thought long and hard about it.
This is a perfect example of a security mechanism becoming a hindrance to productivity. And so, of course, users will find ways around it. They might download ClickYes, a tool that defeats the Office warnings and allows unhindered mail merges via Word and Outlook but, of course, may also open the door to malware doing exactly the same thing (and if ClickYes can do it, why can't malware?). In other words, the security mechanism has forced people to become less, not more, secure, simply in order to do their job. From every angle, it is a total failure.
If Vista ships with its current slew of security pop-ups, it will surely be only a very short time until someone ships a tool to bypass them. This comes on top of the existing concern that users are being trained to just click yes to every security warning, because otherwise something breaks (like that mail merge), or it keeps popping up.
Microsoft is between a rock and a hard place on this one. Clamours for strong security cannot be ignored, but this is one tactic that could play out badly, from both a usability and security perspective.