“Some of what we’ve done with Vista is really about getting the fundamentals right to build an inherently more secure product,” says Scott Charney, vice president of Trustworthy Computing for Microsoft.
Though there is little doubt among security insiders that Vista is Microsoft’s best effort to date when it comes to securing a platform, some experts have reservations about whether the improvements will be enough to truly impact the state of security within the enterprise. And others have complained about some of Microsoft’s methods to achieve a higher level of security. Even before the release of the OS, debate has brewed over a kernel patch protection mechanism that has locked security companies from the operating system’s kernel code. And overall, security experts are quick to point out that no matter how many improvements are made to Vista’s security, there will always be vulnerabilities and a need for third-party security solutions.
“Microsoft Vista is never going to be the end-all security solution,” says Richard Jacobs, CTO of Sophos. “Vista is not going to be without its own vulnerabilities, which will be identified over time.”
In spite of the early battering, Microsoft remains confident that Vista’s improvements will speak for themselves once the migrations from older Windows versions begin.
“With Vista what we are delivering is what the feedback has asked for — the most secure and reliable version of Windows yet,” says Stephen Toulouse, senior product manager of Microsoft’s Security Technology Unit. “There’s a number of these features that are fundamental to the baseline security of the operating system. We’re completely changing the way we’re engineering our products.”
Most security practitioners understand that securing anything — be it a network, a facility or an application — is never a speedy process, so it probably comes as no surprise that the improvements made in Vista have been a long time coming. At their root, the changes made to Windows have their origins in a company-wide email Bill Gates sent out five years ago this month. The now famous missive laid the philosophical groundwork for what would become Microsoft’s Trustworthy Computing initiative.
Microsoft brought Charney on board just a month after Gates sent that memo, with the express purpose of breathing life into the initiative. Since then, he has led the cultural revolution at the company to improve the four pillars of Trustworthy Computing: security, privacy, reliability and business integrity.
“We’ve done a lot of work in all four pillars, but I can say quite clearly that security has gotten the most focus,” Charney says. “I think we’ve made a lot of progress. People have a lot more faith in our products than they did five years ago when I started. I think people understand that Microsoft has a lot of commitment in trustworthy computing, and they are seeing changes in our products and in our services.”
Charney believes that Vista will be the most visible indicator of his work so far. “Vista brings a lot of security, privacy and reliability — classic TWC features — to the client operating system.”
Trustworthy Computing is the initiative that made the culture at Microsoft ripe for a change in the underlying processes that produce flagship products like Windows. Executives say that critical to Vista’s improvement was the development several years ago of the Security Lifecycle Development (SDL), a process developed by Microsoft security experts, such as Michael Howard, to embed security concerns in the product lifecycle.
“Vista is the first client operating system to go through the SDL and be focused on threat mitigation throughout development,” Charney says.
Logistically, SDL put security at the forefront from the earliest stages of Vista development. At its root, the idea behind the improved process was not to chase the impossibility of perfect code, but instead to mitigate risks by lowering the number of bugs in the code and the severity of those bugs that remained.
“The product itself underwent basically the largest penetration testing effort of any commercial software product in history,” Toulouse says. “And security researchers have had unprecedented input into the design of the product. But having said all that, we certainly understand there’s going to be updates to Vista. As a result of the whole cultural shift of Trustworthy Computing, the goal is that to the extent that there are updates, there are fewer, and those have far less impact to the customers.”
Charney explains that the SDL’s fundamental tenet is what Microsoft calls SD3: secure by design, secure by default and secure by deployment.
The first aspect is most fundamental, and includes the rigorous testing of code and the creation of threat models during development. The second aspect relies on architecting the software so that default settings are less vulnerable — for example, Vista is the first iteration of Windows that sets user access controls so that machines aren’t set at administrator levels by default. And the third aspect includes improvements in the automatic patching process and management of security within the OS.
All of this, says Toulouse, should help create multiple layers of defense that should have a synergistic security effect.
“There is no one silver bullet, and that was the approach we took with Windows Vista,” he says. “There’s a lot of people out in the security space that say, ‘Oh, if you just do this,’ or ‘If you just do that, customers will be protected.’ What we decided with Windows Vista is that knowing full well that you can’t ever get the code 100 percent right — no one does — to make the software more resilient across multiple layers.”
Security as a value add
Though sometimes jaded about Microsoft’s security practices because of past traumas, many IT practitioners and analysts believe that Vista truly will mark a turning point for Microsoft.
“The bottom line is that we think that Vista is going to bring about fairly dramatic security benefits to Windows users,” says Andrew Jaquith, the program manager for Yankee Group’s Enabling Technologies Enterprise group. “They’ve really put a lot of effort into improving the operating system in a very basic way.”
In a recent poll conducted by CDW Corp., a leading provider of technology products and services, the majority of IT decision-makers familiar with Vista rank security as their biggest driver for adopting the new version of Windows. Even the security community, which is known to rarely pull punches on Microsoft, has responded relatively favorably to Microsoft’s overall approach to Vista.
“It’s a very good thing that Microsoft has spent a lot of effort on security in Vista,” says Ari Hyppönen, CTO of F-Secure, a Helsinki-based vendor of products to ward off computer viruses and other threats coming through the internet or mobile networks. “Vista will be much more secure out of the box than any previous version of Windows. The biggest improvements are not very visible as they spent a lot of time securing their code. But the system is more secure.”
Controversies over PatchGuard
However, all of this early enthusiasm does come with some reservations. Jaquith, for instance, worries that new features, such as User Account Control, are onerous to use and could prompt users to turn them off. And many security professionals, such as Hyppönen, are quick to remind anyone who will listen that Vista’s bolstered security is no replacement for strong third-party security solutions.
“Vista will be the most secure Microsoft operating system today, but it won’t be good enough without a security package,” he says.
Even Microsoft executives concur with this sentiment. Charney cites the need for additional security solutions as one of the reasons why Microsoft threw its hat into the security ring last year with its own offering, Windows Live OneCare.
This entrée into the niche has not been without some controversy, as some security vendors have complained that Microsoft has already thrown roadblocks up for its competitors with a new feature in Vista. In its effort to protect against the growing threat of rootkits, Microsoft integrated a new feature called PatchGuard into its 64-bit version of Vista. The mechanism acts to block access to the kernel’s code and prevent applications from changing the kernel while it is running.
But many high profile security companies, such as Symantec and McAfee, have complained vociferously that not only is Microsoft blocking the baddies with this new feature, they’re keeping security software vendors out as well. Some executives believe the locking down of the kernel is part of Microsoft’s gambit to corner the security software market now that it has launched OneCare. Ultimately, they claim, the move will hurt users.
“In the enterprise scenario, PatchGuard ultimately prevents us from getting deep into the core of the operating system,” says George Heron, chief scientist for McAfee. “By not being able to monitor some of the data in the critical memory areas and the operation of that core, we’re not able to detect a certain class of malware that Microsoft is frankly not able to do now.”
Though Microsoft has offered to provide application programming interfaces (APIs) to grant limited access to the kernel, vendors have received no timeline for delivery, and Gartner predicts that they won’t be delivered until 2008. Heron worries that, once delivered, they will be too little, too late.
“I worry because offering up a token API or two or three is very likely not going to be enough,” Heron said. “It might sound OK to the public, but from a technical perspective, visibility through one peephole to the kernel is not going to suffice because malware has the tendency to hide in all of the dark corners of the basement of the operating system.”
Some security vendors, however, don’t understand what the fuss is all about. Ross Brown, the CEO of eEye Digital Security — a leading developer of endpoint security and vulnerability management software, and a company that often hammers Microsoft during zero-day incidents — said that Microsoft is simply delivering extra value with PatchGuard. He believes that McAfee and Symantec not only need to learn to deal with the new system that Microsoft is delivering, but that their old methods of protection were never delivered the right way in the first place.
“They cheated with their anti-virus because they used kernel hooking,” Brown says. “That’s not the way to do it. They have to go wide and figure out how to add value, not sit around and complain about antitrust implications.”
Readjusting to the ecosystem
Ultimately, Charney believes that the complainers need to readjust to the new ecosystem that Microsoft is providing for users. He says that these security vendors are putting Microsoft in a difficult position by asking for things to be reverted back to the way they used to be.
“Do you leave it open and leave the world at risk, or do you make one of these fundamental shifts in security, recognizing that there will be some backward compatibility issues, and that the ecosystem will have to adjust?” Charney said. “It seems to me that just leaving everyone at risk isn’t the answer. At the end of the day, we have a fundamental choice and it doesn’t seem [Symantec and McAfee] are thinking about how the security model has to change to reflect the threat models.”
Toulouse concurs that Microsoft is doing what it believes is right for the users, even in the face of some resistance from the vendors. The initial complaints are to be expected; they’re growing pains, he says. But he believes that as the industry matures the complaints will die down.
“I think there is just some resistance to change, but the reality is that the world is evolving. The threat model is evolving, our products are evolving to be more secure, and security software is going to have to evolve. We believe there is a lot of great opportunity out there.”
Some industry experts say, however, that the true opportunity remains to be seen. According to Helmuth Freericks, CTO of Authentium, a Palm Beach Gardens, Fla.-based developer of security software-as-a-service (SAAS) technologies and systems, comments like Charney’s and Toulouse’s smack of condescension.
“Right now they claim there is room for everybody, but as long as you play by Microsoft’s rules,” Freericks says. “We don’t want to play by Microsoft’s rules, we want to play by general industry rules. Just give us an environment, then we’ll protect it. Don’t tell us how to do it. We have many, many years of experience in the security space, much longer than Microsoft. We are responsible people. We know how to do this and we know how to do it well.”
Vista security features
1 User Account Control: Users are no longer given administrator rights by default.
2 PatchGuard: In Vista’s 64-bit version, the kernel is locked down and protected from changes while running.
3 BitLocker: Whole-disk encryption capability may prevent a lot of lost-laptop heartache — keys can be stored on Trusted Computing Module-enabled hardware or on USB drives.
4 Address Space Layout Randomization: By default, Vista randomizes where certain code is loaded in memory, removing the predictable addresses that attackers previously relied on.
5 Windows Security Center: Akin to Device Manager, Security Center is designed to help users manage the security software on their systems — designed with the consumer market in mind.
— Ericka Chickowski
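A quick way to confirm on a given machine which of the five features above are actually in force, as an added example that is not part of the original article. It assumes an elevated Windows PowerShell prompt (the BitLocker WMI class needs administrator rights), and the ASLR check relies on the assumption that an absent MoveImages value leaves Vista’s default randomization in place.

```powershell
# Added example: posture check for the Vista security features listed in the sidebar.
# Assumes an elevated Windows PowerShell session on Vista or later.
function Report($Feature, $State) { Write-Output ("{0,-28} {1}" -f $Feature, $State) }

# 1. User Account Control: EnableLUA = 1 means UAC is switched on (the Vista default).
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Report 'User Account Control' $(if ($policy.EnableLUA -eq 1) { 'on' } else { 'OFF' })

# 2. PatchGuard ships only in 64-bit Vista, so the OS architecture decides whether it applies.
$os = Get-WmiObject Win32_OperatingSystem
Report 'PatchGuard (x64 only)' $(if ($os.OSArchitecture -like '64*') { 'applies' } else { 'n/a on 32-bit' })

# 3. BitLocker: Win32_EncryptableVolume.ProtectionStatus is 1 when protection is on, 0 when off.
$vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
if ($vols) {
    foreach ($v in $vols) {
        $state = switch ($v.ProtectionStatus) { 1 { 'on' } 0 { 'OFF' } default { 'unknown' } }
        Report ("BitLocker " + $v.DriveLetter) $state
    }
} else {
    Report 'BitLocker' 'not available (edition lacks it, or session not elevated)'
}

# 4. ASLR: Vista randomizes by default; a MoveImages value of 0 under Memory Management
#    disables it system-wide. Assumption: a missing value means the default (randomized).
$mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Report 'ASLR (MoveImages)' $(if ($mm.MoveImages -eq 0) { 'OFF' } else { 'on (default)' })

# 5. Windows Security Center: antivirus products registered in the SecurityCenter2 WMI namespace.
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if ($av) {
    foreach ($p in $av) { Report 'Security Center AV' ($p.displayName + ' (state ' + $p.productState + ')') }
} else {
    Report 'Security Center AV' 'none registered'
}
```

Any line reporting OFF is a setting a user or installer has changed away from the secure default the article describes, which is exactly the drift Jaquith warns about.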
HYPE VS. REALITY:
Does it really matter yet?
Both the positive and negative hype surrounding Vista security has reached fever pitch on the eve of the product’s final release to market. But some wonder whether most IT managers should even pay much attention to the circus atmosphere just yet. According to some experts, until Vista is widely deployed within the enterprise, its security isn’t going to matter a heck of a lot.
Microsoft has projected brisk adoption rates — up to 20 percent by the beginning of next year. But the analysts aren’t biting. Those with IDC predict that at the one-year mark, 11 percent of businesses running Windows will adopt Vista.
The projection by Gartner analysts is even more conservative, expecting only a 10 percent adoption rate in a year-and-a-half’s time.
— Ericka Chickowski