In 2002, Bill Gates announced the Microsoft Trustworthy Computing initiative, a companywide effort to make the Windows platform a fundamentally secure computing platform. On the client side, Windows XP Service Pack 2 (SP2) took an important step toward making Windows client platforms more secure by default. Windows Vista—the next version of the client OS, scheduled for release early this year—takes another major step forward in this ambitious project.
Since the initiative began, effectively protecting and securing computers and their data has become more challenging and more important. Over the past few years, Microsoft platforms and applications have remained favorite targets for malicious software (aka malware) attacks. The recently published Symantec Internet Security Threat Report shows, in fact, that in the first half of 2006, Microsoft Internet Explorer (IE) was the most frequently targeted Web browser, accounting for 47 percent of all Web browser attacks. (To get more information from the report, go to http://www.symantec.com/enterprise/threatreport/index.jsp.)
Adequately protecting a computer system from malware is a big task: It involves preventing malware from entering a Windows system, isolating malware if it intrudes, and, in case of an infection, limiting and remedying malware’s harmful effects. Currently, malware includes not only viruses, Trojan horses, and worms, but also spyware and rootkits. Table 1 presents an overview of the Vista security-related features that armor the OS against malware. In addition to built-in features, you’ll also need additional software—such as virus scanners—to appropriately protect your Vista platform from malware. (I don’t discuss these additional software products in this article.)
In this article, I look briefly at how Vista’s development increases its security and discuss some of its fundamental protections. I then explore specific features that isolate the OS, services, and data. I describe an important least-privilege feature that will surprise many Windows users and conclude with a review of additional new and updated security tools.
Building In Fundamental Protections
In Vista, Microsoft pioneers some malware-protection measures based not only on new features included in the OS, but also on how the company developed the OS. Let’s look at development first.
Vista is the first OS Microsoft developed according to its Security Development Lifecycle methodology. The Security Development Lifecycle’s primary goal is to improve the overall security of Microsoft software and make it more resistant to malware attacks. The Security Development Lifecycle defines a formal and repeatable methodology that all developers can leverage before they release code. Among its key elements are techniques for attack surface reduction analysis and measurement and guidance for least privilege and security testing. You can find more information about the Security Development Lifecycle at http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp.
A Vista malware-protection feature linked to software development and particularly to the development of Vista drivers is driver signing. Even though earlier Windows versions have had an unsigned driver detection mechanism to warn users when they’re about to install an unsigned driver, there were no driver signature checks on the kernel level. The new Vista driver signing can protect Vista from crashes and vulnerabilities that occur when malware installs or loads malicious drivers to run in kernel mode. Driver signing provides both identification and integrity protection for kernel mode drivers. Only properly signed and unmodified drivers are allowed to run in the kernel.
Another Vista malware protection feature that operates at the kernel level is Patchguard, which offers kernel patch protection. Patchguard can prevent kernel-mode drivers from extending or replacing OS kernel services and prohibit software from executing unsupported patches in the kernel.
Both driver signing and kernel patch protection are implemented only in the 64-bit versions of Vista. Microsoft found that implementing these protection features in the 32-bit Vista versions was difficult and potentially problematic for legacy systems. One factor in this decision was that most legacy 32-bit Windows drivers aren’t identified by digital signature. Also, quite a few legacy 32-bit drivers modify the Windows kernel for legitimate purposes (e.g., to detect buffer-overflow attacks) but in doing so use an unsupported interface or method. Implementing stricter control over these modifications in the 32-bit Vista versions could create major compatibility and performance problems for legacy systems. At the same time, the smaller installed base of 64-bit software and the fact that most drivers and applications for that base are still under development also let Microsoft make significant enhancements to the security of the 64-bit kernel.
Data Execution Prevention (DEP) is a memory-protection feature that guards against buffer-overflow attacks, a type of attack that malware often uses to compromise a computer system. During a buffer-overflow attack, malware tries to insert code into memory that's meant to hold only data and then execute it from there. DEP lets Windows mark certain memory locations as no-execute (NX). NX memory locations can contain data only: the processor refuses to execute instructions fetched from them, even if an attacker manages to place code there. DEP relies not only on OS-level support but also on a processor feature known as NX page protection. As of this writing, DEP is supported only on AMD Opteron processors for 32-bit and 64-bit Windows and Intel Xeon processors for 32-bit and 64-bit Windows. (Microsoft supports DEP in Windows Server 2003 R2 and XP SP2.) To check whether your system supports DEP, follow the procedure outlined in the Microsoft article “How to determine that hardware DEP is available and configured on your computer” at http://support.microsoft.com/kb/912923.
Address Space Layout Randomization (ASLR) is a related OS-level feature that makes it harder for malware to exploit a system function loaded in memory. Each time a Vista system boots, ASLR randomly assigns the DLLs and executables that implement system functions to different memory locations. This randomness keeps malware from predicting where a particular system function actually resides, so exploit code that hard-codes such an address is far less likely to work.
Vista includes important new features that isolate the OS, its services, and its data, making the platform more resilient to malware attacks. These features are the enhanced Windows Firewall, service hardening, and the inclusion of the Network Access Protection (NAP) client.
A properly configured personal firewall is an important first line of defense for isolating an OS and keeping malware from infecting computers and spreading across the network. Vista’s personal firewall—the Windows Firewall—is enabled by default and now provides both inbound and outbound filtering (earlier versions supported only inbound filtering). Outbound filtering can effectively prevent malware from communicating with other computers and fanning out to other systems across the network.
Windows services have always been a favorite malware target. Many services are always on and run in a highly privileged security context (e.g., by using the LocalSystem account). In Vista, Microsoft incorporates the notion of restricted services—that is, services restricted and isolated to a maximum extent. Vista’s services are restricted to using the fewest possible privileges: exactly what they need to do their job and nothing more. Vista’s services are also constrained in their communications. Vista implements service-specific ACLs on system resources (e.g., the registry, the file system) and per-service inbound/outbound access restrictions on the Windows Firewall.
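As an added example (not from the article), the script below inspects the service hardening just described for a few services: the per-service SID type and SID that Vista's service-specific ACLs and firewall rules refer to, and the privilege list the service is restricted to. It uses only the sc.exe queries that exist on Vista; the three service names are real Vista services used as sample input.

```powershell
# Added example: inspect Vista service hardening with sc.exe queries.
# Note: plain "sc" is a PowerShell alias for Set-Content, so sc.exe is used.
function Get-ServiceHardening {
    param([string]$Name)

    # qsidtype: NONE means no per-service SID; UNRESTRICTED/RESTRICTED means the
    # service gets its own SID (S-1-5-80-...) that ACLs and firewall rules can name.
    $out = sc.exe qsidtype $Name | Out-String
    $sidType = if ($out -match 'SERVICE_SID_TYPE:\s*(\w+)') { $matches[1] } else { 'unknown' }

    # showsid: the actual per-service SID derived from the service name.
    $out = sc.exe showsid $Name | Out-String
    $sid = if ($out -match '(S-1-5-80(?:-\d+)+)') { $matches[1] } else { 'n/a' }

    # qprivs: privileges the service may hold; everything else is removed from
    # its token at start-up. An empty list means no restriction was configured,
    # so the service keeps the full default privilege set of its account.
    $out = sc.exe qprivs $Name | Out-String
    $privs = [regex]::Matches($out, 'Se\w+Privilege') | ForEach-Object { $_.Value }
    if (-not $privs) { $privList = '(none configured: full account privileges)' }
    else { $privList = $privs -join ', ' }

    "Service    : $Name"
    "  SID type : $sidType"
    "  SID      : $sid"
    "  Privs    : $privList"
}

# Sample input: three Vista services (Windows Update, DNS Client, Event Log).
foreach ($svc in 'wuauserv', 'Dnscache', 'EventLog') { Get-ServiceHardening $svc }
```

Run the script from an elevated prompt on the machine you want to check; a service that shows NONE as its SID type and no configured privileges has not been hardened by the mechanisms the paragraph describes.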
NAP is Microsoft’s network admission architecture. NAP technology can ensure that only healthy machines connect to an organization’s IT infrastructure. In this context, a healthy system is one that isn’t infected by malware, has the latest antivirus and spyware-protection signatures installed, has the latest security patches installed, and has properly configured security settings. In addition, NAP can require strong user and machine authentication before letting a user and machine connect to a corporate network. NAP can also isolate unhealthy and unauthorized machines and heal them. For example, NAP can install the latest security patches, remove malicious code, and lock down a system’s security settings. The NAP client component is included in Vista and will be made available for Windows 2003 and XP SP2 clients. The NAP server component will be bundled with Windows Longhorn (code name of the next Windows server OS, to be released this year). In September 2006, Microsoft and Cisco jointly announced that they would work on an interoperability architecture for NAP and Cisco’s Network Admission Control (NAC), an architecture similar to NAP that’s built into Cisco’s network infrastructure products. For more information about the interoperability agreement, go to http://www.microsoft.com/technet/community/columns/secmgmt/sm0906.mspx.
Honoring Least Privilege
User Account Control (UAC), a least-privilege feature bundled with Windows Vista, is one of Vista’s most important security changes. UAC ensures that any user account that logs on to Windows (even accounts with administrator-level privileges) initially has only plain user privileges. Only when the account needs to perform a task that requires administrative privileges does Vista temporarily expand the account’s privileges. For more information about UAC, see my previous article, “Windows Vista’s Take on Least Privilege,” October 2006, InstantDoc ID 93300.
An important UAC property that significantly reduces the Vista attack surface is User Interface Privilege Isolation (UIPI). This property provides process isolation by ensuring that processes running in the security context of a limited account can’t interfere with processes running in the security context of a privileged account. UIPI protects against shatter attacks, during which malware that runs in the security context of a limited account leverages the Windows interprocess messaging system to inject malicious code into a process that runs in the security context of a privileged account. Shatter attacks have been possible in previous Windows versions because any process can send a message to any other process running on the same desktop, and Windows hasn’t provided source authentication for interprocess messages. And, too frequently, applications have been written to run in the security context of privileged accounts.
Another Vista UAC-related feature significantly reduces malware’s capability to execute in the security context of an account with administrator-level privileges: The built-in Administrator account is by default both hidden and disabled. Be aware that the task of making the Administrator account reappear, which is based on registry changes, isn’t trivial. This feature will definitely be a shock to many Windows users.
Adding and Updating Tools
In Vista, Microsoft adds and enhances a set of important malware-protection tools: Windows Defender, the Malicious Software Removal Tool (MSRT), the Windows Security Center, Automatic Updates (AU), and IE protection features.
Windows Defender is the real-time spyware-protection solution bundled with Vista. It’s a rebranded version of the GIANT AntiSpyware solution that Microsoft acquired in 2004. Defender continuously monitors OS resources (e.g., the registry, the file system) that spyware commonly abuses. If an application attempts to make changes to one of the monitored resources, Defender blocks the application and prompts the user to reject or allow the change.
MSRT is a small executable that scans a Windows system for occurrences of spyware and malware and automatically removes them. MSRT, which has been available as a separate download on the Microsoft Web site for a while, is now integrated with Vista, Windows Update, and AU. During an upgrade from XP to Vista, users will be invited to run MSRT. (Also, new versions of MSRT are now distributed through Windows Update and AU.)
AU is the Windows client-side component that ensures that a Windows platform stays tuned to the latest software and security patches. In Vista, AU is enabled by default, which means that it will automatically download the latest patches from the Microsoft Windows Update Web site. In Vista, AU also ensures the downloading and updating of two other key malware-protection technologies: the Windows Defender spyware-protection utility and MSRT.
The Windows Security Center, an engine Microsoft introduced in XP SP2, constantly checks the status of the Windows Firewall (is it enabled?), AU (is it turned on?), and the antivirus software (are the latest signatures installed?). In Vista, the Windows Security Center also monitors the spyware-protection software (are the latest signatures installed?), UAC (is it turned on?), and IE security settings (are they set to recommended levels?). The Windows Security Center also informs and prompts the user if a security item isn’t properly configured.
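As an added audit script (not from the article), the following PowerShell reports the state of the protections discussed in this article from the machine's own WMI, registry and COM interfaces: DEP availability and policy, UAC, the built-in Administrator account, the Windows Firewall's inbound and outbound defaults per profile, Automatic Updates, and the products the Security Center knows about. It assumes an elevated PowerShell prompt on the Vista machine being checked.

```powershell
# Added example: confirm the Vista protections rather than assume them.
$os = Get-WmiObject Win32_OperatingSystem

# DEP: hardware NX support and active OS policy
# (SupportPolicy 0=AlwaysOff, 1=AlwaysOn, 2=OptIn, 3=OptOut)
$depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"DEP hardware available : $($os.DataExecutionPrevention_Available)"
"DEP policy             : $($depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy])"

# UAC: EnableLUA = 1 means every logon token starts with standard-user rights
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"UAC enabled            : $($pol.EnableLUA -eq 1)"

# Built-in Administrator (RID 500) ships disabled on Vista; verify it still is
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE 'S-1-5-%-500'"
"Administrator disabled : $($admin.Disabled)"

# Windows Firewall defaults per profile (1=Domain, 2=Private, 4=Public).
# Action codes: 0=Allow, 1=Block. Vista's default outbound action is Allow,
# so outbound filtering only applies through explicit block rules unless the
# default is changed to Block.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$profileName = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
foreach ($p in 1, 2, 4) {
    $state = if ($fw.FirewallEnabled($p)) { 'on ' } else { 'OFF' }
    $in    = if ($fw.DefaultInboundAction($p)  -eq 1) { 'block' } else { 'ALLOW' }
    $out   = if ($fw.DefaultOutboundAction($p) -eq 1) { 'block' } else { 'allow' }
    "Firewall {0,-7}        : {1} inbound={2} outbound={3}" -f $profileName[$p], $state, $in, $out
}

# Automatic Updates (NotificationLevel 4 = download and install on a schedule,
# 1 = disabled)
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
"AU notification level  : $($au.NotificationLevel)"

# Products registered with the Security Center (root\SecurityCenter2 on Vista)
foreach ($cls in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
    $prods = Get-WmiObject -Namespace root\SecurityCenter2 -Class $cls -ErrorAction SilentlyContinue
    if (-not $prods) { "$cls : none registered" }
    foreach ($prod in $prods) { "$cls : $($prod.displayName)" }
}
```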
Finally, Microsoft added several new malware-protection features to IE 7.0, which is bundled with Vista. These features include a phishing filter and better protection against malicious ActiveX controls. For more information about the new IE 7.0 features, see Jeff Fellinge’s article “Get Ready to Bump Up Security with IE 7.0,” February 2006, InstantDoc ID 48822.
Investing in Security
Microsoft is taking security in general and the battle against malware in particular seriously, as the many malware-protection features and enhancements in Vista show. Vista has already become a favorite target for malicious attackers. If any security features in Vista can be circumvented, attackers will discover ways to do so. (For an example of this phenomenon, see http://www.internetnews.com/security/article.php/3624861.) Nevertheless, Microsoft’s investment in methodologies such as the Security Development Lifecycle will make attackers’ lives more difficult.