Your Vista Game Plan
An early, well-planned move to Microsoft’s new OS could be the answer to enterprise security challenges.
May 2007 • by Peter Varhol
Regardless of your personal or professional opinions of Windows Vista, you know you’ll be running it sooner or later. Uptake on new desktop operating systems tends to be slow, with just over 50 percent of enterprise desktops running them in the first five years, according to industry analyst firm Forrester Research Inc. Most may choose to upgrade gradually, in line with new client hardware, while some may wait until the next planned upgrade cycle.
In Vista’s case, there may be good reasons to accelerate adoption, rather than waiting for the next scheduled upgrade cycle. Security and integrity are two of the most prominent reasons. Enterprises that are at a significant risk, given the value of their applications or data, may be attracted to its ability to provide better safeguards. Vista’s higher levels of integrity are also likely to make it more resistant to attack.
Still, there are doubters. Forrester security analyst Natalie Lambert says that the security features are a boon for consumers. While helpful in the enterprise, they will still be supported by third-party products. “Enterprises will still use virus checkers and spam blockers to supplement Vista,” she explained. “The new security features have to be weighed against the cost of upgraded hardware. For many, it makes sense to move to Vista with the next hardware upgrade, not sooner.”
So when does it make sense to upgrade? Vista will almost certainly be the mainstream OS within a few years. Is it worth the hardware and administrative costs to achieve higher levels of security or integrity, or should migration occur on the same schedule as previous OS upgrades?
Stephen Toulouse, Senior Product Manager, Trustworthy Computing Group, Microsoft
The Keys to Lockdown
Microsoft has undertaken a formidable task trying to secure Vista. Security is not achievable in an absolute sense, and you don’t achieve added security without cost. That cost is typically measured in the quality of the user experience. Microsoft’s ambitious — some would say unrealistic — goal is to improve both security and user experience.
Microsoft has also labored under legacy burdens that aren’t easily swept aside. Those burdens include the sizeable Windows code base itself. The company builds new Windows versions from the source of the current one. While large parts are modified or replaced entirely with every new release, starting from scratch would mean throwing away a lot of perfectly good technology.
Another legacy burden is applications, both those produced by Microsoft and those from third-party developers. There are thousands of applications out there whose required permissions level is above that of users, or is unknown altogether. Prohibiting these applications from executing would greatly slow Vista adoption, because users would stay with the OS where their applications ran.
That’s not the end of it. An unknown number of custom enterprise applications were written in the same fashion, requiring administrator rights to the local machine to execute. Some enterprises fixed their applications when they went to a locked-down environment over the security issues of the past several years. Others still have many applications that have to run, at least some of the time, in a more privileged mode.
With Vista, Microsoft attempted to build an OS that eases users, administrators and developers into thinking about security in a different way. No one at Microsoft would declare that Vista is 100 percent bulletproof, but it’s no exaggeration to say that Vista is the most secure Windows OS to date. But is it secure enough for you to deploy on hundreds or thousands of desktops?
What Microsoft Does for Enterprises
Windows Vista is the first OS Microsoft has built under the laws laid down by its Security Development Lifecycle (SDL), which were defined several years ago during the intense security training conducted after the release of Windows XP. According to Stephen Toulouse, senior product manager for Microsoft’s Trustworthy Computing Group, the SDL consists of processes encompassing security engineering, reviews by security experts and protection within the OS itself.
The first phase of this lifecycle involves designing features and implementing code more resistant to attack. Toulouse describes a process whereby each proposed feature was scrutinized for its security implications prior to being included as a requirement. “If a feature required a port to always remain open, or for a high level of access to be maintained, it would get a lot of pushback,” he explained. “It might have to be implemented in a different way, or not at all.”
The second phase of the security lifecycle is review and testing by industry security experts. A part of this effort, called BlueHat, involves turning over working code to experts for analysis and exploitation, as well as follow-on meetings between those experts and Microsoft developers. In addition to providing a significant test for the OS code, it also provides an interaction between Microsoft OS engineers and security experts that almost invariably results in better code in the future.
Last, Microsoft incorporates security features that make the OS more difficult to hack and exploit. Features like User Account Control (UAC) and user notifications of unusual activities make Vista more resistant, but not impenetrable. The goal is not to provide a fully hack-proof system, but to buy time for other mechanisms to identify and turn away an attack.
Windows Defender, Windows Firewall and an overhauled Security Center make a difference here. Windows Defender helps protect against and remove spyware, adware, root kits, bots, keystroke loggers, control utilities and some other forms of malware. The Windows Firewall includes both inbound and outbound filtering, protecting users by restricting OS resources if they behave in unexpected ways.
Natalie Lambert, Security Analyst, Forrester Research Inc.While the Security Center has been around since Windows XP SP2, Microsoft has made improvements, including showing the status of anti-spyware software, Internet Explorer security settings and UAC. The Vista Security Center can monitor security solutions from third-party vendors running on a PC and indicate which are enabled and up-to-date.
Before shipping, Vista also underwent final security reviews, peer reviews and testing via automated attacks. Automated attacks typically involve code written to emulate actual attacks from the wild, to determine the ability of the OS to repulse them or at least slow them down.
Patches and Promises
One of the accepted practices in OSes in recent years has been the concept of the security patch. Hackers, researchers or even vendors themselves identify vulnerabilities. The OS vendor, such as Microsoft, Apple or Red Hat, then analyzes the vulnerability and prepares one or more patches.
Much has been made of the fact that Vista has had fewer security patches in its first 90 days of availability than comparable OSes from Apple or Red Hat. While this appears to be a reasonable standard for a new OS, Microsoft disingenuously included the time before general availability when the OS was only available to enterprises and MSDN subscribers.
Forrester analyst Jen Albornoz Mulligan notes that the ranking is very different when only critical flaws are considered. Her conclusion is that there are too many variables to consider. For those on the front lines, however, the question for now is: What does it take to keep the machines up-to-date on patches? The jury is still out on that question, but Windows Vista looks much more promising than previous versions of Windows.
Ironically, at press time there were news reports of a Vista vulnerability surrounding .ANI files. According to those reports, .ANI files are used to change the cursor into an hourglass while a program works, or into a cursor animation on Web sites. The vulnerability was allowing hackers to break into computers and install malicious software. Because of a rapidly increasing number of reported exploits, Microsoft released the patch for this vulnerability early.
There is also security from a physical breach. Many of us have received notification of a lost or stolen computer containing data on our identity, credit, or buying habits, and were outraged that the data was not better protected. Here’s where BitLocker, Vista’s full volume encryption, comes into play. BitLocker uses hardware-enabled protection to prevent unauthorized users from accessing data by breaking Windows file and system protections.
BitLocker incorporates centralized storage and management of encryption keys in Active Directory, and lets IT administrators store encryption keys and restore passwords onto a USB key or to a separate file for backup. The encryption system also enables system recovery in the field, providing a means for users to enter the restore password and restore their own systems.
The Price of Privilege
There has been a dichotomy between application developers and their users that has become significant over the past several years. Many enterprise developers have absolute access to their systems, but they tend not to consider whether or not their users do. In some cases, they raise privileges because a given operation won’t work unless the process has a high set of privileges.
Developers tend to be philosophical about security issues. At a recent Visual Studio developer conference, Sam Restead, a senior software engineer for a large insurance provider, shrugged and said, “I care about security and don’t intentionally write bad code. But the hackers move so fast that no one can keep up with all the emerging techniques to break into systems.”
Restead’s colleague Richard Guest added: “It’s mostly an OS problem anyway.”
Not surprisingly, both perception and bandwidth have led to the lack of motivation by developers in addressing security more rigorously in their applications. That said, developers don’t intentionally write insecure code and are keenly interested in making sure that an application isn’t the cause of a security breach. The real problem is that there are just too many other things for developers to do at the same time.
Vista will help most developers write more secure code. It does so, in part, through the use of UAC. The UAC separates standard user privileges and activities from those that require administrator access. It changes the definition of a standard user by including many basic functions that pose no security risk but that previously required administrative privileges.
Many applications require local machine administrator privileges, so users can end up with administrative access, invoked only when installing software or executing an application that requires admin rights. Vista displays a dialog box requesting the local administrator password, which the user must enter in order to complete the activity.
If the enterprise locks down desktop systems, UAC can also help there. Admins have the option of configuring a policy setting that prevents users from encountering the access dialog, in order to prevent administrative actions entirely.
Alternatively, UAC lets IT admins give desktop users administrative rights, but normal operations occur using lower privileges. If an application requires admin rights to continue, it will prompt the user for an OK.
UAC helps users better understand how their system is being used by applications. After an initial training period, users will come to know the normal behavior patterns of their applications, enabling them to question unusual or unexplained requests to upgrade system privileges.
And over time, UAC will help developers. Because those operations requiring admin privileges are right out there in the open, any inadvertent upgrade in privileges will become apparent during unit and functional testing.
Microsoft’s Toulouse admits that UAC got a bad reputation during early community releases of Vista. “We had the right idea,” he explains, “but we failed to consider usability. Since that early feedback we’ve made significant strides in usability, and believe we have a system that makes more sense to Vista users.”
One unyielding principle is that users are still informed whenever an application attempts to do something out of the ordinary. This means that many computer users will be seeing more messages concerning application privileges than they have in the past. To those who install software on their own systems, the dialog will be a constant reminder of the Vista security strategy.
The upshot is that users will have to better understand the security implications of their activities. This may cause confusion unless users are trained in their security responsibilities. In many enterprises such training is problematic, as users generally receive only the training they need to perform their job activities — and sometimes not even that.
According to BeyondTrust CEO John Moyer, this will be a problem in enterprises. “Users are focused on their jobs, not on the security messages that pop up on their screens,” he claims. UAC has the potential to cause confusion for users and increased workload for administrators. It’s not going away, though, so sooner or later developers will have to make their applications run in more secure environments and users will have to understand what to do when the UAC dialog box appears.
You can get your hands on most, if not all, of these and other less significant security features from third parties to use with Windows XP. BeyondTrust, for example, provides a way to manage user privileges in the IT shop, rather than on the user’s desktop. Adding third-party point solutions does mean a more complex configuration for installed systems, the need for better management of software licensing and upgrades, greater costs and perhaps a greater potential for system conflicts.
Building a More Secure Enterprise
Advocates for one OS over another tend to get viscerally involved in their opinions on security and usability. The debate among client OSes in enterprises tends to settle around what version of Windows is best, rather than non-Windows alternatives. If an enterprise is at risk, either by making regular and common use of high-value or highly sensitive data, or by losing significant business if systems are taken offline by attacks, then Vista can help immediately.
There seems to be little question that security is improved with Windows Vista. Toulouse calls Vista the “best possible baseline for the broadest set of users.” While there’s nothing particularly revolutionary about its features, it’s useful to have them aggregated into a single product and used in consistent ways.
For enterprises, this means that “install and go” is no longer a reasonable strategy for running a Windows OS. System administrators, application developers and even end users have to take increasing responsibility in an environment where known exploits are combined with valuable data to provide ample opportunities for security violations.
The tradeoff required for better security is greater involvement by users, administrators and developers in the security process. In deciding whether or not to accelerate a migration to Vista for security purposes, managers have to first perform a classic risk analysis. If your clients access data of significant value to the organization, or your infrastructure has vulnerabilities that put clients at greater risk of intrusion, then the additional security features of Vista should be high on your priority list.
But — and it’s a big but — that means both your staff and users have to get more involved in security. Users have to understand and take action based on security messages sent by the OS. Vista will tell them a great deal about the security state of their desktop, but only if they speak the same language.
Administrators have to make sure that desktops are configured with the applications, policies and security settings required by users to perform their jobs. Blasting all desktops with a single image and pushing blanket policies probably won’t cut it if you want to move to Vista today. Using features such as UAC, policies and the Security Center, administrators have to configure the OS to the precise security parameters needed to ensure protection of data and systems. Admins will be on the front lines of helping users understand their new security responsibilities.
Last, developers can no longer assume that users are local machine admins. Relying on Vista privilege elevation for applications to work will be confusing to users and show a lack of OS understanding by developers. While it may not be possible to get rid of privilege elevation entirely, developers have to build and test with the same security settings as their users.
With a commitment from these three constituencies, Windows Vista will help an enterprise at risk be measurably more secure. But there’s also a word of caution: Without that commitment, along with training in security policies and implementation, the equation falls apart, likely resulting in greater confusion and lost productivity.
There’s no going back. All parts of the enterprise will have to have greater involvement in information security in the future. Vista represents an important first step in that direction
