The Vista Security Philosophy
Last week at the MVP global summit in Redmond, I had the opportunity to hear from a number of Microsoft insiders, the guys who actually wrote the code, about their goals and philosophy in creating the new OS and included components such as Internet Explorer 7.0. I was encouraged by what I heard: defense in depth was a concept that kept coming up over and over again. Multi-layered security is the only way to provide real protection, and MS’s commitment to making fundamental changes in the architecture to support that type of protection will give Vista a big security edge over older Windows operating systems.
Another philosophical position we’re hearing a lot out of MS employees has to do with “integration of the edge,” or the idea that the Internet is the network. This goes along with the well publicized “death of the DMZ” concept promulgated by Steve Riley, one of the senior program managers in Microsoft’s Security Business Unit (you can download Steve’s presentation on this topic from his Web site at http://www.steveriley.ms/default.aspx). This theme, in one form or another, ran throughout a number of the MS presentations.
Taken together, these philosophies indicate a whole new way of looking at security, which incorporates strategies such as server and domain isolation and network access protection (NAP) enforcement. Another big focus is on identity authentication and management. We see this everywhere, from proposed anti-spam technologies such as Sender ID to enterprise/federation level products like MIIS. We also see it in Vista’s improvements to such technologies as IPsec and better smart card support.
Running with least privilege
A question that kept coming up at the summit was “Do you run as admin on your desktop?” From IT pros to MS execs, most of those questioned answered (sometimes sheepishly) “yes.” And there’s a good reason for that – with pre-Vista operating systems, it’s hard to get anything done if you don’t log on as an admin. Vista addresses this in two ways:
- By making it easier for non-administrators to perform necessary tasks such as installing printers and application updates, setting up VPNs, etc. in specific contexts, and
- By running most apps with limited permission even if you do log on as an admin.
For years, Windows has been compared unfavorably with UNIX in relation to security. UNIX, unlike Windows, was designed as a network OS from the beginning, and has long had commonsense security features such as running processes with least privilege. Microsoft introduces this same idea in Vista and calls it User Account Protection or UAP. This feature is covered in depth in Derek Melber’s article titled Windows Vista and Principle of Least Privilege, so we won’t go into the details of how it works here – but it’s an important improvement to the RunAs capability in Windows XP.
More built-in protections
There are plenty of third party products on the market designed to protect against specific threats (viruses, spyware, attacks). For enterprise customers, the ability to choose from among these products is an advantage. For home and small business users, however, it’s an added expense that many of them feel they can’t afford. They want the protection built into the operating system.
That resulted in a host-based firewall being included in XP/2003, and with Vista, Microsoft goes a step further and includes the ability to clean up many viruses and worms and a built-in anti-spyware component. To make management easier, these functions will be integrated into the Security Center interface.
Although the details of the version of anti-spyware that will end up in Vista are still under NDA, we know that it will be part of an overall threat mitigation strategy aimed at a three-pronged approach to protect the client, server and network. Microsoft’s anti-spyware beta 1, built on technology from Giant, has been an extremely popular download and already has millions of users. It’s a good start, but major improvements are coming up in beta 2.
Protecting the network
As part of that three pronged approach mentioned earlier, Vista’s developers weren’t concerned exclusively with protecting the Vista computer from the network – they were also concerned with protecting the network from the Vista computer. The Network Access Protection (NAP) component in Vista is comprised of an agent that reports the Vista client’s health status to the NAP server (a component included in Longhorn server).
This gives administrators the ability to deny access to client computers that don’t meet their standards (such as having current service packs and security updates applied, having anti-virus software enabled and up to date, and so forth).
NAP is similar to Windows Server 2003’s Network Access Quarantine Control, but it’s a different technology and it extends protection a step further. NAQC is used to enforce health policies on remote access and VPN clients, but NAP can do this and also enforce policies on computers directly connected to the LAN, including mobile computers that are plugged into the LAN periodically. As with NAQC, computers that aren’t in compliance are isolated on a restricted network, where they can be automatically updated to meet your requirements.
Quarantine can be provided through a number of different network components (separately or in conjunction with each other):
- DHCP, in which the DHCP server (running a DHCP quarantine enforcement server component) enforces policies when clients lease or renew and IP address (IPv4 only).
- VPN, in which the VPN server (running a VPN QES) enforces policies on clients that attempt to connect to the network through a virtual private network.
- 802.1x, which uses an Internet Authentication Service (IAS) server to enforce policies on wireless clients.
- IPsec, which uses a health certificate server that issues x.509 certificates used to authenticate NAP clients when they try to establish an IPsec-secured connection with other NAP clients within the intranet.
NAP is configurable so that administrators can create exceptions to the policy rules, and it also includes APIs so third party developers can create policy compliance and isolation solutions that work with NAP.
These are only a few of the security enhancements that are coming with Vista. Many are still covered by NDA, but what we’ve seen so far looks promising, and we’ll keep you updated here as more of the information is officially made public.