Windows Vista is the first Windows client operating system to be developed using Microsoft’s Security Development Lifecycle (SDL), which makes security a top priority throughout the development cycle by mandating a repeatable engineering process that every developer must follow, and then verifying that process before product release.
Starting in 2003, Microsoft established strong internal security design and development processes to help engineering groups create more secure products. A special internal team—called the Secure Windows Initiative (SWI) team—was formed to create, oversee, evangelize, and enforce the process.
The SWI team, which comprises security experts from the Windows group and from across Microsoft, helps the company’s product groups focus on potential security threats and acts as a central internal security consulting group.
The SWI team developed the SDL to ensure a consistent framework for integrating security broadly across the company’s products. The SWI team operates at every level of the company, including helping executives understand current and future threats and working with Microsoft Research to help develop new defensive technologies and security analysis tools. The SWI team is also working with many independent software vendors (ISVs) to help them make their products more secure by applying SDL principles and tools.
The SDL is an evolving process that implements rigorous standards of secure design, coding, testing, review, and response for all Microsoft products. The SDL helps remove vulnerabilities and minimize the surface area for attacks, improves system and application integrity, and helps organizations more securely manage and isolate their networks.
Building on lessons learned from applying the SDL to other Microsoft products, security reviews and engineering practices associated with previous versions of Windows, and analysis of Microsoft Security Response Center (MSRC) bulletins, Windows Vista was the first Microsoft client operating system to be developed from start to finish using this approach.
Microsoft created more than 1,400 threat models for Windows Vista to identify risks that required mitigation, code that needed special attention, and parts of the operating system that required especially intensive testing. The SWI team provided product teams with training and tools to support the threat modeling process, and the team reviewed the threat models for completeness and depth.
Throughout the development process, Windows Vista was checked for vulnerabilities that were previously discovered in Windows XP, and security processes and tools for both operating systems were reevaluated and improved.
Automation was a key focus in this engineering process. For example, the product groups used two tools developed by Microsoft—known as PREfix and PREfast—to identify source code vulnerabilities not found by typical compilers. The tools integrate cleanly with the build process, reduce development time, streamline code review, and help improve overall quality and reliability.
The Windows team annotated all Windows Vista functions containing readable or writeable buffers using the Standard Annotation Language (SAL), which allows these automated code quality tools to evaluate the consistent use of variables and buffers and helps developers detect and remove exploitable coding errors.
The team extensively “fuzz tested” components of Windows Vista that parse or process inputs from potentially hazardous sources. Fuzz testing automates the process of supplying corrupt or malformed data to these components to see how they deal with potentially malicious inputs.
Fuzz testing is effective at detecting vulnerabilities that an attacker could exploit to run malicious code or cause a software component to fail. Fuzz testing on particularly complex parsers was complemented by a security code review and a deeper level of SAL annotations.
Another Microsoft-developed tool, called FxCop, scans managed code applications for vulnerabilities and helps prevent malicious code from taking advantage of buffer overruns in applications. In addition, the Microsoft Visual C++® 2005 C runtime library adds buffer checks to functions that are known to be vulnerable to attack. These tools were initially developed for internal use at Microsoft but are also available to the developer community in Visual Studio® 2005.
The Windows Vista code base was also scrubbed for issues that commonly lead to security vulnerabilities. All instances of cryptographic algorithms, for example, were reviewed to assess weaknesses in algorithm choice or key strength. More than 100 programming APIs that had been maliciously exploited in the past were systematically removed from the code base and replaced with more secure versions. In addition, non-Microsoft components in Windows Vista were reviewed against the SDL.
Microsoft also provides detailed guidance on the SDL for ISVs that are creating products to run on Windows Vista and for the worldwide security community, to enable others to improve the security of their products.
The impact of the SDL
Microsoft’s in-depth analysis of vulnerabilities in Windows XP, several Linux versions, and Mac OS X Tiger has provided a solid context in which to view the first 90 days of Windows Vista.
Security is a process
Complementing the SDL is Microsoft’s unparalleled worldwide security response process operated through the Microsoft Security Response Center (MSRC). When a security incident poses a threat to customers—whether it is an Internet-based attack or narrower in scope—the MSRC quickly mobilizes teams across the company and around the world, including affected product teams, Microsoft’s Product Support Services (PSS), Microsoft IT, and external partners. The goal is to respond quickly to security threats and to provide customers with the information, guidance, and mitigation tools and measures they need.
As soon as a potential vulnerability is reported, the MSRC works to establish a strong communications channel with independent security researchers. The MSRC provides regular updates to individuals and organizations that report vulnerabilities. In the bulletins that accompany vulnerability updates, the MSRC publicly recognizes many security researchers for their vigilance and responsibility. Relevant security findings and responses are integrated into the SDL. Because detailed public disclosure of a vulnerability before an update is available can lead to malicious activity and expose customers to security threats, the MSRC encourages security researchers to report their findings responsibly to minimize the potential impact on customers.
In Windows Vista, engineering for security also means supporting technologies that help non-Microsoft developers write more secure code and help protect the operating system kernel from malicious software.
Windows service hardening
System services are background processes that are always running to support key functionality in the operating system. Because of their importance, and because they typically run with high system rights, they have been a major target for malicious software attacks. A malicious attack that exploits system services can cause problems by running arbitrary code with administrator rights on the user’s computer. The Slammer, Blaster, and Sasser worms all targeted system services.
To mitigate this threat, Windows Vista has introduced the concept of restricted services, or service hardening. Restricted services can run under only the most restrictive rights possible, and they limit their activities to the minimum local machine or network resources they require to fulfill their task.
Windows service hardening is also designed to be used by ISVs. Microsoft is actively evangelizing the technology to ISVs to help ensure that the service components they write will be more secure when running on Windows Vista. The Windows service hardening infrastructure is used by system services on an opt-in basis, so there is no application compatibility impact with previous system services, such as services that accompany non-Microsoft software.
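As an added example (not from the original paper), this PowerShell audit reads the two per-service registry values that back service hardening, ServiceSidType and RequiredPrivileges, and lists which services have opted in; treating "write-restricted SID plus an explicit privilege list" as hardened is this example's own heuristic.

```powershell
# Added example (not from the original paper): list which services have opted into
# Windows service hardening by reading the two per-service registry values behind it.
# ServiceSidType: 0 = none, 1 = unrestricted service SID, 3 = write-restricted service SID.
# RequiredPrivileges: the least-privilege list the service token is trimmed down to.
function Get-ServiceHardeningState {
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))

    foreach ($svc in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        $sidType = 0
        if ($null -ne $props.ServiceSidType) { $sidType = [int]$props.ServiceSidType }
        $sidName = 'None'
        switch ($sidType) {
            1 { $sidName = 'Unrestricted' }
            3 { $sidName = 'Restricted' }
        }

        # A missing value must not be counted as one (empty) privilege.
        $privs = @()
        if ($props.RequiredPrivileges) { $privs = @($props.RequiredPrivileges) }

        [pscustomobject]@{
            Service        = $svc
            Account        = $props.ObjectName
            SidType        = $sidName
            PrivilegeCount = $privs.Count
            Privileges     = ($privs -join ', ')
            # Heuristic used by this example: restricted SID plus an explicit privilege list.
            Hardened       = ($sidType -eq 3 -and $privs.Count -gt 0)
        }
    }
}

# The highest-risk population: services running as LocalSystem that have not opted in.
Get-ServiceHardeningState |
    Where-Object { $_.Account -eq 'LocalSystem' -and -not $_.Hardened } |
    Sort-Object -Property Service |
    Format-Table -Property Service, SidType, PrivilegeCount -AutoSize
```

The same values are exposed by `sc.exe qsidtype <service>` and `sc.exe qprivs <service>`, and a service installer opts in with `sc.exe sidtype` and `sc.exe privs` (or ChangeServiceConfig2 with SERVICE_CONFIG_SERVICE_SID_INFO and SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO).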
More defense-in-depth: NX and ASLR
Another way that malicious software can install onto a user’s computer is by taking advantage of buffer overruns—essentially, tricking software into running code that has been placed in areas of the computer’s memory that are set aside for data storage.
A way to reduce the impact of such vulnerabilities is through the use of no-execute (NX) technologies at the hardware level. NX enables software to mark sections of the computer’s memory as being exclusively for data, so the processor will prevent applications and services from executing any code there.
Many of the newest processors support some form of NX, and Microsoft has included support for NX-capable processors since Windows XP SP2 through the Data Execution Prevention feature. Windows Vista introduces additional NX Group Policy controls that allow software developers to enable NX hardware protection for their code, independent of system-wide compatibility enforcement controls. An ISV can mark its program as NX-compliant when the program is built, which allows protection to be enforced when that program runs. This enables a higher percentage of NX-protected code in the software ecosystem.
Address Space Layout Randomization (ASLR) is another defense capability in Windows Vista that makes it harder for malicious code to exploit a system function. ASLR randomly assigns executable images, such as DLLs and EXEs, to one of 256 possible locations in memory. This makes it harder for malicious code to locate and take advantage of functionality inside the executables.
Windows Vista also introduces heap buffer overrun detection that is even more rigorous than that found in Windows XP SP2. When the operating system detects signs of heap buffer tampering, it can immediately terminate the affected program, limiting the damage that might result. This protection technology is enabled for operating system components, including built-in system services, and can be used by ISVs through a single API call.
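The build-time opt-in described above is recorded in each image's PE header, so as an added example (not the paper's code) this PowerShell function reads the DllCharacteristics flags the linker sets for NX (/NXCOMPAT) and ASLR (/DYNAMICBASE) and lists images under Program Files that lack either one.

```powershell
# Added example (not from the original paper): read the DllCharacteristics field of a PE
# image to see whether its builder opted into NX (linker /NXCOMPAT) and ASLR (/DYNAMICBASE).
function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: 'MZ' magic; e_lfanew at offset 0x3C points at the 'PE\0\0' signature.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not an MZ image: $Path"
    }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    # Need signature (4) + COFF header (20) + at least 72 bytes of optional header.
    if ($pe -le 0 -or ($pe + 0x60) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {
        throw "PE signature not found: $Path"
    }

    # Optional header follows the 4-byte signature and the 20-byte COFF file header.
    $opt   = $pe + 4 + 20
    $magic = [BitConverter]::ToUInt16($bytes, $opt)           # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    $dllCharacteristics = [BitConverter]::ToUInt16($bytes, $opt + 70)

    [pscustomobject]@{
        Path        = $Path
        Is64Bit     = ($magic -eq 0x20B)
        NxCompat    = [bool]($dllCharacteristics -band 0x0100)  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        DynamicBase = [bool]($dllCharacteristics -band 0x0040)  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    }
}

# Report images that do not opt into both mitigations; unreadable or non-PE files are skipped.
Get-ChildItem -Path $env:ProgramFiles -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { try { Get-PeMitigationFlags -Path $_.FullName } catch { } } |
    Where-Object { -not ($_.NxCompat -and $_.DynamicBase) } |
    Format-Table -Property Path, Is64Bit, NxCompat, DynamicBase -AutoSize
```

On 64-bit Windows, DEP is always enforced for 64-bit processes regardless of the NX_COMPAT bit, but ASLR still depends on the image carrying DYNAMIC_BASE.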
64-bit security enhancements: Kernel patch protection and driver signing
Some of the most serious security issues can arise from malicious software that manipulates the operating system kernel to render itself undetectable to anti-virus software and to run unnoticed on a user’s system. This type of malicious software is known as a rootkit. Rootkits are often used to cloak other potentially unwanted software, such as bots and spyware. Beyond the serious security implications of rootkits, this class of malicious software can reduce the stability, reliability, and performance of the entire computer.
Kernel patch protection. The 64-bit versions of Windows Vista support Microsoft’s kernel patch protection technology (sometimes referred to as PatchGuard), which prevents unauthorized software from modifying the Windows kernel. Kernel patch protection works by preventing kernel-mode drivers from extending or replacing operating system kernel services through unsupported means and by prohibiting all software from performing unsupported patches in the kernel. In addition to improving security and making it more difficult for hackers to modify the kernel for malicious purposes, kernel patch protection also greatly improves the security and reliability of Windows Vista and enables future improvements in the kernel environment that can address the evolving landscape of malicious software.
Mandatory kernel module and driver signing. To give users visibility into the source of drivers and other software running in the operating system kernel, Microsoft introduced the concept of “signed drivers” with Windows 2000. Unsigned drivers could be prevented from installing, but the default configuration merely warned users if they were about to install an unsigned driver. IT administrators could also block installation of unsigned drivers with Group Policy, but the large installed base of unsigned drivers made this impractical in most situations. Malicious kernel software typically tries to install “silently,” without notifying the user or asking for approval, so malicious kernel software was still likely to run successfully.
With Windows Vista on 64-bit systems, security at the kernel level has been significantly enhanced by requiring that all kernel-mode drivers be digitally signed. Digital signing provides identity as well as integrity for code. A kernel module that is corrupt or has been subject to tampering will not load. Any driver that is not properly signed cannot even enter the kernel space.
Signed drivers help identify and prevent many malicious attacks, while allowing Microsoft to help non-Microsoft developers improve the overall quality of drivers and reduce the number of driver-related crashes.
Windows Vista provides a rich set of customizable new user, network, and application security options that administrators can configure to balance their security needs with their usability requirements. These provide security-oriented choices for controlling user accounts, defending against malicious software, and supporting multiple authentication methods.
User Account Control (UAC) in Windows Vista provides a way for IT administrators to separate standard user rights and tasks from those that require administrative rights. UAC increases security by establishing a standard user account with an improved user experience as the default user access level. Standard users can perform a wide range of tasks and enjoy high application compatibility without the need to be logged in with administrative rights. This helps reduce the effect of malicious software, the installation of unauthorized software, and unapproved system changes—all of which helps to reduce the cost of desktop management.
When a standard user attempts an action that requires administrative rights, the User Account Control dialog box prompts the user for administrator account credentials. Administrator account credentials include the user name for a user account that is a member of the Administrators group on the local computer or in a domain and that user’s password. This dialog box prompt is known as a credential prompt because it requires credentials from another account to proceed. Much has been written about credential prompting and UAC, but the bottom line is that, when best practices are followed, standard users will rarely see the credential prompt after they install their favorite applications.
UAC best practices can be summed up as follows:
Run all users as standard users. Enterprise environments should require all (or most) users to be standard users. Home users should make the first user account a parental account (even on a child’s computer) and protect it with a strong password. All other user accounts for the family—especially for children—should be standard user accounts.
Enable administrator approval mode and consider the use of Ctrl-Alt-Delete. Enterprises should require a password for the use of administrator approval mode. This makes it harder for malicious users to “spoof” the system and also makes it difficult for an unauthorized person to complete an administrative task on a computer that is left unattended. Another option is to require that the Ctrl-Alt-Delete key sequence be used before an administrator can enter credentials to complete a task.
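To check a machine against the two best practices above, this added PowerShell example (not from the original paper) reads the UAC policy values under Policies\System and enumerates the local Administrators group; it assumes that the Ctrl-Alt-Delete requirement is backed by the CredUI\EnableSecureCredentialPrompting value of the "Require trusted path for credential entry" policy, which you should confirm against your own policy reference. It needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original paper): report a machine's UAC configuration
# against the best practices in the text. The CredUI value is an assumption to verify.
function Get-UacPolicyReport {
    $sys  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $cred = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' `
                             -ErrorAction SilentlyContinue

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1 = credentials on the secure desktop,
    # 2 = consent on the secure desktop, 3 = credentials, 4 = consent.
    # "Require a password for administrator approval mode" means 1 (or 3 without the secure desktop).
    $adminBehavior = [int]$sys.ConsentPromptBehaviorAdmin
    $requiresPwd   = ($adminBehavior -eq 1 -or $adminBehavior -eq 3)

    # ConsentPromptBehaviorUser: 0 = automatically deny, 1 = credentials on the secure desktop,
    # 3 = credentials. A standard user only ever sees the credential prompt when this is non-zero.
    $userBehavior = [int]$sys.ConsentPromptBehaviorUser

    # Every member of the local Administrators group is an account the text says should be standard.
    $group  = [ADSI]'WinNT://./Administrators,group'
    $admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }

    [pscustomobject]@{
        UacEnabled               = ([int]$sys.EnableLUA -eq 1)
        AdminApprovalRequiresPwd = $requiresPwd
        PromptOnSecureDesktop    = ([int]$sys.PromptOnSecureDesktop -eq 1)
        StandardUsersCanElevate  = ($userBehavior -ne 0)
        CtrlAltDelForCredentials = ($null -ne $cred -and [int]$cred.EnableSecureCredentialPrompting -eq 1)
        LocalAdministrators      = ($admins -join ', ')
    }
}

Get-UacPolicyReport | Format-List
```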
Over the past several years, malicious software has become a major problem for computer users. Unwanted malicious software is found on more than two-thirds of all computers, and it is putting users’ privacy and personal information at risk, as well as causing significant performance and reliability issues.
Windows Defender, built into Windows Vista, helps protect against and remove a wide range of malicious software, including spyware, adware, rootkits, bots, keystroke loggers, and control utilities. (Windows Defender does not provide protection against malicious software that is classified solely as a worm or a virus.)
In Windows Vista, Windows Defender helps protect against unwanted application installation and monitors aspects of the operating system commonly abused by malicious software, such as the Startup folder and the Run registry keys. If an application attempts to make a change to one of the protected areas of the operating system, Windows Defender prompts the user to either allow or reject the change. Windows Defender also provides a feature called Software Explorer, which provides users with additional visibility into a computer’s software and system state. This is a significant improvement over previous versions of Windows, in which stopping or disabling malicious software sometimes involved investigating the system registry or conducting other complex analysis. Windows Defender also logs activity, such as cleaning and removal events, to the Windows event log, which enables administrators to keep updated on the status of the computer.
Windows Vista provides firewall functionality that is turned on by default and begins protecting a user’s computer as soon as Windows starts. The Windows Firewall includes both inbound and outbound filtering and can prevent unexpected data messages from leaving the computer. It also allows IT administrators and home users to block applications, such as peer-to-peer sharing or instant messaging applications, from contacting or responding to other computers. In response to feedback from customers and third-party security vendors, Microsoft has made improvements to the Windows Security Center in Windows Vista, including displaying the status of anti-spyware software, Internet Explorer security settings, and User Account Control.
In fact, Windows Security Center can monitor multiple ISV security solutions running on a computer and indicate which are enabled and up-to-date. If a non-Microsoft anti-virus or anti-spyware solution is out-of-date, Windows Security Center provides a link to the program’s Web site so that the user can activate or renew a subscription or get the necessary updates. This new capability is important when, for example, a trial subscription to an anti-virus solution that came with a new computer expires. Knowing when security software is turned off or out-of-date, and being able to easily download updates, can mean the difference between being protected and being vulnerable.
One of the biggest challenges IT administrators face is ensuring that the computers on their network have all the necessary security updates and meet the network’s health requirements. As more networks encompass users’ laptops and home computers, which often are not under the administrator’s direct control, the risk of exposure to viruses, malicious software, and other security threats grows. In fact, many attackers create malicious software specifically to target “out-of-date” computers. Network Access Protection (NAP) is a network access control system that lets IT administrators ensure that only “healthy” computers connect to their network, while enabling potentially unhealthy computers to get clean before they gain access.
The NAP client in Windows Vista simplifies the enforcement of network health policies and protects against malicious network attacks by enabling organizations to establish requirements for client health status, such as current software updates and up-to-date virus scanner signatures, and enforcing those requirements when the client connects to the network. If a client computer does not meet health requirements, NAP can automatically update the computer or direct it to a separate “quarantine” area where the user can remedy the situation.
NAP can be extended and provides an infrastructure and API for health policy enforcement. Independent hardware and software vendors can plug their security solutions into NAP, so IT administrators can choose the security solutions that best meet their needs. NAP also helps ensure that every computer on the network makes full use of those solutions. NAP requires functionality and support from the Windows Server Code Name “Longhorn” operating system.
Many organizations and software vendors are choosing to supplement passwords or smart cards with additional authentication factors, such as biometrics or one-time passwords. In previous versions of Windows, implementing these factors often required developers to rewrite the Graphical Identification and Authentication (GINA) interface—a difficult and expensive process. It also was not possible to use multiple GINAs simultaneously. In Windows Vista, the logon architecture has been redesigned to make it easier to support new types of credentials. Supporting new credential types requires creating a new credential provider; the Windows logon user interface can interact simultaneously with multiple credential providers to make use of different authentication methods, including biometrics and tokens from non-Microsoft credential providers. Customers can enhance their security by choosing the appropriate combination of authentication methods. Developers can also easily implement future authentication methods into the existing architecture.
The new logon architecture also enables credential providers to be event-driven and integrated throughout the user experience. For example, the same code that is used to implement fingerprint authentication at the Windows logon screen can be used to prompt for a fingerprint when the user tries to access a particular resource. The same prompt also can be used by applications that use the new credential user interface API. In addition to these security benefits, the new logon architecture improves overall system reliability and stability, since functions that were not essential to the logon process have been moved to separate processes in the operating system.
Many organizations are further enhancing security by using a smart card with a personal identification number (PIN) as their preferred two-factor authentication method in place of passwords. Microsoft has provided native operating system support for smart cards since Windows 2000. However, previous versions of Windows required IT administrators to deploy and maintain additional components to support their smart card infrastructure, such as cryptography modules and communications support for smart card readers. Windows Vista includes new advances in its smart card infrastructure that make the process dramatically simpler, more secure, and less error-prone. A common cryptographic service provider (CSP) implements all the standard back-end cryptographic functions that hardware and software developers need. In addition, integrated non-Microsoft smart card modules make it easier to rapidly deploy a smart card solution and enable secure, predictable communication between the CSP and other components of the smart card infrastructure.
Microsoft is also working with partners to ensure that major smart card vendors are familiar with this new architecture and are developing smart card modules for Windows Vista. This effort includes a process to certify smart card modules to validate their quality, and to ultimately make them available with Windows Update. This initiative will provide customers with better quality and ease of use for their smart card deployments. These enhancements complement other improvements to the smart card infrastructure in Windows Vista, including improvements to the Kerberos authentication protocol, which reduce the need for smart card users to reenter their password when accessing certain resources.
The customizable security features in Windows Vista also include new and improved technologies for advanced data protection, rights management, and data encryption on client computers.