Vista Security Check: This Time Microsoft Means Business

By Larry Seltzer  |  Posted 2006-05-29

Opinion: We've heard it before, but Microsoft has a lot more security credibility these days than it had a few years ago.

It's true Microsoft says it every time, but the software maker paid particular attention to security in Windows Vista. The company took more advice and more risks than ever before, deprioritizing many other concerns that were heretofore paramount. We're still only in beta, but does it look like Microsoft has delivered? Luckily the company just published a document titled "Microsoft Windows Vista Security Advancements," so we have a list of its own claims to evaluate. And just last week we heard of a significant advance in Vista that didn't make the PR document.

The Security Development Lifecycle. Three years ago Microsoft created a security group to be involved with development at all stages, but Vista is the first product to be designed from the ground up with such consideration. (Actually, it sounds remarkable that such a development is so recent, but at least Microsoft finally did it.)

Has this made a difference? The jury's still out. But it's encouraging to hear some of the measures used. All buffers in the code are marked up to assist automated analysis tools. Fuzz testing is used extensively throughout development. Microsoft says it is pursuing Common Criteria certification.

Restricted Services. This is an excellent example of how Vista takes the "least-privileged" philosophy seriously. Windows services are programs that run prior to user log-on. Many parts of Windows itself, such as the plug-and-play manager, run as services, as do many third-party programs such as anti-virus programs.


The previous approach has been to log on services with a special account called the LocalSystem account, which is a relatively privileged account, often having access to system resources completely irrelevant to the service's task. Not so in Vista, Microsoft claims:
    Core Windows services included in Windows Vista have service profiles that define the necessary security privileges for the service, rules for accessing system resources, and inbound and outbound network ports that the services are allowed to use. If a service tries to send or receive data on a network port that it is not authorized to use, the [integrated Windows personal] firewall will block the network access attempt. For example, the Remote Procedure Call service in Windows Vista is restricted from replacing system files, modifying the registry, or tampering with another service configuration in the system (such as the anti-virus software configuration and signature definition files).
Good example. The RPC service has an unfortunate history, being at the center of the Blaster worm event. In fact, some of the other more famous and damaging network worms—Sasser, for example—have targeted services. What they do is find some overflow that can be triggered through network protocols and use that overflow to run exploit code. In Vista, these overflows will be far harder to find and exploit (more about this below), and restricted services will make it harder to do anything useful with them.
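One way to see how far a given machine gets from the old "everything runs as LocalSystem" model is to list the running LocalSystem services and the privileges each one actually declares. The script below is an added example, not part of this article or of Microsoft's document; it assumes Vista or later (where `sc.exe qprivs` exists) and an elevated PowerShell prompt.

```powershell
# Audit running services that log on as LocalSystem and report the privileges
# each declares via its service profile. A service with no declared privileges
# inherits everything LocalSystem has, which is the pre-Vista situation the
# article describes; a short list is what restricted services are meant to look like.
$report = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
    ForEach-Object {
        # sc.exe qprivs prints one "... : SeXxxPrivilege" line per declared privilege
        $lines = sc.exe qprivs $_.Name
        $privs = @($lines -match ':\s*Se\w+Privilege' |
                   ForEach-Object { ($_ -split ':')[-1].Trim() })
        [pscustomobject]@{
            Service        = $_.Name
            DeclaredPrivs  = $privs.Count
            Privileges     = if ($privs.Count -gt 0) { $privs -join ', ' } else { '(none declared: full LocalSystem)' }
        }
    }

# Most-privileged first; services reporting "(none declared)" deserve a closer look.
$report | Sort-Object DeclaredPrivs -Descending | Format-Table -AutoSize
```

Third-party services, the anti-virus programs mentioned above for instance, frequently show up at the top of this list, since declaring required privileges is something each service author has to do.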


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
