Microsoft's Fathi: Vista Security Is Becoming Reality

Q&A: Having taken over Microsoft's Security Technology Unit in March 2006, Corporate Vice President Ben Fathi is guiding the software giant's bid to improve its standing with customers and the software community.

BOSTON—After taking on the responsibility of leading Microsoft's efforts to secure its much-awaited Vista operating system, Ben Fathi, corporate vice president of the Redmond, Wash., company's Security Technology Unit, is in town at the Security Standard Conference to evangelize the firm's progress in those efforts.

While critics continue to say that Microsoft's next-generation operating system will likely carry as many vulnerabilities as its predecessors, and some of the software giant's partners in the security applications markets have called the firm out for some of the new features present in preview versions of Vista, Fathi maintains that the company's Trustworthy Computing initiative is moving forward, and that the new OS will be the most secure Windows product the company has ever produced.

eWEEK Senior Writer Matt Hines sat down with Fathi at the conference on September 6th to get his perspective on where things stand with Vista at present, and in preparation for its launch in November 2006.

What do you think are the most significant advancements in the first Release Client (RC1) version of Vista, compared to the beta versions of the product?

Overall, I would say that the biggest improvements you will see are related to performance and reliability; it's significantly faster than Beta 2 and much more reliable. I use it on two or three machines constantly and I've had no problems with it.

In terms of security the biggest advancements are around User Account Control [UAC]; there are significantly fewer pop-ups, and the ActiveX install service that allows administrators to provide a way for extended users to install things. Those are the big changes—there are lots of small fit and finish changes also.

One of the things that was in Beta 2 and we purposefully didn't talk about, and it got press afterwards, was ASLR—address space layout randomization, which helps with a whole class of attacks on system libraries.

If users tried out BitLocker in the Beta 2 release, the installation process was very complicated. We got feedback on that telling us that you needed a Ph.D. to install it. We spent a lot of time with usability engineers to really simplify the experience. It's a simple wizard now; with a few clicks you can encrypt your entire drive.

We also put a lot of investment in Windows Security Center; we want it to be open and available to all our partners so we worked with the vendors and took their feedback to make sure that it's totally unbiased in terms of what it presents to the user.

It gives the vendor who has [security] software on a machine the ability to remediate if the end user runs out of subscription or the signatures are old. The first thing you get is the opportunity to fix the problem without hearing about other vendors. Or users can see other offers on a Web page that has a complete list of all the solutions available based on best cost of ownership for the user over a two year period.

But there are still lots of ways we can improve the system.

We've heard some of your partners complain about Microsoft's decision to employ PatchGuard and restrict access to the Vista kernel. They contend that the tools Microsoft has offered in replacement won't allow them to build products that are as effective as when they had kernel access. How are you working to quell those fears?

Kernel patch protection isn't new to Vista. It has been shipping for over a year in the 64-bit versions of XP, so it's not something new. Secondly, we have never endorsed or supported anyone patching the kernel in any way.

It's something people have done just because it was possible to do. But I like to use the analogy of the computer as your car, and patching the kernel is like trying to work on the engine while driving the car; it's not a smart thing to do.

Now that we have all these multi-processor systems, patching the kernel is one processor modifying the instructions or data while the other is trying to execute them. It's just something you don't want to be doing. These third-party projects are changing instructions on the fly.

So you think some of the concerns that have been expressed are a bit overstated?

It's only on 64-bit versions of Vista. The security products involved, not anti-virus or anti-spyware, don't use this functionality. It's really behavior blocking applications and intrusion protection systems that do kernel patching.

For 32-bit systems, which will represent the majority of machines for an unknown number of years, the products will still work. But we don't endorse or support it. On 64-bit we're saying this is a new ecosystem, a chance for us to start fresh and do things cleanly, so let's work together to come up with those APIs to do the extensions you want without hacking and patching the kernel.