Two Ways Microsoft Is Improving Security in Longhorn
by Alex Woodie
There's been a lot of talk of late about new user interface features in the upcoming Longhorn release of Windows, things designed to elicit a "gee-whiz" response among users, like transparent windows and icons that display the content of the file. Eye candy aside, Microsoft executives have gone on the record saying that if they could just get security right with Longhorn, that would be enough. Two ways that Microsoft is following through on that pledge are better control over administrative privileges and the Trusted Platform Module (TPM) microchip.
Security improvements in the upcoming release of the Windows Vista client and the Windows Longhorn server will be delivered through hardware and software. Let's take a look at both.
Hardware-based Security Enhancements
Windows Longhorn will use a hardware-based security mechanism, called the Trusted Platform Module (TPM), to ensure that only authorized applications access system resources. The TPM itself is a cryptographic microprocessor that is installed on the motherboard, and is used to generate matching keys. If a requesting application or service does not have a key that matches the master key stored on the TPM, the program is denied access.
There are several advantages to using a hardware-based security mechanism like TPM compared to software-based security mechanisms. Because the master key is held on the TPM device and is separate from the operating system and the computer system's memory, the TPM system is not susceptible to underlying flaws or vulnerabilities in the operating system or to attacks on the memory. TPM systems can be attacked, Microsoft says, but doing so requires physical access to the TPM microchip, something that is not possible over the Internet.
Microsoft is writing software that will allow developers and users to deploy TPM in Longhorn, predominantly as a way to make it easier for administrators to manage a large number of clients. The TPM Base Services (TBS) service will control access to the TPM, while Microsoft's TPM driver will work with TPM chips that conform to the Trusted Computing Group's (TCG) TPM version 1.2 specification, according to a white paper that Microsoft published this April called "Trusted Platform Module Services in Windows Longhorn."
The market for TPM technologies is practically non-existent today, but that will change, especially with the advent of the Longhorn client, concludes IT industry researcher IDC in a recent report. IDC predicts TPM device shipments will grow from about 20 million units in 2005 to more than 50 million in 2006 and about 120 million by 2007.
Software-based Security Enhancements
One of the important security enhancements Microsoft is building into Vista and Longhorn is that the computer's default access level will no longer be set to administrator. Because many of today's Windows vulnerabilities can only be exploited when the computer is operating under administrative privileges, this single change is expected to have a far-reaching effect in clamping down on security exposures.
Chris Jones, a corporate vice president with Microsoft, discussed the significance of this change during a July interview by Microsoft's PR firm and posted to Microsoft's Web site. "We've increased the protection so that by default people don't run as administrator," Jones says. "In the past, you ran as administrator, which means that any code that got to your system had full privileges to the box. And we're preventing that in Windows Vista. It's a great change for us."
Microsoft hopes to prevent the spread of spyware, adware, and other malware by keeping user privileges as low as possible. In the Windows Vista beta, there's a new feature called User Access Protection, or UAP, designed to allow users to switch back and forth between user and administrator privileges as applications demand it.
Of course, moving the Windows world from administrator privileges to regular user privileges is a lot easier said than done. Besides eliminating the administrator setting by default, Microsoft is going to require a lot of help from the development community to make sure applications keep running in regular user mode. Jones called on developers to start writing programs to run with regular user privileges.
"For almost every developer, I want them to make sure their application runs as standard user. You can actually do that today without Windows Vista. Take Windows XP, turn on standard user, and make sure your application runs," Jones says. "Developers really have to get that right."
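The test Jones describes, as an added example that is neither the article's nor Microsoft's code: a small C# self-check a developer can run under a standard user account to see whether an application quietly depends on per-machine locations (HKLM, Program Files) instead of the per-user ones (HKCU, Application Data) it should use. The probe locations are assumptions chosen to illustrate the point.

```csharp
// Added example, not from the article or Microsoft: probes whether the process
// needs per-machine locations that a standard user cannot write. Probe locations
// are assumptions; run it under a standard (on XP, "Limited") account.
using System;
using System.IO;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

public static class StandardUserCheck
{
    public static bool IsAdministrator()
    {
        WindowsPrincipal p = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return p.IsInRole(WindowsBuiltInRole.Administrator);
    }
    // True if the key opens for writing; OpenSubKey(name, true) throws
    // SecurityException when the account lacks write access to the key.
    public static bool CanWriteRegistry(RegistryKey hive, string subKey)
    {
        try { using (RegistryKey k = hive.OpenSubKey(subKey, true)) { return k != null; } }
        catch (SecurityException) { return false; }
        catch (UnauthorizedAccessException) { return false; }
    }
    // True if a new file can be created in the directory; the probe file is removed again.
    public static bool CanWriteDirectory(string directory)
    {
        string probe = Path.Combine(directory, Path.GetRandomFileName());
        try
        {
            using (FileStream fs = new FileStream(probe, FileMode.CreateNew)) { }
            File.Delete(probe);
            return true;
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (IOException) { return false; }
    }
    public static void Main()
    {
        string programFiles = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
        string appData = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
        Console.WriteLine("Running as administrator: " + IsAdministrator());
        // Per-machine locations: an application written for standard users must not need these.
        Console.WriteLine("HKLM\\SOFTWARE writable: " + CanWriteRegistry(Registry.LocalMachine, "SOFTWARE"));
        Console.WriteLine("Program Files writable:  " + CanWriteDirectory(programFiles));
        // Per-user locations: where such an application should keep its settings and data.
        Console.WriteLine("HKCU\\Software writable:  " + CanWriteRegistry(Registry.CurrentUser, "Software"));
        Console.WriteLine("Application Data writable: " + CanWriteDirectory(appData));
    }
}
```

Run once as an administrator and once as a standard user: any per-machine location that flips from writable to not writable is one the application must stop relying on.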
There are other things that Microsoft can do to prevent third-party applications (such as spyware) from altering the registry and making changes to other areas of the operating system. Some people in the community have called for Microsoft to implement full operating system-level application sandboxing. Sandboxing would restrict applications' access to certain resources. These restrictions could take the form of preventing an application from reading or writing to files outside of the directory in which it was installed, and preventing read and write access to the Windows registry.
Certain elements of Windows and Microsoft's development tools already use a form of sandboxing. With the .NET Framework version 1.1, for example, the developer could configure an ASP.NET program to run in a "partial trust" mode that prevented it from accessing system-level resources and resources owned by other applications. We'll take a closer look at Microsoft's sandboxing options in a future issue of The Windows Observer.
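The ASP.NET "partial trust" sandbox mentioned above, as an added example rather than code from the article: a C# page that asks the code-access policy whether a write is permitted and then attempts it, inside and outside the application directory. It assumes the site's web.config sets `<trust level="Medium" />` and uses an assumed outside path.

```csharp
// Added example, not from the article: shows what ASP.NET partial trust does to file
// access. Assumes web.config holds <system.web><trust level="Medium" /></system.web>,
// which confines FileIOPermission to the application's own directory tree.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Web.UI;

public class TrustProbe : Page
{
    // Ask the policy engine whether writing to 'path' is permitted, without touching
    // the file system: IsGranted checks the demand against the caller's grant set.
    public static bool MayWrite(string path)
    {
        IPermission needed = new FileIOPermission(FileIOPermissionAccess.Write, path);
        return SecurityManager.IsGranted(needed);
    }
    // Attempt the write. File.CreateText demands FileIOPermission, so under Medium
    // trust the demand fails with SecurityException outside the application root.
    // An NTFS denial surfaces as UnauthorizedAccessException, which is a separate layer.
    public static string TryWrite(string path)
    {
        try
        {
            using (StreamWriter w = File.CreateText(path)) { w.WriteLine("probe"); }
            return "allowed by code-access policy and ACL, written: " + path;
        }
        catch (SecurityException) { return "blocked by partial trust: " + path; }
        catch (UnauthorizedAccessException) { return "blocked by NTFS ACL: " + path; }
    }
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Inside the application (directory assumed to exist) and an assumed outside path.
        string inside = Server.MapPath("~/App_Data/probe.txt");
        string outside = @"C:\probe.txt";
        Response.ContentType = "text/plain";
        Response.Write("policy allows write inside app:  " + MayWrite(inside) + "\n");
        Response.Write("policy allows write outside app: " + MayWrite(outside) + "\n");
        Response.Write(TryWrite(inside) + "\n");
        Response.Write(TryWrite(outside) + "\n");
    }
}
```

The two outcomes show the distinction the article draws: partial trust is enforced by the runtime on the code itself, independently of the file-system permissions of the worker process account.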