Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry. But a bold statement can only go so far, and much of this week's conference has been spent reinforcing that point.
From the network perimeter to deep inside the Windows client, the significance of security has permeated every facet of technology. Norman Mailer said that 20th century man's default status was anxiety. We have barely dipped our toes into the 21st, and our default status has already been elevated to outright fear.
Consumers are being plagued with spam, phishing attacks and spyware, while the corporate world fends off data and identity theft. Microsoft believes its new wave of software will be the panacea for such problems, thanks to the Security Development Lifecycle (SDL) and technologies such as BitLocker and smart cards.
Windows Vista is the first operating system from Microsoft to be built from the ground up using the SDL development model. Every bit of code is scrutinized for Common Criteria Certification, and security compliance checkpoints must be met along the way.
Services now run with reduced privileges and with profiles that specify their allowed file system, registry and network activities. Further below the surface, the Vista kernel makes it harder for rootkits to elude detection, while better protecting against unauthorized patches.
Spyware and malware threats, meanwhile, are contained by the operating system's built-in scanning engine that is based upon Windows Defender. In addition, the Vista firewall extends the functionality added in Windows XP Service Pack 2 to provide full directional filtering and application blocking.
Potentially malicious applications are also restricted with Vista's new User Account Control feature, which has spurred a great many complaints from beta testers. UAC forces programs to run at a specific Integrity Level, with a default of medium, and to request elevated privileges from the user when performing system commands or writing to sensitive directories.
Internet Explorer 7 in Vista runs in a low Integrity Level known as "Protected Mode" in order to prevent malicious Web sites from compromising an entire system. Features such as a phishing filter and security status bar add further safety checks for users.
UAC additionally enables file and registry virtualization for programs needing administrator access. This capability will ensure backwards compatibility without sacrificing the security of Windows Vista. For example, a program trying to write files to the root of the hard drive will actually be writing to a special folder called the virtual store.
On the hardware level, Microsoft has implemented BitLocker full disk encryption. Using either a TPM chip located on the motherboard or a USB stick, BitLocker encrypts data while it is being written to the disk. If a laptop were stolen, the hard drive would be inaccessible without a recovery key.
Microsoft says the 256-bit AES encryption technology causes only a single-digit slowdown when communicating with the disk, and the majority of users would never notice it was running.
Vista will also support smart cards with its user-based file and folder encryption technology known as EFS. Moreover, integrated rights management (RMS) enables organizations to enforce access policies for individual documents, which would prevent them from falling into the wrong hands.
But Microsoft acknowledges that nothing is infallible when it comes to computer security. In turn, the company has employed black hat hackers for what is called a penetration, or pen, test team. This group has only one duty: to break the security in Windows Vista and help the company develop fixes for the vulnerabilities.
Microsoft is also looking outside to shore up its defenses. At TechEd 2006, the Redmond company announced the formation of the Microsoft Security Response Alliance. MSRA builds upon five other alliances currently helping to organize security efforts, and will offer a portal for collaboration along with a communication framework for sharing security response information.
All of these security changes won't be easy on application compatibility, but Microsoft says it is doing its best to mitigate any problems by the time Windows Vista ships early next year. The company is working closely with developers to add custom "shims" that will ensure their programs are compatible with User Account Control.
Still, Microsoft admits that antivirus software, games and some applications will continue to have problems. Work to streamline the experience for consumers will not stop with the final release, however, as Microsoft already has compatibility improvements planned through Windows Vista Service Pack 1.