In-Depth
10 Years of Trustworthy Computing: The Current State of Windows Security
A decade after launching its Trustworthy Computing initiative, Microsoft has come a long way but faces new challenges.
Bill Gates was famous for sending e-mails when he was in command at Microsoft. Most were minutiae. Some were game changers, such as the message he sent Jan. 15, 2002, pledging to spend the next 10 years making Microsoft products as secure as possible.
Critics scoffed. After all, Microsoft software was a powerful magnet and open target for hackers who spread malicious worms and viruses, and the company was better known for features than for lockdown. Windows clients and servers, Office, Exchange, SQL Server and all the rest regularly succumbed to vicious attacks. Users and pundits felt Microsoft just didn't do enough about it.
Gates' 10-year deadline has recently passed, and by most accounts Microsoft software today is far more secure and trustworthy. That said, the company remains the No. 1 target of hackers.
Microsoft has done a lot. When it builds software, security is job one. It also releases patches on the now-famous Patch Tuesday, and more frequently if need be. It distributes its own free security software through Defender and Security Essentials, funds research through its labs, works with key organizations and third parties, and supports law enforcement.
Law enforcement efforts are paying public dividends. The recent takedown of command and control servers in Scranton, Pa., and Lombard, Ill., set up by a ring spreading the Zeus botnet, is evidence Microsoft software is still a key target, but also that cyber criminals can at least be stymied. But while Microsoft led the FBI to shut down the command and control servers for the fourth time, security experts agree it's only a matter of time before the Zeus botnet or variants resurface.
Experts say Microsoft has made remarkable strides in improving the safety of its software, and many now regard the company as a leader in security-related initiatives. Nonetheless, it faces numerous challenges, such as:
- Increased number of cyber criminals who have more sophisticated skills and can build on the past work of others
- Growth of attack points such as smartphones, tablets and cloud services
- Users who continue to engage in unsafe practices
- The pending release of new client and server platforms including Windows 8 and Windows Server 8
In assessing Microsoft's progress over the past decade, it's important to recall how terribly insecure its software used to be.
String of Malicious Attacks
Six months before Gates' directive, the Code Red worm wreaked havoc on more than 300,000 hosts running Microsoft IIS. Code Red exploited a buffer-overflow vulnerability in IIS, overrunning a memory buffer on the server to hijack it, and it also launched distributed denial of service (DDoS) attacks on its targets. Among its notable victims: the server farm running the White House Web site.
Another variant of the worm, Code Red 2, surfaced a month later. The Code Red worms were so massive that experts worried such attacks threatened the very stability of the Internet. They followed a string of attacks in prior years, including Melissa in 1999, a worm that took advantage of flaws in Microsoft Word and Outlook and erased files. Another one, the ILOVEYOU virus, spread by e-mailing an executable Visual Basic program to the first 50 addresses in a victim's Outlook address book.
The final straw came in 2001, a week after the September 11 attacks, when the Nimda worm struck. Like Code Red, it took advantage of vulnerabilities in IIS; not only could it spread itself via e-mail, it also infected files via open network shares and back doors left open by prior worms. Some at the time wondered if Nimda was unleashed by terrorists, a myth that was quickly dispelled.
Nimda left Microsoft's reputation at an all-time low as the attacks left some of the world's largest corporations and government agencies hamstrung. "Their software was full of holes from a security standpoint," notes Philippe Courtot, chairman and CEO of Qualys Inc., a provider of malware detection, policy compliance and vulnerability assessment tools.
With so many flaws in Microsoft's software, critics had no faith the company could ever change its stripes. Among those fed up was Alan Levine, chief information security officer at Alcoa Inc., a large industrial provider of aluminum with $23 billion in revenues at the time.
"I made no bones about the fact I thought they were failing in their mission. They were putting out software that contained exploitable vulnerabilities," Levine recalls. "They were causing lots of large companies like mine to go through lots of work and rework and more rework. Every time Microsoft identified a problem, they appeared to be identifying it a day late and a dollar short. And when they issued a patch to fix a vulnerability, it was bad, so they had to come out with a patch to fix the bad patch, which was costly. It left us in a mode where we were less secure."
The Gates Ultimatum
After the September 11 attacks and the Nimda outbreak, Gates knew Microsoft and customers could no longer stand for the status quo. "Computing is already an important part of many people's lives. Within 10 years, it will be an integral and indispensable part of almost everything we do," Gates wrote in his January 2002 memo. "Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing."
No one would say Gates went out on a limb predicting computing would be ubiquitous by now. But few believed Microsoft's software would be dramatically more secure 10 years later, or that the company would be seen as a true leader in security.
"Microsoft's reputation for security was best classified as a laughingstock; their security was simply not respected at all," remembers Jeremiah Grossman, founder and CTO of WhiteHat Security, a Santa Clara, Calif., consulting firm that works with large enterprises to combat Web site attacks.
"Most people were skeptical when the whole notion of Trustworthy Computing came out," recalls Art Coviello, who was CEO of RSA Security Inc. at the time and is now executive chairman of the EMC Corp. division that manages RSA assets. "I remained relatively unconvinced until I saw what they were doing."
Coviello recalls when Gates gave a keynote address at RSA's widely followed annual conference in early 2004. "If anyone ever went into a hostile environment and showed a lot of courage, it was Bill," Coviello says. "He did a very credible job helping people understand what Microsoft was attempting to do. It was at that point that people started to give Microsoft a little bit more of the benefit of the doubt."
When Gates issued his Trustworthy Computing initiative, Microsoft invited Alcoa's Levine and a few dozen other top IT pros to join the Microsoft Security Council, which still gathers in Redmond twice a year. Levine agreed to join but admits he didn't think it would do much. "I was worse than skeptical -- I was their worst critic. I thought it was mostly public relations," Levine says, adding he was later surprised at Microsoft's progress. "Over the last 10 years the change has been dramatic, remarkable and unbelievably positive. They took on the really important job of fixing what was wrong."
At RSA's most recent annual conference in San Francisco in February, Scott Charney, Microsoft corporate VP for Trustworthy Computing, said the company had set out to reduce vulnerabilities in code by developing and adopting its Security Development Lifecycle (SDL), a blueprint for the development of all software from cradle to grave to ensure vulnerabilities wouldn't be introduced anywhere along the process.
"We did threat models at design time, and coded and tested to remove vulnerabilities in a systematic way across our products," Charney said in his RSA keynote address. "We knew we weren't going to get vulnerabilities down to zero, so we had to think about, 'How do you make a user safe, even if there are vulnerabilities in products?' So we started to focus on defense-in-depth and reducing exploitability."
In the ensuing years, Microsoft realized it had to become more granular in addressing security across its entire stack. In 2008 it issued new tools that would help partners and customers build end-to-end trust into software using the principles of the SDL. This new approach of striving to build bug-free code was critical in making Microsoft software far more resistant to actions that would compromise security, experts say.
"Compilers and developer tools all really changed with regard to pushing developers to create better code," says Philip Lieberman, president and CEO of Lieberman Software Corp., a provider of security and systems management software. "They provided gentle but relentless pressure, saying you should do certain things in your code. And they changed out the libraries, and the insecure versions aren't there anymore."
While many third-party ISVs and partners have utilized the Microsoft SDL tools and best practices, many have not, warns analyst Rich Mogull, CEO of security research and advisory firm Securosis LLC. "Honestly, the biggest issue Microsoft faces is getting all the third-party developers to spend more time not only hardening their code, but fully leveraging the tools Microsoft provides to do that," Mogull says.
The next big milestones came in 2004, first with the launch of Patch Tuesday: the company's methodical approach to issuing fixes -- some critical, some minor -- with an eye toward adding predictability around the release of security updates for all of its products on the second Tuesday of each month. The patches come from the Microsoft Security Response Center (MSRC), the company's 24-hour security alerting service. Security vendors and customers have come to rely on the MSRC and Patch Tuesday, and laud Microsoft's emphasis on its approach to providing updates and bulletins.
Another important highlight that year was the release of Windows XP SP2, when Microsoft turned on the firewall by default and likewise turned on auto update by default, enabling the near-touchless installation of patches. The service pack also introduced Data Execution Prevention (DEP), a feature also found in Linux and the Mac OS, designed to protect memory from malicious executable code.
How Windows Vista Changed PC Security
Many think of Windows Vista as a failure because of compatibility problems. But Windows Vista was the first Microsoft OS built under the SDL, and it also introduced several key security features:
- PatchGuard, which prevents malware from overwriting the OS kernel
- Address space layout randomization (ASLR), which makes buffer-overrun exploits harder to pull off by randomly shuffling the location of code and data in memory
- BitLocker Drive Encryption, which, as the name implies, encrypts data on the drive
- Windows Defender, the Microsoft anti-malware scanning program built into the OS (also made available as a download for Windows XP)
- User Account Control (UAC), which requires user permission before allowing a process that needs administrator privileges to run
UAC was not a welcome addition to Windows Vista, as users were constantly badgered by prompts for permission to allow application changes. In Windows 7, Microsoft addressed UAC complaints by extending the tasks that a typical user might conduct without prompting for administrator permission, letting users with admin privileges configure UAC parameters in the Control Panel and offering expanded local security policies that let IT pros reduce UAC messages sent to users.
In addition to a revamped UAC, Windows 7 gained improvements to BitLocker, which now also covers removable drives and offers auditing, and DirectAccess, which allows remote connectivity to enterprise servers and applications without connecting to a virtual private network (VPN). Experts say the encapsulation technique used by DirectAccess offers more secure remote access (see the January 2010 Security Advisor column, "Can DirectAccess Replace Your VPN?" at Redmondmag.com/Wettern0110). DirectAccess, also introduced in Windows Server 2008 R2, uses IPv6-over-IPsec to encrypt communications for secure, remote network sessions.
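The client defenses described above (the XP SP2 firewall and automatic-update defaults, DEP, and the Vista/7 UAC, Defender and BitLocker features) can be verified on a machine rather than taken on faith. The following audit script is an added example, not code from the article or from Microsoft; it assumes Windows 8 / Server 2012 or later (for Get-NetFirewallProfile, Get-MpComputerStatus and Get-BitLockerVolume) and an elevated prompt.

```powershell
# Added example: report whether the defenses the article names are actually on.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
function Test-ClientHardeningBaseline {
    $checks = [System.Collections.Generic.List[object]]::new()
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem

    # DEP (introduced with XP SP2). DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    $dep = $os.DataExecutionPrevention_SupportPolicy
    $checks.Add(@{ Name = 'DEP policy is OptOut or AlwaysOn'; Value = $dep; Pass = ($dep -in 1, 3) })

    # UAC. EnableLUA = 0 turns UAC off entirely; ConsentPromptBehaviorAdmin = 0
    # elevates silently, which removes the prompt the article describes.
    $checks.Add(@{ Name = 'UAC enabled (EnableLUA)'; Value = $uac.EnableLUA; Pass = ($uac.EnableLUA -eq 1) })
    $checks.Add(@{ Name  = 'Admins are prompted for elevation'
                   Value = $uac.ConsentPromptBehaviorAdmin
                   Pass  = ($uac.ConsentPromptBehaviorAdmin -ne 0) })
    $checks.Add(@{ Name  = 'Prompts shown on the secure desktop'
                   Value = $uac.PromptOnSecureDesktop
                   Pass  = ($uac.PromptOnSecureDesktop -eq 1) })

    # Windows Firewall (on by default since XP SP2): every profile should be enabled.
    $fw = Get-NetFirewallProfile
    $checks.Add(@{ Name  = 'Firewall enabled on Domain/Private/Public'
                   Value = (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')
                   Pass  = (($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0) })

    # Automatic Updates via the Windows Update Agent COM API:
    # NotificationLevel 4 = download and install on schedule.
    $au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $checks.Add(@{ Name  = 'Automatic Updates install on schedule'
                   Value = $au.NotificationLevel
                   Pass  = ($au.NotificationLevel -eq 4) })

    # Windows Defender: real-time protection on and signatures reasonably fresh.
    $mp = Get-MpComputerStatus
    $checks.Add(@{ Name  = 'Defender real-time protection, signatures < 7 days old'
                   Value = "RTP=$($mp.RealTimeProtectionEnabled) SigAge=$($mp.AntivirusSignatureAge)d"
                   Pass  = ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -lt 7) })

    # BitLocker on the system drive.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $checks.Add(@{ Name  = 'BitLocker protecting the system drive'
                   Value = $bl.ProtectionStatus
                   Pass  = ($bl.ProtectionStatus -eq 'On') })

    foreach ($c in $checks) { [pscustomobject]$c }
}

Test-ClientHardeningBaseline | Format-Table Name, Value, Pass -AutoSize
```

Any row with Pass = False is a machine where one of the defaults the article credits has been switched off again, typically by a user silencing UAC or disabling the firewall for an application.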
While Microsoft improved security in Windows Vista and Windows 7, observers point out the client OS still has its share of flaws. "There're plenty of vulnerabilities in Windows 7 -- it's not perfect software. We'll never have that," says Chester Wisniewski, senior security advisor at Sophos Inc., a provider of enterprise security software and services.
Locking Down Windows 8
Microsoft is promising the pending arrival of Windows 8 will bring more security improvements. An oft-discussed security feature in Windows 8 is the new version of Windows Defender, the anti-malware tool. Microsoft says Windows Defender added to the new OS will fend off a gamut of malware, bots and rootkits by knowing all of the malware signatures discovered by the Microsoft Malware Protection Center, which will be passed along through Windows Update.
The move by Microsoft to step up the antivirus and anti-malware protection offered with the OS is controversial. Some say it's about time that Microsoft provided better protection for its software, while others are concerned the company is stepping into territory that will cut off third-party security vendors. "Certainly every vendor would like to feel it's on a level playing field, and that we have an equal chance to protect all of the users with the best possible choices," says Vincent Weafer, senior vice president of the McAfee Labs unit of McAfee Inc., a subsidiary of Intel Corp.
Microsoft is also adding SmartScreen filtering technology to Windows 8. Introduced in Internet Explorer 7, SmartScreen has played a key role in combating social engineering by using what Microsoft calls reputation-based technologies, which can use its cloud-based service to determine the reputation of a URL or app. The addition of SmartScreen to Windows 8 will apply those same principles of assigning reputations to software apps.
But the Windows 8 security story is more complex. With Windows 8 support for both the new Metro-style interface and the traditional Windows UI, and two hardware platforms (x86/x64 and ARM), there are two new hardware dynamics and two opposing software dynamics.
For example, the Metro-style version of Internet Explorer 10 in Windows 8 will not allow plug-ins such as Adobe Flash or Microsoft Silverlight, with the objective of cutting off one avenue for malicious code to execute.
"Most malware is written to x86, so for ARM they're kind of starting with a clean slate, pardon the pun," Wisniewski says. "There's no existing Windows ARM malware, so that platform will launch malware-free, and obviously Microsoft made additional improvements to the OS itself to be more resilient against attack."
Another feature in Windows 8 aimed at protecting users from attack is AppContainer, which introduces a new security sandbox that Microsoft says offers more fine-grained security permissions and blocks read and write access to most of the system. All of the Metro apps will run in AppContainer.
Vetting App Distribution
It appears Microsoft will require providers of Windows 8 Metro applications to deliver them through the Windows Store, the company's online marketplace. This lets Microsoft make sure applications meet security requirements, much like Apple Inc. does through its iTunes App Store. "If they lock down the way Apple has, I think that can have some dramatic security advantages," Securosis' Mogull says.
"I'll be curious to see if they're as restrictive as Apple, where you can only get software from the market," Wisniewski wonders. "If they do that, they may be able to reduce the amount of crust out there that targets that platform and be able to keep it largely malware-free -- at least comparative to the existing Windows environment, where the numbers are huge."
Internet Explorer 10 Gains Enhanced Protected Mode
While the Metro version of Internet Explorer 10 won't allow plug-ins, both versions of the new browser will support a feature called Enhanced Protected Mode.
Enhanced Protected Mode advances Protected Mode, a capability introduced in Internet Explorer 7 that blocks attackers' ability to install software or change system settings. Enhanced Protected Mode adds new restrictions, such as ensuring malicious code can't saturate the address space in memory. It also introduces a "broker process" that shields access to personal information by granting the browser temporary access to files only when enabled by the user.
Protecting the Endpoints
While PC and mobile clients are the most frequent targets of attacks, most experts agree Microsoft has effectively reduced many of the threats that plagued its server products -- including Windows Server, Exchange, SQL Server and IIS -- by applying the SDL model, which resulted in cleaner code and fewer vulnerabilities. Most see Windows Server as a much more secure platform thanks to the evolution of the user-authentication model in Active Directory and add-on offerings such as Active Directory Federation Services (ADFS) and Forefront Identity Manager. For example, Active Directory in Windows Server 2008 permitted IT pros to implement fine-grained password policies and added auditing capabilities. ADFS, a free add-on to Active Directory, provided the basis for single sign-on to enterprise systems.
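The fine-grained password policies mentioned above let one domain hold a stricter policy for privileged accounts than the Default Domain Policy. The script below is an added example, not the article's or Microsoft's code; it assumes the ActiveDirectory PowerShell module (RSAT), a domain at the Windows Server 2008 functional level or higher, and a global security group named Tier0-Admins (an assumed name).

```powershell
# Added example: create a Password Settings Object (PSO) for a privileged group
# and verify which policy actually applies to its members.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'   # assumed PSO name
$subject = 'Tier0-Admins'       # assumed global security group

# A PSO applies only to users and global security groups. When several PSOs
# cover one user, the lowest Precedence wins, so the strict policy gets a low value.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -Description 'Stricter than the Default Domain Policy; privileged accounts only' `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)   # must not be shorter than the window

# Link the PSO to the group; membership changes are picked up automatically.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Verify: the resultant policy for a member should now be the PSO, not the domain default.
$member = Get-ADGroupMember -Identity $subject |
    Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
}

# Audit: list every PSO in the domain and what it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

If Get-ADUserResultantPasswordPolicy still reports the domain default for a member, the account is usually being reached through a nested or domain-local group, which a PSO does not cover.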
Windows Server 8, now in beta, will offer improved security on a number of fronts. Dynamic Access Control (DAC) will offer a centralized way to apply policy management and governance to files. DAC allows IT pros to manually or automatically classify files, control access, add Rights Management Services encryption for sensitive Office documents and conduct audits.
"It's a completely different way of doing authorization for Windows files, and it provides a way to actually use external authorization," says Gartner Inc. analyst Mark Diodati.
Microsoft is also upgrading Active Directory Domain Services in Windows Server 8 to offer simplified access across datacenter, virtual machine and cloud services with a single set of credentials.
"Right now, I'm skeptical because Microsoft has purely been an on-premises vendor," says Forrester Research Inc. analyst Andras Cser. "Obviously, their vested interest still lies with keeping things on-premises because that's where most of their revenue comes from. But this is a step in the right direction."
As Microsoft looks to tie Windows Server 8 and Active Directory to its cloud services, the company is also looking to avoid any miscues. It goes without saying that security breaches with its flagship Office 365 and Windows Azure cloud platforms could be devastating -- and could scare customers away from using cloud services.
In a sign of the times, in March Microsoft released a technology preview of its Microsoft Endpoint Protection for Windows Azure. The plug-in, an extension of the SDK, allows IT pros and developers to embed anti-malware into their Windows Azure instances. The company says the tool allows IT pros to import the anti-malware module into their roles definitions.
By deploying the anti-malware app into a Windows Azure service, users can have real-time protection, scanning, malware remediation, signature updates and active production. The latter feature issues reports about discovered threats to Microsoft.
The Pinnacle of Security?
It's hard to dispute that Microsoft has come a long way over the past 10 years in improving the security of its products, even if no one -- including Microsoft -- is saying "mission accomplished." With new threats evolving every day, coupled with advances in computing and new uses of technology, the next 10 years could be more challenging for Microsoft than the decade that just passed. Its key challenge will be getting its partners and customers to become more vigilant.
"I don't see any sign of Microsoft coming close to delivering the silver bullet that will solve the security problems the world is struggling with," says Paul Kocher, president and chief scientist of security consulting firm Cryptography Research. "They started out with the vision that they would make computers trustworthy, which was replaced by the realization that these are really hard problems and more difficult than people anticipated 10 years ago."