News

Reinventing Windows Security

• By Ed Scannell and Peter Varhol
• 05/01/2007

Stephen Toulouse, senior product manager for the Trustworthy Computing Group, is one of Microsoft's key people thrust into the middle of this perpetual war against hackers. During Vista's development process he worked on a number of security features including kernel patch protection, the Windows Security Center and Windows Defender, as well as working with partners to ensure their products would work smoothly with the new security technologies. Toulouse sat down with Redmond Editor Ed Scannell and Peter Varhol, executive editor, reviews, to talk about some of the processes Microsoft went through in deciding what technologies to incorporate, and the new testing procedures those new technologies went through in order to make it into the final product.

Redmond: How did you determine what security features were going into Vista? What sort of feedback did you get from enterprise customers about that?
Toulouse: By the end of 2004 Vista underwent a fundamental reset in terms of what it was going to be. Part of that reset was what we learned from the development of [Windows XP] Service Pack 2 [SP2]. In fact, the first steps toward understanding the larger security picture of Vista were with SP2. In SP2 we did things like the Internet Explorer lock-down for the local machine zone. Feedback from users [on SP2] was really around a couple of things. First, they wanted the code to be fundamentally more resistant to attack. Making sure the operating system was resistant gave us time to evaluate whether or not we should apply the update. Second, better security features in the product helped us tune it to different environments that would help it protect itself.

When in the development cycle did you incorporate new technologies like BitLocker? Did that come out of SP2 research or independently of it?
That was separate. It was done as part of what we could do to take advantage of some cool technology coming out on the Trusted Platform Modules. At that time, we were seeing this rash of laptops left in taxicabs with databases of 1 million customers' personal information on [them]. One of the things we thought we could do was full volume drive encryption to alleviate that problem. But the problem with encryption systems is they aren't full volume, so [hackers] can just pull the drive out of the machine and try to brute-force decrypt it. But BitLocker helps prevent that. That was driven more as a privacy feature and really intended mainly for corporate laptop users.

As you collected and incorporated feedback from SP2 users plus your own ideas, how did you determine what security features would work for millions of users?
It's all about hitting a confidence level, striving to define that confidence level and employing the metrics that determine where you are relative to that confidence level. With Windows Vista there were three things going on in reaching that confidence level. Number one, how do we evaluate what we are putting in. Number two, when do we get to the point where we can share that and trust that sharing gives us the feedback we need. Number three, what is our safety net that helps us understand that [feedback] even if we miss something -- are there still things within the product that can help.

So how did you evaluate what you decided to put in?
How [we] evaluate what goes into a product is what I call the security engineering part. That's where we use our Security Development Lifecycle [SDL]. Vista is unique in that it's our first client OS that went through the SDL from beginning to end. The SDL is now the process under which Microsoft develops all software. So when a developer is sitting down in his office, he's no longer thinking just cool feature, cool feature, cool feature. He's thinking as much about the misuse of the feature as he is the use of it. This is an important mindset change. Before people were just rushing to make a great feature work well and be stable. Now they have to think about what an attacker can do with it. It's called Threat Modeling. If we can't go through this process successfully, then features get cut.

Was this hard to develop as a discipline for longtime developers?
Well, we started back with SP2 and I think people learned some very hard lessons thanks to [the] Slammer, Blaster and Sasser [viruses]. Thankfully, the mindset change had already occurred. But a second piece of all this is BlueHat, which is independent of the SDL, where we bring in security researchers to poke holes in functionality right there in front of the same people who developed it. It's also a good punch in the stomach, as opposed to getting feedback on an intellectual level.

Were any other fundamental changes made to the development process since Windows XP?
Another change from Windows XP is when a developer now needs to check in code by merging it with the main source tree, that code is run against a variety of tools that scan it. This scanning is looking for banned APIs and unsafe coding practices. It's not meant to be a catchall, but more of a safety check. If any code contains these things it gets kicked back out and is not allowed to merge. Another big change from Windows XP is the sheer, unprecedented number of security researchers and security companies that we brought into Microsoft to do code review and penetration testing on the product.

Looking back, do you feel there's anything you missed?
After all the reviews and security testing, it was clear to us and the public [that] we missed the usability of things like User Account Control. There was just a wave of criticisms after beta 2. I don't think that feature has fully recovered from the initial criticism. Even though we spent the next two beta releases addressing it, it still carried a bad rep in the final product. You have to assume there are some things you're not going to see. It's a constant battle between usability and security.

It is a tradeoff. The most secure OS is one running on a computer with no I/O connectivity inside a vault.
I'll go you one better: The most secure OS is the one still on the DVD and that hasn't been installed anywhere. Let's be clear -- this is the most secure version of Windows we've done but that does not mean it's hack-proof. We have great faith in this product and it's only going to get better from here, but delivering the finished version of Vista doesn't mean we're all taking vacations now.