Optimizing Client Security by Using Windows Vista

Technical White Paper

Published: July 18, 2006 | Updated: May 8, 2007

Download

Download Technical White Paper, 475 KB, Microsoft Word file

Download PowerPoint Presentation, 1.77 MB, Microsoft PowerPoint file

Download IT Pro Webcast, WMA, MP3

Download TechNet Radio

Situation

Microsoft IT manages the network communications and data for more than 90,000 users and needed a clearly defined plan to enhance the security of company information.

Solution

Microsoft IT deployed Windows Vista to strengthen the security of the data network and data storage, and to provide improved defenses against the threats of unauthorized access and communications.

Benefits

  • Dramatically improves at-rest data protection through full drive encryption
  • Provides first-line defense against malware
  • Reduces the risk that malicious Web sites present

Products & Technologies

  • Windows Vista Enterprise or Windows Vista Ultimate
  • BitLocker Drive Encryption
  • User Account Control
  • Security Center
  • Group Policy

On This Page

Executive Summary

Introduction

BitLocker Drive Encryption

User Account Control

Internet Explorer and Protected Mode

Windows Vista Security Settings

Conclusion

For More Information

Executive Summary

Microsoft Information Technology (Microsoft IT) has the unique responsibility of managing security for the management, storage, and transmission of information across an enterprise, while deploying prerelease versions of its own software products. From the many campuses throughout the world, to the tens of thousands of remote access users, the Microsoft environment presents an evolving security landscape full of potential vulnerabilities to identify, analyze, and address. Microsoft IT requires the ability to continuously reduce vulnerabilities and mitigate the risks of unauthorized, damaging, or accidental threats against the corporate network. In addition to ensuring a high standard of security, Microsoft IT must accomplish these goals by using cost-effective solutions.

Through all of its efforts to achieve these continuously evolving, high standards of information security, Microsoft is under the observation of companies all over the globe that will also implement these leading-edge technologies—by taking advantage of Microsoft experiences and lessons learned. This public scrutiny is well deserved because the Microsoft® Windows® operating system is the foundation for 95 percent of all corporate laptop and desktop computers.

The purpose of this white paper is to share design, planning, and deployment best practices that Microsoft IT identified during its planning and deployment of security features included in the Windows Vista™ operating system. This paper reviews past, present, and future security considerations addressed within the global Microsoft infrastructure. The basis for the information in this paper is the experience of Microsoft IT, which is at the forefront of rolling out the new features and technologies in the latest Microsoft operating systems and server products.

The ideal audience for this technical publication is the IT professional who has experience and familiarity with Windows XP Professional, Windows Vista, and security concepts like authentication, authorization, and encryption. This paper also assumes that the reader has a basic understanding of Group Policy and Group Policy Management Console.

To manage risk, any organization can employ many of the principles and techniques that this paper describes. However, this paper is based on Microsoft IT's experience and recommendations as an early adopter. It is not intended to serve as a procedural guide. Each enterprise environment has unique requirements; therefore, each organization should adapt the plans and lessons learned described in this paper to meet its specific needs.

Note: For security reasons, the sample names of internal resources, organizations, and internally developed security file names used in this paper do not represent real resource names used within Microsoft and are for illustration purposes only.

Introduction

From small businesses to global enterprises, finding any organization that does not place a priority on the security of confidential information and information systems would be difficult. Security is a global concern that affects all users at all levels of the corporate ladder—interns to executives. No company is immune to hackers looking for a new challenge or a chance to exploit an exposed vulnerability that can lead to acquiring confidential information. The prevalence and necessity of the Internet within a daily work environment has only added complexity to the adversarial relationship between hackers and security administrators.

While network and information security evolves, so does the process of finding and exploiting security weaknesses. This evolution of the process has led to an exponential growth in the types of attacks. Common attacks include:

  • Address resolution protocol (ARP) spoofing
  • Denial of service (DoS)
  • Distributed denial of service (DDoS)
  • IP spoofing
  • Man in the middle
  • Misdirection
  • Smurf
  • Social engineering
  • SYN flooding

While administrators work to prevent these common attacks, they must also fight the viruses, Trojan horses, and spyware that are so prevalent across the Internet and across corporate networks.

Windows Vista was designed to provide a high level of security. This paper describes some of the most significant improvements made to the operating system and Microsoft IT's experience deploying the operating system within the corporate network. Windows Vista security-oriented features discussed include:

  • Microsoft BitLocker™ Drive Encryption helps protect data from being compromised on a lost or stolen computer by using encryption and access control technologies in Windows Vista.
  • User Account Control (UAC) enables people to do their day-to-day work as standard users. It helps protect client computers and corporate assets against malicious software—which includes viruses, worms, and Trojan horses—by providing a method of separating standard user rights and tasks from those that require administrator access.
  • Windows Internet Explorer® Protected Mode adds more defenses to help enable a safer Internet browsing experience for users and to help prevent malicious users from taking over a user's browser and executing code through elevated rights.

Increasing security too much to protect a system will inhibit users from accomplishing their tasks. Focusing on ease of use by opening settings too broadly will expose the system to attack. Factoring in the need to satisfy multiple classes of users—IT professional, business, administrative, etc.—adds several levels of complexity to finding the right balance.

At the time of this writing, Microsoft IT supports 11 data centers and more than 90,000 users in 230 cities across 77 countries or regions. Microsoft employees and contractors connect on any one of 350,000 wide area network (WAN) ports or via one of the 4,000 wireless access points. With more than 150,000 managed desktop computers and 24,000 wireless devices, Microsoft IT must follow prescriptive business processes that will help ensure availability, reliability, and security across the entire enterprise.

In making Windows Vista the most secure version of Windows, Microsoft worked hard to define security settings that help protect users while keeping their systems usable. This document discusses out-of-the-box security capabilities and ways to increase system security by taking advantage of the many options available to the IT professional, based on the experiences of Microsoft IT as an early adopter of Windows Vista. While it does offer best practices and information about how “Microsoft does IT”, this document is not intended to be used as a deployment guide, because organizations and their individual security needs are very different. For specific information about the security topics that an organization needs to plan for, please visit the Windows Vista Security Guide at http://www.microsoft.com/technet/windowsvista/security/guide.mspx.

BitLocker Drive Encryption

BitLocker Drive Encryption is an integral security feature of Windows Vista that provides considerable offline protection for data and the operating system. BitLocker helps ensure that data stored on a computer running Windows Vista is not revealed if the computer is tampered with when the installed operating system is offline. It optionally uses a Trusted Platform Module (TPM) to provide enhanced protection for data and to help ensure the integrity of early startup components. This can help protect data from theft or unauthorized viewing by encrypting the entire Windows volume.

Reduction of Security Risks and Threats

"Over 750,000 laptops lost in US in 2006."

Safeware Insurance

BitLocker is a response to one of the top requests of Microsoft customers: Address the very real threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computer hardware with a tightly integrated solution in Windows Vista.

A thief who steals a computer may attempt to access data on the computer by starting another operating system or by running a software attack tool. BitLocker helps mitigate unauthorized data access by enhancing Windows Vista file and system protections. BitLocker provides both mobile and office information workers in an enterprise with enhanced data protection if their systems are lost or stolen. BitLocker also provides an enhanced data management process for decommissioning assets.

Enhanced Information Protection and Regulatory Compliance

Data security on lost or stolen computer devices is a growing concern among security experts and corporate executives. The data stored on a computer asset is often significantly more valuable to a corporation than the asset itself, and the loss, theft, or unwanted revelation of that data can be very damaging.

Recent government regulations focus on data protection and privacy to safeguard consumer information. This legislation has a strong impact on organizational storage policies, especially for computer devices that have a relatively short lifespan and are easily lost or stolen.

The more important U.S. regulations include the following:

  • Health Information Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley Act
  • Personal Information Protection and Electronic Documents Act
  • Gramm-Leach-Bliley Act
  • California Senate Bill 1386
  • Securities and Exchange Commission (SEC) Rule 17a

These laws are complex and difficult to interpret. However, one thing is invariably clear—the unregulated release of the data that each law or policy covers can be damaging. Some of the regulations demand fines and the potential for imprisonment for offending executives. Many executives and board members are looking for solutions that increase protections for data and provide compliance.

BitLocker is tightly integrated into Windows Vista and provides a seamless, security-enhanced, and easily manageable data protection solution for the enterprise. For example, BitLocker optionally uses an enterprise's existing Active Directory® directory service infrastructure to remotely escrow recovery keys. BitLocker also has a recovery console integrated into the early startup components to provide for in-the-field data retrieval.

Overview of BitLocker Drive Encryption Functionality

BitLocker offers a seamless end-user experience with systems that have a compatible TPM microchip and basic input/output system (BIOS). A compatible TPM is defined as a version 1.2 TPM with the appropriate BIOS required to support the Static Root of Trust Measurement, as defined by the Trusted Computing Group (https://www.trustedcomputinggroup.org). The TPM interacts with BitLocker to help provide seamless protection at system startup.

BitLocker also offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a universal serial bus (USB) flash drive that contains a startup key. These additional security measures provide multifactor authentication and higher assurance that the computer will not start or resume from hibernation until the user presents the correct PIN or USB flash drive.

Figure 1 shows a summary of the BitLocker components.


Figure 1. Summary of components in BitLocker

BitLocker enhances data protection by bringing together two major functions: full drive encryption and the integrity checking of early startup components.

Full Drive Encryption

Drive encryption helps prevent unauthorized users from breaking the Windows Vista file and system protection on lost or stolen computers. This protection is achieved through the encryption of the entire Windows Vista volume. With BitLocker, all user and system files are encrypted, including the system memory paging and hibernation files.

Integrity Check of Early Startup

An offline attack is a scenario in which an attacker starts an alternative operating system to gain control of a computer system. Integrity checking the early startup components helps to ensure that data decryption is performed only if those components appear unmodified and that the encrypted drive is located in the original computer. BitLocker stores measurements of core startup components in the TPM chip. Every time the computer is started, Windows Vista verifies that the startup components have not been modified. If the files have been modified, Windows Vista alerts the user and refuses to release the key required to access the Windows partition. The system then goes into a recovery mode, prompting the user to provide a recovery key to allow access to the startup volume.

The system also uses recovery mode if a disk drive is transferred to another system. Recovery mode requires a recovery key that is generated when BitLocker is enabled, and that key is specific to one computer. As a result, BitLocker is intended for enterprises with a management infrastructure in place to store the recovery keys, such as Active Directory. Otherwise, the potential exists for data loss if a computer enters recovery mode and the recovery key is unavailable.

BitLocker can also be used on computers without a compatible TPM. Using BitLocker in this way provides the volume encryption capabilities but not the added security of integrity validation on early startup files. Instead, a USB flash drive provides the encryption key at startup.

Deployment of BitLocker Drive Encryption at Microsoft

Prior to developing a deployment plan for corporate-wide adoption of BitLocker Drive Encryption, teams across Microsoft IT, including support, client hardware, and infrastructure, completed a pilot to gain experience in using the feature, tools, and hardware. During each phase of the pilot, these teams worked closely with the product group to provide feedback and drive feature development in the product.

The final output from the pilot was a defined security position that expanded the scope and direction for BitLocker implementation. The position focuses on three deciding factors that are vital to managing security risk, and how BitLocker can help remediate:

  • Data management. Architecturally, all systems have digital asset value. Applying this policy uniformly releases both users and administrators from the untenable task of trying to maintain classifications on data containers such as computers. 
  • Environment controls. Physical access to the location where a system resides defines the scope of the threat to that device. Whereas locations such as labs and data centers have levels of managed access, offices and open locations offer a greater threat to data and devices.
  • Provisioning and enforcement. Active Directory, Group Policy, Microsoft Systems Management Server (SMS), and tools such as Windows Deployment Services and Business Desktop Deployment (BDD) provide methods for managing and provisioning to a multi-tiered environment. Because BitLocker mitigates offline attacks, enforcement across the user base is directed to drive user adoption and not network-based remediation.

BitLocker As a Corporate Standard

Microsoft has chosen to enable BitLocker Drive Encryption on all of its corporate workstation and laptop computers for security and asset management purposes. Microsoft created a data-handling and classification policy to outline the corporate standard for encryption on corporate systems. Microsoft actively encourages internal users whose computers are running Windows Vista to adopt BitLocker as their standard platform.

Table 1 lists BitLocker policies and configurations at Microsoft.

Table 1. BitLocker Policies and Configurations

System classification: Corporate mobile and desktop computers
Environment control: No security; open access
BitLocker policy and configuration: Systems will use BitLocker encryption with a TPM plus a PIN or USB startup key, depending on hardware compatibility. This will be used to control data exposure and manage asset retirement. Mobile computers are required to use the TPM-plus-PIN authentication mode to meet security policies.

System classification: Corporate lab—secure site
Environment control: Low security; limited access
BitLocker policy and configuration: Systems will use BitLocker encryption with a TPM or TPM plus PIN. These computers are used for testing purposes, held in locked locations with controlled or limited access. Labs in secure sites should use a minimum of TPM authentication.

System classification: Corporate data center
Environment control: High security; restricted access
BitLocker policy and configuration: Systems should use BitLocker encryption with compatible hardware. Exposure is limited due to high security and data management. Data-center environments should use application classification and use a minimum of TPM authentication where applicable.

Phased Deployment Plan

The deployment planning process resulted in the development of a three-year phased adoption plan that coincided with hardware refresh cycles. Aligning the BitLocker deployment to hardware provisioning and procurement will enable Microsoft IT to convert all capable systems to the TPM platform.

Table 2 lists the activities in each phase.

Table 2. Phased Adoption Plan

Phase 1: Windows Vista adoption

  • Focused on mobile computers
  • Creation of corporate position and policies requiring disk encryption
  • BitLocker image available through Windows Deployment Services
  • Optional adoption of BitLocker
  • Production BIOS integration

Phase 2: Windows Vista/BitLocker usage

  • TPM enabled by manufacturer
  • Helpdesk and Helpdesk service technician support
  • Require TPM plus PIN on new computers
  • BDD integration
  • Installed by default

Phase 3: Windows Vista/BitLocker enterprise

  • Provide targeted user education
  • Enforced compliance and remediation
  • Include desktop computers, mobile computers, and server hardware
  • Complete hardware refresh cycle
  • Enforce Network Access Protection (NAP) with exceptions

Hardware and Software Requirements

Microsoft has identified a standard TPM platform for all mobile and desktop computers. As of December 2006, all computers purchased through standard Microsoft IT procurement channels are TPM-capable devices. As Windows Vista production BIOS versions become available, Microsoft IT has instructed the OEMs to enable and activate the TPM by default.

The hardware and software requirements for TPM are as follows:

  • The system must have a version 1.2 TPM.
  • The hardware platform must be Windows Vista compliant.
  • A TPM device should:
    A. Be turned on by the hardware manufacturer with all features available.
    B. Have an owner password, for future management of the TPM, set by Microsoft IT using the BitLocker deployment script. The TPM owner password is stored in Active Directory.

Provisioning

Because BitLocker has become part of the corporate enterprise standard across the Windows Vista platform, Microsoft IT is currently working with OEM and imaging solutions to transition Windows Vista users to the BitLocker platform. The BitLocker image has been prepared and is available through all servers running Windows Deployment Services.

Long term, BDD will integrate the BitLocker functionality and automate configuration. Configuration of BitLocker will include two different profiles. Users will rebuild or receive new computers that will require a new build on the BitLocker platform, or current Windows Vista users will enable BitLocker functionality on existing computers. Microsoft IT modified existing build processes for in-house deployment and OEM pre-installation of Windows Vista to ensure that BitLocker is successfully installed on both new and existing hardware.

BitLocker Configuration

BitLocker Authentication Modes

The Microsoft IT preferred authentication model is TPM plus PIN. In the absence of a TPM-based hardware platform, users can use a startup key that can be stored on a USB flash drive that must be inserted every time the computer starts. Users should consider added protection based on the physical location of the device and device access.
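The readiness check below is an added example and is not a script from the white paper or from Microsoft IT. It reports whether a computer meets the TPM requirements listed above (a version 1.2 TPM that is turned on, activated, and owned) and which BitLocker authentication mode the operating system volume actually uses, so an administrator can confirm that a machine matches the preferred TPM-plus-PIN mode. It assumes the Win32_Tpm and Win32_EncryptableVolume WMI classes shipped with Windows Vista Enterprise and Ultimate, that it runs from an elevated prompt (those providers require it), and Windows PowerShell 2.0 or later; the key protector type codes in the table are the values those classes document.

```powershell
# Added example (not from the white paper): TPM readiness and BitLocker mode check.
# Assumes the Windows Vista WMI providers for the TPM and for volume encryption
# and an elevated PowerShell 2.0+ session.

$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'
$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType()
$ProtectorNames = @{
    1 = 'TPM'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}

function Get-TpmReadiness {
    # Returns the three states the paper's hardware requirements call for.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        return New-Object PSObject -Property @{
            Present = $false; SpecVersion = $null; Enabled = $false; Activated = $false; Owned = $false
        }
    }
    New-Object PSObject -Property @{
        Present     = $true
        SpecVersion = $tpm.SpecVersion      # assumption: reads like "1.2, 2, 3"; the paper requires 1.2
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-OsVolumeProtection {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $DriveLetter }
    if ($null -eq $vol) { return $null }

    # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown (e.g. still encrypting)
    $status = $vol.GetProtectionStatus().ProtectionStatus

    # Enumerate every key protector (type 0 = all) and translate its type code.
    $types = @()
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    if ($ids) {
        foreach ($id in @($ids)) {
            $code = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $types += $ProtectorNames[$code]
        }
    }

    New-Object PSObject -Property @{
        Drive         = $DriveLetter
        Protection    = $status
        Protectors    = $types
        # Microsoft IT's preferred model: TPM plus PIN, with a recovery password present
        PreferredMode = ($types -contains 'TPM and PIN') -and
                        ($types -contains 'Numerical password (recovery password)')
    }
}

Get-TpmReadiness | Format-List Present, SpecVersion, Enabled, Activated, Owned
Get-OsVolumeProtection -DriveLetter 'C:' | Format-List Drive, Protection, Protectors, PreferredMode
```

A computer whose TPM report shows Present but not Owned has not yet had its owner password set by the deployment script; a volume report whose Protectors list contains only 'TPM' corresponds to the TPM-only mode that Microsoft IT chose to disallow, and a list containing 'External key' with no TPM entry is the USB-startup-key mode used where no compatible TPM exists.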

Password and Key Management Policies

Microsoft IT has implemented best practices and policies to manage the recovery information for BitLocker. Some of the policies include:

  • Require backup of recovery passwords to Active Directory Domain Services.
  • Require backup of key package data to Active Directory Domain Services.
  • Require backup of TPM owner information to Active Directory Domain Services.
  • Encourage users to change PIN or USB startup keys on a regularly scheduled basis.
  • Change the BIOS administrator password on TPM-enabled computers after they are built to prohibit unauthorized access to TPM administrative functions.
  • Instruct users to not store key material, such as USB startup keys, with the system that it unlocks.

BitLocker and Active Directory Integration

BitLocker integrates with Active Directory so that administrators can control the user experience in the BitLocker Control Panel item and control the backup of recovery data for each BitLocker-enabled computer. To take advantage of this integration, Microsoft IT extended the Active Directory schema and configured BitLocker-specific Group Policy objects.

Microsoft IT has set the following Group Policy settings for BitLocker and TPM configuration in the WW-BDEADBackupSettings-IdM policy:

  • Power management. Microsoft has not set the power management object specifically for BitLocker; the default Windows Vista settings are in place. As a security best practice, Microsoft IT recommends the hibernate mode for any scenario where the system may leave a person's physical possession. When a computer transitions to sleep mode, open programs and documents persist in memory. When resuming from sleep, BitLocker does not require users to re-authenticate by using a PIN or USB startup key to access encrypted data. 
  • Partition visibility. BitLocker creates the system partition and assigns it the drive letter S:\. Microsoft IT can create a custom ADM template to hide this drive, with a Windows Management Instrumentation (WMI) filter that targets computers running BitLocker. The template can be deployed via Group Policy, hiding the drive from Explorer view; users can still see the drive in the Disk Management snap-in. Microsoft IT has chosen not to implement this policy currently, to minimize any possible impacts within the Microsoft IT environment.
  • User interface visibility. To enable users of the TPM-plus-PIN functionality within BitLocker, Microsoft IT has currently enabled the user interface via Group Policy. The Group Policy setting allows the user interface to appear in the BitLocker Control Panel item in TPM-plus-PIN and non-TPM modes. Microsoft IT has implemented this functionality to address the transition of its existing population of Windows Vista users to a Windows Vista/BitLocker platform. The decision was to implement the Group Policy as follows:
    • BitLocker on non-TPM computers (USB only): Allow
    • BitLocker TPM plus PIN: Allow
    • BitLocker TPM plus startup key: Disallow
    • BitLocker TPM only: Disallow
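The audit script below is an added example, not part of the white paper or of the WW-BDEADBackupSettings-IdM policy itself. It reads the policy values that the Group Policy decisions just listed, and the recovery-information backup policies in the preceding section, write to a client and reports where the effective configuration diverges. The registry value names (UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, ActiveDirectoryBackup, RequireActiveDirectoryBackup, ActiveDirectoryInfoToStore under the FVE and TPM policy keys) are the Windows Vista BitLocker and TPM policy values and are an assumption of this example, as are the expected values, which encode the paper's stated decisions (non-TPM USB: Allow; TPM plus PIN: Allow; TPM plus startup key: Disallow; TPM only: Disallow; recovery passwords, key packages, and TPM owner information backed up to AD DS).

```powershell
# Added example (not from the white paper): audit a client's effective BitLocker and
# TPM policy against the Microsoft IT decisions the paper describes.
# Assumes the Windows Vista FVE/TPM policy value names and PowerShell 2.0 or later.
# Reading HKLM policy keys needs no elevation.

$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$TpmPath = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# For the Use* values: 0 = Do not allow, 1 = Require, 2 = Allow.
# For ActiveDirectoryInfoToStore: 1 = recovery passwords and key packages, 2 = passwords only.
$Expected = @(
    @{ Path = $FvePath; Name = 'UseAdvancedStartup';           Value = 1; Why = 'advanced startup options enabled' },
    @{ Path = $FvePath; Name = 'EnableBDEWithNoTPM';           Value = 1; Why = 'BitLocker on non-TPM computers (USB only): Allow' },
    @{ Path = $FvePath; Name = 'UseTPMPIN';                    Value = 2; Why = 'TPM plus PIN: Allow' },
    @{ Path = $FvePath; Name = 'UseTPMKey';                    Value = 0; Why = 'TPM plus startup key: Disallow' },
    @{ Path = $FvePath; Name = 'UseTPM';                       Value = 0; Why = 'TPM only: Disallow' },
    @{ Path = $FvePath; Name = 'ActiveDirectoryBackup';        Value = 1; Why = 'back up BitLocker recovery information to AD DS' },
    @{ Path = $FvePath; Name = 'RequireActiveDirectoryBackup'; Value = 1; Why = 'do not turn on BitLocker unless the backup succeeded' },
    @{ Path = $FvePath; Name = 'ActiveDirectoryInfoToStore';   Value = 1; Why = 'store recovery passwords and key packages' },
    @{ Path = $TpmPath; Name = 'ActiveDirectoryBackup';        Value = 1; Why = 'back up TPM owner information to AD DS' },
    @{ Path = $TpmPath; Name = 'RequireActiveDirectoryBackup'; Value = 1; Why = 'do not take TPM ownership unless the backup succeeded' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BitLockerPolicy {
    param([array]$Checks)
    $findings = @()
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        $status = if ($null -eq $actual)       { 'NOT CONFIGURED' }
                  elseif ($actual -eq $c.Value) { 'OK' }
                  else                          { 'MISMATCH' }
        $findings += New-Object PSObject -Property @{
            Status   = $status
            Setting  = "$($c.Path)\$($c.Name)"
            Expected = $c.Value
            Actual   = $actual
            Purpose  = $c.Why
        }
    }
    return $findings
}

$results = Test-BitLockerPolicy -Checks $Expected
$results | Format-Table -AutoSize Status, Setting, Expected, Actual, Purpose

# Summarize so the script can gate a deployment step on a clean result.
$problems = @($results | Where-Object { $_.Status -ne 'OK' })
"Policy checks: $($results.Count), divergent: $($problems.Count)"
```

Any MISMATCH or NOT CONFIGURED row means the computer's effective policy differs from the configuration described above; the two RequireActiveDirectoryBackup checks matter most, because without them a client can finish enabling BitLocker or taking TPM ownership with no escrowed recovery information, which is exactly the data-loss case the recovery-mode discussion warns about. Use gpresult to trace a divergent value back to the GPO that set it.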

Support and Tools

Microsoft currently uses standard support and escalation processes to support BitLocker in the enterprise, although desk-side support has had to create processes that ensure that BitLocker is turned off before the remediation of hardware failures.

To help facilitate the deployment, support, and management of BitLocker, Microsoft IT uses the tools listed in Table 3.

Table 3. Tools for Deployment, Support, and Management of BitLocker

Tool: BitLocker Drive Preparation Tool

Function: To encrypt drives and to verify startup integrity, BitLocker requires at least two partitions. These two partitions make up a split-load configuration. A split-load configuration separates the main operating system partition from the active system partition from which the computer starts.

The BitLocker Drive Preparation Tool automates the following processes to make the computer ready for BitLocker:

  • Creating the second volume that BitLocker requires
  • Migrating the boot files to the new volume
  • Making the volume an active volume

For more information about the BitLocker Drive Preparation Tool, go to http://support.microsoft.com/kb/930063.

Tool: BitLocker Repair Tool

Function: The BitLocker Repair Tool helps access encrypted data if a hard disk drive has been severely damaged. This tool can reconstruct critical parts of the drive and salvage recoverable data. A recovery password or recovery key is required to decrypt the data. Helpdesk service technicians use it when a drive has failed and needs to be replaced.

For more information about the BitLocker Repair Tool, go to http://support.microsoft.com/kb/928201.

Tool: BitLocker Recovery Password Viewer

Function: This tool helps support personnel with delegated permissions locate BitLocker Drive Encryption recovery passwords for Windows Vista-based computers in Active Directory Domain Services.

For more information about the BitLocker Recovery Password Viewer, go to http://support.microsoft.com/kb/928202.

User Account Control

UAC provides a method of separating standard user rights and tasks from those that require administrator access. UAC increases security by enabling an administrator to make "standard user" the default user account for everyday use. Users can now perform more tasks and enjoy higher application compatibility without the need to be logged on with administrative-level rights. UAC also reduces the total cost of ownership (TCO) through the enablement of the standard user account, because it helps reduce the impact of malicious software, the installation of unauthorized software, and unapproved system changes.

UAC also enables users to perform common tasks as standard users and as administrators, without having to log off, switch users, or use the Run as command. A standard user account is synonymous with a user account in Windows XP, although in Windows Vista it is less restrictive. In Windows Vista, even accounts that are members of the Local Administrators group run most applications as a standard user by default. This helps prevent the installation of malicious software and other unwanted processes. By separating user and administrator functions while improving productivity, UAC is an important enhancement for Windows Vista.

Reduction of Security Risks and Threats

Standard Users

In Windows Vista, standard user accounts have additional rights that users require to perform common tasks, without requiring elevated permissions or help-desk support. These rights have minimal system impact and potential for risk, although administrators also have the ability to restrict these rights if they prefer. New rights for standard user accounts in Windows Vista include:

  • View the system clock and calendar.
  • Change the time zone.
  • Install Wired Equivalent Privacy (WEP) to connect to security-enhanced wireless networks.
  • Change power management settings.
  • Add printers and other devices that have the required drivers installed on the computer or that are provided by an IT administrator.
  • Install approved ActiveX® controls.
  • Create and configure a virtual private network (VPN) connection.

Additionally, disk defragmentation is now an automatically scheduled process in Windows Vista, so users do not need to initiate that action.

Many earlier applications that were not designed to support standard user accounts can run without modification in Windows Vista because of the built-in file and registry virtualization features. File and registry virtualization gives an application its own view of a resource that it is attempting to change by using a copy-on-write strategy. For example, when the application attempts to write to a file in the Program Files directory, Windows Vista gives the application its own private copy of the file in the user's profile so that the application will function properly.

Administrators

Before Windows Vista, an administrator account received one access token, which included credentials to grant the user access to all Windows resources. This access control model did not include fail-safe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could have installed itself on users' computers without notifying the users (a silent installation). Furthermore, because it was executed within the administrative context, the malicious software could cause significant, widespread damage, such as infecting core operating system files, and then become increasingly difficult to remove.

To help prevent the silent installation of malicious software and computer-wide infection, Microsoft developed administrator approval mode for Windows Vista. When an administrator logs on to a computer running Windows Vista, the user's full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, the authorization and access control components that identify an administrator are removed or disabled, producing a standard user access token. That standard user access token is then used to start the desktop—for example, the Explorer.exe process. Because all applications inherit their access control data from the initial startup of the desktop, they all run as a standard user as well. In contrast, when a standard user logs on, only a standard user access token is created, and that token is used to start the desktop.

Enhanced Information Protection and Regulatory Compliance

By organizing a pilot of Windows Vista with UAC enabled (out of the box), Microsoft IT was able to collect valuable feedback regarding any impacts to user experience, line-of-business applications, and overall productivity. Through this early adoption and testing, Microsoft IT established a list of initial policy settings for UAC to promote the greatest protection possible while accommodating usability requirements.

Administrators in Administrator Approval Mode

Most environments—especially those that strive for high security—should use the prompt-for-consent option. Disabling the UAC prompt behavior removes the ability of a user to approve an application before it runs. As a result, any application can then use the administrator's access token, including malicious software, without the user's approval.

Standard Users

Standard users should be prompted for administrator credentials. If an organization configures computers to automatically deny elevation requests rather than prompt standard users for administrator credentials, standard users can perform administrative tasks only by using Run as or by logging on with an account that is a member of the local Administrators group.

Secure Desktop

In addition to the recommendations for administrators and standard users, the UAC setting Switch to the secure desktop when prompting for elevation should be kept enabled for higher levels of security. Displaying UAC elevation requests on the Secure Desktop helps protect the user from unknowingly allowing a program to run with elevated rights. Without this protection, it is much easier to write malicious software that tricks the user into approving an elevation request that the user really wanted to deny, for example by drawing over the prompt or by sending synthetic keyboard and mouse input to it. The Secure Desktop helps protect against this because other software running in the user's session is blocked from interacting with the prompt. This protection is strongest when the organization also requires the CTRL+ALT+DELETE key sequence before credential entry.

Overview of New Functionality

With UAC enabled, Windows Vista prompts for consent or for credentials for a valid administrator account before starting a program or task that requires a full administrator access token.

Credential Message

When UAC is enabled, the credential message appears when a standard user attempts to perform a task that requires an administrator access token, as shown in Figure 2.

Figure 2. User Account Control credential message in Windows Vista

The default message behavior for standard users is also configurable. In addition, an organization can require administrators to provide their credentials, rather than simply consent, by setting the behavior of the elevation prompt for administrators to prompt for credentials.

Consent Message

The consent message appears when an administrator attempts to perform a task that requires the user's full administrative access token, as shown in Figure 3.

Figure 3. User Account Control consent message in Windows Vista

An organization can configure the default prompting behavior for administrators by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. These tools are discussed later in "Deployment of User Account Control" and "Windows Vista Security Settings."

Considerations for Line-of-Business Applications

There is an ongoing effort within Microsoft IT to help Microsoft and independent software vendors (ISVs) redesign their applications to limit requests for a user's administrative access token. The application development message is, in essence: Require the user to be an administrator only when it is absolutely necessary.

Developers have often performed an access check when the application starts to ensure that the user is an administrator, even though many of these applications contain no function that actually requires administrative rights. Another common reason that applications fail for non-administrators is that they attempt to write to protected areas, such as the Program Files directory or the HKEY_LOCAL_MACHINE (HKLM) registry tree. File and registry virtualization resolves most of these issues by transparently redirecting such write requests to a per-user location inside the user's profile (the VirtualStore folder and registry key). Virtualization is a compatibility measure rather than a fix: it applies only to legacy 32-bit interactive applications that carry no Windows Vista application manifest, and an application that depends on it should be updated to write to user-writable locations.
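One practical way to find the line-of-business applications that are silently depending on virtualization is to list what has accumulated in the VirtualStore locations for the logged-on user. The script below is an added example, not part of the white paper; it assumes that the protected folders being mirrored live on the system drive, and the output column names are its own.

```powershell
# Added example (not from the white paper): inventory writes that Windows Vista
# redirected into the per-user VirtualStore, mapping each back to the protected
# location the application actually tried to write to.
function Get-VirtualizedWrites {
    $results = @()

    # File system side: redirected writes land under %LOCALAPPDATA%\VirtualStore,
    # mirroring the protected path (VirtualStore\Program Files\<App>\..., for
    # example). Assumption: the mirrored folders are on the system drive.
    $fsRoot = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $fsRoot) {
        Get-ChildItem -Path $fsRoot -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $results += New-Object PSObject -Property @{
                    Kind           = 'File'
                    RedirectedPath = $_.FullName
                    IntendedPath   = $_.FullName -replace ('^' + [regex]::Escape($fsRoot)), $env:SystemDrive
                    LastWrite      = $_.LastWriteTime
                }
            }
    }

    # Registry side: HKLM writes are redirected beneath
    # HKCU\Software\Classes\VirtualStore\MACHINE.
    $regRoot = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    if (Test-Path $regRoot) {
        Get-ChildItem -Path $regRoot -Recurse | ForEach-Object {
            $results += New-Object PSObject -Property @{
                Kind           = 'Registry'
                RedirectedPath = $_.Name
                IntendedPath   = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE', 'HKEY_LOCAL_MACHINE'
                LastWrite      = $null
            }
        }
    }

    $results
}

# Group by the top-level application folder or key so that each offending
# application appears once, with a count of redirected items.
Get-VirtualizedWrites |
    Group-Object { ($_.IntendedPath -split '\\')[0..2] -join '\' } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

An application that shows up here will behave differently for each user (every user gets a private copy of the data) and will break outright if it is ever rebuilt as a 64-bit binary or given a manifest, so the list doubles as a remediation backlog for the ISV or internal development team.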

Some programs, such as disk partitioning software, always require an administrator access token. Such programs can be started in Windows Vista with the user's full administrator access token. However, the user is first notified of the application's request to elevate from an administrator in Admin Approval Mode to a full administrator, and the user must choose to either approve or deny the elevation.

Note: By default, UAC does not apply to the built-in Administrator account, although it can be configured to do so. Unless so configured, this account runs all applications and administrative tools with the full administrator token without being prompted for consent, and the desktop shell is also started with that token.

In preparation for enabling UAC, Microsoft IT used the Microsoft Application Compatibility Toolkit (ACT) version 5.0. ACT 5.0 includes a UAC compatibility evaluator that detects and reports possible compatibility issues with UAC. The ACT is available at: http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx.

Deployment of User Account Control

Because the user experience is configurable through Secpol.msc and through Group Policy, there is no requirement for any single UAC user experience. When an organization is creating an image of Windows Vista for enterprise deployment, it has the option to leave the default UAC settings. However, each enterprise environment has unique requirements; therefore, each organization should review and determine appropriate initial settings based on its own experiences with UAC. The following sections describe important settings for an enterprise to consider when it is deploying UAC.

UAC Is Enabled

With UAC enabled, an organization might encounter some compatibility problems with different applications that have not yet been updated for Windows Vista UAC compatibility. However, an organization should keep UAC enabled unless a specific reason exists for disabling it, such as a critical line of business application incompatibility.

All Subsequent User Accounts Are Created As Standard Users

Both standard user accounts and administrator user accounts can take advantage of the UAC enhanced security. On new installations, by default, the first user account created is a local administrator account in Admin Approval Mode (UAC enabled). All subsequent accounts are then created as standard users.

Built-in Administrator Account Is Disabled

The built-in administrator account is disabled by default in Windows Vista.

Note: If Windows Vista determines during an upgrade from Windows XP that the built-in administrator is the only active local administrator account, Windows Vista leaves the account enabled and places the account in Admin Approval Mode.

Elevation Prompts Are Displayed on the Secure Desktop

The consent and credential messages appear on the Secure Desktop by default in Windows Vista. Displaying UAC elevation messages on the Secure Desktop helps protect the user from unknowingly allowing a program to run with elevated rights without his or her consent.

In an enterprise deployment of Windows Vista, reducing the risk that users can change system settings, install malicious software, and compromise data is paramount. As a result, enterprises should configure their workstations so that users run as standard users. The following configuration helps mitigate potential problems:

  • UAC is enabled throughout the environment and maintained centrally through Group Policy.
  • The built-in Administrator account is kept disabled, and a password is nonetheless set on it so that the account does not present a blank password to offline attacks.
  • Every user of the desktop computer runs with a standard user account.
  • Domain administrators have two accounts: a standard user account and an administrator account in Admin Approval Mode.
  • Applications are deployed centrally through Systems Management Server (SMS), Group Policy software installation, or a similar application deployment technology.
  • A help desk or IT staff member approves administrator access when it is needed, either through Remote Assistance or by entering the credentials at the user's computer in person.
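The prompt behavior recommendations earlier in this section ("Administrators in Administrator Approval Mode", "Standard Users" and "Secure Desktop") and the checklist above can be verified on a workstation with the script below. It is an added example rather than a tool from the white paper. The registry values it reads are the ones that Secpol.msc and the Group Policy User Account Control settings write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the expected values are this checklist's reading of the recommendations, with one addition beyond the paper's defaults: FilterAdministratorToken is expected to be 1 so that the built-in Administrator is also placed in Admin Approval Mode. Adjust the baseline to the organization's own standard and run it from an elevated prompt.

```powershell
# Added example (not from the white paper): compare the local UAC configuration
# with a recommended baseline. Values 2 and 1 for the prompt behaviors are the
# Windows Vista defaults (consent for administrators, credentials for standard
# users); FilterAdministratorToken = 1 is this baseline's hardening choice.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# value name -> @(expected value, meaning of that value)
$baseline = @{
    'EnableLUA'                  = @(1, 'UAC enabled')
    'ConsentPromptBehaviorAdmin' = @(2, 'Administrators in Admin Approval Mode: prompt for consent on the Secure Desktop (0 = elevate without prompting)')
    'ConsentPromptBehaviorUser'  = @(1, 'Standard users: prompt for credentials (0 = automatically deny elevation requests)')
    'PromptOnSecureDesktop'      = @(1, 'Elevation prompts are shown on the Secure Desktop')
    'FilterAdministratorToken'   = @(1, 'Built-in Administrator also runs in Admin Approval Mode')
}

function Test-UacBaseline {
    $props = Get-ItemProperty -Path $uacKey

    foreach ($name in ($baseline.Keys | Sort-Object)) {
        $expected, $meaning = $baseline[$name]
        $actual = $props.$name          # $null when the value has never been set
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $expected
            Actual   = if ($actual -eq $null) { '(not set)' } else { $actual }
            Result   = if ($actual -eq $expected) { 'PASS' } else { 'FAIL' }
            Meaning  = $meaning
        }
    }

    # The built-in Administrator account always has relative ID 500, whatever
    # it has been renamed to; it should remain disabled.
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    New-Object PSObject -Property @{
        Setting  = 'BuiltInAdministratorDisabled'
        Expected = $true
        Actual   = $builtin.Disabled
        Result   = if ($builtin.Disabled) { 'PASS' } else { 'FAIL' }
        Meaning  = "Built-in Administrator account '$($builtin.Name)' is disabled"
    }
}

Test-UacBaseline | Format-Table Setting, Expected, Actual, Result, Meaning -AutoSize -Wrap
```

Because these values are also what Group Policy writes, the same script run across a sample of workstations is a quick way to confirm that the centrally managed UAC settings have actually been applied, not just configured in the GPO.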

Internet Explorer and Protected Mode

Windows Vista builds on User Account Control to give Windows Internet Explorer enough rights to browse the Web, but not enough to modify user files or settings by default. This Windows Vista-only feature is known as Protected Mode. As a result, even if a malicious site exploits a vulnerability in Internet Explorer, the site's code will not have enough rights to install software, copy files to the user's Startup folder, or hijack the browser's home page or search provider settings.

Reduction of Security Risks and Threats

Through a robust new architecture, Windows Internet Explorer 7 offers security features that help defend against malicious software, as well as new ways to protect users from unintentionally providing personal data to fraudulent Web sites that use deceptive practices to gather information.

Protection Against Cross-Domain Scripting Attacks

Cross-domain scripting attacks involve script from one Internet domain manipulating content from another. For example, a user might visit a malicious page that opens a new window containing a legitimate page (such as a banking Web site); the malicious script then prompts the user to enter account information, which the attacker extracts.

Internet Explorer 7 helps deter this behavior by tagging each script with the domain from which it originated and allowing that script to interact only with windows and content from the same domain. These cross-domain script barriers help ensure that only the intended recipients see user information. This control further protects against malicious software by limiting the potential for a malicious Web site to exploit flaws in other Web sites and initiate the download of unwanted content to a user's computer.

Fix My Settings

Most users install and operate applications by using the default configuration, so Internet Explorer 7 offers default security settings that provide the maximum level of usability while maintaining controlled security. A custom application might legitimately require a user to lower security settings from the default, however. In such cases, a user must reverse those changes when he or she no longer needs the custom settings.

Internet Explorer 7 introduces the Fix My Settings feature to prevent users from browsing with unsafe settings. This feature warns a user through an Information bar when current security settings might put the user at risk. When the user makes changes in the Security Settings dialog box, the user also sees red highlighting if he or she tries to modify certain critical items. In addition to getting dialog boxes that warn about unsafe settings, the user is reminded by the Information bar as long as the settings remain unsafe. The user can instantly reset the security settings to the medium-high default level by clicking Fix My Settings on the Information bar.

Protected Mode

Available only to users running Internet Explorer 7 in Windows Vista, Protected Mode provides new levels of security and data protection for Windows users. Designed to defend against elevation-of-privilege attacks, Protected Mode provides the safety of a robust Internet browsing experience while helping to prevent hackers from taking over the browser and executing code through the use of administrator rights.

In Protected Mode, Internet Explorer 7 on Windows Vista runs at a low integrity level and cannot modify user or system files and settings without user action. Every write outside the browser's own low-integrity locations goes through a broker process that mediates between Internet Explorer and the operating system. The broker process cannot be scripted to act without user input, which reduces the likelihood of unwanted software downloads or installation. Scripted actions or automatic processes therefore cannot save data outside the browser's low-integrity locations or change the system.

Internet Explorer Protected Mode helps protect against malicious downloads by restricting writes to low-integrity locations such as the Temporary Internet Files folder. Writing to the Windows registry or to other locations requires the broker process, which holds the necessary higher rights and asks the user first. Protected Mode also keeps content from different trust levels apart by opening a new window, rather than a new tab, for content from outside the current security zone.
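Two checks that follow from the description above, written here as an added example and not drawn from the white paper: which security zones currently have Protected Mode turned on, and how to give a Protected Mode process a folder it is allowed to write into. The per-zone Protected Mode state is the DWORD value named 2500 under each zone key (0 means on, 3 means off); a Group Policy setting stored under the HKLM Policies key, when present, is assumed here to take precedence over the per-user value. The folder name LowDrop is this example's choice.

```powershell
# Added example (not from the white paper): report Protected Mode per zone and
# create a folder labelled Low integrity so Protected Mode IE can write to it.
$zoneNames   = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$userZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyZones = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ProtectedModeState {
    foreach ($zone in 0..4) {
        $source = 'user'
        $value  = (Get-ItemProperty -Path (Join-Path $userZones $zone) -ErrorAction SilentlyContinue).'2500'

        # A policy-managed value, if present, wins over the per-user setting.
        $policy = (Get-ItemProperty -Path (Join-Path $policyZones $zone) -ErrorAction SilentlyContinue).'2500'
        if ($policy -ne $null) { $value = $policy; $source = 'policy' }

        $state = switch ($value) { 0 { 'On' } 3 { 'Off' } default { 'Not set' } }

        New-Object PSObject -Property @{
            Zone          = $zoneNames[$zone]
            ProtectedMode = $state
            Source        = $source
        }
    }
}

function New-LowIntegrityFolder {
    param([string]$Path = (Join-Path $env:LOCALAPPDATA 'LowDrop'))
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # (OI)(CI) makes the label inherit to files and subfolders; L selects Low.
    # A low-integrity process may write here but still cannot write to the
    # medium-integrity folders around it.
    icacls $Path /setintegritylevel '(OI)(CI)L' | Out-Null
    icacls $Path
}

Get-ProtectedModeState | Format-Table Zone, ProtectedMode, Source -AutoSize
New-LowIntegrityFolder
```

On a default Windows Vista installation the Internet and Restricted sites zones report On and the Local intranet and Trusted sites zones report Off, which is why moving an internal line-of-business site into the Trusted sites zone also removes it from Protected Mode. The final icacls call lists the folder's ACL, where the Mandatory Label entry shows the Low label that was just applied.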

Enhanced Information Protection and Regulatory Compliance

Personal Data

Most users are unaware of how much personal, traceable data is transmitted with every click of the mouse while they browse the Web. The extent of this information continues to grow as browser developers and Web site operators develop technologies to enable user features that are more powerful and more convenient. With some basic Web site development tools, malicious Web site operators can build near replicas of well-known and trusted Web sites. Most online users are likely to have trouble discerning a valid Web site from a bogus copy.

Online Purchases

The extent to which convenience and discount pricing are available online gives users an attractive reason to click and buy. The Internet enables any large or small business to easily create an online storefront for selling goods and thereby reach a consumer audience well beyond traditional physical and geographic boundaries. Search-engine marketing efforts enable these Web sites to establish instant consumer credibility and reach millions of users through some of the largest search engines and portal Web sites. These factors lead to situations in which consumers are dealing with distant businesses and have few concrete mechanisms to differentiate legitimate businesses from those that seek to collect their personal information for improper gain. Another challenge facing users is the ability of operators of malicious Web sites to attract unsuspecting consumers by mimicking the appearance and function of well-known and trusted businesses.

Increase in Phishing

Operators of malicious Web sites also use a technique known as phishing, which is masquerading online as a legitimate person or business to acquire users' personal information. Over the past two years, phishing attacks have been reported in record numbers, and identity theft is emerging as a major threat to personal financial security.

Unlike direct attacks in which hackers break in to a system to obtain account information, a phishing attack does not require technical sophistication. Instead, it relies on users willingly divulging information such as passwords to financial accounts or Social Security numbers. These socially engineered attacks are among the most difficult to defend against because preventing them requires user education and understanding rather than merely issuing an update for an application. Even experienced professionals can be fooled by the quality and details of some phishing Web sites as hackers become more experienced and learn to react more quickly to avoid detection.

Internet Explorer 7 offers a range of enhancements and solutions to better protect users from malicious Web sites and confusing URLs. The Security Status bar, located next to the Address bar, helps users quickly differentiate authentic Web sites from suspicious or malicious ones. One way that it does this is by enhancing user access to digital certificate information that helps validate the trustworthiness of e-commerce Web sites. Internet Explorer 7 also provides a simple file cleanup tool that deletes the browsing history for better protection of privacy and passwords.

Security Status Bar

In recent years, encrypted communications and Secure Sockets Layer (SSL) technologies have been introduced to better protect users' information. Many Internet users remain overly trusting when Web sites ask for their confidential information. With the profusion of home-based and small-business Web sites selling goods that span the pricing spectrum, users are even more likely to encounter unknown entities that ask for their financial information. The combination of these factors creates a situation ripe for abuse. Internet Explorer 7 addresses this issue by providing users with clear, prominent, color-coded visual cues that indicate the safety and trustworthiness of a Web site.

Earlier versions of Internet Explorer placed a gold padlock symbol in the lower-right corner of the browser window to designate the trust and security level of the connected Web site. Because of the importance and inherent trust value associated with the gold padlock, the Security Status bar in Internet Explorer 7 displays the padlock icon more prominently.

Users also can view a Web site's digital certificate information by clicking the symbol. Digital certificates, issued by recognized entities known as certification authorities, serve two functions:

  • They provide third-party validation of the authenticity or trustworthiness of a business or Web site.
  • They carry the public key that the browser uses to establish an encrypted session, so that information stays confidential as it passes between the Web site and the browser.

The Security Status bar also supports Extended Validation (EV) certificates, earlier referred to as High Assurance certificates, for stronger identification of security-sensitive sites, such as banking sites. EV certificates are issued only after a more rigorous check of the requesting organization's identity, which helps protect consumers from identity theft. Internet Explorer 7 highlights these validated sites with a green-shaded Address bar and prominently displays the associated business or entity name.

To provide users with another visual cue for recognizing questionable Web sites, the padlock symbol appears on a red background if Internet Explorer 7 detects any irregularities in the site's certificate information.

By contrast, for Web sites whose certificates check out, the Security Status bar displays the gold padlock to indicate the higher level of safety and trustworthiness, and clicking the padlock shows the name of the certificate owner.

Phishing Filter

Developers who engage in phishing and other malicious activities thrive on lack of communication and limited sharing of information. The new Phishing Filter feature in Internet Explorer 7 uses an online service that is updated several times an hour with the latest industry information about fraudulent Web sites, and it warns Internet Explorer 7 users about suspicious sites. The filter is designed around the principle that early warning systems must derive information dynamically and update it frequently to be effective.

Phishing Filter combines client-side scans for suspicious Web site characteristics with an opt-in online service. It helps protect users from phishing scams in three ways:

  • It compares the addresses of Web sites that a user attempts to visit with a list of reported legitimate sites that is stored on the user's computer.
  • It analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites.
  • It sends the Web site address that a user attempts to visit to an online service run by Microsoft to be checked immediately against a frequently updated list of reported phishing sites.

If the destination is confirmed as a known phishing site, Internet Explorer 7 signifies the threat level (in red) and automatically opens a neutral page that contains a warning. If a site is not confirmed as a phishing site but is behaving in a way that is similar to a phishing site, the Address bar appears as yellow and warns the user of the suspicious behavior. The user can report any phishing sites or false positives to Phishing Filter directly from the browser. Disabling Phishing Filter requires only a click in the browser as well.

URL Display Protections

Hackers commonly attempt to mislead users into thinking they are looking at information from a known and trusted source. A valuable hacking tool has been the ability to hide true URL information and domain names from users. Internet Explorer 7 contains two powerful visual tools to help prevent users from being deceived:

  • Address bar in every window. With Internet Explorer 7, all browser windows require an Address bar. Hackers often abuse valid pop-up window actions to display windows that have misleading graphics and data to convince users to download or install malicious software. The requirement of a read-only Address bar in each window helps ensure that users know more about the true source of the information they are seeing.
  • Internationalized Domain Name (IDN) display protections. The Internet encompasses a global community, and browsers must be able to handle non-English characters and domain names. Operators of malicious Web sites have used international character display issues as a mechanism for phishing attacks and as a way to hide a Web site's true domain name. The problem derives from international alphabets: many characters in one script look identical to different characters in another (for example, the Latin letter a and the Cyrillic letter а are distinct code points that render alike). As a result, an individual with malicious intent can register a domain name that looks identical to a legitimate one to fool users into submitting their information to a false site. Previous versions of Internet Explorer had no native IDN support and no display protections for such names.

Internet Explorer 7 natively delivers full IDN functionality and display protections. It also provides extensive security mechanisms to help protect users from attack. One of the core security features of IDN support in Internet Explorer 7 is the multiple-language display in the Address bar.
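The look-alike problem described above is easiest to see by converting a domain name to the ASCII form that DNS actually resolves. The script below is an added example and not part of the white paper; it uses the .NET System.Globalization.IdnMapping class, which has shipped with the .NET Framework since version 2.0. The sample host name is constructed in the script from a Cyrillic code point and does not refer to any real site.

```powershell
# Added example (not from the white paper): show the Punycode form of a host
# name and flag labels that mix Latin and Cyrillic letters.
function Test-HomographDomain {
    param([string]$HostName)

    $idn   = New-Object System.Globalization.IdnMapping
    $ascii = $idn.GetAscii($HostName)      # IDN labels come back prefixed with xn--

    # A single label containing both Latin and Cyrillic letters is the classic
    # look-alike pattern; collect every such label.
    $mixed = @()
    foreach ($label in $HostName.Split('.')) {
        if (($label -cmatch '[A-Za-z]') -and ($label -match '\p{IsCyrillic}')) {
            $mixed += $label
        }
    }

    New-Object PSObject -Property @{
        Display             = $HostName
        AsciiForm           = $ascii
        IsInternationalized = ($ascii -ne $HostName.ToLowerInvariant())
        MixedScriptLabels   = $mixed
    }
}

# Constructed look-alike: the second character is Cyrillic small a (U+0430),
# which most fonts draw exactly like Latin a.
$lookAlike = 'p' + [char]0x0430 + 'ypal.com'

Test-HomographDomain 'paypal.com' | Format-List Display, AsciiForm, IsInternationalized, MixedScriptLabels
Test-HomographDomain $lookAlike   | Format-List Display, AsciiForm, IsInternationalized, MixedScriptLabels
```

The two results display identically but only the second has an xn-- label in its ASCII form and a mixed-script flag; that ASCII form is what a proxy log, a certificate subject or a DNS query actually contains, so it is the value to search for when hunting for homograph registrations that impersonate the organization's own domains.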

Overview of New Functionality

To help protect a user's personal information, Internet Explorer:

  • Highlights the Security Status bar when the user is visiting an SSL-encrypted site and enables the user to easily check the validity of a site's security certificate.
  • Has a phishing filter, which helps users browse more safely by advising them when Web sites may be attempting to steal their confidential information. The filter works by analyzing Web site content, looking for known characteristics of phishing techniques, and using a global network of data sources to determine whether the Web site should be trusted. Filter data is updated several times an hour, which is important given the speed with which phishing sites can appear and potentially collect a user's data.
  • Clears all cached data through a single click.

Deployment of Internet Explorer Protected Mode

Internet Explorer 7 contains significant enhancements to assist in deployment and ongoing management. A new version of the Internet Explorer Administration Kit (IEAK) simplifies the creation of customized deployment packages, with specific improvements to the overall wizard. Virtually all Internet Explorer 7 settings are configurable as preferences in the new IEAK.

Administration Improvements

With Internet Explorer 7, administrators have centralized control over settings via Active Directory Group Policy, which makes the browser more manageable. All previous and new features are manageable via Group Policy, including Phishing Filter and all browser add-ins, to help administrators ensure that browser users comply with company standards. Further, the enhanced IEAK makes possible fully customized deployments of Internet Explorer. Customers can confirm compatibility of their key applications with Internet Explorer 7 by using the updated version of the Application Compatibility Toolkit released for Windows XP Service Pack 2 (SP2).

Configuration of Internet Explorer settings via Group Policy has also been dramatically improved. Essentially, all new Internet Explorer features are policy enabled, and important preference settings that were originally unavailable can be set through Group Policy.

IEAK vs. Group Policy

An enterprise environment benefits from combining IEAK for initial deployment with Group Policy for ongoing management. IEAK is a deployment tool: it can only set preferences, which users are free to change later, whereas Group Policy enforces settings that users cannot change and reapplies them at every policy refresh.

Windows Vista Security Settings

Knowing when security software is turned off or is out of date, and being able to easily download updates, can mean the difference between being protected and being vulnerable. Understanding and reducing the need for administrator rights can also affect the overall health of computers, enabling users to be productive while removing the ability to make unauthorized configuration changes, such as disabling the firewall. Windows Vista provides several enhancements to the overall management and enforcement of security components.

Management and Enforcement

Windows Security Center

In response to customers' concerns about security vulnerabilities and how to better protect their computers, Microsoft undertook a worldwide information campaign in 2003 to educate customers about three essential computer security steps: having a firewall turned on, keeping computers up to date through Automatic Updates, and installing and using up-to-date antivirus and antispyware software.

Customers found this information helpful, but they indicated that it was still difficult to understand the security status of their computers and even harder to know how to change settings to make their computers more secure. In response, Microsoft included a new feature in the 2004 release of Windows XP SP2 called Windows Security Center.

Running as a background process, Windows Security Center in Windows XP SP2 constantly checks and shows the status of an Internet firewall, antivirus software, and Automatic Updates. It also serves as a starting point for getting to other security-related areas of the computer and for finding security-related support and resources. For example, in the version of Windows Security Center that ships with Windows XP SP2, Microsoft created a link to help customers without antivirus software or with out-of-date antivirus software to see offers from third-party antivirus vendors.

In response to feedback from customers and third-party security vendors, Microsoft has made improvements to Windows Security Center in Windows Vista, including showing the status of antispyware software, Internet Explorer security settings, and User Account Control. In fact, Windows Security Center can monitor multiple vendors' security solutions running on a computer and indicate which are enabled and up to date.

Group Policy

Expanding on the foundation established in Windows XP, Group Policy now provides greater coverage of policy settings and extensions, better network awareness and reliability, and easier administration. Also, the number of Group Policy settings has increased from approximately 1,700 in Windows XP Professional SP2 to approximately 2,400 in Windows Vista.

For a summary of new or expanded Group Policy settings, go to: http://www.microsoft.com/technet/windowsvista/library/gpol/2bcf3a91-08bb-4a74-b4b1-674367a1b8b6.mspx?mfr=true.

The following sections focus on enhancements to Group Policy that help improve overall security in Windows Vista.

Group Policy Service

Group Policy processing no longer exists within the Winlogon process but is hosted as its own service. The new Group Policy service has undergone significant security hardening and delivers a new architecture for how Group Policy performs notification and processing. The Group Policy service provides better reliability for Windows and Group Policy, is more efficient in the application of policies, and allows computer policies to take effect without requiring a restart of the operating system.

Network Location Awareness

The Network Location Awareness feature enables Group Policy to respond better to changing network conditions. One main benefit of Network Location Awareness is that Group Policy no longer relies on the Internet Control Message Protocol (ICMP, the protocol that ping uses) to detect slow links before applying policy. Organizations can therefore filter ICMP at their firewalls and still apply Group Policy.

Network Location Awareness ensures that client computers are both aware of and responsive to varying network conditions and resource availability. With Network Location Awareness, Group Policy can access resource detection and event notification capabilities in the operating system, such as recovery from hibernation or standby, establishment of VPN sessions, and moving in or out of a wireless network. With Network Location Awareness, the Group Policy client will apply policy settings whenever domain controller availability returns. This capability can potentially increase the level of security on the workstation by more quickly applying Group Policy changes.

For example, when a mobile user connects to the corporate network, the Group Policy client detects the availability of a domain controller. If the Group Policy refresh cycle has elapsed or the previous policy application has failed, Group Policy initiates a background refresh over the VPN connection, updating both the computer policy and the user policy. The user does not need to restart or log off before connecting to the corporate network over a VPN.

The Group Policy client processes location information even if an organization has blocked its computers from responding to ICMP (ping). In the past, Group Policy application would fail in this situation because slow-link detection relied on ICMP. The Group Policy client in Windows Vista now uses Network Location Awareness to estimate the available network bandwidth and continues to process Group Policy.

Events and Logging

The Group Policy service no longer relies on the trace logging in the Userenv.dll component. Much of the troubleshooting and auditing for Group Policy in earlier versions of Windows relied on logging being enabled inside Userenv.dll, which produced a log file named Userenv.log in the %WINDIR%\Debug\Usermode folder. This log file contained function trace statements with supporting data. In addition, profile load and unload functions shared the same log file, which sometimes made it difficult to interpret. This log file, used in conjunction with the Resultant Set of Policy (RSoP) snap-in, was the primary way to diagnose and resolve Group Policy problems.

The new Group Policy service also changes event reporting. Group Policy event messages, which previously appeared in the Application log, now appear in the System log with an event source of Microsoft-Windows-GroupPolicy. A dedicated Group Policy operational log (Microsoft-Windows-GroupPolicy/Operational in Event Viewer) replaces the previous Userenv logging and provides improved event messages specific to Group Policy processing.
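The operational log is most useful when its events are read per processing instance rather than as a flat list. The script below, an added example that is not from the white paper, pulls recent Group Policy problems from the operational log and groups them by the run that produced them. It requires Windows PowerShell 2.0 for Get-WinEvent and an elevated prompt to read the log; the log name and severity levels are the ones Windows Vista uses, while the 24-hour window and the output column names are this example's choices.

```powershell
# Added example (not from the white paper): summarize Group Policy processing
# runs that logged a warning, error or critical event.
function Get-GroupPolicyProblems {
    param([int]$Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Every policy processing run (boot, logon, background refresh, gpupdate)
    # stamps all of its events with one ActivityId, so grouping on it keeps a
    # failure together with the start and end events of the run that produced it.
    $events | Group-Object ActivityId | ForEach-Object {
        $run      = @($_.Group | Sort-Object TimeCreated)
        # Level: 1 = Critical, 2 = Error, 3 = Warning, 4 = Informational
        $problems = @($run | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 })
        if ($problems.Count -gt 0) {
            New-Object PSObject -Property @{
                ActivityId   = $_.Name
                Started      = $run[0].TimeCreated
                Finished     = $run[-1].TimeCreated
                EventCount   = $run.Count
                ProblemCount = $problems.Count
                FirstProblem = '{0}: {1}' -f $problems[0].Id, $problems[0].Message
            }
        }
    }
}

Get-GroupPolicyProblems -Hours 24 | Sort-Object Started |
    Format-Table Started, ActivityId, ProblemCount, FirstProblem -AutoSize -Wrap
```

Once a problem run is identified, filtering the same log on its ActivityId returns the complete sequence for that run, including which domain controller was contacted and which client-side extensions ran, which is the information that the old Userenv.log used to mix with profile loading messages.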

Auditing and Compliance

Audits help ensure that an organization's procedures are supporting policies and that employees are following the procedures. Audits also help measure the overall security health of the organization. Security event logs are a critical part of effective auditing. To be valuable, the event logs must adequately address event collection, aggregation, and storage. Microsoft Audit Collection Services (ACS), a component of System Center Operations Manager 2007, helps manage audit logs for operating systems by collecting Windows security events so that they can be analyzed for real-time and forensic reporting services.

ACS collects security audit events after they are written to the local event log. The client computer uses a client service called the Forwarder to read and send each event to the ACS server computer (known as the Collector). When the Collector receives audit data, it applies a user-configured filter and writes it to the ACS Microsoft SQL Server™ database for storage. The audit data can also be accessed for real-time analysis. ACS provides a consistent schema for events received.

Conclusion

The cost of a security compromise can be huge; confidential data can be exposed, users can lose data, and productivity can decrease. In fact, IT departments are exhausting their valuable resources solving some of the problems caused by malicious software alone.

Windows Vista is the most secure and trustworthy Windows operating system yet, and it will help organizations achieve their business and computing goals with confidence. With new features such as User Account Control and Internet Explorer Protected Mode, users can be productive and receive protection from system-wide malicious software installations, while still being able to run most applications. With BitLocker Drive Encryption, confidential information on a lost or stolen computer can remain confidential.

Although addressing all current and future security threats may seem like an insurmountable task, the security advancements in Windows Vista underscore the long-term commitment of Microsoft to enabling a trustworthy computing environment.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:

http://www.microsoft.com

http://www.microsoft.com/technet/itshowcase

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BitLocker, Internet Explorer, Windows, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.
