End to End Trust and Windows 7

I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust: A Collaborative Effort. I would assume that many of the readers of this blog are not familiar with the End to End Trust story. In a nutshell, End to End trust is Microsoft’s vision for creating a safer, more trusted Internet. It’s a great vision, but it’s also a big job that requires a commitment and focus on the fundamentals—fundamentals that will help deliver the most secure and privacy-enhanced versions of software and services that we have ever delivered. We’re also not going it alone. End to End Trust requires broad collaboration within the industry and Microsoft will continue to share our best practices with the IT communities of our customers. Scott talked about how hard we are working across Microsoft to deliver technology innovations that move the needle towards a trusted stack, with security rooted in hardware and an identity metasystem (a big word that means a way of trusting people are who they say they are on the Internet). Even with progress, people still need strong defense in depth security technologies and Scott talked about how Microsoft’s Identity and Security Division is delivering integrated identity and security business solutions today to our customers. But maybe the most interesting thing he touched on was how technology innovations alone are not enough. Innovation also needs to align with political, economic and IT forces to enable the change that is truly needed. End to End trust is a vision of what’s possible if we collectively work together, and it can help address real world problems that people face every day such as ID theft, online fraud and child safety. If you want to learn more about End to End Trust, visit http://www.microsoft.com/endtoendtrust to find out the entire story. Now, let’s talk about Windows 7 and the progress we’re making to deliver End to End Trust in the Windows platform. In my blog post yesterday on how Windows 7 helps enable the mobile workforce, I wrote about technologies like DirectAccess, BitLocker To Go, and AppLocker. Each of these technologies plays a part in helping us enable End to End Trust, whether it is strong machine and user authentication with DirectAccess or limiting running software on a system to known, trusted applications with AppLocker. But there are other technologies that help us as well: Biometric Framework Fingerprint scanners are becoming more and more common in standard laptop configurations—my laptop came standard with one. Windows 7 helps ensure that fingerprint readers work well and that they are easy to set up and use. This is accomplished by taking the common code that everyone needs to write and standardizing it in the platform so that biometric hardware vendors can concentrate on the code they need to write to make their device work and not have to worry about how it ties into Windows. This new framework makes logging on to Windows using a fingerprint more reliable across different hardware providers and makes fingerprint reader configurations are easy to modify. This puts the user in control of how they log on to Windows 7 and manage the fingerprint data stored on their PC. Improved Smart Card Support Password-based authentication has well-understood security limitations; however, deploying strong authentication technologies like smart cards remains a challenge for many. Windows 7 enhances the smart card infrastructure advances made in Windows Vista through support of Plug and Play. This eases deployment of smart card infrastructures because drivers for both smart cards and smart card readers are automatically installed, without the need for administrative permissions or user interaction. I think this new behavior is going to ease the deployment of strong, two-factor authentication for many organizations. BitLocker I’m a big fan of BitLocker, it helps prevent a thief who boots another operating system or runs a software hacking tool from breaking into my laptop if they happen to get a hold of it. This holds true for both the operating system volume (C: drive) and my data volume (D: drive). Most customers I talk to love the encryption protection that BitLocker provides, but many are not aware that BitLocker also does integrity checking of early boot components to help ensure that the system has not been tampered with and that the encrypted drive has not been swapped out to another computer. This integrity checking ties back into the “security rooted in hardware” that is a part of End to End Trust. This integrity checking utilizes a Trusted Platform Module (a smart card like chip on the system motherboard) to help protect the encryption keys utilized by BitLocker. This is true for BitLocker in Windows 7 as well as Windows Vista. We’ve also listened to feedback and made enhancements to Windows 7 BitLocker to provide a better experience for IT Pros and for end users. One of the simple enhancements we made is to right-click enable the BitLocker protection of a disk volume. Now I can go to Windows Explorer and right click any disk volume, including my removable BitLocker To Go volumes, and encrypt them right there without having to go to the Control Panel. Another big change was the addition of Data Recovery Agent (DRA) support for all protected volumes. The DRA is a certificate-based data recovery agent that can be utilized to recover the contents of any BitLocker protected volume. Since the group policy settings are separate for Operating System Drives, Fixed Data Drives, and Removable Data Drives, customers have flexibility in how they want to configure their recovery options for the different threats that each separate drive type may experience. With BitLocker and BitLocker To Go, enterprises can rest assured that their information and data is secure, no matter where their employees are working. I know I feel better knowing my laptop and all of my USB sticks are protected! Internet Explorer 8 I know folks are more concerned than ever about protecting themselves while online, particularly form identity theft, malware, and other potentially dangerous online threats. I feel like we have done a lot in the platform and the security technologies we have been talking about this week (Firewall, DirectAccess, BitLocker To Go and AppLocker) are a part of the protection equation. But Internet Explorer 8 is also another huge piece of the equation as users spend more time online, in their browsers. IE 8 is the most secure web browser on the market and provides another, vital layer of defense against online threats. We built upon the phishing protection in Internet Explorer 7 with the SmartScreen Filter, which now adds protection from malware – a threat that is growing significantly faster than phishing. We also built in support for protecting users against type-1 (or “reflection) Cross-Site Scripting (XSS) attacks. XSS threats try to exploit vulnerabilities in the websites we visit and are quickly becoming one of the most prevalent ways web sites can be compromised. The bad news for you and I is that an XSS attack can help a bad guy steal our usernames and passwords for our online bank accounts or other confidential information. The XSS filter in IE 8 uses heuristics to detect such attacks and, when they are detected, prevent their execution. This should help you and I safe from the most common form of XSS attacks in use today. Another innovation concerns ClickJacking. While a lot or people have heard of phishing attacks, a new kind of phishing attack called ClickJacking is on the rise. ClickJacking occurs where an attacker’s web page deceives a person into clicking on content from another website without realizing it – so they’re clicking on something that, for instance, buys something from the site, changes settings on their browser, or provides advertisements that these cybercriminals get paid for. ClickJacking Protection in IE is a feature that allows Web site content owners to put a tag in a page header that will help prevent ClickJacking. I think the IE team has done a great job with the security in IE 8 and love that it puts people in control of their safety and privacy and helps protect them from new online threats. For those of you who are interested, there is a lot more security goodness in IE 8 on the IE blog and via these links: IE8 Security Part I: DEP/NX Memory Protection IE8 Security Part II: ActiveX Improvements IE8 Security Part III: SmartScreen® Filter IE8 Security Part IV: The XSS Filter IE8 Security Part V: Comprehensive Protection IE8 Security Part VI: Beta 2 Update IE8 Security Part VII: ClickJacking Defenses IE8 Security Part VIII: SmartScreen Filter Release Candidate Update IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter Got To Run I feel great about Windows 7 and the security enhancements we have been able to make. Hopefully as you learn more about the security work that we have put into it, you will reach the same conclusion that I have: Windows 7 is the most robust platform we have ever delivered, it helps support End to End trust, helps keep you and I safe, and was designed to prevent malware from getting onto our PCs to begin with. There is a lot going on here at RSA and I want to go spend some more time seeing what’s new and exciting. I’ll be back with some of my impressions of RSA in a bit.