In this first part of a series I’m going to start on Microsoft’s approach to security, I thought I’d take a look back at the great steps Microsoft made to enhance trust and security across its Office, Windows, and other products. There’s a lot to cover here, and a lot of it isn’t all great news, but I thought I’d start with the positives of where this all began.
In 2002, Bill Gates announced a new direction for Microsoft: a change in culture, process, and a fundamental shift in product design. This was known as the Trustworthy Computing (TwC) initiative. With this, we witnessed an end to cheeky easter eggs – hidden notices, features, or messages within products – and a newfound focus on security, privacy and reliability. Microsoft developed the new Security Development Lifecycle (SDL) and became an industry advocate for improved security and privacy across the IT ecosystem, and these approaches were adopted by other industry leaders such as Adobe and Cisco. Microsoft decided to take security seriously, and as a company, it was all in.
One of the first obvious, consumer-facing changes Microsoft introduced was the removal of the aforementioned easter eggs in order to increase trust in Microsoft products. As customers included enterprise, government and defence, it was rightly found that these environments weren’t too keen on the idea of “undocumented features”: hidden code within a product that performs untested functions outside the scope of the product. Examples of this, just in the Microsoft Office 97 and Office 2000 suites, included a “flight simulator” within Microsoft Excel 97, a pinball game within Microsoft Word 97, a simulation of a Magic 8-Ball hidden within Microsoft Access 97 and 2000, as well as a clone of Spy Hunter (called “Dev Hunter”) hidden within Excel 2000. While some in the community enjoyed finding these hidden features, you can imagine how the various security teams at customer sites took to hearing about hidden code that can execute from within products they trusted. The answer is “not well” in case you were wondering, and that is why all of the easter eggs were removed for the release of Office 2003 (and Office 2004 for the Mac).
The next hint that Microsoft was serious about security came with the release of the second service pack for Windows XP. Windows XP (SP2) was released in August 2004 and shipped with hundreds of security fixes, the removal of a number of legacy features that were known to be exploited, and more. Unusually for a Service Pack at the time, as these typically weren’t designed to add features and were meant to be security roll-ups only, Microsoft also took the opportunity to ship a much-improved Windows Firewall which was now enabled by default, added important security features to protect Wi-Fi (WPA) and protect memory from buffer overflow attacks (DEP and NX Bit Support), as well as a new Security Center that made reviewing the security of devices easier for users.
Microsoft continued this trend for years, earning back trust, winning large contracts, and ultimately succeeding in developing new software that, through their SDL and telemetry, was more secure and reliable. Well, mostly. In 2007, after one of the most problematic development periods in the company’s public history, the world was given Windows Vista. Vista included a lot of new security features that were designed to both secure the end user and, strangely, drag the whole IT industry forward by enforcing some bafflingly complex and disruptive technologies that impacted user account permissions and drivers. Some suggest that Microsoft knew how much friction Vista was going to cause, and that it was ultimately just a stepping stone to the next Operating System, but this is unlikely to be the reality of the situation: the OS was just bad.
But Vista wasn’t all bad. Despite what was ultimately released, Windows Vista was the first real release that was developed under the Trustworthy Computing initiative, the motto of which was “Secure by design, secure by default, secure in deployment”. Some of the features introduced to help this motto become a reality are listed below with a short description of each. This is by no means an exhaustive list, but it should illustrate the effort Microsoft was putting into security and reliability:
- First up, we can’t start a Vista list without talking about the now-infamous initial implementation of User Account Control (UAC), which was rightly ridiculed by Apple in their “I’m a Mac” advertising. Great in theory, this solution was designed to notify a user every time they attempted to make a system-wide change or access protected folders, but it ultimately ended up nagging users so much that it was either disabled, or users became complacent and learned to just click on the accept button whenever asked… and that wasn’t great for security. In fact, it undermined the entire UAC intention. Apple was right to parody this feature.
- Another important feature that was brought visibly into Windows Vista was BitLocker – formerly known as Secure Startup – which offered a way to perform secure, hardware-backed, full drive encryption to protect the contents of a drive even if the drive/device is lost or stolen. Notably, this marked the first time that most IT professionals had heard of the Trusted Platform Module, or TPM, which is now a big part of the conversation around the upcoming Windows 11 system requirements.
- Probably the most discussed “failing” of Windows Vista, as far as most customers’ experiences went, was the requirement for 64-bit system kernel-mode drivers to be signed AND meet specific Windows Hardware Quality Labs Testing (WHQL) specifications, which unfortunately were updated just prior to launch and meant that a lot of existing consumer hardware didn’t work at launch. Oops.
- The Windows Firewall got a major update and a new UI known as “Windows Firewall with Advanced Security”. This new firewall added support for IPv6, IPsec, outbound packet filtering, and advanced packet filter rules that allowed admins/users to specify source and destination IP addresses and port ranges, as well as select pre-defined services. This marked a significant improvement in the out-of-box security of systems, and took the work of Windows XP (SP2) to a new level.
- The introduction of Address Space Layout Randomization (ASLR), for a period at least, allowed systems to be more secure: system files could now be loaded at random addresses in memory, so a number of common memory attacks could no longer inject and execute code the way they could under previous Operating Systems.
- Windows Service Hardening enabled the compartmentalising of services, such that if one service is compromised, it cannot easily attack other services on the system.
- Mandatory Integrity Control and User Interface Privilege Isolation meant that processes executed under the standard user context – again based on UAC – cannot hook into system-level processes which run at a high integrity level.
- Windows Vista also changed the user authentication process and replaced it with the concept of secure Credential Providers. While this improved overall system security, it also allowed for more secure methods of authentication, such as using Smart Cards or a combination of passwords and Smart Cards (two-factor authentication). This marked Microsoft’s first steps towards the passwordless solutions which are currently – in 2021 – what security and technology enthusiasts are finally getting excited over.
- And finally, for this list at least, but by no means the least controversial, we have Windows Defender. While this move initially caused a lot of heat from unhappy third-party anti-malware vendors, Amy Barzdukas – Senior Director of Product Management for Online Services and Windows Division at Microsoft – was very clear in the messaging: this product would not compete with commercial AV software; it was just a solution to help secure the nearly 60% of PC users who did not have any AV protection at the time, and were unlikely to purchase commercial AV solutions.
Windows Defender is worth a little more text, though, because this was a big deal. As you can imagine, AV vendors were not too pleased with being shown up by Microsoft, and some attempted to launch legal action against Microsoft alleging anti-competitive behaviour from the software giant. However, these were quickly dismissed, as the case was made – at least in the court of opinion – that Microsoft created the Operating System with the issues that were leading to malware, so the company creating tools to protect its own users on those systems was fair. So in June 2009, Microsoft took things a step further and released Microsoft Security Essentials (MSE) to the world as a free download for Windows XP (SP3). While initially hesitant, customers grew to appreciate how MSE was able to provide real-time protection, licensed for free to home and small business PCs, and reliable protection against viruses, spyware, malicious and potentially unwanted software, all while being simple to keep updated and without negatively impacting device performance like most AV solutions would at the time. Microsoft’s three supported Operating Systems were now covered by one default – or easily installable – security solution: Windows XP (SP3) could download and install MSE for free, and Windows Vista and Windows 7, which was released later in 2009, included Windows Defender by default.
From here, Microsoft continued to make great strides with security and reliability, and used this new trust to launch their cloud services. But that’s a story for another time. Keep an eye out for part two of this series where we… dig a little deeper, into the darker side of Microsoft’s security.