Thursday, December 13, 2007

UAC: Is Windows Vista secure?

It's the question everyone's been asking. Is Windows Vista secure? The short answer is - "NO". A more fair question is, "Is Windows Vista more secure than XP?". It also happens to be a much harder question to answer.

The short answer is, "Maybe, maybe not.".

Want to watch a senior Microsoft architect attempt to answer that question? This is a one hour interview with Mark Russinovich, Technical Fellow with Microsoft's Core OS team (I have a lot of respect for this guy - he has a lot to teach us.). The Vista security discussion starts at the 18 :45 mark. The topic of rootkits comes up at 31:30. If want to skip the deep architectural discussions or need to cut to the chase quickly, start watching at 39:40.

I have asked the question of security here because it gives me a chance to talk about UAC and Vista security at a more general level before my future articles just deal with individual pieces of technology. There are some important things for you to think about if you plan to deploy Vista in an enterprise.

I should mention that you will want to have some understanding of UAC before reading this article. For a primer on UAC, read my article UAC: An introduction to User Account Control and follow one of the first links.

To be fair, Vista has been built from the ground up with an eye to security. It isn't just User Account Control (UAC) - there are many, many features which combine in an attempt to provide security. Vista has architectural details like the integrity levels that separate the kernel, system, and users or the Address Space Library Randomization (ASLR) which makes system calls harder to find. Microsoft has also added features like Bitlocker and Windows Defender to help protect Vista. Even applications like Outlook and Internet Explorer do their part to lock down the OS.

One of the problems keeping Windows Vista from being secure is that it is the evolution of an insecure product. All new technologies must accommodate the architectures that came before. Vista must remain compatible with past applications developed for XP or risk alienating all of their customers. Not only has Microsoft had to add features like Virtualization and UAC to aid Vista with backward compatibility, but it has had to make fundamental accommodations in its architecture as well. Let's face it, Windows operating systems are general purpose platforms that try to meet the needs of home and enterprise users on countless hardware platforms - the OS must be pliable and customizable in order to make it work in each environment. It is the customizable element of Windows Vista that makes it vulnerable.

I feel strongly that Vista is not where Microsoft wants to be with security. Rather, it is a transitional OS that is leading the industry to where Windows must go. Currently, Vista must allow many program installers administrator access so they can reconfigure the OS. Vista must allow unsigned drivers to execute. Vista is unable to cordon itself off behind security boundaries but must instead put up numerous walls and gates in an attempt to confuse and slow the advance of rogue elements. Although Vista has separated itself between system and user environments, there are few applications that currently respect this division.

Let's expand this last point as an example of insecurity. Microsoft's marketing would have you believe that Vista is secure because it now makes it possible for users to operate without administrator privileges. This may be true someday, but the reality is that it isn't feasible now. While it is true that Vista can run some applications with Standard User rights instead of the Administrator rights required under XP, the truth is that there are still a high percentage of applications that require full administrator rights in order to install - or even function. Every time an installer must be elevated to admin or a user must be given local administrator rights permanently in order to use an application, rogue elements are given an opportunity to flourish. The opportunities may be fewer than with XP, but I think they are still too numerous to make any real difference today. I do expect this situation to improve in the future as applications are redesigned to accommodate the way Vista wants to lock down the OS.

It has been argued that the UAC prompts one receives when the core system is being accessed by a process will limit the power of a rogue element to function within the system. I don't give this argument much credit. I think well written trojans will arrive that can skirt many of these protections. I think a user's ability to know when to disallow elevation of a process will be spotty at best. But the biggest problem that I have is with access to data. All of Microsoft's discussions about security are very much focused on the protection of the OS. Although that is well and good, I can rebuild an OS automagically within hours - my real concern is for my data. UAC will not give me any prompts if an existing trojan begins to send all of my database files on the network to a remote pirate's server.

In my view, it is UAC itself that causes Vista security to lose points to Windows XP. In many cases, UAC requires users to enter their admin credentials (username/password) in a dialog box. The appearance of the elevation dialogs can feel unpredictable to most users. This dialog box can be easily spoofed. If a trojan creates a real looking dialog box and presents it to the administrator at plausible times, it can harvest username and password combinations and send them out to the web. This really wasn't a problem in XP because elevation to an alternate account was much more rare and in those situations it was always a user initiated action with one predictable dialog appearing.

UAC also has people and process problems that may lead to reduced security. Most of Microsoft's UAC documentation speaks of splitting the user's token between user and admin functions as a way of protecting the system. People can't be faulted if they begin to believe that one account for administrative users will be sufficient - but this isn't the case. Heed Microsoft's warning in Chapter 2 of the Windows Vista Security Guide that discusses the need for admin and user accounts to separate out an administrator's tasks. This is about the only place you will find this discussion. The process problems come when you learn how UAC elevation works. You will find that UAC wasn't really designed with Microsoft's security ethos in mind. UAC can really fight you in some situations when you use a two account model. (There will be lots of future discussion on this.) Functionally, the biggest roadblock is the loss of the Run As context menu action to the "smarter" Run as Administrator context menu action (I'll talk more about this in the future as well).

The thing that I think helps Vista score the most security points against XP, is the support it gets from Outlook and Internet Explorer. These two products are the entry points for the bulk of the attacks against our systems. These products work very hard with Vista to limit the power of rogue elements that come from either of these sources. It is Vista's architecture that makes this possible. But there are problems even here. Outlook and Internet Explorer have become so restrictive that it can be difficult for internally developed scripts to send messages or display html info. In fact, I have seen instances where Outlook and Internet Explorer have been elevated to full administrator status in order for systems to continue functioning - kind of defeats the purpose doesn't it?

In the end, I grudgingly give the security trophy to Vista for three reasons. Vista can be customized to mitigate some of its weaknesses (i.e. forcing CTRL+ALT+DELETE before every elevation). Microsoft will adjust Vista as they learn how we enterprise administrators wish to use it and we'll adapt our security policies and procedures to it as well. But the main thing Vista has going for it is that it is new and there aren't many trojans and spyware programs written to work against it yet. It will be interesting to see what the future holds.

No comments: