Introduction


Overview

Computers hooked up to the Internet are attacked and compromised every day. There is no doubt that attackers are moving further up the software stack and attacking software installed on computers. This may in part be due to software vendors spending more time shoring up the defenses of their operating systems. Between the release of Windows XP in 2001 and Windows Vista in 2006, the security landscape evolved dramatically: while attacks are much more common, more troublesome is the rise in system compromises. You often hear that Windows is the most attacked platform. That’s true, so the next comment may seem alarming: we, the authors, are not overly concerned about attacks; attacks will always happen. It is compromises that people ought to be worried about. And this made people at Microsoft think long and hard about how to make Windows Vista a considerably more secure product.

Windows Vista is the most secure operating system released by Microsoft. The sheer magnitude of defensive engineering added to the operating system is staggering, and we were actively involved in many of these defenses. Even with all this work, attacks will continue. We’re not saying Windows Vista will have no security bugs; it will. But numerous defenses have been added to the operating system to reduce the likelihood that attacks are successful and to reduce the chance that a vulnerability can be exploited in the first place. The goal of these defenses is to reduce the likelihood of compromise.

So what are you doing to secure your application in light of the increased attack potential? Remember, attacks will happen! Just because your application may not have the word “Microsoft” in its title does not mean it won’t be attacked! What makes security a fascinating subject is that unlike, say, computer performance or reliability, which are disciplines that focus on person vs. computer issues, security is all about person vs. person. Security issues will never completely go away because there will always be the malevolent human influence.

In addition to tidying up the code and fixing design problems, Microsoft has also made a huge amount of new functionality available that everyone can use to make applications more secure. Unlike our previous books, which largely covered fundamentals, this book outlines how your applications that run on top of Windows Vista can take advantage of these defenses to protect shared customers. This book goes beyond the basic defensive strategies you can employ to also cover some of the new security features you can use to add defenses to your applications and to help you meet your or your customers’ business objectives.

Microsoft has spent over five years adding defenses and new, modern security features to Windows Vista, and you can use these defenses and security features within your application to reduce the chance your application is compromised. You can reduce the chance of attack in three ways:

  • Reduce affected users – if no one uses your application, you’re not worth attacking.

  • Reduce the attack surface – components that have fewer points of entry (especially by default) are attacked less often.

  • Harden your attack surface – to the point that something else becomes the path of least resistance.

We really don’t advise taking the first approach, but this is what will happen if you don’t pay attention to security and stay current. The last two approaches are what we’d like to help you with, so you can protect your customers by taking advantage of operating system defenses and features, and that is the simple goal of this book – to explain how you can use these Windows Vista features.



Writing Secure Code for Windows Vista
Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
EAN: 2147483647
Year: 2004
Pages: 122
