Foreword


2003 was a turning point year for the Internet. In January of that year, the Slammer worm crippled many systems all over the world. A few months later Windows Server 2003 was released. It was the first operating system to have gone through an entirely new model for developing secure software-what was later to become known as the Security Development Lifecycle (SDL).

A year prior to the release of Windows Server 2003, Microsoft made a concerted effort in the Windows division to find as many security bugs in the new operating system as possible by assigning most of the engineers in the Windows division to a six-week task of finding and fixing bugs. This was the now infamous "security push." Many bugs were found in this effort but the current set of tools and the manual efforts involved also meant that some were missed. In addition, the bad intentioned people were increasing their efforts exponentially on finding new exploits. New ways to exploit systems were being discovered almost weekly.

The security push taught Microsoft that:

  1. security was no longer optional in products,

  2. Microsoft needed to take a leadership position in delivering more secure products,

  3. tools and processes needed to change to find more of the bugs upfront in the development cycle,

  4. taking an entire division offline to hunt for them was not the most effective method as software continually evolves.

We learned that security improvements are a journey that never ends; therefore we cannot treat this issue as a destination that can be reached in six weeks.

In August 2003, the Blaster worm was unleashed. Although Windows Server 2003 was affected by the bug, changes made during the security push stopped the Blaster worm itself from spreading through that version of the operating system. This was proof positive that focusing on security made a difference although it also proved that more work needed to be done.

By late summer 2003, Microsoft knew something had to be done differently because reacting to each exploit individually was not going to scale and we needed to proactively build defenses into our existing OS products and "change the game" as we called in our next release of the OS. A decision was made to retrofit significant changes into the existing OS releases and shore up Windows XP and Windows Server 2003. We had to make it much harder for those with bad intentions to exploit the installed base of Windows. This resulted in the creation of Windows XP Service Pack 2 (XPSP2) and Windows Server 2003 Service Pack 1 (W2003SP1). Although these releases were called Service Packs, very significant changes were made to both of these releases focused on "getting ahead in the game" by using generic solutions to proactively render whole classes of exploits useless. Two simple examples of this are turning the Windows firewall on by default and configuring the system to automatically download and install fixes to known exploits.

It was decided while XPSP2 was under development that there needed to be additional "game changing" efforts to not just get ahead in the current game, but to change the game on those people in the world wishing to do digital harm by exploiting vulnerabilities in software. Because of the extensive architectural changes needed, these changes had to be done in the new version of the operating system under development, which eventually became Windows Vista. Broad security efforts within the Windows division were redoubled and many people were hired or reorganized to work on the security of the new operating system. Forums were created to look at all new ideas and architectures, existing processes were changed to include security check points throughout, testing processes were enhanced to include threat models and security testing in all stages of development, new static code analysis tools were developed to scan code looking for vulnerabilities, new features were added, and the strategy for the operating system was changed. All in all, it was a huge effort and a new way of building more secure systems at Microsoft.

These changes were not free. On November 8, 2006, Windows Vista was finally released; several years delayed but a much better product security-wise than had it shipped when it was originally supposed to. This book is about the product that resulted.

The authors are well suited to writing this book. Roger is a long-time Windows analyst, a former Microsoft Security MVP, and a current member of the ACE Team at Microsoft-a team focusing on internal secure software development consulting. Jesper is a veteran of the original Windows Security Push, and a former member of the Secure Windows Initiative, the team that worked on Windows Server 2003 and Windows Vista to find and fix security issues.

Even though I have since left Microsoft, I am immensely proud of the accomplishments of the Windows Division during my tenure there. Windows Vista is the best operating system Microsoft has ever produced, and it is produced by one of the most dedicated teams I have ever had the privilege to manage. Vista is not just about security but also includes many new amazing features in all aspects of the operating system. Never once did I have to question the team's commitment to security in the product and I was honored to work with some of best security professionals in the industry. Every day I was amazed by the team's creativity in coming up with solutions that would truly enable Windows Vista to change the game.

I wouldn't trade anything for the opportunity I had to be part of all those meetings, putting in all that effort, living through all that pain, and attending all those reviews with my manager, Jim Allchin, where he consistently challenged us to build great security solutions in his own unique way. The result was worth it for the millions of Windows customers, and the memories I have are priceless.

In my opinion, Windows Vista is certainly the most secure operating system Microsoft has ever produced. Quality and security really do go hand in hand and Vista has both. The book you are holding in your hand gives you the knowledge you need to harness the security of the new flagship operating system from Microsoft. Now stop reading this, and get on with the exploration!

COSD Rocks!

Brian Valentine
Senior Vice President, http://www.Amazon.com
Formerly:
Senior Vice President, Core Operating Systems Division, Microsoft



Windows Vista Security. Securing Vista Against Malicious Attacks
Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net