ORLANDO -- One of Windows Vista's primary selling points, in Microsoft's eyes, is its improved security model. From the identity metasystem that is Windows CardSpace to the sometimes frustrating User Account Control, there are numerous new security measures for .NET developers to consider for both client and Web applications.
At Tech Ed 2007, Rafal Lukawiecki, a strategic consultant for Project Botticelli, outlined the Windows Vista security model and explained how developers can get the most out of it.
The feature to attract the most attention since Vista's release has, by and large, been the User Account Control. This stems from the fact that the UAC reverses a longstanding practice of developing and even running applications in the administrator role, Lukawiecki said.
If developers see the consent prompt that denotes an admin log-in, he continued, "Please go back and change your log-in. You should never, ever see this dialog box unless…you are genuinely trying to do something administratively."
To break developers from the habit of working in the admin role all the time, Lukawiecki presented eight hints for effectively using the UAC in Windows Vista applications:
- Decide right away whether an app needs administrator privileges at all. "This should not be done as an afterthought," he said.
- Test the app as though you are a standard user.
- Decide whether you wish to store binaries and per-user configuration data, and keep in mind that storing this data on disk is not that secure.
- Outline your security needs as explicitly as possible.
- If end users must be prompted to elevate their privileges, make sure the dialog box is very explicit about what this means.
- Learn more about the Windows Integrity Mechanism, which is a new way to enhance the security of interprocess communication.
- Be careful how your application checks to see if the user is an administrator, especially when he is opening files or objects.
- Finally, Lukawiecki said, "Max_allowed is not a good thing; this is something some of us used for convenience in the past but now it is costing us."
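Two of the hints above, checking for administrator status and dropping the maximum-allowed habit, can be shown in a few lines of .NET code. This is an added example, not code from the talk or from Microsoft; it assumes .NET Framework on Windows Vista, an application manifest declaring `requestedExecutionLevel level="asInvoker"`, and a hypothetical `UacCheck` helper class.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Win32;

// Hypothetical helper class (added example, not from the talk).
static class UacCheck
{
    // Ask whether this process actually holds an elevated token, which is the
    // question that matters under UAC. An Administrators member who is running
    // non-elevated gets a filtered token in which the Administrators SID is
    // deny-only, so IsInRole returns false here until the user consents to elevate.
    public static bool IsProcessElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(identity);
            return principal.IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // Request only the rights the operation needs. A read-only open of an
    // HKLM key succeeds for a standard user; opening it writable (the old
    // "give me everything" habit) throws a SecurityException under a
    // non-elevated token even though the same user could elevate.
    public static string ReadMachineSetting(string subKey, string valueName)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(subKey, writable: false))
        {
            // Key may be absent; the caller treats null as "not configured".
            return key == null ? null : key.GetValue(valueName) as string;
        }
    }

    static void Main()
    {
        // Runs fine as a standard user; no elevation prompt is triggered
        // because nothing here asks for rights it does not need.
        Console.WriteLine("Elevated: " + IsProcessElevated());
        Console.WriteLine("Product name: " +
            ReadMachineSetting(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName"));
    }
}
```

Tested as a standard user, the program prints `Elevated: False` and the product name, which is the behaviour to verify before deciding an app needs administrator privileges at all.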
These UAC best practices touch upon another important Windows Vista security change: the logon experience. This manifests itself in two ways.
First, the need to custom-build multiple iterations of GINA has been eliminated. Microsoft has recognized that there are many ways to log onto an application, from biometrics to smart cards to voice, and has introduced the Credential Service Provider UI. This can interact with multiple plug-in credential providers and offers direct support for multi-factor authentication, Lukawiecki said.
Second, Microsoft has taken the concept of the identity metasystem to heart by introducing Windows CardSpace, in which end users create cards to manage their multiple online identities.
Along with transmitting information as part of a WS-Trust- and WS-MetadataExchange-compliant Security Token Service, CardSpace addresses the "cruel joke" that is password fatigue, Lukawiecki noted: "If you want to offer this alternative to usernames and passwords…all you need to do is build a really small layer to recognize CardSpace as an authentication system."
CardSpace, combined with IE 7, Windows Communication Foundation and the WS-* security guidelines that WCF supports, secures data as it is transmitted across the proverbial wire. On top of this, developers will find a few network security improvements.
For starters, TCP/IP is a fully rewritten, and now multithreaded, protocol stack in Windows Vista and Windows Server 2008.
In addition, the new Windows Server supports something called Network Access Protection which, true to its acronym, identifies clients that have been asleep (or shut down) for so long that they lack the latest software updates. In such cases, Lukawiecki said, "[the client] is only given access to the restricted network where it can fix itself up. Once it does that, it has to go through the process again," and once it passes it receives a security token that gives it network access.
Windows Vista also introduces a set of three tools for data protection on the client, an important consideration given the recent proliferation of laptop thefts.
BitLocker provides per-volume encryption and signs the entire hard drive; Rights Management Services offers per-document enforcement of policy-based rights; and the Encrypting File System covers per-file or per-folder encryption of data for confidentiality.
These tools, it must be noted, all presume that a client contains Trusted Platform Module v1.2, which Lukawiecki described as a "non-removable smart card" that protects cryptographic keys and maintains code integrity.
Finally, and fundamentally, these Windows Vista security features are best implemented as part of a security development lifecycle.
Along with making sure security is an integral part of the software development lifecycle, this concept consists of five considerations:
- Periodic, and mandatory, security training
- The assignment of security advisors for all components being developed for an application
- The incorporation of threat modeling into the design phase
- The inclusion of security reviews and testing into the development schedule
- The establishment of security metrics for product teams
Microsoft has begun advocating the security development lifecycle in response to the fact that few developers pay attention to security, Lukawiecki said. He added that the company has identified the tenets of the Common Criteria Project as a key metric for addressing security.