Jim Allchin talks Vista Security

After taking some flak from other security vendors on the security features in upcoming Windows Vista Jim Allchin has written an open letter to customers addressing some of the points that the competition has raised.  I'll start by quoting his conclusion, which gives a good take on our attitude to customer security in Windows:

"In short, we are committed to providing the best operating system we can for you – one that you can depend on and feel safe using. With this goal in mind we will continue to work very constructively with others in the industry consistent with our Windows Principles."

He highlights how the following changes have been made after consultation with governmental bodies and security vendors:

• Redesigned Security Center so that security vendors can plug in and display the status from their particular security product.  This allows the user to see all of their security settings and statuses regardless of vendor in one place - rather than going to a different dashboard for each vendor.  No other vendor provides this plug-ability.
• In RC1 we provided the ability for security vendors to turn off Security center
• Ability for security vendors to replace alerts from Security Center (APIs were available October 16th 2006)
• More APIs and documentation to allow security vendors to monitor kernal level activity on 64bit versions so they don't have to bypass Kernal Patch Protection

Definition: Kernal Patch Protection

"Kernel Patch Protection helps protect the integrity and reliability of the Windows kernel, the core of the operating system. Kernel Patch Protection also makes PCs more secure by helping protect against potentially malicious software known as rootkits, which modify the kernel in an attempt to hide from detection."

"Kernel Patch Protection is not new. Last year it was built into the 64-bit versions of Windows XP and Windows Server 2003. With Windows Vista, Kernel Patch Protection will likewise be incorporated into 64-bit versions only. We have been exploring ways to implement Kernel Patch Protection on 32-bit Windows systems, but have not done this yet, although some customers have requested it, because of limitations of the 32-bit architecture and because it will cause compatibility issues for some applications and devices that are already in use. In adapting applications and devices to take advantage of 64-bit Windows, on the other hand, developers have an opportunity to resolve these compatibility issues."

Future Plans

• Contrary to some media reports, Microsoft will not weaken the security of 64-bit Windows by enabling some applications to modify the kernel of the operating system.
• We have applied our no-exceptions policy against kernel patching to Microsoft applications as well as third party applications, consistent with our Windows Principles. No application can bypass or weaken Kernel Patch Protection—this is essential to improving security and reliability for you. Note that many third-party security companies provide highly competitive products without modifying the Windows kernel in unsupported ways.
• For legitimate third-party applications that have intentionally patched the 32-bit Windows kernel in unsupported ways, Microsoft will continue to work with these third-parties to identify, prioritize, design and develop new interfaces for 64-bit Windows that will help their applications perform needed tasks, without directly modifying, bypassing or weakening Kernel Patch Protection. We have already begun discussions with the engineering teams of major third-party security vendors about the functionality they are seeking.
• Microsoft will continue to work closely with others in the software industry to resolve any interoperability issues that may arise, particularly any issues that arise from our efforts to ensure that Windows Vista is more secure and reliable by design.

*** Update ***

In my haste I forgot to include the link to the open letter from Jim Allchin.  My apologies, here it is: Jim Allchin Open Letter to Customers

Comments

• Anonymous
  January 01, 2003
  Sorry Paul - i've updated the post with the link.

• Anonymous
  January 01, 2003
  Dave - yes it does. It's a smart move.  We're moving onto Symmantec et al's turf and they don't like it one bit.

• Anonymous
  November 01, 2006
  Where's the link to the open letter? We can't discuss is if we can't read it.

• Anonymous
  November 01, 2006
  This compromise keeps the integrity of the improved security features inside Vista while keeping gov't regulators off their backs and 3rd party vendors happy that they can sell their products.