Windows Speech Recognition - A little known security "feature"
We take security seriously here at Microsoft. For example, every single developer, program manager, and tester that I know has taken several security training courses in the last few years. In fact there's even an online system here at Microsoft that shows who has taken security courses recently, and more importantly who hasn't. Then, as a manager, I can direct people that haven't taken a "refresher" course to go do so.
Because of that intense attention to security, it should be no surprise that we've thought about how Windows Speech Recognition (WSR) interacts with security features in the operating system. As a result there's a cool security "feature" for securing your workstation if you're not going to be around and you're worried that somebody might interact with your PC while you're away. It's also a feature that's been in Windows for a long time. And, now, in Windows Vista, it works with WSR.
Have I got you interested yet? :-)
"What's the feature?" Good question. It's the secure screen saver. Yeah, that's right. The secure screen saver.
"How's that a speech recognition security feature?!" – Ah, my young reader... You shall soon see... :-)
OK. Let's consider the keyboard and mouse and their interaction with screen savers on Windows.
When the screen saver kicks in, there obviously needs to be a way for the user to dismiss the screen saver. How do you do that? Well, I just wiggle my mouse. Then the screen saver disappears and one of two things happens. Either my user desktop comes back to life, or ... If I've configured the screen saver to be secure, the OS will ask me for my log on password.
The same thing happens (and has happened for probably 10+ years of Windows versions that I can recall) when the screen saver is running and you press a key. The specific key you press is thrown away (it's actually intercepted by the screen saver itself) and the screen saver dismisses itself. Again, one of two things happens. Either your user desktop comes back to life, or ... If you've configured the screen saver to be secure, the OS will ask you for your log on password.
OK. That's great and all for the mouse and keyboard, but how does speech recognition fit into this? Again, good question.
In a similar (but not identical) way, when the screen saver is running and the user says something the OS can recognize, whatever they say is thrown away. If the screen saver is configured to be secure, that's the end of the story. The log on screen isn't even shown. That's because it wouldn't matter much if we did show the user the log on screen, because currently (as of Windows Vista) the Windows Speech Recognition user experience doesn't run on the secure desktop (where the log on prompting happens).
However, if you don't have the screen saver configured to prompt you for your log on information, we'll just dismiss the screen saver, and put the speech recognizer into the "off" mode (which could actually be "Off" or "Sleeping" depending on a number of things).
So what does all this really mean? Well, for me, since I work on one of the world's most important pieces of software I like to have my PC locked down. I, therefore, have my screen saver set to require me to enter my log on information when it resumes from the screen saver. And ... I have my PC set to show the screen saver after just 3 minutes of idle time. Thus, for me, there's no chance of anybody walking down the hallway controlling my PC using WSR by shouting "OPEN EXPLORER", "SELECT ALL", "DELETE", "OK"... :-) [not to mention the fact that I generally mute my microphone when I'm not talking to my PC]
So what should you do if you want to require some user interaction before letting WSR control your PC?
- Turn on the screen saver,
- Configure it to start after a short duration, and
- Ensure that the "On resume, display the logon screen" checkbox is checked.
It's that simple.
Here's how you can do that using WSR:
- "Start Listening"
- "How do I password protect my screen saver"
And follow the instructions ...
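If you would rather verify the three settings above from a script than by clicking through the dialog (or by asking WSR), here is an added PowerShell example; it is not code from the original post. It reads the per-user registry values that the Screen Saver Settings dialog writes under HKCU\Control Panel\Desktop (ScreenSaveActive, ScreenSaveTimeOut, ScreenSaverIsSecure, SCRNSAVE.EXE), checks the Group Policy location first because a domain policy overrides the user's own choice, and reports whether the workstation matches the post's recommendation. The 180-second threshold is an assumption taken from the post's "3 minutes of idle time"; adjust it to your own standard.

```powershell
# Added example (not from the original post): audit the screen-saver settings
# the post recommends. Run it as the user whose desktop you want to check.

function Test-SecureScreenSaver {
    [CmdletBinding()]
    param(
        # Longest acceptable idle timeout in seconds. 180 = the post's "3 minutes"
        # (an assumption, not a Windows default).
        [int]$MaxTimeoutSeconds = 180
    )

    # Values written by the Screen Saver Settings dialog for the current user.
    $userKey   = 'HKCU:\Control Panel\Desktop'
    # Values written by Group Policy; when present they override the user's own.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

    function Get-Setting([string]$Name) {
        foreach ($key in @($policyKey, $userKey)) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return [string]$item.$Name }
        }
        return $null
    }

    $active  = Get-Setting 'ScreenSaveActive'     # "1" when the screen saver is turned on
    $timeout = Get-Setting 'ScreenSaveTimeOut'    # idle seconds before it starts
    $secure  = Get-Setting 'ScreenSaverIsSecure'  # "1" when "On resume, display the logon screen" is checked
    $exe     = Get-Setting 'SCRNSAVE.EXE'         # the .scr that runs; empty means "(None)" is selected

    $findings = @()
    if ($active -ne '1' -or [string]::IsNullOrEmpty($exe)) {
        $findings += 'Screen saver is not turned on (ScreenSaveActive / SCRNSAVE.EXE).'
    }
    if ([string]::IsNullOrEmpty($timeout) -or [int]$timeout -gt $MaxTimeoutSeconds) {
        $findings += "Idle timeout is '$timeout' seconds; expected $MaxTimeoutSeconds or less."
    }
    if ($secure -ne '1') {
        $findings += '"On resume, display the logon screen" is not checked (ScreenSaverIsSecure).'
    }

    # One object per audit so the result can be logged, compared, or piped elsewhere.
    [pscustomobject]@{
        ScreenSaverActive = ($active -eq '1')
        ScreenSaverExe    = $exe
        TimeoutSeconds    = $timeout
        RequiresLogon     = ($secure -eq '1')
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

# Usage: report the current user's settings against the post's recommendation.
Test-SecureScreenSaver | Format-List
```

The audit reads the policy key before the user key on purpose: if an administrator has pushed these settings through Group Policy, the dialog shows them greyed out and the user-level values may be stale, so the policy values are the ones that actually govern whether a wake-up from the screen saver lands on the logon prompt. The function only reads; enforcing the setting across many machines belongs in Group Policy rather than in a script that edits HKCU.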
Comments
Anonymous
February 05, 2007
PingBack from http://www.thaibloglink.com/windowsvista/?p=1598
Anonymous
February 07, 2007
My previous message didn't link to the official security response: here it is. Meanwhile Rob posted