Longhorn's lengthy security wish list

Robyn Lorusso, Editor

We have yet to see which security features will ultimately be built into Longhorn, but attendees at the recent Microsoft TechEd conference in Orlando, Fla., had high expectations for the software giant's next version of the Windows operating system -- and what Microsoft has announced so far has met with mixed reviews.

"The little bits I'm hearing about Longhorn I do like, but I'm not hearing a whole lot," said Roland Gaines, a desktop administrator who deploys and supports 300 local and remote workstations for Regions Financial Corp., in Tyler, Texas. "We need to reduce admin time on little things." For example, he explains that training end users over the Web often requires new Java updates that his team has to remotely install if the user does not have admin privileges. "It takes a lot of time," he said.

"It's a difficult thing to run your desktops as a non-admin," said Darren Canavor, a program manager for Microsoft's security and business technology unit. But doing so could help achieve a 40% cost reduction, according to Microsoft's calculations. The company said customers can achieve that reduction through a combination of running desktops as a non-administrator, using Group Policy or Systems Management Server (SMS) for software deployment and using Windows Server Update Services (WSUS) for patch management.

One Longhorn feature designed to transition users to non-admin desktops is limited-user accounts (LUA), also known as least-privileged user accounts. Microsoft executives detailed LUA and several other new features at TechEd.

Limited-user accounts

Longhorn will provide users with "just enough" access to get their jobs done, said Gordon Mangione, corporate vice president of Microsoft's security unit, at TechEd. Using limited-user accounts, Longhorn will help reduce the likelihood of being infected with malicious code and save true administrators from having to attend to tasks that require elevated privileges, he added.

"Today, to change the time zone on a Windows machine, you need administrative privileges," Mangione said. "That's needless." Instead, Longhorn will enable users to run Windows with limited privileges, rather than with full administrator rights, so they can log on as a user and temporarily elevate privileges to administrator level for the duration of a task that requires it, he said.

"Managing appropriate levels of access without blocking what people want to do -- it's kind of an artifact of a simpler time," said Mario Juarez, a Microsoft security product manager. Microsoft is trying to get back to basics with Longhorn.

Windows Service Hardening

Windows Service Hardening is a new platform service in Longhorn that will monitor critical Windows services for unusual activity in the file system, registry and network. By preventing services from listening on the network, you can control privileges so that services run only in permitted areas and cut down Windows' exposure to malware, according to Mangione.

The Longhorn firewall enforces the rules set in the service hardening platform. If the firewall detects unusual behavior as defined in the service hardening rules, it will block it. For example, Windows Service Hardening would have prevented the Blaster worm from spreading, according to Microsoft.

Secure Startup Volume Encryption

Secure Startup Volume Encryption is a hardware-based security feature that uses a Trusted Platform Module (TPM 1.2) to protect user data and ensure that a PC running Windows Longhorn has not been tampered with while the system was offline, Microsoft said.

"It's a safety net that the user will never see," Microsoft's Juarez said. "It encrypts the operating system from the boot level up." This full-volume encryption locks all user and system files, helping to protect data on Windows laptops from unauthorized users in the event that they're lost or stolen.

TechEd attendees respond

Aside from demanding that Microsoft carve in stone which Longhorn security features it will release, Windows administrators have both hopes and reservations about what they've heard so far.

Regions Financial's Gaines said LUA would help address his administrators' time-crunch issues. But his Longhorn wish list includes many more remote tools and capabilities that his team needs in order to respond to remote desktop issues in less time and with less effort.

Gaines added that he thinks his current Windows XP desktops lock down pretty well. However, working for a financial company, having a feature like full-volume encryption on remote and mobile laptops may help boost customer confidence in his security measures.

On the other hand, Rick Gasper, a network administrator for King's College in Wilkes-Barre, Pa., isn't sold on the new features -- particularly running desktops as non-admin.

"That's a good idea, but in a practical environment -- especially in education -- it won't fly," said Gasper, who deals with "power users" who are resistant to change. He supports 120 professors, 300 to 350 staff members and more than 800 who use their own machines, mostly on Windows 2000. He only has three people on his network staff (short one person), and does not have the funds to hire someone new.

"When you're putting out fires, you can't plan ahead," Gasper said. He's currently waiting to upgrade Windows 2000 machines until Longhorn is available.

"Might be that we're missing out on things because XP brings so much to the table, but we have no time to upgrade twice," Gasper added. "Obviously, security is going to be a big thing." Gaines also hopes to see Internet Explorer locked down by default, including disabling Java applications and blocking pop-ups out of the box.

Still, other users are wary about anything Microsoft has to say about Longhorn security at the moment.

One senior systems administrator from a major travel Web site said he's afraid all the innovative features will be pulled out before it's released. He referenced the Microsoft Millennium Edition operating system, which was released without several popular enterprise features, including its NetWare requestor, Windows Resource Kit and support for system imaging: "If Microsoft keeps pulling things out of [Longhorn], it will be like the ME nightmare."
