Microsoft Vista Security Features
Microsoft is currently talking up the hardware-backed security features it plans to ship in Windows Vista, but these are only a small part of what was originally planned for the operating system.

Three years ago Microsoft renamed its Palladium project the Next-Generation Secure Computing Base (NGSCB), both because the original name had attracted controversy and because another company asserted rights to the Palladium name. The technology was originally intended to be part of the next-generation Windows system.

NGSCB promised to improve the security of personal computers through a combination of software and hardware that would protect them from worms, viruses and other malicious programs. It would also encrypt data in transit between components inside the PC, defeating attacks that intercept traffic between the machine's devices. However, NGSCB requires major changes to both computer hardware and software.

After criticism from software vendors, Microsoft said in May 2004 that it would redesign NGSCB so that existing applications would gain some security benefit without having to be rewritten. Although Microsoft insists that NGSCB is not dead, it has said little about the plan since then. According to Microsoft's website, a release date for the technology has not yet been decided.

At present Microsoft is busy pitching the "Safe Boot" function of Windows Vista to software and hardware makers, and describes the feature as the first step of its hardware security program. Vista, formerly code-named Longhorn, is the client version of the next-generation Windows that Microsoft plans to release in the second half of next year.

Safe Boot

Safe Boot is designed to stop laptop thieves and other unauthorized users from exploiting physical access to read the information inside a computer. According to a survey released in January by the Computer Security Institute and the FBI, about half of the surveyed companies had laptops stolen, for a combined loss of $4.1 million.

“Our first priority is to prevent these thieves from using software tools to access the data stored on the computer,” Microsoft technical spokesperson Stephen Heil said in a talk at the Intel Developer Forum in San Francisco last month.

Current versions of Windows can encrypt individual folders, and PCs can also require a power-on password enforced by the BIOS (Basic Input/Output System, the firmware that lets the computer's hardware talk to its software). Neither helps much against an attacker with physical access: a BIOS password protects only the boot process, not the data on the disk, so the drive can simply be moved to another machine. Heil said that with either folder encryption or a boot password, once an attacker can physically touch the computer, “in just fifteen minutes, you can read the data on the computer.”

The new Safe Boot feature relies on a chip called the Trusted Platform Module, or TPM, which provides protected storage for encryption keys, passwords and digital certificates. Vista uses these capabilities to encrypt the disk and, at boot time, to check that the system has not been tampered with: the TPM releases the decryption key only if the boot components measured at startup match those recorded when the feature was enabled. The TPM chip is normally soldered to the computer's motherboard. Because the secrets are held in hardware rather than on the disk, they are out of reach of software tools and of attackers who have physical access to the drive. Note that the protection covers a powered-off or stolen machine; once the key has been released to a booted operating system, the running system's own defenses are what matter.

A number of major chip companies produce TPM chips, including Atmel, Broadcom, Infineon, Winbond Electronics, Sinosun and STMicroelectronics.

Safe Boot can be temporarily suspended when the computer's situation requires it. Heil said that if the PC fails and the hard drive has to be read in another computer, a recovery key is required to unlock it. The recovery key is generated when the user turns Safe Boot on, and it must be stored somewhere outside the computer; a recovery key kept on the protected machine would defeat the purpose.
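To make the mechanism concrete, here is a small simulation, added here and not Microsoft's or the Trusted Computing Group's code, of the two behaviours described above: a disk key sealed to the boot measurements accumulated in a TPM 1.2-style PCR, and a separate recovery key that does not depend on the TPM. The boot-component blobs, the TPM root secret, the key-wrapping scheme and the tampered-MBR scenario are all constructed stand-ins, not the real TPM 1.2 commands or Vista's key hierarchy.

```python
"""Added illustration of the Safe Boot idea: a volume key sealed to the boot
measurements in a TPM 1.2-style PCR, plus a recovery key kept off the machine.
Constructed simulation, not Microsoft's or the TCG's code; the component blobs,
the TPM root secret and the HMAC-based wrapping are stand-ins."""
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || measurement).
    A PCR can only be extended, never set, so its final value commits to the
    whole sequence of measurements since power-on."""
    return sha1(pcr + measurement)


def measure_boot_chain(components) -> bytes:
    """Each boot stage hashes the next stage into the PCR before running it."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to all zeros at power-on
    for blob in components:
        pcr = extend_pcr(pcr, sha1(blob))
    return pcr


def _wrap(kek: bytes, vmk: bytes) -> bytes:
    """Protect a 32-byte key under a 32-byte key-encryption key (XOR pad + MAC).
    Stand-in for the real TPM encryption; acceptable here because each kek
    wraps exactly one key."""
    ct = bytes(a ^ b for a, b in zip(vmk, kek))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()
    return ct + tag


def _unwrap(kek: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        raise PermissionError("wrong chip or wrong boot measurements: key not released")
    return bytes(a ^ b for a, b in zip(ct, kek))


def _seal_kek(tpm_root_secret: bytes, pcr: bytes) -> bytes:
    # The root secret never leaves the chip, so the kek depends on both the
    # specific TPM and the exact PCR value present at unseal time.
    return hmac.new(tpm_root_secret, b"seal|" + pcr, hashlib.sha256).digest()


def seal(vmk, tpm_root_secret, pcr):
    """Bind the volume key to this TPM and to this boot measurement."""
    return _wrap(_seal_kek(tpm_root_secret, pcr), vmk)


def unseal(blob, tpm_root_secret, pcr):
    return _unwrap(_seal_kek(tpm_root_secret, pcr), blob)


def protect_with_recovery_key(recovery_key, vmk):
    """Second copy of the volume key, wrapped with a key the TPM is not involved in."""
    return _wrap(hashlib.sha256(b"recovery|" + recovery_key).digest(), vmk)


def recover(recovery_key, blob):
    return _unwrap(hashlib.sha256(b"recovery|" + recovery_key).digest(), blob)


# Constructed boot chains: same firmware and loaders, but the MBR has been modified
GOOD_CHAIN = [b"BIOS 1.0", b"MBR", b"boot manager", b"OS loader"]
TAMPERED_CHAIN = [b"BIOS 1.0", b"MBR+bootkit", b"boot manager", b"OS loader"]


def demo():
    tpm_root_secret = b"\x11" * 32   # stands in for the secret held inside this chip
    other_tpm_secret = b"\x22" * 32  # a different machine's chip
    vmk = os.urandom(32)             # volume master key, never stored in clear on disk
    recovery_key = os.urandom(32)    # generated at enable time, to be kept off-machine

    sealed = seal(vmk, tpm_root_secret, measure_boot_chain(GOOD_CHAIN))
    recovery_blob = protect_with_recovery_key(recovery_key, vmk)

    def try_unseal(secret, chain):
        try:
            return unseal(sealed, secret, measure_boot_chain(chain)) == vmk
        except PermissionError:
            return False

    return {
        "normal boot releases key": try_unseal(tpm_root_secret, GOOD_CHAIN),
        "tampered boot releases key": try_unseal(tpm_root_secret, TAMPERED_CHAIN),
        "drive moved to another TPM releases key": try_unseal(other_tpm_secret, GOOD_CHAIN),
        "recovery key releases key": recover(recovery_key, recovery_blob) == vmk,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The point of the simulation is the last three cases: a modified MBR changes the PCR and the TPM will not hand over the key, a drive moved to another machine meets a different root secret and likewise fails, and only the recovery key, which is deliberately not bound to either, gets the data back. That is why the recovery key has to be stored off the machine and why losing it means losing the data.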

At the Intel conference Heil urged hardware makers to adopt the latest TPM standard, version 1.2, released earlier this year, which is the version Microsoft intends to support in Vista. He also urged software developers to write programs that use Windows Vista's TPM capabilities.

It is still unclear which editions of Vista will support TPM and offer the Safe Boot feature. Heil said the function is aimed mainly at business PC users, which may mean it will appear only in high-end editions. Microsoft has not yet said which editions of the new operating system will be released or how they will be packaged.

Microsoft is also unwilling to promise that the Longhorn Server release scheduled for 2007 will support TPM. In June the Trusted Computing Group, which develops the TPM specifications, announced a detailed plan for using the security chips in server computers.

TPM is not a new technology. PC makers such as IBM, Hewlett-Packard and Dell already ship TPM chips on some models so that hard drive data or e-mail files can be encrypted, and HP, IBM and others supply their own software to let users make use of these features.

“Personal computers with TPM chips have been shipping for two and a half years,” said Brian Berger, marketing director of the Trusted Computing Group, which publishes open specifications for protecting computers against software attacks.

TPM: Controversial Technology

According to research firm IDC, more than 25 million TPM chips will ship this year, and 60 million computers with the chip will ship next year. By the end of 2010, IDC expects most notebook computers and most desktop computers to carry a TPM.

NGSCB has also drawn criticism. Critics worry that the technology would reduce users' control over their own computers and curtail the rights of ordinary users, and TPM itself is not free of controversy. Digital rights management applications can use the chip's functions to control what may be done with digital media, and each chip carries a unique key that could be used to identify the computer, which raises privacy concerns.

Although TPM was not designed specifically for digital rights management, the Trusted Computing Group acknowledges that a third-party software vendor could use the chip to limit the number of times a media file can be played or the number of copies that can be made.

“There are also doubts about whether TPM can infringe on personal privacy,” Microsoft's Heil said. According to Heil, to address these concerns Microsoft will not require PC makers to install the security chip, and the chip is to ship turned off from the factory.

Rob Helm, research director at Directions on Microsoft, a Washington-state research firm that specializes in Microsoft, said that adding TPM support to the new version of Windows is “a much smaller ambition than the grand NGSCB program. But because it does not need the cooperation of software vendors, broad adoption of this technology is relatively more likely,” he said.

Helm also said that nobody is mourning NGSCB's absence from Vista. “The grand plan at the beginning was not accepted by any company other than Microsoft,” he said. “Today Microsoft is taking a step that can bring immediate benefits to users and can also be supported by software and hardware vendors.”

According to Microsoft's official website, once the Safe Boot feature is complete, Microsoft intends to move on to the next part of the NGSCB program. “These new features will work together with Safe Boot to provide a broader new secure computing solution. However, technical specifications, schedules and implementation scenarios have not yet been decided.”
