Microsoft Windows Vista Security Advancements

Introduction

In just three decades, the software that runs personal computers and digital devices has transformed the way millions of people around the globe work, communicate and enjoy their free time. Yet we're only beginning to realize the promise of the digital age.

The continued advancements in processing power, storage, networking and graphics are enabling a digital infrastructure with seemingly limitless possibilities. But it's the magic of software that connects these devices into a seamless whole, making them an indispensable part of our everyday lives.

There's really only one thing that could stand in the way. As computers and the Internet play an increasingly important role in business and in our personal lives, they also have become targets for malevolent hackers who infect unprotected PCs with viruses, spread spyware, distribute spam and launch malicious attacks, and for identity thieves who try to trick consumers into revealing valuable personal information.

Four years ago, Microsoft^® Chairman and Chief Software Architect Bill Gates signaled a dramatic shift in the company’s strategy, making a secure, private and reliable computing experience the company’s highest priority. In an increasingly interconnected world of PCs, devices and services, this commitment to Trustworthy Computing is more important than ever.

With the forthcoming release of Windows Vista, Microsoft is delivering innovations that help businesses and consumers maintain control over their computers in a world of constantly evolving security threats — to help end users become more secure and protect the privacy of their information, and to offer IT administrators new ways to make their companies’ networks more resistant to attack while preserving data confidentiality, integrity and availability.

Windows Vista brings a new level of confidence to computing through improved security, reliability and management. Building on these advances, Microsoft and the rest of the technology industry can work to make computing even more reliable and secure by doing the following:

· Building a trust ecosystem in which people, organizations, device-makers and code authors can be properly identified and held accountable for their actions, while still protecting the privacy of end users.

· Engineering for security by establishing, publishing and sharing best practices, security diagnostic tools and security-specific testing methods.

· Simplifying security for consumers and IT professionals, through a combination of industry standards, common development tools, and unified practices across platforms, products and services.

· Delivering a fundamentally secure platform that includes protection technologies that enable isolation, trust-based multifactor authentication, policy-based access control and unified audit across applications.

These principles are reflected in the design and development of Windows Vista, which embraces a holistic approach to security that makes it a significant milestone along the path to achieving Microsoft’s vision of Trustworthy Computing.

Windows Vista is the first version of the Windows^® client to be developed using Microsoft’s Security Development Lifecycle, which makes security a top priority from the start by defining a repeatable engineering process that every developer must follow, and then verifying that process before release.

To improve security at the architectural level, Windows Vista implements a new strategy called Windows Service Hardening that improves the security of system services. Windows Vista also reduces the risk of buffer overrun vulnerabilities through improved testing and development processes, and it adds a number of enhancements to security on 64-bit systems.

With User Account Control, Windows Vista makes it easier for everyday users to run accounts with standard permissions, reducing the “surface area” for attacks. The Windows logon architecture has also been redesigned to improve reliability and enable alternative strong authentication methods.

Network Access Protection helps preserve the security of corporate networks by giving network administrators the tools to keep “unhealthy” machines off the network. Improved support for smart cards makes it easier for organizations to supplement passwords with multifactor authentication.

Windows Vista provides better protection from malware, potentially unwanted software and intrusions through the integration of Windows Defender anti-malware technology, an enhanced, bidirectional Windows Firewall, and advances in Windows Security Center to simplify the process of monitoring and remediating the security status of a user’s Windows PC.

Windows Vista also features a number of enhancements that help protect sensitive data, including Windows BitLocker™ Drive Encryption to better protect data on lost, stolen or decommissioned PCs, expanded Windows Rights Management Services that help organizations control who has access to sensitive data, and improvements to the Encrypting File System. Group policies for IT administrators have been enhanced to restrict the installation of new hardware and the use of USB keys and other removable storage devices.

Microsoft Internet Explorer^® 7 in Windows Vista represents a major step forward in browser security and privacy protection. Its new browser architecture is designed to give users more confidence in the security of their browsing activity while also helping to protect their personal data from phishing attacks and fraudulent Web sites. Advances include a Protected Mode that enables a robust browsing experience while helping to prevent hackers from taking over a user’s browser and executing code. A new Fix My Settings feature helps users keep their security protections at the appropriate level when installing and using a variety of Internet applications. A Security Status Bar helps users quickly differentiate between authentic Web sites and suspicious or malicious ones, and the Microsoft Phishing Filter helps users browse more safely by advising them about suspicious or known phishing Web sites.

Windows Vista is designed not only to mitigate today’s threats, but to evolve to counter future threats. Updates will be distributed automatically, new malware and potentially unwanted software definitions will be released as necessary for Windows Defender, and Internet Explorer will warn users about the latest phishing sites. Advances in computer hardware — including unique capabilities in the new generation of 64-bit processors, as well as hardware solutions such as the Trusted Platform Module and No eXecute (NX) capabilities — have enabled security improvements that were not previously possible on the Windows platform.

The following pages provide detailed descriptions of these security enhancements as implemented in current testing versions of Windows Vista. As the development process continues, Microsoft expects to enhance and refine these features in response to testing and customer feedback. Future white papers will cover additional changes and provide a more comprehensive overview of these features.

Engineering for a Secure Platform

Security Development Lifecycle

Starting in 2003, Microsoft established strong internal security design and development processes to help engineering groups create more secure products. The Security Development Lifecycle (SDL) is an evolving process that helps ensure that the company’s software and solutions are built from the ground up to reduce security risk. The SDL implements a rigorous process of secure design, coding, testing, review and response for all Microsoft products that are deployed in an enterprise, that are routinely used to handle sensitive or personal information, or that regularly communicate via the Internet. The SDL helps remove vulnerabilities and minimize the “surface area” for attacks, improves system and application integrity, and helps organizations more securely manage and isolate their networks.

Although the SDL has been used extensively on several key Microsoft products, Windows Vista is the first client operating system to be developed from start to finish using this new approach. The engineering process took all the lessons from security reviews of previous versions of Windows, analysis of Microsoft Security Response Center (MSRC) bulletins, and engineering practices from the development cycles of Microsoft Windows XP SP2 and Windows Server™ 2003 SP1.

From the start, teams worked with a security advisor who served as a guide and point of contact for the project from initial conception to completion of the final security review. Security reviews and testing were built into every step of the shipping cycle.

The Secure Windows Initiative Attack Team (SWIAT) conducted extensive design reviews and penetration testing of Windows Vista, with the goal of identifying parts of the product’s code or design that needed additional work to achieve an acceptable level of resistance to attack. SWIAT’s team of “in-house hackers” was supplemented by security research contractors drawn from leading security research and penetration testing companies.

More than 1,400 threat models were developed for Windows Vista to ensure identification of risks that required mitigation, code that needed special attention, and parts of the operating system that required especially intensive testing. The Secure Windows Initiative (SWI) team provided product teams with training and tools to support the threat modeling process, and the team reviewed the threat models for completeness and depth.

Throughout the development process, Windows Vista was checked against vulnerabilities discovered in Windows XP. Both operating systems were patched at the same time, and the security processes and tools involved were re-evaluated and improved where possible.

Automation was a key focus in the engineering process. The product groups also used tools that Microsoft developed to find certain types of code vulnerabilities —including PREfix and PREfast, which are source code analysis tools that detect certain classes of errors not found by typical compilers. The tools integrate cleanly with the build process, reduce development time, streamline code review, and help improve overall quality and reliability.

The Windows team annotated all Windows Vista functions containing readable or writeable buffers using the Standard Annotation Language (SAL), which allows these automated code quality tools to evaluate the consistent use of variables and buffers, helping developers detect and remove exploitable coding errors.

The team extensively “fuzz tested” components of Windows Vista that parse or process inputs from potentially hazardous sources. Fuzz testing automates the process of supplying corrupt or malformed data to these components to see how they deal with potentially malicious inputs, and it is very effective at detecting vulnerabilities that an attacker could exploit to run malicious code or cause a software component to fail. Fuzz testing on particularly complex parsers was complemented by a security code review and a deeper level of SAL annotations.

Another Microsoft-developed tool, called FxCop, scans managed code applications for vulnerabilities and helps prevent malicious code from taking advantage of buffer overruns in applications. In addition, the Microsoft Visual C++^® 2005 C runtime library adds buffer checks to functions that are known to be vulnerable to attack. These tools were initially developed for internal use at Microsoft but are also available to the developer community in Visual Studio^® 2005.

The code base was scrubbed for a number of issues that commonly lead to security vulnerabilities. All instances of cryptographic algorithms were reviewed to assess any weaknesses in algorithm choice or key strength. More than 100 programming APIs that had been misused in the past were systematically removed from the code base and replaced with more secure versions. In addition, third-party components that ship with Windows Vista were reviewed against the SDL.

Microsoft also provides detailed guidance on the SDL for independent software developers and the worldwide security community, to enable others to improve the security of their products.

To help ensure a more secure end-to-end computing environment, Microsoft is also working toward Common Criteria (CC) certification. Windows Vista will be independently tested in third-party labs using criteria set by the International Standards Organization (ISO), with the goal of achieving EAL4 and Single Level OS Protection Profile certifications.

Windows Service Hardening

System services are background processes that are always running to support key functionality. They have been a major target for malicious software attacks because they typically run with the highest possible system privileges (referred to as LocalSystem). A malicious attack that exploits system services could cause problems by running arbitrary code with administrator privileges on the user’s machine. (The Slammer, Blaster and Sasser worms all targeted system services.)

To mitigate this threat, Windows Vista introduces the concept of “restricted services” that run under the least possible privileges and limit their activities to the local machine or network. A restricted service program runs from the start with minimal privileges and capabilities. The restricted service approach significantly reduces the number of services that are capable of doing unlimited damage to a user’s machine.

The personal firewall in Windows Vista is closely aligned with the Windows Service Hardening platform initiative, which allows the firewall to enforce inbound, outbound and protocol restrictions for networking operations. In addition, individual services can be uniquely identified, which enables tighter per-service usage of access control lists, such as allowing processes to write to only specific areas of the file system, registry or other system resources.

This helps prevent a compromised service from changing important configuration settings in the file system or registry, or infecting other computers on the network.

Core Windows services included in Windows Vista have service profiles that define the necessary security privileges for the service, rules for accessing system resources, and inbound and outbound network ports that the services are allowed to use. If a service tries to send or receive data on a network port that it is not authorized to use, the firewall will block the network access attempt. For example, the Remote Procedure Call service in Windows Vista is restricted from replacing system files, modifying the registry, or tampering with another service configuration in the system (such as the anti-virus software configuration and signature definition files).

A specific goal of Windows Service Hardening was to avoid introducing management complexity for users and system administrators. Every service included in Windows Vista has been through a rigorous process to define its Windows Service Hardening profile, which is applied automatically during Windows Vista installation and requires no ongoing administration, maintenance or interaction from the end user.

Windows Service Hardening is designed to be used by independent software vendors (ISVs). Microsoft is actively evangelizing the technology to developers so the service components they write will be more secure when running on Windows Vista. This infrastructure is used by system services on an “opt-in” basis, so there is no application compatibility impact with legacy system services (such as services that accompany third-party software).

Mitigating Buffer Overruns With Hardware Protection

Another way that malicious software makes its way onto a user’s machine is by taking advantage of buffer overruns — essentially, tricking software into executing code that has been placed in areas of the computer’s memory that are set aside for data storage. Many of these buffer overruns stem from design or implementation vulnerabilities that processes such as the SDL and related tools can prevent. An additional way to reduce the impact of such vulnerabilities is through the use of NX technologies at the hardware level. NX enables software to mark sections of the computer’s memory as exclusively for data, and the processor will prevent applications and services from executing any code there.

Many processors shipping today support some form of NX, and Microsoft has included support for NX-capable processors since Windows XP SP2 through the Data Execution Prevention feature. Windows Vista introduces additional NX policy controls that allow software developers to enable NX hardware protection for their code, independent of systemwide compatibility enforcement controls. An ISV can mark its program as NX-compliant when the program is built, which allows protection to be enforced when that program runs. This enables a higher percentage of NX-protected code in the software ecosystem —especially on 32-bit platforms, where the default system compatibility policy for NX is configured to protect only operating system components. On 64-bit versions of Windows, NX protection is the default.

Windows Vista also introduces improvements in heap buffer overrun detection that are even more rigorous than those introduced in Windows XP SP2. When signs of heap buffer tampering are detected, the operating system can immediately terminate the affected program, limiting damage that might result from the tampering. This protection technology is enabled for operating system components, including built-in system services, and can also be leveraged by ISVs through a single API call.

64-Bit Security Enhancements: Kernel Patch Protection and Mandatory Driver Signing

Some of the most dire security issues arise from malicious software that manipulates the operating system “kernel,” rendering malicious software undetectable to anti-virus software and running unnoticed on a user’s system. These “rootkits” are often used to cloak other potentially unwanted software, such as bots and spyware. Beyond the serious security implications of rootkits, this class of malicious software can reduce the stability, reliability and performance of the entire system, including all user programs.

Addressing these problems has been difficult because many 32-bit Windows drivers are not identified with a digital signature, or they modify the kernel for legitimate purposes but by unsupported means. Implementing stricter control over these modifications could create major compatibility and performance issues. Some 32-bit security products that provide behavior-blocking capabilities have these characteristics, which has led Microsoft to partner with third-party security vendors to investigate robust, secure and supported alternative platform mechanisms.

However, as computing moves from a 32-bit to a 64-bit architecture, the smaller installed base of 64-bit software makes it possible to make significant enhancements to the security of the kernel, reducing the potential for rootkits and similar types of malicious software to negatively impact users’ systems.

Kernel Patch Protection for x64. The 64-bit versions of Windows Vista support Microsoft kernel patch protection technology (sometimes referred to as PatchGuard), which prevents unauthorized software from modifying the Windows kernel. Kernel patch protection works by preventing kernel-mode drivers from extending or replacing operating system kernel services, and by prohibiting all software from performing unsupported patches in the kernel. In addition to improving security and making it more difficult for hackers to modify the kernel for malicious purposes, kernel patch protection also helps prevent other software from making unauthorized or unsupported modifications to operating system data structures (such as the interrupt dispatch table), thereby greatly improving the overall security, reliability and performance of Windows.

Kernel patch protection is not a guarantee of security, but by blocking unsupported and potentially malicious behavior in the kernel environment, it improves the security and reliability of Windows Vista and enables future improvements in the kernel environment that can address the evolving changes in the landscape of malicious software.More information about kernel patch protection is available at http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx.

Mandatory Kernel Module and Driver Signing for x64. To give users visibility into the source of drivers and other software running in the operating system kernel, Microsoft introduced the concept of “signed drivers” beginning with Windows 2000. Although it was possible to prevent unsigned drivers from installing, the default configuration only warned users if they were about to install an unsigned driver. IT administrators could also block installation of unsigned drivers via Group Policy, but the large installed base of unsigned drivers made this impractical in most situations. Malicious kernel software typically tries to install silently, with no user consent — and because no kernel load-time check existed before Windows Vista, malicious kernel software was likely to run successfully, assuming these actions were performed by a user with administrative privileges.

With Windows Vista on 64-bit systems, security at the kernel level has been greatly enhanced by requiring that all kernel-mode drivers be digitally signed. Digital signing provides identity as well as integrity for code. A kernel module that is corrupt or has been subject to tampering will not load. Any driver that is not properly signed cannot enter the kernel space and will fail to load.

Although a signed driver is not a guarantee of security, it does help identify and prevent many malicious attacks, while allowing Microsoft to help developers improve the overall quality of drivers and reduce the number of driver-related crashes.

Mandatory driver signing also helps improve the reliability of Windows Vista because many system crashes result from vulnerabilities in kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of system crashes and work with the responsible vendor to resolve the issue. System administrators also benefit from digitally signed and identified drivers because they get additional visibility into software inventory and install state on client machines. From a compatibility perspective, existing Windows Hardware Quality Labs certified x64 kernel drivers are considered validly signed in Windows Vista.

Secure Access

User Account Control

With previous versions of Windows, most user accounts were configured as a member of the local administrator group — giving users all system privileges and capabilities needed to install and configure applications, run some background system tasks and device drivers, change system configuration, and perform many basic maintenance tasks.

Although this approach was convenient for users, it made computers and networks more vulnerable to malware that could abuse those privileges to damage files, make configuration changes such as disabling the firewall, and compromise sensitive data. It also increased maintenance costs for corporate desktops because users could make unapproved or accidental changes that could disrupt the network and make individual machines harder to manage. Although it was possible to deploy Windows accounts in a locked-down configuration with limited user privileges, this severely limited productivity — many basic tasks such as adjusting the clock, connecting to a secure wireless network or installing a printer driver still required administrator privileges.

To address this issue, Windows Vista includes User Account Control (UAC), a new approach that separates standard user privileges and activities from those that require administrator access, thereby reducing thesurface area for attacks on the operating system while still giving typical users most of the capabilities they need every day.

The benefits of UAC are twofold: First, it redefines what a standard user can do by including many basic functions that pose no security risk but that previously required administrative privileges. To enable users to perform a limited set of administrative tasks without disruption, standard user accounts have additional capabilities to enable such tasks as changing the time zone or power management settings, installing new fonts or adding a printer.

When standard users attempt to perform a task that requires administrative access, such as installing a new application or modifying certain system settings, they are prompted for an administrator password. (IT administrators also have the option of “locking down” corporate desktops by configuring a policy setting that prevents users from encountering this prompt, thereby preventing unauthorized administrative actions.) This aspect of UAC helps reduce the risks for ordinary users.

Second, UAC makes user accounts with administrative privileges safer by limiting access to sensitive system resources and functions by default, and by prompting for approval when performing administrative tasks that require greater privileges.

For administrators who need to perform everyday tasks such as checking e-mail or using the Web in addition to their administrative duties, additional controls are needed to ensure that administrative privileges are in place only when they are actually needed. By default, administrator accounts will run in Administrator Approval Mode — most programs will run under standard user privileges, and when users need to perform an action that requires administrative privileges, they will be prompted for consent first. System administrators also have the option to configure the system to require an administrator password for such elevations.

The Windows Vista user interface includes a number of enhancements that make it easier for users to tell which activities require administrator privileges, including describing the requested action and marking administrative actions with a shield icon.

UAC also helps families with children protect their PCs from malware that might be hidden in programs that appeal to children. Parents can give each child an account with standard privileges and can require an administrative password provided by an adult before a child can install any software. This supplements other Parental Controls features in Windows Vista that can be used to limit the activities of children, including Web site “blacklists” and “whitelists” to limit access to violent games, and setting aside certain hours of the day when gaming or other activities are permitted.

UAC strikes a balance between enabling existing applications to work without modifications and providing a platform that helps evolve user applications to avoid the need for administrative privileges in common usage situations. Because many older applications were written on the assumption that users would have administrator privileges, Microsoft enables these applications to run as a standard user on Windows Vista.

For example, to help older applications function properly, Windows Vista includes file system and registry virtualization that redirects writes (and subsequent reads) from protected areas to a location inside the user’s profile, so the application can function properly without affecting other users’ resources or the system in general. This reduces security risk because the application never has access to interfaces or resources that require administrative access.

In addition, Microsoft provides a number of tools, technologies and resources that help developers write new code that works well under UAC. For example, Microsoft provides a Standard User Analyzer tool that helps determine whether applications will perform correctly when executed by a user with standard permissions.

In addition, Microsoft offers resources through MSDN^® to help developers adapt their software to this new model.

By making UAC available to Windows Vista beta users through its Community Technology Preview program, Microsoft received valuable feedback that resulted in further improvements to UAC in Windows Vista Beta 2, including these:

· Further reducing the number of Control Panel applets that require administrator privileges, including Mouse and Keyboard, Infrared, and Bluetooth.

· Eliminating the need for Task Manager to run with administrator privileges.

· Applying fixes to hundreds of older applications so they can run without prompting for an administrator password.

· Modifying the new Hardware Wizard so it does not automatically prompt for an administrator password every time it runs.

The UAC dialog boxes have also been redesigned so they more clearly state which program is requesting administrative privileges, and they also make it easier to identify programs that pose potential risks to the system. Microsoft will continue to improve the UAC experience and remove unnecessary dialog boxes until the final release of Windows Vista and beyond, by using data collected from customers who volunteer to provide this feedback to Microsoft.

This customer feedback is being used to fine-tune the number of prompts that will appear in the post-Beta 2 version of Windows Vista, known as Release Candidate 1. This release is expected to have even fewer prompts than Beta 2. For example, Microsoft expects to remove the consent prompt for administrators when they delete icons on the public desktop, as well as the prompt that appears when the user acquires critical updates from Windows Update. The number of actions and applications that require prompts will continue to be reduced throughout the remainder of the beta cycle. (More information on UAC is available at http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx.)

New Logon Architecture

Many organizations and software vendors are choosing to supplement passwords or smart cards with additional authentication factors such as biometrics or one-time password tokens. In previous versions of Windows, implementing these factors often required developers to rewrite the Graphical Identification and Authentication (GINA) interface. This sometimes made it unduly difficult and expensive for companies using these methods. In addition, it was not possible to use multiple GINAs simultaneously.

Although passwords are still supported, the primary focus for strong authentication in Windows Vista is smart cards. That said, the logon architecture has been completely rewritten to make it easier to extend for new credential types. Supporting new credential types requires creating a new Credential Provider, and the Windows logon user interface can interact simultaneously with multiple Credential Providers to make use of different authentication methods, including biometrics and tokens from third-party credential providers. This not only makes it possible for customers to enhance their security by choosing the right combination of available authentication methods, but it also enables developers to easily implement future authentication methods into the existing architecture.

The new architecture also enables Credential Providers to be event-driven and integrated throughout the user experience. For example, the same code used to implement a fingerprint authentication scheme at the Windows logon screen can be used to prompt the user for a fingerprint when accessing a particular corporate resource. The same prompt also can be used by applications that use the new credential user interface API.

In addition to the security benefits noted above, the new architecture improves overall system reliability and stability because functions that were not essential to the logon process have been moved to separate processes in the Windows Vista system.

Easier Smart Card Deployments

Many organizations are further enhancing security by using smart cards as their preferred two-factor authentication method in place of passwords. Microsoft has provided native operating system support for smart cards since Windows 2000. However, previous versions of Windows required IT administrators to deploy and maintain additional components to support their smart card infrastructure, such as cryptography modules and communications support for card readers.

To make it simpler to deploy and maintain smart cards, Windows Vista includes new advances in its smart card infrastructure that enable a model that is dramatically simplified, more secure and less error-prone. A common cryptographic service provider (CSP) implements all the standard back-end cryptographic functions that hardware and software developers need. In addition, integrated third-party Card Modules make it easier to rapidly deploy a smart card solution and enable secure, predictable communications between the CSP and other components of the smart card infrastructure.

In addition to these infrastructure changes, Microsoft also is working with the partner community to ensure that most of the major smart card vendors are familiar with this new architecture and are developing card modules for Windows Vista.This effort includes a process to certify card modules to validate quality and ultimately to make these card modules available via Windows Update. This initiative will provide customers with better quality and ease of use for their smart card deployments.

These enhancements complement other improvements to the smart card infrastructure in Windows Vista, including improvements to the Kerberos authentication protocol that reduces the need for smart card users to sometimes re-enter their password when accessing certain resources.

Network Access Protection

One of the greatest challenges for IT administrators is ensuring that the machines on their network have all the necessary security updates and meet the network’s “health policy” requirements. As more networks encompass users’ laptops and home computers, which often are not under the administrator’s direct control, there is far greater potential exposure to viruses, malware and other security threats. (In fact, many hackers create malware specifically to target out-of-date computers.)

Network Access Protection (NAP) is a network access control system that lets IT administrators ensure that only “healthy” machines connect to their network, while enabling potentially “unhealthy” machines to get clean before they gain access. The NAP client in Windows Vista simplifies the enforcement of network health policies and protect against malicious network attacks by enabling organizations to establish requirements for client health status (such as current software updates and up-to-date virus scanner signatures) and enforcing those requirements when the client connects to the network. If a client machine does not meet the health requirements, NAP can automatically update the machine or direct it to a separate “quarantine” area where the user can remedy the situation.

NAP is an extensible platform that provides an infrastructure and API for health policy enforcement. Independent hardware and software vendors can plug their security solutions into NAP, so IT administrators can choose the security solutions that meet their unique needs — and NAP helps ensure that every machine on the network makes full use of those solutions.

NAP requires functionality and support from the Windows Server “Longhorn” operating system. Although the NAP client for Windows Vista is included in the operating system, Microsoft will also release NAP client support in Windows XP SP2.

Protection Against Malware and Intrusions

Windows Security Center

In response to customer concerns about security vulnerabilities and how to better protect their PCs, Microsoft undertook a worldwide information campaign in 2003 to educate customers about three essential computer security steps: having a firewall turned on, keeping their PC up to date with automatic updates, and installing and using up-to-date anti-virus and anti-spyware software.

Customers found this information helpful, but they indicated that it was still difficult to understand the security status of their PC and even harder to know how to change settings to make it more secure. In response, Microsoft included a new feature in the 2004 release of Windows XP SP2 called Windows Security Center (WSC).

Running as a background process, WSC in Windows XP SP2 constantly checks and shows the status of three important security components