System Integrity: Ensuring Integrity
December 2005
The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT
MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS
TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights,
or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual
property.
Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events
depicted herein are fictitious, and no association with any real company,
organization, product, domain name, email address, logo, person, place, or
event is intended or should be inferred.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Vista, Authenticode are either registered
trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
All other trademarks are property of their respective owners.
Contents
Executive Summary .............................................................. 1
Introduction ......................................................................... 2
System Integrity Issues ....................................................... 2
The Technologies Supporting System Integrity .................... 7
User Account Protection ............................................................................... 7
BitLocker Drive Encryption ........................................................................... 8
Code Integrity ............................................................................................... 9
Authenticode ................................................................................................. 9
Software Restriction Policy ........................................................................... 9
Network Access Protection ......................................................................... 10
Microsoft Anti-Spyware ............................................................................... 10
Internet Explorer 7 ...................................................................................... 11
Conclusion .......................................................................... 12
Additional Resources: ................................................................................. 12
Executive Summary
Organizations are increasingly challenged to provide their business partners,
customers, and employees with secure access to data and applications. With
the popularity of devices such as laptops, PDAs, Smartphones and kiosks,
companies also need to provide more flexible ways of disseminating
information. But the Internet, which expands business opportunities
exponentially, also presents a unique challenge: How do you open channels of
communication for authorized users and close them to those who are not?
The answer lies in access management, the process by which an organization
protects its resources against unauthorized attack while simultaneously making
information more readily available to the right people. When thinking about an
effective access control strategy, the first step is to ensure the integrity of the
operating system. The purpose of this paper is to describe the technologies
that make up System Integrity, one of the four main components of Access
Control.
The Access Control Strategy Series of white papers from Microsoft is designed to help
technical and business decision makers understand the primary components of access control
technologies, and develop an effective end-to-end security strategy to secure information
assets and achieve compliance with industry regulations. Additional white papers will be
available at:
http://www.microsoft.com/windowsserversystem/overview/benefits/access/default.mspx
Introduction
System integrity begins with selecting and deploying the right hardware and
software components to authenticate a user’s identity—and help prevent
others from assuming it. In doing so, it needs to offer efficient administrative
functions to restrict access to administrator-level functions, and give
administrators processes and controls to manage changes to the system.
There are many individual components to system integrity, such as
vulnerability assessment, antivirus, and anti-malware solutions. However, the
ultimate goal from an access control standpoint is to prevent the installation
and execution of malicious code—while protecting valuable data—from the
outset.
This white paper provides an overview of the Microsoft technologies that help
safeguard critical information and offers typical real-life examples using
Fabrikam, a fictitious manufacturing company.
System Integrity Issues
Essentially, system integrity seeks to ensure the security of system hardware,
software, and data. Microsoft invests significant resources in providing
prevention and mitigation against malware at both the platform and application
level. For Microsoft® Windows Vista™, the next generation of the Microsoft
Windows® operating system, Microsoft has identified the following issues that
have an impact on System Integrity.
Detecting Malware
Malware is one of the most insidious threats that enterprises encounter today.
Malware is a malicious type of software designed to install itself on a computer,
and because it spoofs the administrator login, it operates at the administrator
level without the user knowing it is there. There are many types of malware,
but it is always designed with the intent of doing damage. The most dangerous
malware is designed to find and transmit confidential data, credit card
information, user names and passwords, and more.
Many third-party applications require administrator access to function properly,
and this is one reason that malware can be so pernicious. It takes advantage
of administrator settings, which often bypass security features and give the
application or user access to a number of critical, system-level functions.
To stop malware from being installed, enterprises must:
• Control administrator-level access privileges
• Screen incoming files for malware and prevent their download/installation
• Scan and remove malware from computers
Windows offers a series of tools and best practices to help prevent malware
attacks. These include Microsoft Malicious Software Removal Tool, Microsoft
Anti-Spyware, and Network Access Protection. In addition, Microsoft has also
made critical improvements to reduce the need for administrator mode
operation for users, helping to reduce the attack profile of Windows clients and
eliminate inadvertent damage caused by end-users reconfiguring their
computers.
Preventing Malware
Malware has reached epidemic proportions in many organizations, and even
the best firewalls cannot always filter it out. Many computers are running rogue
code without even knowing it, leaving entire organizations at the mercy of code
that can disable systems, expose confidential user information, and more.
To prevent malware from running, enterprise computers need the ability to
authenticate code and assess applications at the system level before they run.
The Microsoft response to unauthorized code running on client computers
includes:
• Code Integrity to validate the integrity of each binary image with per-page hashes as each
page is loaded into the system. Images that fail are not loaded.
• Software Restriction Policy to help prevent damage to systems by identifying and then
controlling software running on an enterprise domain.
• Microsoft Authenticode® to digitally sign and validate application code.
• Internet Explorer 7, which helps protect a user’s system from malware attacks while he or she
is browsing the Internet.
Protecting the Operating System
Hundreds of thousands of computers are lost or stolen every year, posing an
enormous liability to organizations—and not just in terms of lost user
productivity and physical assets. Intellectual property and trade secrets are
also at risk. The United States Department of Justice estimates that intellectual
property theft cost enterprises U.S.$250 billion in 2004. Furthermore, with
current legislation such as the Sarbanes-Oxley Act or the Health Insurance
Portability and Accountability Act (HIPAA), companies are now held
accountable for protecting private or sensitive customer data.
As a result, many organizations are justifiably concerned about confidential information being
accessed by unauthorized users. Hacker programs can bypass the Windows XP default data
security mechanisms with an offline attack that exposes core system keys. Even more
problematic, a hacker can browse and copy the contents of a hard disk drive by removing it
from its computer and attaching it to another.
The fact that system data can be readily accessed by removing the hard disk
drive also means organizations must ensure that the information on hard disk
drives, backup tapes, and other storage devices is completely eradicated when
they are decommissioned. Unfortunately, deleting data from a storage device
does not actually remove it, creating a real problem for IT staff.
To protect system data from theft and to dispose of storage media properly,
enterprises need a way to encrypt data so that it can only be read by
authorized personnel. Microsoft developed BitLocker Drive Encryption
specifically to address customer concerns regarding data theft and disposal.
Secure Startup is a hardware-based security feature. By using a Trusted
Platform Module (TPM), it verifies integrity during boot up, protects user data,
and helps ensure that a PC running Windows Vista has not been tampered
with while the system was offline. For example, a hacker can obtain a hard
disk drive and attempt to access information by reinstalling the operating
system. Secure Startup will detect that the system key has been changed and
will not allow the hard disk drive to boot up.
An integral part of Secure Startup is Full Volume Encryption (FVE), which helps protect an
entire hard disk—including the registry—from attack. It also helps prevent data on a lost or
stolen hard disk drive from being accessed or modified. For example, an attacker can steal
and connect a hard disk drive to another system to browse its contents—but with FVE
encryption, this data will remain secure.
Transmitting, Communicating, and Storing Information Securely
There is no question that systems need to be protected from unauthorized external access. At
the same time, the appropriate security measures must be in place internally to protect
individual files at the user level. Although third-party encryption solutions are readily available
in the marketplace, adoption has been slow because they can be cumbersome to implement
and problematic to manage, and they require extensive user education. Therefore, until now,
securing individual files has been fraught with difficulty.
Microsoft has developed Encrypting File System (EFS), which seamlessly encrypts files and
folders so that user information is secure. In addition, Crypto Services provides an underlying
cryptographic technology that drives secure transmission, storage, file connections,
applications, and e-mail. Crypto Services is completely invisible to the user. For more
information on EFS and Crypto Services, please see the “Information Protection” white paper
in this series.
Providing End-to-End Security with Software and Hardware Defense
Mechanisms
A software-only approach to security problems has systemic vulnerabilities; it
uses a shared memory space and relies on the operating system to manage
physical memory. Because the software functions within the confines of the
operating system, data is susceptible to compromise due to the operating
system’s vulnerabilities. In addition, software is usually stored on a medium—
such as a personal hard disk drive or a server computer—in a way that leaves
it open to surreptitious modification.
The Microsoft approach to System Integrity entails combining the more
traditional software approach to unauthorized attack with additional hardware
defense mechanisms. Furthermore, the hardware and software defense
mechanisms are designed to work in tandem, thus helping prevent
vulnerabilities between the two. These efforts are underscored by a Microsoft
initiative called Trustworthy Computing, which seeks to provide a more secure,
private, and reliable computing experience for everyone. As part of Trustworthy
Computing, Microsoft is developing technologies—such as Secure Startup—
that use improved hardware design to secure computers and sensitive data
from initial boot-up to shut-down, and when they are offline.
The Technologies Supporting System Integrity
To help combat a host of recent security exploits and their related
vulnerabilities, Microsoft will be releasing Windows Vista, the most secure
version of Windows that Microsoft has ever developed. System Integrity, which
is the most fundamental step of Access Control, relies on a range of
technologies that work together to govern the way applications operate and
help ensure the integrity of the operating system.
User Account Protection
User Account Protection is a key component of System Integrity, and solves
the fundamental challenge of how applications behave. Its main goal is to
reduce the exposure and attack surface of an operating system. A protected
user account has no administrator privileges for non-administrative tasks—no
matter what the user’s function. This limitation not only minimizes the ability for
users to make changes that could destabilize their computers, but also
allows users to perform normal tasks without administrator privileges.
User Account Protection features have been built into the Windows operating system since
Windows 2000; with Windows Vista and beyond these features will be set as a default.
Fabrikam can use User Account Protection to allow end-users to operate in standard account
mode and reduce the need for administrator privileges. It can also ensure that employees
using operational systems have just enough privilege to do their jobs, without being able to
compromise manufacturing by altering system settings or deploying unapproved applications.
Over-the-Shoulder (OTS) Consent
With Over-the-Shoulder (OTS) Consent, a user will be prompted for
administrator authorization if they attempt a task not on the approved list. If an
IT administrator has configured User Account Protection to allow this specific
task in Standard mode, the user will be prompted to enter their credentials.
Otherwise, they will be denied.
Increasing Protection Against Application-Based Shatter Attacks
With User Account Protection, users have increased protection against
inadvertent damage caused by shatter attacks—malware that runs on the
Windows messaging system. These attacks are possible because applications
use Windows messaging to communicate with the operating system and there
is no way to tell whether the application is authorized to do so. User Account
Protection helps isolate administrator privileges by design, to reduce the attack
surface of client operating systems.
Virtualization
Using Application Impact Management (AIM), User Account Protection gives
each application its own virtualized view of the resource it is attempting to
change, using a copy-on-write strategy. This prevents malware from
overwriting a commonly used file.
This feature is particularly valuable for a large manufacturer such as Fabrikam.
With several different products being developed at the same time—and stored
in the same database—virtualization helps to eliminate system failures and
resource failures caused by changing files.
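The copy-on-write behaviour described above can be made concrete with a small model. The following Python is an added example written for this page; it is not Windows code and does not reproduce Application Impact Management's real redirection rules. The shared path, the application names and the file contents are all constructed for the illustration: an application's first write copies the shared file into that application's private store, and only that application sees the modified copy.

```python
class VirtualizedFileStore:
    """Constructed model of per-application copy-on-write file virtualization.

    Shared files stand for locations many applications read, such as a common
    configuration file. An application's first write copies the file into that
    application's private store; later reads and writes by the same application
    use the private copy, while other applications and the shared file itself
    are left untouched.
    """

    def __init__(self, shared_files: dict):
        self._shared = dict(shared_files)   # path -> contents visible to everyone
        self._private = {}                  # app -> {path -> that app's private copy}

    def read(self, app: str, path: str) -> bytes:
        """An application sees its private copy if it has one, else the shared file."""
        private = self._private.get(app, {})
        if path in private:
            return private[path]
        return self._shared[path]

    def append(self, app: str, path: str, data: bytes) -> None:
        """Copy-on-write: copy the shared file on the first write, then modify the copy."""
        private = self._private.setdefault(app, {})
        if path not in private:
            private[path] = self._shared[path]   # the copy happens here, once per app
        private[path] = private[path] + data

    def shared_view(self, path: str) -> bytes:
        """What every application without a private copy continues to see."""
        return self._shared[path]


# Constructed sample: one shared configuration file and two applications.
SHARED_INI = "C:\\Program Files\\Shared\\app.ini"   # hypothetical path
STORE = VirtualizedFileStore({SHARED_INI: b"[settings]\n"})

if __name__ == "__main__":
    STORE.append("design-tool", SHARED_INI, b"debug=1\n")
    print("design-tool sees :", STORE.read("design-tool", SHARED_INI))
    print("planner sees     :", STORE.read("planner", SHARED_INI))
    print("shared file is   :", STORE.shared_view(SHARED_INI))
```

The design point is that the redirection is keyed by the writing application, so a program (or malware) that modifies a commonly used file only changes its own view of that file.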
Secure Startup
A hardware-based security feature, Secure Startup uses a Trusted Platform Module, which
works with data security mechanisms so that data is only unlocked after the veracity of the
booting process has been confirmed. In other words, the correct version of the operating
system must be used to boot up the PC to view all data, applications, or system files stored on
the Windows volume. If an incorrect version is used, this information remains encrypted and
inaccessible.
Boot Integrity
Secure Startup detects system tampering while Windows is booting up by comparing boot
process characteristics against previously stored measurements. If the characteristics do not
match, the operating system will not load.
This feature safeguards against unauthorized access to confidential data. For instance,
Fabrikam stores clients’ proprietary designs while they are being created—information that
could put the company at legal risk if it were to become compromised. Boot Integrity helps
prevent theft of this data in offline attacks—a frequent means of intellectual property theft—by
disabling a system that has been tampered with before it can boot up.
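The comparison of boot measurements against previously stored values, and the release of the volume key only when they match, can be shown in a few lines. The Python below is an added example for this page, not Microsoft's implementation: it models a TPM 1.2-style register extend (SHA-1, 20-byte register, `PCR = H(PCR || H(component))`) in software and compares the result to the value a key was sealed against. The boot-chain byte strings, the volume key and the `SealedVolumeKey` class are constructed for the example; a real TPM performs the comparison inside the chip rather than in this code.

```python
import hashlib
import hmac

PCR_INITIAL = b"\x00" * 20   # a TPM 1.2 register starts at zero (20-byte SHA-1)


def extend(pcr: bytes, component: bytes) -> bytes:
    """Fold one boot component into the register: PCR = H(PCR || H(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components: list) -> bytes:
    """Measure an ordered boot chain into a single register value.

    Order matters: the same components measured in a different order give a
    different result, which is what makes the chain hard to forge.
    """
    pcr = PCR_INITIAL
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class SealedVolumeKey:
    """Constructed stand-in for a key sealed to an expected measurement.

    A real TPM releases the key only if the register matches; the comparison is
    done here in software to show the decision, not to model the chip.
    """

    def __init__(self, volume_key: bytes, expected_pcr: bytes):
        self._key = volume_key
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes):
        if hmac.compare_digest(current_pcr, self._expected):
            return self._key
        return None   # measurement mismatch: the volume stays locked


def attempt_boot(components: list, sealed: SealedVolumeKey) -> dict:
    """Measure the chain and try to unlock the volume key."""
    pcr = measure_boot(components)
    key = sealed.unseal(pcr)
    return {"measurement": pcr.hex(), "volume_unlocked": key is not None}


# Constructed boot chain: these bytes stand in for the firmware, boot sector,
# boot manager and OS loader images, measured in that order.
KNOWN_GOOD_CHAIN = [b"firmware v1.0", b"boot sector", b"boot manager", b"os loader"]
VOLUME_KEY = b"constructed-32-byte-volume-key!!"
SEALED = SealedVolumeKey(VOLUME_KEY, measure_boot(KNOWN_GOOD_CHAIN))

# Offline tampering: the OS loader on the disk has been replaced.
TAMPERED_CHAIN = KNOWN_GOOD_CHAIN[:-1] + [b"os loader (modified)"]

if __name__ == "__main__":
    print("known-good chain:", attempt_boot(KNOWN_GOOD_CHAIN, SEALED))
    print("tampered chain  :", attempt_boot(TAMPERED_CHAIN, SEALED))
```

Because every component's digest is chained into the register, replacing any one of them (or reordering them) changes the final value, and the sealed key is never released for that boot.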
Full-Volume Encryption (FVE)
Because the entire Windows volume is encrypted and all encryption keys are moved off the
disk, all data—including filenames, registry information, system data, and user data—can only
be viewed when the system is booted and information is viewed by the correct operating
system. Attackers are blocked from using software tools to view data, modify operating system
files, and compromise other security features.
With FVE, Fabrikam can help ensure the security of data and trade secrets by encrypting
documents at the file and folder level when computers are online. Because all hard disk drive
data is encrypted, it cannot be compromised by other users, even if the drive is stolen and
connected to another operating system.
Attack Resilience
Code and data modifications intended to disable security cannot be made while the system is
offline without being detected. Although it is easy to make changes, it is very hard to change a
setting to a desired value. For instance, a Windows operation can be modified by editing the
registry or replacing binary files. With Secure Startup, however, changes to this data will render
the operating system unbootable.
Secure System Files
With Secure Startup, hibernation files, swap files, and crash dump files are all encrypted.
Furthermore, open documents and cached secrets are encrypted in real time as memory
pages are written to the disk.
Code Access Security
To help protect computer systems from malicious mobile code, to allow code
from unknown origins to run with protection, and to help prevent trusted code
from intentionally or accidentally compromising security, the .NET Framework
provides a security mechanism called code access security. Code access
security allows code to be trusted to varying degrees depending on where the
code originates and on other aspects of the code's identity. Code access
security also enforces the varying levels of trust on code, which minimizes the
amount of code that must be fully trusted in order to run. Using code access
security can reduce the likelihood that code can be misused by malicious or
error-filled code, and can also help minimize the damage that can result from
security vulnerabilities in third-party code.
Code Integrity
Code integrity improves the fundamental security of the operating system by validating the
integrity of each binary image using a per-page hash value. A hash value—or hash, for short—
is a number generated from a string of text that is used to help ensure that messages have not
been tampered with. The hash is reviewed as each page is loaded. If it fails the validation
process, the page will not be loaded because it has been maliciously or inadvertently
corrupted.
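Per-page validation as described here can be demonstrated with a short simulation. The Python below is an added example, not Windows code: it records a SHA-256 digest for each page of a constructed image, then re-checks every page at "load" time and reports the pages that fail. The 4096-byte page size, the sample image bytes and the single flipped bit are all constructed for the illustration; the list of digests stands in for the hashes that would accompany a signed image, whose real layout this page does not describe.

```python
import hashlib
import hmac

# Constructed page size for the example; the point is per-page checking,
# not any particular image format.
PAGE_SIZE = 4096


def build_page_hashes(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """Record a SHA-256 digest for every page of a binary image."""
    return [hashlib.sha256(image[i:i + page_size]).digest()
            for i in range(0, len(image), page_size)]


def verify_page(image: bytes, index: int, expected: list,
                page_size: int = PAGE_SIZE) -> bool:
    """Check one page the way it would be checked as it is paged in."""
    if index >= len(expected):
        return False   # page not covered by the recorded hashes: reject it
    start = index * page_size
    page = image[start:start + page_size]
    return hmac.compare_digest(hashlib.sha256(page).digest(), expected[index])


def load_image(image: bytes, expected: list,
               page_size: int = PAGE_SIZE) -> list:
    """Simulate paging the whole image in; return the indices of rejected pages.

    An empty list means every page matched. Pages appended beyond the recorded
    range, and pages whose length changed, are rejected as well.
    """
    total_pages = max(len(expected), -(-len(image) // page_size))
    return [i for i in range(total_pages)
            if not verify_page(image, i, expected, page_size)]


# Constructed sample image: three pages of a repeating byte pattern.
GOOD_IMAGE = bytes(range(256)) * 48
CATALOG = build_page_hashes(GOOD_IMAGE)

_tampered = bytearray(GOOD_IMAGE)
_tampered[5000] ^= 0x01            # one flipped bit inside page 1
TAMPERED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    print("clean image, rejected pages   :", load_image(GOOD_IMAGE, CATALOG))
    print("tampered image, rejected pages:", load_image(TAMPERED_IMAGE, CATALOG))
```

Checking per page rather than per file means a single corrupted page is identified and refused without having to re-hash the whole image on every load.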
Authenticode
Microsoft Authenticode was designed to remove the worry of downloading programs from the
Internet because it digitally signs and validates application code. Not only does it assure users
that the code is from who it says it is, but it also verifies that the code has not been tampered
with since its publication. Authenticode helps organizations such as Fabrikam protect against
malware masquerading as a legitimate program because it alerts users that the digital
signature is not valid.
Software Restriction Policy
Software restriction policies provide administrators with a policy-driven
mechanism that first identifies software running in their domain, and then
controls the ability of that software to run. Using a software restriction policy,
an administrator can help prevent unwanted applications from running; this
includes viruses and Trojan horses, or other software that is known to cause
conflicts when installed. Software restriction policies can be applied to the
enterprise in one of two ways:
• Only let trusted code run. If all trusted code can be identified, the
administrator can lock down the system to help ensure its security. For
instance, the administrator could create a policy in which the only allowed
programs are Microsoft Word and Microsoft Excel®. If a user were to
download a program from the Internet, the program would not run because
it is not on the trusted list.
• Help prevent unwanted code from running. An administrator does not
always know the programs users need to run. In this case, administrators
can create rules as undesirable code is encountered. For example, if users
were running file sharing programs that hogged the network’s bandwidth,
the administrator could create a rule to identify the setup program of that
software and stop it from being installed.
Fabrikam has hundreds of different applications running on its enterprise
domain—from the operating system and productivity applications to
industry-specific programs and middleware. And because all of these applications are
integrated and mission-critical, the IT staff can choose to let only trusted code
run. For instance, they can specify that users can only use productivity
applications, e-mail, and specific line-of-business applications.
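Both ways of applying a software restriction policy, the "only trusted code" lockdown and the "block what is known to be unwanted" approach, come down to a default level plus a set of rules. The Python below is an added example for this page and is not the Windows policy engine: it models path rules (a glob on the program's location) and hash rules (a digest of its contents) with a simplified precedence, assumed for the example, in which a hash rule beats any path rule and the most specific matching path rule wins. The Office path, the file-sharing installer bytes and both policies are constructed.

```python
import fnmatch
import hashlib
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"


@dataclass
class Rule:
    kind: str      # "path" (glob on the file's location) or "hash" (hex SHA-256 of its contents)
    pattern: str
    level: str     # ALLOW or DENY


@dataclass
class Policy:
    default_level: str   # applied when no rule matches
    rules: list

    def evaluate(self, path: str, contents: bytes) -> str:
        """Decide whether a program may run.

        Precedence assumed for this example: a hash rule beats any path rule,
        and among path rules the most specific (longest) matching pattern wins.
        """
        digest = hashlib.sha256(contents).hexdigest()
        for rule in self.rules:
            if rule.kind == "hash" and rule.pattern == digest:
                return rule.level
        best = None
        for rule in self.rules:
            if rule.kind == "path" and fnmatch.fnmatchcase(path.lower(), rule.pattern.lower()):
                if best is None or len(rule.pattern) > len(best.pattern):
                    best = rule
        return best.level if best is not None else self.default_level


OFFICE = "C:\\Program Files\\Microsoft Office\\"   # constructed install location

# Way 1: only let trusted code run. Default deny; the Office directory is
# allowed, except for its setup program, which a more specific rule denies.
LOCKDOWN = Policy(DENY, [
    Rule("path", OFFICE + "*", ALLOW),
    Rule("path", OFFICE + "setup.exe", DENY),
])

# Way 2: help prevent unwanted code. Default allow; a hash rule blocks the
# setup program of a bandwidth-hogging file sharing tool wherever it is copied.
P2P_SETUP = b"constructed: installer of a file sharing program that hogs bandwidth"
OPEN = Policy(ALLOW, [
    Rule("hash", hashlib.sha256(P2P_SETUP).hexdigest(), DENY),
])

if __name__ == "__main__":
    print("lockdown, Word          :", LOCKDOWN.evaluate(OFFICE + "winword.exe", b"word"))
    print("lockdown, download      :", LOCKDOWN.evaluate("C:\\Users\\bob\\Downloads\\game.exe", b"game"))
    print("open, renamed installer :", OPEN.evaluate("C:\\Temp\\harmless.exe", P2P_SETUP))
```

The hash rule illustrates why an administrator reaching for the second approach identifies the setup program by its contents: renaming or moving the file does not change its digest, whereas a path rule would no longer match.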
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into
Windows Longhorn Server that works to protect network resources. NAP
evaluates the health of devices attempting to access networked resources
such as applications, data, and information.
Through NAP, a network can be shielded from viruses, worms, and malicious
software by helping to verify and directly update any computer attempting to
access the network. Non-compliant clients are restricted from network access.
This set of technologies allows an IT administrator to keep the endpoints
healthy and provides flexible, customized control of network health policies.
Note that NAP is not designed to secure a network from malicious users;
rather it is designed to help administrators maintain the health of the
computers on the network.
When a client tries to access the network, it must present its system health
state. If a client cannot prove it is compliant with the system health policy, its
access to the network can be restricted to a special network segment
containing access to server resources so compliance issues can be remedied.
After the updates are installed, the client again requests access to the network,
presenting updated health credentials. Now compliant, the client is granted full
access to the network based on the associated access policy. For greater
control and a better user experience, health credentials are reusable for
immediate access to the network until there is a change in client health state or
system health policy.
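The exchange in the two paragraphs above (present health, be restricted, remediate, re-present, then reuse the credential until health or policy changes) is easy to trace in code. The Python below is an added example written for this page; it is not the NAP protocol or its message formats. The two health checks (antivirus signature version and firewall state), the policy values, the client names and the `HealthServer` class are constructed for the illustration, and remediation is simulated by updating the client's statement of health in place.

```python
from dataclasses import dataclass

FULL, RESTRICTED = "full", "restricted"
AV_OUT_OF_DATE, FIREWALL_OFF = "av_signatures_out_of_date", "firewall_off"


@dataclass
class HealthPolicy:
    min_av_signature_version: int
    firewall_required: bool = True


@dataclass
class StatementOfHealth:
    av_signature_version: int
    firewall_on: bool

    def failures(self, policy: HealthPolicy) -> list:
        """Which parts of the policy this client does not meet."""
        problems = []
        if self.av_signature_version < policy.min_av_signature_version:
            problems.append(AV_OUT_OF_DATE)
        if policy.firewall_required and not self.firewall_on:
            problems.append(FIREWALL_OFF)
        return problems


class HealthServer:
    """Constructed policy server: evaluates statements of health, issues credentials."""

    def __init__(self, policy: HealthPolicy):
        self.policy = policy
        self.credentials = {}   # client id -> snapshot the credential was issued for

    def _snapshot(self, soh: StatementOfHealth) -> tuple:
        # A credential covers one combination of client health and policy.
        return (soh.av_signature_version, soh.firewall_on,
                self.policy.min_av_signature_version, self.policy.firewall_required)

    def request_access(self, client_id: str, soh: StatementOfHealth):
        problems = soh.failures(self.policy)
        level = FULL if not problems else RESTRICTED
        if level == FULL:
            self.credentials[client_id] = self._snapshot(soh)   # reusable until state changes
        return level, problems

    def credential_still_valid(self, client_id: str, soh: StatementOfHealth) -> bool:
        return self.credentials.get(client_id) == self._snapshot(soh)


def remediate(soh: StatementOfHealth, problems: list, policy: HealthPolicy) -> None:
    """Fixes applied from the remediation servers reachable on the restricted segment."""
    if AV_OUT_OF_DATE in problems:
        soh.av_signature_version = policy.min_av_signature_version
    if FIREWALL_OFF in problems:
        soh.firewall_on = True


def connect(client_id: str, soh: StatementOfHealth, server: HealthServer) -> list:
    """Whole exchange; returns the sequence of access levels the client passed through."""
    if server.credential_still_valid(client_id, soh):
        return [FULL]                     # credential reused, no re-evaluation
    level, problems = server.request_access(client_id, soh)
    history = [level]
    if level == RESTRICTED:
        remediate(soh, problems, server.policy)
        level, _ = server.request_access(client_id, soh)   # re-present updated health
        history.append(level)
    return history


if __name__ == "__main__":
    server = HealthServer(HealthPolicy(min_av_signature_version=120))
    stale = StatementOfHealth(av_signature_version=110, firewall_on=False)
    print("stale client :", connect("laptop-2", stale, server))
    print("same again   :", connect("laptop-2", stale, server))
```

The snapshot stored with each credential is what makes it reusable yet safe: a change to either the client's health or the policy produces a different snapshot, so the next connection is re-evaluated rather than waved through.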
Microsoft Anti-Spyware
The Windows AntiSpyware beta improves Internet browsing safety by helping
guard against spyware. This beta has been downloaded more than 21 million
times and has removed tens of millions of spyware packages since its release
in January, 2004.
Internet Explorer 7
Internet Explorer 7 features focus on core security architecture changes that
offer dynamic protection against data theft, fraudulent Web sites, and malicious
and hidden software. With Microsoft Windows AntiSpyware application,
Internet Explorer 7 helps users achieve an unprecedented level of security
protection:
• Defend against malware. Helps customers have more confidence in the
security of their browsing and helps prevent installations without their
consent.
• Help protect against data theft from fraudulent Web sites. Internet
Explorer 7 includes new personal data safeguards to help users more
safely and securely engage in legitimate e-commerce and avoid divulging
personal information to identity thieves.
• Full control over add-ons. Users have full control over add-ons and will
be able to more safely and easily add functionality on their computer
system while avoiding inadvertent or hidden download of unintended
content.
Windows Malicious Software Removal Tool
The Windows Malicious Software Removal Tool (MSRT) checks for and
removes the most prevalent malicious software families. This tool has had
more than 830 million executions since its introduction in January, 2004.
Conclusion
As the very first stage in effective Access Control, System Integrity secures the reliability of
Windows through a combination of hardware and software solutions. Although computing
systems will always be a target for malicious code and hackers, Microsoft is committed to
creating secure, safe environments in which authorized users get the information they need—
and critical business data remains confidential.
With Windows Vista, security is greatly heightened to help ensure the integrity of all computing
systems and deliver the security enterprises need to safeguard their proprietary and
confidential data. Whether detecting and preventing malware or protecting data, security
mechanisms are now built in to the operating system itself—rather than as add-ons. As a
result, gaining a more secure computing environment is as simple as installing a new operating
system. In addition, Windows Vista takes advantage of hardware innovations to protect
information, no matter whether it’s being stored, backed up, or is currently in use.
For enterprises actively seeking to augment security and reduce the risk of unauthorized
access, there are four key steps to achieving system integrity.
1. Evaluate your existing system hardware and software. What are their
shortcomings? What areas need to be improved? Can the current configuration
provide the security required to safeguard against malicious code and ensure data
integrity?
2. Determine and prioritize critical challenges. Using the answers from the previous
step, list and prioritize the challenges related to access control and system integrity.
3. Determine appropriate solutions to those challenges. Some features of Windows
Vista may be more relevant than others. What are the appropriate solutions that will
solve the most pressing needs?
4. Establish and execute an improvement strategy. Any improvement strategy should
be based on solving priority challenges through a sequential series of improvements.
Additional Resources:
The Access Control Strategy Series of white papers can help you understand
the primary components of access control technologies. Other papers in the
series include:
• Trustworthy Identification – reliably authenticating users, computers,
and applications.
• Access Policy Management – automating access based on organization
policies for users, computers, and applications.
• Information Protection – securing information on networks, mobile
devices, laptops, and when distributed outside the firewall.
• Compliance – how access control can help ease compliance with
regulations.