August 29, 2005 4:00 AM PDT

Microsoft's leaner approach to Vista security

A correction was made to this story. Read below for details.
Microsoft is talking up support for hardware-based security in Windows Vista, though only a sliver of the company's original plan will make it into the operating system.

Three years ago Microsoft unveiled Palladium, renamed Next-Generation Secure Computing Base (NGSCB) after the original name became tainted with controversy over privacy and fair-use issues and because another company claimed rights to the Palladium name. The technology was to be part of the next Windows release.

NGSCB promised to boost PC security by using hardware and software that would allow parts of a computer to be isolated from malicious code such as viruses and worms. It also would foil attacks that use logging devices by encrypting data as it moves between a PC's hardware components. NGSCB required significant changes to hardware and software.

In May 2004, following criticism from software makers, Microsoft said it was retooling NGSCB so some of the benefits would be available without the need to recode applications. The company has been silent on the plan since, though it insists NGSCB is not dead. Instead, its delivery is still to be determined, according to Microsoft's Web site.

Now Microsoft is busy telling hardware and software makers about Secure Startup in Windows Vista, which it says is the "first delivery" on its hardware-based security plan. Vista, previously known by its code name, Longhorn, is the next client release of Windows, due on store shelves in time for next year's holiday shopping season.

Secure Startup is primarily designed to prevent laptop thieves and other unauthorized users with physical access to a computer from getting access to the data on the system. Nearly half of all enterprises had laptops stolen, causing $4.1 million in damage, according to a January survey by the Computer Security Institute and the FBI.

"The number one goal is to prevent attackers from using software tools to get at information that is at rest on the hard drive," Stephen Heil, a technical evangelist at Microsoft, said in a presentation at the Intel Developer Forum in San Francisco last week.

Current versions of Windows offer encryption of files and folders, and PCs include start-up security such as Basic Input/Output System, or BIOS, passwords. However, both can be easily circumvented by an attacker with physical access to the PC. "You can get access to the system in less than 15 minutes," Heil said. The BIOS is the firmware that lets hardware speak to software in a PC.

Secure Startup uses a chip called the Trusted Platform Module, or TPM, which offers protected storage of encryption keys, passwords and digital certificates. Vista uses this capability to verify that a PC has not been tampered with when it starts up and to protect data through encryption. The TPM is typically affixed to the motherboard of a PC. Because it is stored in hardware, the information is more secure from external software attacks and physical theft.

TPMs are made by a host of chip companies including Atmel, Broadcom, Infineon, Winbond Electronics, Sinosun and STMicroelectronics.

To service a PC, the Secure Startup feature can be temporarily disabled. And if a PC breaks and data on a hard drive needs to be accessed on, say, a different machine, a recovery key can unlock the system, Heil said. This recovery key is generated when a user enables Secure Startup and should be stored away from the computer.
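The two paragraphs above describe the mechanism in outline: the TPM keeps the keys, Vista checks at start-up that the machine has not been tampered with before the data is unlocked, and a recovery key stored away from the PC is the fallback. The following is an added, constructed Python model of that flow; it is not Microsoft's Secure Startup code and not the real TPM 1.2 interface. It assumes the standard TPM approach of hash-chaining each boot component into a measurement register and sealing the disk key to the expected register value; the article does not spell that out. All names (`ToyTPM`, `measure_boot`, `demo`) and the boot-component strings are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of the idea described in the article: each boot
# component is hashed into a register, the disk key is sealed to that register
# value inside the chip, and a recovery key kept off the machine is the only
# other way to unwrap it. Illustration only: not Microsoft's Secure Startup code
# and not the real TPM 1.2 command interface.


def extend(register: bytes, component: bytes) -> bytes:
    """TPM-style extend: new value = SHA-256(old value || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Chain every boot component (firmware, boot loader, OS loader, ...) into one
    value. Changing, reordering or removing any component changes the result."""
    register = bytes(32)
    for component in components:
        register = extend(register, component)
    return register


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyTPM:
    """Holds a root secret that never leaves the chip and releases a sealed key
    only when the current boot measurement equals the one recorded at seal time."""

    def __init__(self):
        self._root = secrets.token_bytes(32)

    def seal(self, volume_key: bytes, expected_measurement: bytes) -> dict:
        mask = hmac.new(self._root, b"seal" + expected_measurement, hashlib.sha256).digest()
        wrapped = _xor(volume_key, mask)
        # The tag binds the wrapped key to the measurement it was sealed under.
        tag = hmac.new(self._root, expected_measurement + wrapped, hashlib.sha256).digest()
        return {"wrapped": wrapped, "tag": tag}

    def unseal(self, blob: dict, current_measurement: bytes):
        tag = hmac.new(self._root, current_measurement + blob["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None  # boot chain differs from the sealed state: key is withheld
        mask = hmac.new(self._root, b"seal" + current_measurement, hashlib.sha256).digest()
        return _xor(blob["wrapped"], mask)


def make_recovery_protector(volume_key: bytes, recovery_key: bytes) -> dict:
    """Wrap the same volume key under the user's recovery key (no TPM involved)."""
    mask = hashlib.sha256(b"recovery" + recovery_key).digest()
    return {"wrapped": _xor(volume_key, mask), "check": hashlib.sha256(volume_key).digest()}


def unlock_with_recovery(protector: dict, recovery_key: bytes):
    """Recover the volume key on any machine; a wrong recovery key yields None."""
    mask = hashlib.sha256(b"recovery" + recovery_key).digest()
    candidate = _xor(protector["wrapped"], mask)
    if hmac.compare_digest(hashlib.sha256(candidate).digest(), protector["check"]):
        return candidate
    return None


# Constructed sample boot chains (placeholder strings, not real firmware images).
GOOD_BOOT = [b"firmware 1.0", b"boot loader 1.0", b"os loader 1.0"]
TAMPERED_BOOT = [b"firmware 1.0", b"boot loader 1.0 (modified)", b"os loader 1.0"]


def demo():
    """Returns (normal boot unlocks, tampered boot is refused, recovery path works)."""
    tpm = ToyTPM()
    volume_key = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(32)  # generated when Secure Startup is enabled

    sealed = tpm.seal(volume_key, measure_boot(GOOD_BOOT))
    recovery = make_recovery_protector(volume_key, recovery_key)

    normal = tpm.unseal(sealed, measure_boot(GOOD_BOOT)) == volume_key
    tampered = tpm.unseal(sealed, measure_boot(TAMPERED_BOOT)) is None
    recovered = unlock_with_recovery(recovery, recovery_key) == volume_key
    wrong_key = unlock_with_recovery(recovery, secrets.token_bytes(32)) is None
    return normal, tampered, recovered and wrong_key


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point the model makes is that the chip never compares a password: it compares what actually ran at boot against what ran when the key was sealed, so swapping the boot loader or the disk into another machine changes the measurement and the key stays inside. The recovery protector is deliberately independent of the chip, which is why the article says the recovery key must be stored away from the computer: anyone holding it bypasses the measurement check entirely.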

Heil spoke at IDF to encourage hardware makers to adopt the latest TPM specification, version 1.2, released earlier this year. This is the version that Microsoft will support

 
Correction: This story misreported National Semiconductor as a vendor of TPM chips. National Semiconductor sold its Super I/O business, including its TPM products, to Winbond Electronics in May.

CONTINUED:
Page 1 | 2

78 comments

Join the conversation!
Add your comment
Where'd all the tech savvy columnists go?
From the article:
---------------------
"Current versions of Windows offer ... start-up security such as Basic Input/Output System, or BIOS passwords"
---------------------

What? BIOS passwords and security have absolutely nothing to do with the OS being used on a system. It is completely a function of the hardware used. There is zero interaction between the OS (or any other software) and any form of BIOS security.
Posted by ebrandel (102 comments )
There is interaction between BIOS/Windows...
There is interaction between BIOS security and Windows XP. Take a look at this info on Microsoft's Web site:

"Also be aware that BIOS security can supercede Windows XP Professional security by preventing Windows XP Professional from taking control of the computer or other devices."

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdc_mcc_wmnc.asp
Posted by mike ricciuti (12 comments )
Didn't learn from the PIII
I guess they do not remember the stiff backlash against the Pentium III serial number. Hopefully consumers will react similarly to this.

Sorry, but you don't need a special chip to encrypt a hard drive. It would be nice if they would just cut the crap and admit the real motivation is DRM.
Posted by CagedAnimal (67 comments )
We can only hope
I'm not so sure that we will see the same backlash against this new technology that we did against the Pentium III serial number. If you look at the current track record of modern, non-technical computer buyers, they don't seem too worried about their privacy.

I seriously doubt that the people who have spyware-ridden computers know enough to understand the possible implications of TPM.
Posted by ddesy (4336 comments )
treacherous computing
great, at least Vista isn't forcing this censorship upon us just yet. we all know MS wants TC to block "unauthorised" software on a machine. to MS anything unauthorised is anything they don't want on your machine (ie. linux instead of windows, openOffice instead of MS Office, RealPlayer instead of Windows Media Player etc)
Posted by Scott W (419 comments )
Why are people willfully missing the point?
Regardless of what you want, 'Protected Computing', DRM, and the lot are there for the content providers' benefit, not MS. Here is how it works:
1. Major players put DRM tech into the computer/OS
2. Content providers (let's say movie makers) say 'requires on-chip DRM to play'. No chips, no support, doesn't play on that machine.
3. Linux, or any OS that refuses to put the technology into the OS, is left WAY out in the cold.
Same thing goes in business settings. 'These files only usable by these machines. Can't do that in hardware? Don't buy them!'
That will be the end of any desktop OS, regardless of who makes it.

MS, if they even hinted at disallowing OpenOffice/ any rival, would be in court before we were aware of it. The RIAA, Hollywood, those are the folks that are making this happen. Any OS provider not following along is putting a nail in their coffin.
Posted by catchall (245 comments )
Beware the Wolf in Sheep's Clothing
Microsoft wants to use a chip to encrypt and protect my data? Wow. I'm so naive I thought that I could use encryption software to do this. ;-) Gee Mr. Gates, thank you for thinking about me. But how come I can't play my .avi files anymore? Or rip my CD's to iTunes? Or rip my DVD's to avi files? Huh? What's this stuff called "DRM" anyway?

Remember the fable: beware of a wolf in sheep's clothing.
Posted by R. U. Sirius (745 comments )
Awww...big bad Microsoft, is it?
To the pompous and eloquent tech geniuses who have made certain posts to this string, no one is forcing anyone to use Microsoft products. No one is forcing anyone to use the internet to send email and surf the web for that matter - use a carrier pigeon for mail and your local library to do research; no one's ever hacked or spammed these telecomm methods. I am wearying of the Microsoft slams for one specific reason: business is business. And yes, Microsoft wants you to use their products like MediaPlayer and Internet Explorer. So what's the alternative? I'm developing little patience for conspiracies of idiocy. The purpose of business is to make a profit. And to blame MSFT just cause they're the global market killer in their space is as silly as blaming the Stones for corrupting your teenage daughters' minds.
Posted by malabrm1 (36 comments )
Except that if you don't like the 'Stones
you aren't forced to listen to 'em.
Posted by CharlesRovira (97 comments )
And I'm sick of
fools who are willing to give away the whole country to corporate interests in the name of 'business is business'. People are people and I, for one, am tired to death of corporate greed crapping on my entire existence.
Posted by Michael Grogan (308 comments )
The Disgruntled Fight Back
No, you are wrong. The purpose of business is to make a quality product that the consumer can enjoy.

We, the disgruntled, neither think MS products are quality nor enjoyable. And since MS has an overwhelming presence in the market place because of their unfair practices, most of us are forced to use their substandard junk software.

But the day is coming when they will be no more.
Posted by cjohn17 (268 comments )
don't use the internet?
wow, you are an idiot...
many of the anti-MS crew do our best to NOT use windows and its offspring. unfortunately, when we go to work/school we find windows on our machines. it wouldn't be so bad if we didn't lose a week's work when the server (frequently) goes down.

don't use the internet? how else do you propose we obtain linux and get support for it? if you're sick of anti-MS remarks why don't you stop viewing talkback? or better yet, follow your own advice and sign off the internet, switch off your computer and bury your head in the sand. the MS way isn't the only way and we are going to express our disapproval of their monopolistic tactics.
Posted by Scott W (419 comments )
Another opportunity missed
to clean up their act and their software.

And they wonder why people are getting into Linux and why they're looking at Mac OS X.
Posted by CharlesRovira (97 comments )
Wasn't TPM bypassed in Apple's Intel Dev machines
n/t
Posted by technewsjunkie (1265 comments )
flawed logic
Nice try to justify Trusted Computing, too bad your logic is a lil' flawed.

First, it's not only Microsoft that wants the TPM on our desk and laptop but the COMPLETE INDUSTRY. IBM, Intel, AMD, Apple, Microsoft, Dell. You have no choice. Yes you could use Linux, but with 95% of users using TC, DRM will find its way into our homes and you, Linux user, will not be able to use these services.
So then your second argument, don't use the internet?
Let me get this straight, what you basically are saying is this: if you don't like me to invade your home, confiscate your living room, just go live on the street? I'm not buying you any coffee.
Posted by (9 comments )
Circumvented Encryption
CNET wrote that story implying that Stephen Heil said that Windows XP file encryption can be bypassed in 15 minutes. I doubt it. He was probably only referring to the BIOS. If you encrypt files on a hard drive on NTFS and then re-install Windows you will lose access to the files. Furthermore, Windows NT does not use the BIOS to talk to the Hardware. That was Windows 9x.
Posted by Andrew J Glina (1673 comments )