What should Microsoft do in Windows 8 and beyond to make Windows more secure?

What should Microsoft do in Windows 8 and beyond to make Windows more secure?

Some ideas:

• Get rid of Window Defender; install and enable Microsoft Security Essentials by default.
• Use cloud-based technology that profiles the behavior of every executable (by hash) and does checks on every executable (by hash) before execution, similar to Prevx. This technology would be enabled by default.
• Implement default-deny for execution of files not known to be safe in locations where a standard user can write to. There would be an exception to this for a folder (or folders) where execution can take place, but only after a prompt is answered.
• New user accounts are standard user accounts by default.
• In standard user accounts, when a UAC prompt appears, there is also an option to cache admin credentials for the remainder of the session. If this caching has taken place, then the user simply has to hit OK on subsequent UAC prompts, instead of providing admin credentials.
• Ability to whitelist UAC prompts, with AppLocker-like flexibility in rule creation. In a standard user account, the whitelist is effective only if admin credential caching has taken place during the current session. Developers would still be encouraged to write software that doesn't unnecessarily require admin permissions because even if a developer whitelists her software during installation, in a standard account full admin credentials must be supplied, unless admin credential session caching has taken place in the session.
• Fix other UAC issues, such as this one.
• UAC elevation for any executable not known to be safe requires extra prompts due to the danger presented.
• Let any developer freely and legally consult Microsoft's SmartScreen filter in her program.
• Provide a massive software download site where only non-malware is offered. All software here is scanned with multiple anti-malware scanners regularly. If the Prevx-like profiling technology convicts any software found here, it will be promptly removed.
• Provide standard facilities to developers to auto-update their apps.
• Turn on SEHOP and other exploit mitigation technologies for all programs by default.

What do you think?

 

I think you just made Windows unusable for Microsofts' biggest customer base. I see another issue here, "encouraging developers" to do anything. Software devs are just like website devs, they'll do whatever they want for their "babies". They encouraged developers to have their apps digitally signed, to this day even a bunch of the more well-known apps have not done so. 64bit software is STILL a pain to find, yet a huge percentage of "off the shelf" systems are 64bit. This is especially bad in the security sector, where either devs CAN'T support 64, or WON'T.

So encouragement does very very little. It takes users/customers abandoning them for some developers to come around. I'm not sure caching credentials would be a good move from a security standpoint, even for a single session. Reading through Microsoft help, they can barely simplify explanations of the most used Windows functions, God help us when they try to explain default-deny and "applocker-like rule-making".

You've got smart ideas and have good intentions, but just sit back and visual the normal Windows user. Think of Mom, Dad, Little Sally and Joe, and Grandpa and Grandma, you'll then see why your ideas would cause more problems than they'd solve.

 

In addition to above,
-- Implement XServer security so that apps only have access to events only in their window:
https://www.wilderssecurity.com/showthread.php?t=281119
--Advertise the heck out of LUA.
--Give SRP/Applocker to all

 

I meant "encouragement" in the same sense as it exists today for Vista and Windows 7 - if a developer's app uses admin permissions unnecessarily, then the user has to answer a prompt.

On my computer, so far only two programs have failed due to my default-deny AppLocker rules: LastPass, and Adobe Flash on IE. Developers who want their apps to work on Windows 8+ would thus be "encouraged" to get their apps working in a default-deny configuration.

Regarding the user interface for admin credential caching, it could be as simple as a checkbox on a UAC prompt saying "Use these credentials for future UAC prompts for the remainder of this session, so that I don't have to type them again." Similarly, for the UAC whitelisting, there could be a checkbox on a UAC prompt saying "Never ask again for this program."

 

I agree and should have explicitly mentioned this. It was implicit because I mentioned having default-deny functionality.

 

Put a Mandatory Access Control system into the windows kernel, much like Linux has with its plethora of MAC systems. The Windows Integrity Control is meant to sort of serve this function but it pretty much sucks as it is right now (no configuration possible).

Copy the Unix umask where all newly created files are not executable by default. The user must manually make them so.

User accounts by default

Copy the Linux distros and create a secure, digitally signed software repository (though this is about as likely as pigs flying for a number of reasons beyond MS's control).

Opt all programs into DEP/ASLR by default (if they are compatible of course).

dw426 said:

It's funny how Windows developers have such a hard time with 64 bit apps, where almost all apps available for the various *nixes are native 64 bit. What's the deal?

 

Too many programs require admin, it's a ridiculous situation, but old habit does very hard I guess. What I was worried about with saving UAC credentials was malware either screwing with it in some way or actually capturing the credentials. Granted that could be stopped with your SRP suggestion, but as I mentioned elsewhere, it's more likely to frustrate your "normal" user than protect. Heck, some people can't even stand UAC, and, even at its highest level, it is hardly bothersome.

 

• By default, files within \Program Files and \Windows cannot be made writable by a standard user. Do similar for HKLM in the registry, and any other type of objects.

 

It seems some of it, in the security sector, is "principle" as in "I want Microsoft to change their ways, so I'm not going to support them". I've seen that a lot, two of which I could name, but I'd be burned at the stake so...oh well, maybe I'll have time to grill a burger while I wait for the flames to reach me:

1. Sandboxie. Smartened up and realized slightly less protection was better than losing a bunch of customers.

2. Defensewall. From its own devs mouth, it was a matter of principle. And, as of yet, this attitude has not changed.

 

The UAC credentials would by default be supplied in a separate session, as is done now already. The UAC credentials would not be readable by a standard user. With admin credential caching, a UAC prompt would still be generated when necessary, but just with OK or Cancel options, much the same as is the case in an admin-approval account today.

 

Okay, I see then. That wouldn't be bad.

 

Malware could still issue a fake UAC prompt to try to get admin credentials. So maybe Microsoft should require CTRL+ALT+DEL (the Secure Attention Sequence) by default when admin credentials are being asked for.

 

No, they are not!!! Firefox, flash, acroread, thunderbird and others are all 32 bit for linux. Actually there is an old 64 bit version of flash.

 

To be fair, Chrono said "almost all", lol. An old 64 bit Flash from Adobe? Or one of those half-working, buggy "alternatives" that Linux users claim as "victories"? That sounded a bit rude, I didn't mean to, but I've run into that on Linux systems. A major vendor denies support, so someone decides to make their own version of a driver or something and it causes a mess. Now, back to the topic before I get assassinated by someone from the Linux forum dropping in here, lol.

 

Huh? There is a native 64 bit Firefox for Linux and has been for years. I can't speak for acroread but I am pretty sure Thunderbird is x86_64 as well. You are probably confused because Mozilla only offers 32 bit Firefox for Linux on their website as binary packages. They leave it up to the distros to compile the 64 bit versions themselves (which most do).

Adobe released a 64 bit version of Flash for Linux before they did Windows. They have since stopped supporting the 64 bit version temporarily for some reason but will continue development in the future.

 

I've heard "coming soon" about 64bit Flash for so long that by the time I care again, Flash will be replaced, lol.

 

• 
  
  While I do agree, I don't see it happening. Other security vendors would start complaining. That's the reason, IMHO, why Microsoft didn't bundle it with Windows 7, in the first place.
  
  
  YES!
  
  
  How would that provide any additional security? If the user wants to run it, it will be run. It doesn't matter if it took them 100 prompts (Well, I guess this would make them give up! ).
  
  
  I like that! Also, Windows should only accept digitally signed software! If software developers do not want it, give up being developers!
  
  
  Considering that applications would support it, yes. But, I guess this would follow the principle that every Windows application would need to be placed at the software download site. So, yes, I like it.
  
  
  All in all, nice suggestions. Some not feasible, due to the masses lacking certain knowledge.
  
  I would also like to add the following:
  
  A secondary Administrator account with fewer privileges, for those applications only requiring access to %PROGRAMFILES% dir and HKCU, and that's it.

 

It's easy to approve a UAC prompt without much thought....

 

Isn't there already some digitally signed malware out there? Also, isn't that a quite expensive procedure? Or am I mixing this with something else? If, like I think, it's a process through Microsoft that costs, what about those small-time developers/one man shows? What if they can't afford it, but their products are top notch?

A Windows "store", almost a repository the way Mr Brian described, is a bad idea that sounds fantastic on paper. I can't imagine it being difficult to sneak things in, after all, scanners are having a hard enough time as it is keeping up. And, who is to say the "watchers" over the store would keep things locked down? Even Mozilla once in a while gets a bad apple, and they review things before they even let an extension be listed. Heck, Apple themselves have listed malicious apps in their store, and you can't get any more restrictive than they do with what they let in and don't.

Call me a pessimist, I just don't see it panning out.

 

Clever infomercial.

 

There is some digitally signed malware out there.

I didn't actually suggest that downloads from the store would have to be digitally signed. Beyond the regular anti-malware scans, hopefully there would also be an employee who does some investigation of a given software's reputation - e.g. they should accept Avira but not Antivirus 2009. I'm under no illusion that no malware would be able to get through whatever process Microsoft would use, but that doesn't make trying useless - don't let perfection be the enemy of the good.

A Windows store might be part of the plans for Windows 8.

 

In addition to the other excellent suggestions, especially those of MrBrian's in his first post, improve the Windows firewall to give alerts on programs attempting outbound connections (when two-way control is enabled), and allow easy to create rules on the fly, as well as improve the logging info to include the program allowed or blocked. The only caveat with this is it will certainly hurt sales of 3rd party offerings.

I'm getting sick of waiting for a 64 bit release from them, and I hope it does get replaced by something else if Adobe doesn't get off their useless hides and offer it by the time Win 8 is released.

 

OS Virtualization or application virtualization/sandboxing across all Windows versions.

 

Built-in Sandboxie, problems solved We could ask for pre-configuration, but that would just lead to another Microsoft vs EU mess again, lol.

 

I personally don't have a problem with Microsoft when they include useful functionality in the OS, although I realize that competing third-party vendors can be greatly hurt. I recall that sales in Europe of a version of Windows without Media Player were underwhelming.