Feds' view of Vista focuses on security
Connecting state and local government leaders
When asked what most interests the Army about the upcoming Microsoft WindowsVista operating system, Lt. Col. Clinton Wallington III put it succinctly: 'Security. Security, without a doubt.'
VISTA'S USER ACCOUNT CONTROLS gives administrators power over who can do what, but has been criticized as 'too chatty.'
Wallington, director of advanced
technologies in the Army
CIO's office, served with the 2nd
Armored Division during the
1991 Persian Gulf War. So although
he is still in the military,
he is also classified as a veteran.
'Guess who got one of those 26
million letters [from the Veterans
Affairs Department about
the theft of their personal
data]?' Wallington said.
Wallington participated in a
recent Washington panel discussion
of government IT professionals
sponsored by Microsoft
Corp. and the Potomac
Forum Ltd.
While the gathering was intended
to brief agency decision-
makers on new features in
Vista, the recent data breach at
VA provided a stark backdrop.
As a result, the session's liveliest
discussions centered on security
features in the next-generation
OS.
More security features
'If that laptop had been using
[Vista], I would feel infinitely
safer,' Wallington said, citing the
product's support for rights
management, network access
control and the Trusted Platform
Module specification
through Vista's BitLocker drive
encryption software.
Still, questions swirled around
the BitLocker feature, which encrypts
the user's hard drive and
stores a key in the TPM 1.2 chip,
if one exists in the system (if not,
Vista can store the BitLocker key
on a USB flash drive). Company
officials pointed out that Bit-
Locker employs Federal Information
Processing Standardscompliant,
Advanced Encryption
Standard cryptography.
Patrick Arnold, chief technology
officer for Microsoft Federal,
assured attendees that BitLocker
keys could be archived through
Microsoft Active Directory in the
event a security officer or law enforcement
agency needed access
to an encrypted drive. 'We don't
recommend deploying Vista
without this key escrow feature
enabled,' Arnold said.
Joseph Broghamer, who works
on authentication technologies
in the Homeland Security Department's
CIO office, probed
Microsoft officials on whether
BitLocker would interoperate
with the Personal Identity Veri-
fication II cards that DHS and
other agencies must roll out this
year in compliance with Homeland
Security Presidential Directive-
12. Arnold said BitLocker
could not be used with PIV
cards because BitLocker keys
were stored on TPM chips.
'But in the case of the Encrypting
File System in Vista ... you can
encrypt a private key and store it
on your smart card,' Arnold said.
EFS is a separate encryption technique
that has been part of Windows
since Windows 2000.
Government officials were
particularly interested in two
other Vista security functions:
User Account Control and Network
Access Protection.
Richard Gordon, deputy CIO at
the Securities and Exchange
Commission, acknowledged what
Microsoft and outside analysts
have observed about UAC, namely
that it's too 'chatty.' As part of
UAC, Vista pops up warning windows
when a user or application
does something that could present
a security risk.
Rob Campbell, senior technology
specialist at Microsoft, said
that when Vista is first installed,
it's natural for the UAC function
to generate a surplus of warnings.
Over time, the pop-ups
should diminish, he said, but
users will find UAC particularly
effective when malware or other
software attempts to take action
on the user's behalf.
Longhorn Server is currently
in beta 2. It's scheduled to ship
in the second half of 2007. Vista
will be out later this year.