Wednesday, November 15, 2006

File Integrity and Secure Execution

How do you know when and if your security has been compromised? And how do you prevent compromises to begin with? Sun has digitally signed almost all binaries in the Solaris 10 Operating System, enabling administrators to track changes easily. In a future release of Solaris, Sun will add the ability to lock a system down so that only valid, signed executables from a list of trusted authorities will be allowed to run; rogue applications, Trojan horses, and viruses simply won’t execute. The Solaris 10 OS also introduces a file integrity checking application for data files and customer applications known as the Basic Audit and Reporting Tool (BART). In addition, Sun continues to publicly provide digital hashes for all files shipped in Solaris as part of the Solaris Fingerprint Database project. Together, these tools give you powerful, flexible ways to monitor and protect against changes to your operating system platform.

About BART
This section provides an overview of the new Basic Audit and Reporting Tool
(BART), including concepts you need to understand before proceeding with the
steps to automate file integrity checking.
BART provides a quick and easy way to collect information on filesystem objects and
their attributes so that, at a later time, you can determine whether there have been
any changes. BART can help you detect accidental or malicious changes to files
within an operating system due to either a security incident or change management
incident.
BART is able to collect such information as an object’s UID, GID, permissions, access
control lists, modification time, size, and type. In addition, for files, BART generates
an MD5 fingerprint from the contents of the file. For a full list of the attributes that
can be collected, see the bart_rules(4) manual page.
BART has two primary modes of operation: create and compare.
Create Mode
When run in create mode, BART collects filesystem object information from a
system. You can control the scope of collection on a system, including the entire
system, under a specified root directory, or just a subset of files. You can even define
a more granular policy using a rules file that can be customized to meet your
organization's requirements.
When you use BART in create mode, it can read its rules file from either standard
input or from a regular file—for a listing of file types supported by BART, see
bart_manifest(4). As BART processes individual filesystem objects, it records its
results in a manifest file. This manifest is directed to standard output by default,
although you can easily redirect the output to a file or to another process. BART's
ability to read rules from standard input and produce a manifest on standard output
is what makes file integrity checking straightforward to automate.
Compare Mode
To use BART in compare mode, you need two BART manifests and, optionally, a
rules file.
■ The first (and original) manifest, called the control manifest, is used as your
baseline.
■ The second manifest, called the test manifest, is then compared against the control
(in accordance with a set of rules, if supplied).
■ If a rules file is specified, then BART will use the rules it contains to determine
how to make the various comparisons. One of the benefits of a rules file is that
you can use it to define rules to help eliminate any false alarms in your reports,
thereby allowing you to better focus your efforts on the remaining alarms.
Why Automate BART?
For customers with both large and small Solaris deployments, there is a growing
need to manage cost and complexity. The goal of this BluePrints Cookbook is to
highlight how the collection of filesystem information using BART can be securely
automated across any number of systems (with any number of Solaris Containers).
BART automation has several benefits:
■ Through the use of a centralized collection authority, you can collect BART
manifests across a network of Solaris 10 systems using strong authentication, least
privilege, and encryption over the wire.
■ The rules and manifest files never need to be stored on the system (or Container)
being evaluated—they can all be managed and protected on a central authority.
Similarly, the comparison process can be performed in relative isolation because
the comparison need not be done on the host being evaluated.
This approach offers a significant security benefit over other file integrity
methods in use today, where artifacts of the collection or comparison process
must exist on the system being evaluated.
4 Automating Centralized File Integrity Checks in the Solaris™ 10 Operating System • March 2005
Steps to Automate File Integrity Checking
This section describes the steps to automate file integrity checking. As a matter of
convention, these instructions refer to the two systems in this example as client and
manager.
■ The client system is the one being examined by BART.
■ The manager is the system on which all of the BART rules and manifests are
stored, and from which all connections to the client are made.
Step 1: Create a New User Account
The first step is to create a new user on client whose only purpose is to collect
filesystem information and create BART manifests.
Note – The following example focuses on a single client system, but this same type
of approach could be applied for a network of systems, for which this account could
be created—either locally on each system, or in a networked naming service (such as
LDAP).
To create a new user, enter the following commands.
# mkdir -p /export/home
# useradd -d /export/home/bartadm -m -s /bin/pfsh bartadm
# passwd -N bartadm
passwd: password information changed for bartadm
In this example, note that:
■ The bartadm account is created as a non-login account (passwd -N). This means
that, while the account has no Unix login password, it can still be used in other
ways: through other authentication mechanisms (such as Secure Shell public keys)
or through delayed execution mechanisms such as cron(1M). This step is required
because useradd(1M) creates accounts locked by default.
■ This account was created with a profile shell (/bin/pfsh). This was done to allow
commands executed by this user to be evaluated by the Solaris Role-based Access
Control (RBAC) facility to determine whether the command will run with altered
privileges.
Step 2: Create a Secure Shell Key-Pair
After the new user account has been created on client, you next create a Secure Shell
key-pair that will be used to access the account. Remember that, because bartadm is
a non-login account, the only way to access it over the network is to use public key
or GSS-API authentication with Secure Shell.
Note – This does not need to be done on the system where you created the user. In
fact, we recommend that you generate the key on manager so that you will not need
to transfer the private key over any network.
Warning – The statement that public key or GSS-API authentication is the only
way in holds for a default Solaris 10 OS installation. If other authentication
mechanisms have been enabled, there might be other ways in which the bartadm
account can be reached across the network. Verify your /etc/pam.conf and
/etc/ssh/sshd_config settings to be certain.
To create a Secure Shell key-pair, enter the following commands.
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/export/home/bartadm/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /export/home/bartadm/.ssh/id_dsa.
Your public key has been saved in /export/home/bartadm/.ssh/id_dsa.pub.
The key fingerprint is:
42:ca:d7:fa:ab:1c:f8:c0:5b:2c:7b:56:28:85:dc:65 bartadm@manager
Step 3: Install the Public Key on the Client
After the new Secure Shell key-pair has been created, you install its public half on
the client system. To do this, create the /export/home/bartadm/.ssh/authorized_keys
file on the client system, if it does not already exist. Then append to the
authorized_keys file the contents of the id_dsa.pub file that was created on the
manager system. Appending (rather than overwriting the file) preserves any existing
keys that might be in that file while also installing the newly generated one. The
private key (id_dsa) stays on manager.
Once copied, you should have something similar to the following examples.
On manager
# pwd
/export/home/bartadm/.ssh
# ls -l
total 6
-rw------- 1 bartadm other 736 Sep 30 23:03 id_dsa
-rw-r--r-- 1 bartadm other 600 Sep 30 23:03 id_dsa.pub
On client
# pwd
/export/home/bartadm/.ssh
# ls -l
total 6
-rw-r--r-- 1 bartadm other 600 Oct 1 09:14 authorized_keys
Step 4: Configure Secure Shell
Next, on client, you must configure Secure Shell to run only a specific command
when this public key is used. When this public key is used (which is, by default, the
only remote access method), then the bartadm user will be able to run only the
command that you specify. A remote user accessing the bartadm account will not be
able to run any other commands. To do this, you use the Secure Shell command
directive. For more information, see the “ authorized_keys File Format” section of
sshd(1M).
To configure Secure Shell to run the command, edit the authorized_keys file on client
and add the following prefix, followed by a space, in front of the existing public key
(the option and the key must stay on one line):
command="/usr/bin/bart create -r -"
Making this change causes BART to be run in create mode, taking a rules file from
standard input, which allows you to specify different BART rules files (as needed)
without having to change the configuration of client.
The result will look something like the following example (with a different public
key). The whole entry is a single line in the file:
command="/usr/bin/bart create -r -" ssh-dss AAAAB3NzaC1kc3MAAACBAJ6zG8SJtQVi/EtOugyktNssLVofLmUepqsh712+D1AObTwRWZwjSH4hE423U3AcfY99u9ZxsdJ0sEpqnnvXmKaym7pMgkNxMCPoPcnf4mAIcx9IQkpotAiCbCQ+My5lFD4iW4Nxjqh6KwIecEaABcpg2x5nhaX8Bsx0XURO/f+jAAAAFQCD6dOAM1JunvUeCWNpXoB6tLyLewAAAIAXya1UPijNFIjymsJ0gjQXyCgll8/tORHy2vrloH7vgh9RJ9YNRWSZZjyRvLlKTd4KFIfcjT43WlVWJKa/A7l14DGntoTS+dRh4MohJXdUjYMvV+OODc1j8V2p+JWbbHlqDxa+zAuFEskoWNPmBrTnbLNzamIPnQ7ZaqWsbWuePQAAAIEAmqlCaMfuFYWlvDHeak79FmxHJjRLqmvRwlPPtkW8XDuF8wn8lj/+glWWY6/VJVtbfgteZLweotdM2wvdfXNqROiU9vvlylOdv29iADxsSlPGSrjXkbkNGQXMHTgPQmfbDhmtpnM6occl2R+J8dpDT59zWV7+egNZ0TTV8GNnmng= gmb@manager
Step 5: Create an RBAC Rights Profile
Next, you will create an RBAC rights profile on client that allows the bartadm user
to run BART with just enough privilege to read every file and directory on the
system. This way, bart never has to run as the root account.
Note – Remember that, to successfully access this account, you will also need
possession of the bartadm private key (which should be stored on the protected,
centralized authority) as well as the passphrase to unlock the private key. Further,
once you successfully access the account, you will be able to run only the bart
command, as configured above, with the privileges that are described below. Each of
these controls serves to reinforce the security of the overall solution.
To create an RBAC rights profile that will be associated with BART and assigned to
the bartadm user, add the following entries to the /etc/security/prof_attr and
/etc/security/exec_attr files (shown here as they appear in the finished files):
Note – When entering the following commands, be sure to omit the line breaks,
which are included here for readability only.
# grep "^File Integrity:" /etc/security/prof_attr
File Integrity:::File Integrity Management:
# grep "^File Integrity:" /etc/security/exec_attr
File Integrity:solaris:cmd:::/usr/bin/bart:privs=file_dac_read,file_dac_search
The File Integrity rights profile grants the file_dac_read and file_dac_search
privileges. These privileges are needed so that the bartadm user can search
directories and read files that normally would not be permitted due to discretionary
access controls (Unix permissions, ACLs, and so on) as implemented in the Solaris
operating system. A description of these two privileges can be found using the
ppriv(1) command, as shown in the following example.
# ppriv -l -v file_dac_read file_dac_search
file_dac_read
Allows a process to read a file or directory whose permission
bits or ACL do not allow the process read permission.
file_dac_search
Allows a process to search a directory whose permission bits or
ACL do not allow the process search permission.
Step 6: Assign the Profile to the bartadm User
Finally, you need to assign the new File Integrity rights profile to the bartadm user.
To assign the rights profile, use the following command:
# usermod -P "File Integrity" bartadm
This command will add the following line to the /etc/user_attr file:
# grep "^bartadm:" /etc/user_attr
bartadm::::type=normal;profiles=File Integrity
You can also verify that the File Integrity rights profile has been assigned to the
bartadm user using the following command:
# profiles -l bartadm
File Integrity:
/usr/bin/bart privs=file_dac_read,file_dac_search
All:
*
Step 7: Optional Tasks
You have completed the basic steps to automate file integrity checking with BART.
However, you can perform optional tasks to enhance security, including:
■ limiting the hosts that can use the bartadm public key, by hostname or IP
address, with the from= option in front of the key (for example, only allowing
access from manager), and closing the side channels a forced command alone
leaves open with the no-port-forwarding, no-X11-forwarding, no-agent-forwarding
and no-pty options (all described in the authorized_keys section of sshd(1M))
■ preventing bartadm from scheduling its own jobs by adding the "bartadm"
account to the /etc/cron.d/cron.deny file
There might be other security controls that you will want to evaluate and
implement based on your individual security policies and requirements. Take care
to identify and understand any residual risk in your environment and act
accordingly.
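As an added example that is not part of the cookbook, the following Python script builds the restricted authorized_keys line for bartadm, combining the command= option from Step 4 with the from= host restriction from Step 7 and the no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty options (standard authorized_keys options that the cookbook itself does not mention), and then audits an authorized_keys file for entries that lack those restrictions. The key blobs, the host name manager.example.com and the second key are constructed placeholders.

```python
"""Build and audit restricted authorized_keys entries like the bartadm one.
Added example, not code from the cookbook; keys and host names below are
constructed placeholders."""
from typing import Dict, List, Tuple

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")
# Standard authorized_keys options (see sshd(1M)).  The cookbook uses only
# command=; from= is Step 7's host restriction; the no-* options close the
# side channels a forced command alone leaves open.
RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding",
                "no-agent-forwarding", "no-pty")


def _quote(value: str) -> str:
    """Quote an option value; embedded double quotes are backslash-escaped."""
    return '"' + value.replace('"', '\\"') + '"'


def build_entry(pubkey: str, command: str, from_pattern: str) -> str:
    """One authorized_keys line: options, a space, then the key exactly as
    ssh-keygen wrote it (type, base64 blob, comment)."""
    opts = [f"from={_quote(from_pattern)}", f"command={_quote(command)}",
            *RESTRICTIONS]
    return ",".join(opts) + " " + pubkey.strip()


def split_entry(line: str) -> Tuple[Dict[str, str], str]:
    """Split an entry into {option: value} and the key part.  Options are
    comma-separated; a quoted value may hold commas, spaces and escaped quotes."""
    if line.startswith(KEY_TYPES):            # no options at all
        return {}, line
    opts, tok, i, inq = [], "", 0, False
    while i < len(line):
        ch = line[i]
        if inq and ch == "\\" and i + 1 < len(line):
            tok += line[i + 1]                # escaped character inside quotes
            i += 2
            continue
        if ch == '"':
            inq = not inq
        elif ch == "," and not inq:
            opts.append(tok)
            tok = ""
        elif ch == " " and not inq:           # first unquoted space ends the options
            break
        else:
            tok += ch
        i += 1
    opts.append(tok)
    parsed = dict(o.partition("=")[::2] for o in opts if o)
    return parsed, line[i + 1:]


def audit(authorized_keys: str, expected_command: str) -> List[Tuple[int, List[str]]]:
    """(line number, problems) for every key less restricted than bartadm's
    entry should be; an empty list means every key is locked down."""
    findings = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        opts, key = split_entry(line)
        if not key.startswith(KEY_TYPES):
            findings.append((n, ["unparseable entry"]))
            continue
        problems = []
        if opts.get("command") != expected_command:
            problems.append(f"command is {opts.get('command')!r}, "
                            f"expected {expected_command!r}")
        if "from" not in opts:
            problems.append("no from= host restriction")
        missing = [r for r in RESTRICTIONS if r not in opts]
        if missing:
            problems.append("missing " + ",".join(missing))
        if problems:
            findings.append((n, problems))
    return findings


BART_CMD = "/usr/bin/bart create -r -"
# Constructed placeholder key in the format ssh-keygen writes (not a real key).
PUBKEY = "ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERKEYMATERIAL= bartadm@manager"
HARDENED = build_entry(PUBKEY, BART_CMD, "manager.example.com")
# A second, constructed entry someone appended without any restrictions.
AUTHORIZED_KEYS = HARDENED + "\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER= someone@laptop\n"

if __name__ == "__main__":
    print(HARDENED)
    for n, problems in audit(AUTHORIZED_KEYS, BART_CMD):
        print(f"line {n}: " + "; ".join(problems))
```

Run on the constructed file, the script reports only line 2: the unrestricted key has no forced command, no from= restriction and none of the no-* options. The parser keeps quoted values intact, so a command= value containing spaces or escaped quotes round-trips.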
Step 8: Test the Setup
The final task is to test that everything works as expected from the manager system.
Create a Sample Rules File
To test the setup, you first create a small and simple BART rules file on manager.
You will feed this rules file to BART on client over a Secure Shell channel that uses
public-key authentication to run the forced command from Step 4. BART writes the
resulting manifest to standard output, so you can redirect it to a file for later
comparison.
Create the following sample BART rules file on manager:
/usr/sbin
CHECK all
This example limits information collection to files under /usr/sbin. When used in
compare mode, all of the collected attributes are checked. Once your setup is
verified, you can develop more sophisticated policies based on your organization's
needs.
Run the Command to Test
To test the setup (from manager), enter the following command.
$ cat ./client.rules | ssh -T -l bartadm client
! Version 1.0
! Friday, October 01, 2004 (10:46:56)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/usr/sbin D 4608 40755 user::rwx,group::r-x,mask:r-x,other:r-x 415c6c1d 0 2
/usr/sbin/6to4relay F 9888 100555 user::r-x,group::r-x,mask:r-x,other:r-x 414f3ef2 0 2 5dbc53336307f5caf965e4451abde647
/usr/sbin/acctadm F 28356 100555 user::r-x,group::r-x,mask:r-x,other:r-x 414f3bb4 0 2 ece9d92d00b0c13ed2d56580e3856df7
/usr/sbin/add_drv F 44244 100555 user::r-x,group::r-x,mask:r-x,other:r-x 414f3cda 0 2 10f542c2c228c2a0efdc16bc543d96d6
/usr/sbin/allocate F 18764 104755 user::rwx,group::r-x,mask:r-x,other:r-x 414f3e96 0 2 2e98bb2d02c4e87b875885dfb3838932
/usr/sbin/arp F 9912 100555 user::r-x,group::r-x,mask:r-x,other:r-x 414f3ef2 0 2 203a43e71abc9c3b9ba2a1c38647b285
/usr/sbin/audit F 10140 100555 user::r-x,group::r-x,mask:r-x,other:r-x 414f3e85 0 2 26b6e6241c6a21aab5fc1bebb816f8fc
[... content edited for brevity...]
Compare Manifest Files
Once you are sure that the process is working, save two copies to illustrate how to
use the compare feature:
$ cat ./client.rules | ssh -T -l bartadm client > ./client.manifest.1
$ cat ./client.rules | ssh -T -l bartadm client > ./client.manifest.2
$ bart compare -r ./client.rules ./client.manifest.1 ./client.manifest.2
$
You should see no output from bart compare in this example, which indicates that
your files have not changed relative to the baseline, client.manifest.1. In contrast,
here is an example in which the comparison detected two differences in one file:
$ bart compare -r ./client.rules ./client.manifest.1 ./client.manifest.2
/usr/sbin/auditd:
  acl control:user::r-x,group::r-x,mask:r-x,other:r-x test:user::r-x,group::r-x,mask:r-x,other:rwx
  contents control:28dd3a3af2fcc103f422993de5b162f3 test:28893a3af2fcc103f422993de5b162f3
In this case, the /usr/sbin/auditd program was modified (its contents fingerprint
changed) and its access control list was changed to grant write access to everyone,
which is certainly a bad thing!
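Both the Compare Mode section earlier and the bart compare run just shown depend on the manifest format that BART prints at the top of every manifest. The following Python script is an added example, not code from the cookbook or from Solaris: it parses two manifests and a small subset of bart_rules(4) (a subtree line followed by CHECK/IGNORE keyword lists, no file-name patterns) and reports differences in the same shape as bart compare. The sample manifests are constructed from the object lines shown above; the new timestamps 415d0001 and 415d0002, the /usr/sbin/rogue entry and its hash are invented, and the "add"/"delete" lines for objects present on only one side are this script's convention.

```python
"""Parse BART manifests plus a subset of bart_rules(4) and report differences
the way bart compare does.  Added example, not code from the cookbook or from
Solaris; the sample manifests at the bottom are constructed."""
from typing import Dict, List, Set, Tuple
# Attribute names per object type, from the "# Format:" lines BART writes at
# the top of every manifest.
FORMAT = {
    "D": ["size", "mode", "acl", "dirmtime", "uid", "gid"],
    "P": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "S": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "F": ["size", "mode", "acl", "mtime", "uid", "gid", "contents"],
    "L": ["size", "mode", "acl", "lnmtime", "uid", "gid", "dest"],
    "B": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
    "C": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
}
ALL_ATTRS = {a for names in FORMAT.values() for a in names}

def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """fname -> {"type": T, attr: value, ...}; assumes names hold no whitespace."""
    objects = {}
    for line in text.splitlines():
        if not line or line[0] in "!#":        # version/date and format comments
            continue
        fname, ftype, *values = line.split()
        names = FORMAT.get(ftype)
        if names is None or len(values) != len(names):
            raise ValueError(f"malformed manifest line: {line!r}")
        objects[fname] = {"type": ftype, **dict(zip(names, values))}
    return objects

def parse_rules(text: str) -> List[Tuple[str, Set[str]]]:
    """Subtree line, then CHECK/IGNORE lines naming attributes or 'all'; later
    lines override earlier ones.  No file-name patterns.  Shortest subtree first."""
    rules, subtree, checked = [], None, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                # a new subtree starts
            if subtree is not None:
                rules.append((subtree, checked))
            subtree, checked = line, set()
            continue
        verb, *attrs = line.split()
        wanted = ALL_ATTRS if "all" in attrs else set(attrs)
        if verb == "CHECK":
            checked |= wanted
        elif verb == "IGNORE":
            checked -= wanted
        else:
            raise ValueError(f"unknown rule: {line!r}")
    if subtree is not None:
        rules.append((subtree, checked))
    return sorted(rules, key=lambda r: len(r[0]))

def attrs_to_check(fname: str, rules: List[Tuple[str, Set[str]]]) -> Set[str]:
    """Longest matching subtree wins; an object under no subtree is not checked."""
    checked: Set[str] = set()
    for subtree, attrs in rules:
        if fname == subtree or fname.startswith(subtree.rstrip("/") + "/"):
            checked = attrs
    return checked

def compare(control_text: str, test_text: str, rules_text: str) -> List[str]:
    """'<fname>:' then '  <attr> control:<c> test:<t>' per differing checked
    attribute; objects on one side only get '  add' / '  delete' (my convention)."""
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    rules, report = parse_rules(rules_text), []
    for fname in sorted(set(control) | set(test)):
        wanted = attrs_to_check(fname, rules)
        if not wanted:
            continue
        c, t = control.get(fname), test.get(fname)
        if c is None or t is None:
            report += [f"{fname}:", "  add" if c is None else "  delete"]
            continue
        diffs = [f"  {a} control:{c[a]} test:{t.get(a)}"
                 for a in ["type"] + FORMAT[c["type"]]
                 if (a == "type" or a in wanted) and c[a] != t.get(a)]
        if diffs:
            report += [f"{fname}:"] + diffs
    return report

# Constructed control manifest; object lines adapted from the sample output above.
CONTROL = """! Version 1.0
! Friday, October 01, 2004 (10:46:56)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/usr/sbin D 4608 40755 user::rwx,group::r-x,mask:r-x,other:r-x 415c6c1d 0 2
/usr/sbin/arp F 9912 100555 user::r-x,group::r-x,mask:r-x,other:r-x 414f3ef2 0 2 203a43e71abc9c3b9ba2a1c38647b285
/usr/sbin/auditd F 28356 100555 user::r-x,group::r-x,mask:r-x,other:r-x 414f3bb4 0 2 28dd3a3af2fcc103f422993de5b162f3
"""
# The same host later: auditd modified and made world-writable, plus a new
# binary in /usr/sbin (the new timestamps, the rogue entry and its hash are invented).
TEST = CONTROL.replace("415c6c1d", "415d0002").replace(
    "other:r-x 414f3bb4 0 2 28dd3a3af2fcc103f422993de5b162f3",
    "other:rwx 415d0001 0 2 28893a3af2fcc103f422993de5b162f3",
) + "/usr/sbin/rogue F 1024 100755 user::rwx,group::r-x,mask:r-x,other:r-x 415d0001 0 2 0123456789abcdef0123456789abcdef\n"
RULES = "/usr/sbin\nCHECK all\n"                    # the cookbook's test rules file
RULES_NO_TIMES = RULES + "IGNORE mtime dirmtime\n"   # silence timestamp-only alarms

if __name__ == "__main__":
    print("\n".join(compare(CONTROL, TEST, RULES)))
```

With the cookbook's CHECK all rules the report lists the changed directory mtime of /usr/sbin, the acl, mtime and contents changes of /usr/sbin/auditd, and the added /usr/sbin/rogue; with RULES_NO_TIMES the timestamp-only entries disappear, which is the false-alarm filtering the Compare Mode section describes.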
Conclusion
In this BluePrints Cookbook, we have described a method for centralizing and
automating file integrity checks across a network of Solaris 10 systems. This method
uses strong authentication, least privilege, and encryption over the wire to provide a
secure and scalable mechanism for the collection and transport of file fingerprints
from clients to a centralized authority. While providing strong security, this solution
is also flexible in that it allows an unlimited number of BART rules files to be used.
Rules files can be developed per system, per application, per data center, or based on
any other customer requirements.
In addition, the central authority does not have to be a separate physical system. It
can be implemented within a Solaris Container in the Solaris 10 OS to gain greater
security isolation. While this does not improve the security of BART processing per
se, it does offer greater protection for BART rules, manifests, and related
user-developed scripts. By using a Solaris Container as a BART central authority,
you can reap the security benefits that have been designed into them, including
sparse-root configurations (read-only, loopback-mounted filesystems), reduced
process privilege sets, namespace isolation, resource management and global-zone
observability, and so on.
For example, you could have a Solaris Container that has no listening services and
that houses all of the rules and manifest files for an entire network of systems.
No other services running on that same system (perhaps other security monitoring
tools) could access the BART data. Further, by using Solaris Containers, you can
monitor all of your BART rules and manifests from the isolated global zone (using
BART, of course) to ensure that they have not been altered.
How you configure the BART management container is up to you, but one thing is
certain—by leveraging the Solaris 10 OS and, more specifically, Solaris Containers,
you will have the opportunity to build your BART central authority upon a very
strong security foundation.

solaris 10 advanced features

Chapter 1
Introduction
The days of the enterprise as a castle — with deep moats and high, thick walls to protect assets from the attack of
marauding invaders — are long gone. Business operations as a lone, well-protected structure with a single, guarded
gateway in and out — both literally and figuratively — is no longer a viable model. Now it seems like everyone and
everything is connected to the network. Businesses may have thousands — even millions — of employees, partners,
suppliers, and customers accessing information and services from homes, hotels, and customer locations. Increasing
connectivity is improving productivity.
Connectivity and access create conflicts and challenges that must be addressed by an environment capable
of delivering comprehensive protection. To operate safely in a connected world, businesses need to secure their
enterprise, with all of the systems, networks, applications, technologies, and users that make it work. How well
an enterprise has deployed and integrated security into its network can be a significant contributor to its overall
productivity. But security is not an object, nor is it simply a list of features. Security is an ongoing discipline that
monitors what’s happening — in an organization and out in the world — and applies this knowledge to the development
and safe deployment of IT resources.
At Sun, this is a lifestyle that we have embraced for more than 20 years. Many Sun products are independently
verified for their security capabilities, while Sun personnel help to drive the new standards-based capabilities in
their work through the Internet Engineering Task Force (IETF). This work comes together in the Solaris™ 10 Operating
System (OS). The Solaris 10 OS provides comprehensive, in-depth security capable of protecting the enterprise at
multiple levels. It offers a new level of security, enabling today’s enterprises to safely increase access to key
computer systems by their business partners for around-the-clock commerce.
Overview
Security not only protects business assets, it also contributes to availability by reducing unplanned downtime
caused by security compromises. Integrated, dynamic business operations demand flexible, accountable security
models that span the globe while still preserving individual and business rights. Any solution needs to consider
the speed at which new customers, suppliers, and partners are added or removed, as well as new government
mandates such as the Health Information Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the
European Union (EU) Directive on Data Protection Act.
Sun Microsystems, Inc. Introduction P1
Security-enabled business operations need protection at many levels — integrated into the IT fabric, not
layered on top of everything. Access to IT resources needs to be very situation and role specific — users should get
to use only the information and services they need to perform their jobs. Assets are protected from unauthorized
use. Data, network traffic, and user information are protected as needed. There is protection at the edge, and
additional protective mechanisms inside the intranet. Systems and processes are monitored. If a system should
be compromised, it should not enable widespread access. Security systems should be safe, right out of the box,
and easily and quickly updated.
Sun and the Solaris 10 OS provide all this and more. The Solaris 10 OS is the foundation for safe IT operations
in a global marketplace.
Chapter 2
Solaris 10 OS Security Highlights
Identity Management
Scenario — Poor Password Management
Company X had no formal password management to speak of. Employees could choose their own passwords —
often a first name, sometimes with a number after it — and were never required to change them. Inevitably, a
security breach happened: A salary and bonus report was posted to an external Web site. Subsequent analysis
showed the same name/password pair was used around the company, sometimes simultaneously from four
different places. The user account belonged to a manager who had left the company three months earlier. Other
name/password pairs also showed signs of multiple users per account, indicating that users had shared their
login information with others.
Passwords are considered the first line of defense in security. The Solaris 10 Operating System improves password
protection by enforcing limits on how long they can be used, how frequently they can be reused, and the
number of login attempts allowed. Passwords can be checked against a database of forbidden text strings —
employee names, for example. Policies on their length, mixing of letters and numbers, and so on can be enforced.
Several password hashing algorithms ship with the Solaris OS, including MD5, Blowfish, and the traditional
DES-based crypt; the algorithm used for new passwords is selected in /etc/security/policy.conf. These are
one-way hashes rather than encryption, so the clear-text password is never stored. Solaris software also
supports an extensible mechanism that extends the way passwords are checked and validated. Through the
Pluggable Authentication Module (PAM) architecture, customers can customize password policy to fit unique
requirements, including changing the password hashing algorithm. While representing a strong first line of
defense, passwords are part of an overall identity management solution.
Identity-Enabled Computing
It is challenging to give employees, partners, and suppliers safe and easy access to the information they need to
be productive. In a dynamic business environment, how does an organization cost-effectively manage secure
access to IT resources?
It starts with comprehensive password management at the point of first contact and continues with Kerberos-enabled
single sign-on (SSO) and LDAP authentication to deliver secure single sign-on capabilities across multiple
operating systems. End-to-end identity management solutions can be achieved by integrating the computing
infrastructure with the Sun Java™ Enterprise System security products.
User identity attributes are often stored in many different places and formats within a company. There is no
single authoritative source where user access privilege and profile information can be stored and retrieved. In fact,
there are many reasons why it is not practical to consolidate such information — lack of trust, incomplete technology,
dubious cost-effectiveness, giving up organizational control, and so on. For these reasons and more, Sun
provides single sign-on capabilities throughout corporate intranets, using the Kerberos standards as well as
userID/password management, through a nonintrusive concept called federated identity management that integrates
the management of distributed data stores while leaving identity information in its native locations. When combined
with state-of-the-art techniques for the management of access privileges and entitlements, a federated identity
management network enables a company to integrate its disparate business operations. By doing so, the benefits
that can be leveraged include increased revenues, reduced costs, and gaining a massive competitive edge.
Sun’s identity management suite provides current, consistent, and accurate identity information within and
across enterprise boundaries. Sun identity management products — Java System Directory Server Enterprise
Edition, Java System Access Manager, and Java System Identity Manager — provide a complete solution that
replaces manual methods with automated, flexible, rules-driven processes. The Solaris 10 OS includes enhanced
identity management with centralized management capabilities.
1. Secure LDAP authentication enables user names, passwords, network configuration, home directories, and
other common identity attributes to be centrally stored in the included enterprise-class LDAP directory server.
Sun includes a license for 200,000 user entries of the Java System Directory Server for exactly this purpose.
UserIDs and passwords are protected while on the network using military-strength, SSL-encrypted communications;
when stored in the LDAP directory, similar strong encryption is used.
2. The LDAP authentication methods have been enhanced to utilize the Generic Security Services API (GSS-API)
and Simple Authentication and Security Layer (SASL), two standards for flexible authentication mechanisms.
This provides interoperability with Kerberos and improved interoperability with Microsoft Active Directory.
The Solaris 10 OS implements open, interoperable standards that enable secure enterprise-wide administration
of computing infrastructures.
3. Sun Enterprise Authentication Mechanism™ (SEAM) software implements the Kerberos v5 standards. Interoperability
with Microsoft Active Directory and other Kerberos single sign-on systems is easily achieved. The result
is increased security and reduced costs by centralizing the management of user identities.
4. Remote access and file sharing commands, such as Telnet, rcp, rsh, rlogin, and NFS, are enhanced in the
Solaris 10 OS to interoperate with Sun Enterprise Authentication Mechanism and Kerberos v5 systems. Users’
enterprise identity is securely carried with them throughout their remote access and file sharing uses.
All together, identity-enabled computing provides visibility and control over access to corporate assets as they
are shared across the entire value chain.
Authentication
Scenario —Too Many Passwords and Too Much Power
Organization Y has seven large systems, though most people need access to only four: Their department’s main
system, e-mail server, company portal server, and remote access system. The management team takes security
seriously and enforces a policy that requires a different password for each system, which must be renewed every
60 days. Passwords have to be at least eight characters and cannot contain real words. Many people have been
granted superuser access to the system in order to manage privileged operations such as print queue administration.
Despite — or perhaps because of — all this, 300 MB of unlicensed music files were posted on the portal server,
and analysis showed they were accessed more than 5000 times. It’s hard to pin down exactly where the passwords
were compromised — when a PDA fell out of a coat pocket at the airport or when any of the printouts used by
many employees to record passwords fell into the trash, which the cleaning crew delivered to the dumpster.
Who You Are and What You Can Do
A single sign-on facility is a partial and well-known solution to the problem of multiple passwords. Unfortunately,
people in general are not very good at remembering good passwords, such as those containing upper and lower
case characters, mixes of letters and numbers, and so on — especially if they have to change them frequently. And
if a single sign-on password is compromised (lost or stolen), then the new user has access to everything allowed
for that user account.
Smart cards, including the Java Card™ platform, when coupled with passwords ensure that the people using
the system are who they say they are. Using multifactor authentication (something known, such as a PIN, and
something you possess, such as a one-time password generator or digital certificate) provides an extremely high
degree of certainty that a user is authentic. This enables enterprises to create an IT environment that enables
employees to work anywhere — floating offices, in the field, or at home.
The Solaris OS supports many smart card APIs, including the Java Card platform, Solaris Smart Card Framework,
MUSCLECard open source IFD drivers, PKCS #11, and PC/SC Lite smart cards. Strong authentication can be enabled
through built-in smart card interfaces or virtually all of the USB-enabled smart card readers.
Once a user is authenticated, granting access privileges is the next step. Users should have access only to the
applications (and in some cases, only some features within an application) they need according to the role they
serve within the organization. The Solaris 10 OS supports Solaris User Rights Management, which covers individuals
and groups, and restricts access to selected applications and other Solaris 10 OS functions. This increases security
by reducing the chances of administrative errors or accidental/malicious use of IT resources. Using the Solaris
Role-Based Access Control capabilities of Solaris User Rights Management, privileged users can be granted just
the capabilities needed to run a select number of commands consistent with their needs rather than being granted
full superuser access to the system. Solaris Role-Based Access Control information is centrally managed for reduced
administration cost and increased flexibility for rapidly changing business requirements. Effective security reduces
downtime, raises quality of service, and keeps costs low.
Sun Microsystems, Inc. Solaris 10 OS Security Highlights P5
Containment
Scenario — Hacker Attack
Company Z thought it was doing everything right. Management used a firewall to protect their network infrastructure,
and passwords were protected with MD5 hashing. Still, a determined hacker sent a request for information
to the Webmaster and took note of the IP addresses contained in the return message header. A few days'
worth of traffic was collected and analyzed by the hacker, and a simple exploit against the company's Web server was
found. After a few minutes, the hacker was in. Once past the firewall and into the main network, there was very
little additional security. It only took a little more time and effort to get what he wanted: the credit card database.
Sometimes, even when nearly everything conceivable is done, hackers get through. The Solaris 10 OS offers
strong perimeter protection, making it very difficult to break through the firewall. If hackers do penetrate it, in-depth
protection and containment help limit any potential damage. The Solaris 10 OS offers many ways to protect systems
from break-ins, and to contain them if such events do occur.
1. The built-in stateful Solaris IP Filter firewall controls interaction of services on the network. Solaris IP Filter
firewall can control access to IP services not only at the gateway, but also to systems inside the firewall.
Solaris IP Filter firewall is fully supported by Sun.
2. Solaris Containers (formerly N1™ Grid Containers) technology offers a way to virtualize system resources and
use multiple software partitions within one instance of the operating system. By providing a virtual, security-isolated
instance of the Solaris OS — including separate IP addresses and root passwords — where applications
can be run, it isolates the application and other associated resources and hides system details. This powerful
capability enables businesses to consolidate resources without compromising security. It is now possible to
host multiple, competing customer or supplier applications on the same system while isolating each set of
processes from the others.
3. Solaris Process Rights Management, enabled through Solaris Privileges, provides fine-grained control of the
security of services and applications, increasing security and helping prevent them from being used to compromise
a system or the data within it. Privileges assigned to processes are restricted to only those necessary
to perform their functions, reducing exposure to security exploits. This limits what processes can do, regardless
of the user — unprivileged processes cannot do damage to the overall system. System administrators can
deploy Solaris Process Rights Management to existing applications without modifying any code, and user
retraining is not required.
Chapter 3
Solaris 10 OS Security Technology
The Solaris 10 Operating System offers superior security that helps to protect an IT infrastructure from the
moment the software is installed. This release contains many new features and capabilities, extending Sun’s
proven history of delivering the protection enterprises need.
System-Level Security
Enhanced Security at Installation
The Solaris 10 OS offers unparalleled built-in security. For administrators who want to customize their installation,
the Solaris 10 OS offers the Reduced Networking metacluster — the smallest, most secure install of Solaris software
to date. In the near future, the Solaris 10 OS is scheduled to feature a new Services Management Infrastructure and
add enhanced security settings as an install-time choice. When customers choose the enhanced security settings,
Solaris 10 software protects the system from attack and misuse by disabling many commonly unused services.
The system helps ensure usability by enabling local-only access to many other useful services, such as the GNOME
or CDE desktop. For administrators who want protection during remote installations, the Solaris 10 OS features
the SSL-encrypted WAN boot capability. Administration costs can be reduced and security enhanced by enabling
centralized installation of remote systems.
Easier Implementation of Best Practices
The Solaris Security Toolkit is based on best practices in the real world and was created as part of the Sun BluePrints™
program. Informally known as the JumpStart™ Architecture and Security Scripts (JASS) Toolkit, it provides a flexible
and extensible mechanism to minimize, harden, and secure Solaris OS systems according to the server’s function.
It is based on the best practices of thousands of customer installations by Sun Services, and the resulting systems
are also supported by Sun Services.
The Trusted Solaris™ OS: For Government and Commercial Use
Once designed only for government use, the Trusted Solaris™ OS is being embraced by commercial organizations
as well. It separates users, data, and resources, explicitly granting access to users and processes. Eliminating
the superuser and dividing its functions into multiple roles makes system penetration far more difficult. A
combination of labeling all objects, clearance levels for each user, and strong audit capabilities makes all users
accountable and all actions traceable, greatly diminishing the risk of security violations. Trojan horses, such as
programs to intercept passwords or other sensitive data, are prevented by a graphical user interface and protocol.
Mandatory Access Controls enforce a hierarchical compartmentalization of information, protecting sensitive information
from general use.
Common Criteria certification represents Sun’s commitment to the highest levels of security. Sun’s longstanding
practice of independently validating the security of the Solaris OS continues forward into Solaris 10 and Trusted
Solaris software. The Solaris 10 OS is targeted at Controlled Access Protection Profile (CAPP) and Role-Based Access
Control Protection Profile (RBACPP) at Evaluation Assurance Level 4+ (EAL 4+). The Trusted Solaris OS is the only
enterprise-class OS that has been independently certified under Common Criteria Evaluation Assurance Level 4+
(EAL 4+) with three critical protection profiles: Labeled Security Protection Profile (LSPP), Controlled Access Protection
Profile (CAPP), and Role-Based Access Control Protection Profile (RBACPP). All in all, it delivers proven protection.
Prevention of Stack Buffer Overflow Exploits
Stack buffer overflows enable many types of attacks. The Solaris 10 OS provides protection against exploits arising
from stack buffer overflows with all 64-bit applications, and optionally for all 32-bit applications, through a simple
configuration setting. Core system administration utilities also provide this protection by default. ISVs and corporate
developers can link into designated libraries, protecting their application. This functionality is available for SPARC®
and AMD64 processors, and unavailable on any operating system running on the Intel IA-32 platform due to limitations
in the architecture of these CPUs.
Automated Patch Management
As new threats appear, Sun is committed to providing the tools and updates customers need to protect their
systems. Solaris Patch Manager automatically gets the right patch for each system in the form of digitally signed
(verified) .jar files. Patches can be pushed to multiple servers and installed as required. Automated patch management
enables administrators to be more productive and helps maintain systems at the highest levels of protection.
Accountability
Auditing
The ability to track what’s happened on a system is a cornerstone of strong security as well as a regulatory and
liability requirement. Auditing monitors system configuration changes and user activity, and watches for malicious
behavior.
1. File Integrity. New in the Solaris 10 OS is the Solaris Basic Audit and Reporting Tool (BART). BART enables
customers to generate digital fingerprints of files and their attributes, and to compare them over time to
check for changes.
2. System-Level Files and Executables. The Solaris Fingerprint Database (sfpDB) is used to verify that a file or
executable has not been changed from an official binary distribution; an altered version may compromise
system security and cause other types of problems. It compares an MD5 digital fingerprint with the trusted
entry stored in the sfpDB and instantly identifies mismatches. This tool is accessed through a free Web interface
located on the SunSolve Web site at sunsolve.sun.com.
Sun also delivers digitally signed executables, binaries, and drivers for almost all of the Solaris 10 OS.
Initially, system administrators can manually verify that an executable has not been modified or tampered with.
Administrators may also sign and verify their own in-house code or third-party executables as well. In a future
update of the Solaris 10 OS, the system kernel itself will be able to dynamically verify the integrity of these
files at run time, thus ensuring a high-integrity computing environment.
3. Auditing Tools. Solaris auditing tools track kernel, application, and user activity with fine-grained control.
Solaris audit trails can be stored on a centralized system for later analysis.
Together, these tools let administrators continuously monitor virtually any file or executable, watch it for
changes, and generate alerts when changes occur, so file and executable integrity can be maintained.
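The create-and-compare workflow the items above describe, as an added example written for this page (not Sun's BART code or its manifest format; the attribute set, the `ignore` parameter standing in for a rules-file IGNORE directive, and the constructed sample tree are assumptions):

```python
import hashlib
import os
import stat
import tempfile

# Attributes recorded per filesystem object. BART collects a similar set
# (UID, GID, permissions, mtime, size, type, MD5 of contents; see bart_rules(4)).
FIELDS = ("type", "size", "mode", "uid", "gid", "mtime", "md5")


def md5_of_file(path):
    """MD5 fingerprint of a file's contents, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(root):
    """'Create mode': map each path under root to its recorded attributes."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                   # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                ftype, size, digest = "F", st.st_size, md5_of_file(full)
            elif stat.S_ISDIR(st.st_mode):
                ftype, size, digest = "D", 0, "-"  # dir sizes are fs-dependent noise
            elif stat.S_ISLNK(st.st_mode):
                ftype, size, digest = "L", 0, "-"
            else:
                ftype, size, digest = "O", 0, "-"
            manifest[os.path.relpath(full, root)] = {
                "type": ftype,
                "size": size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
                "md5": digest,
            }
    return manifest


def compare_manifests(control, test, ignore=("mtime",)):
    """'Compare mode': objects added, deleted, or changed between two manifests.

    `ignore` plays the role of an IGNORE directive in a BART rules file (an
    assumption of this example); mtime is ignored so that a routine touch
    does not drown out real changes.
    """
    report = {"added": [], "deleted": [], "changed": {}}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report["added"].append(path)
        elif path not in test:
            report["deleted"].append(path)
        else:
            diffs = {
                k: (control[path][k], test[path][k])
                for k in FIELDS
                if k not in ignore and control[path][k] != test[path][k]
            }
            if diffs:
                report["changed"][path] = diffs
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        passwd = os.path.join(etc, "passwd")
        with open(passwd, "w") as f:
            f.write("operator:x:100:100::/home/operator:/bin/sh\n")
        os.chmod(passwd, 0o644)
        stale = os.path.join(etc, "obsolete.conf")
        with open(stale, "w") as f:
            f.write("keep=no\n")
        control = create_manifest(root)           # trusted baseline

        # Same-length edit: size is unchanged, only the MD5 fingerprint reveals it.
        with open(passwd, "w") as f:
            f.write("operator:x:000:100::/home/operator:/bin/sh\n")
        os.chmod(passwd, 0o666)                   # permission drift
        os.remove(stale)                          # deleted object
        with open(os.path.join(etc, "unexpected.sh"), "w") as f:
            f.write("#!/bin/sh\n")                # added object
        test = create_manifest(root)
        return compare_manifests(control, test)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```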
Secure Communication
Ensuring private data connections is the foundation of network-based business. The Solaris OS provides many
different mechanisms to secure network traffic. Secure communication products now use the Solaris Cryptographic
Framework, which delivers an across-the-board performance improvement of 15–130 percent.
1. IPSec provides a strong, standards-based framework for securing TCP data communication. Internet Key
Exchange (IKE) manages the necessary encryption/decryption keys. IPSec/IKE can secure almost any protocol
without changing the application in both IPv4 and IPv6 environments. Strong encryption is supplied by DES,
3DES, AES, and Blowfish, with support for X.509 certificates.
2. Solaris Secure Shell encrypts remote sessions, verifies both users and hosts, and hides passwords over the
network. This latest version features enhanced encryption support and integrates with Kerberos authentication
for enterprise single sign-on use.
3. OpenSSL, an open source set of libraries for secured Web transactions, is integrated with the Solaris Cryptographic
Framework in the Solaris 10 OS. It delivers high-performance cryptographic algorithms and transparent hardware
acceleration, improving throughput to secure Web servers. Out-of-the-box support for encrypted Web
pages from an Apache Web server is also included in the Solaris 10 OS.
4. TCP Wrapper support enables administrators to grant access to specific services based on a domain name, for
example, allowing FTP file transfer and SMTP e-mail access to everyone in engineering while denying access
to sales and manufacturing. By selectively providing services to just those systems that need it, risk is reduced
while availability is increased.
5. Solaris Enterprise Authentication Mechanism (SEAM) software provides strongly authenticated and encrypted
file sharing through the NFS standard. This prevents rogue system administrators from inappropriately accessing
individual data via the network file server. Solaris Enterprise Authentication Mechanism software in the Solaris
10 OS utilizes the Solaris Cryptographic Framework for strong, accelerated 3DES and AES Kerberos sessions.
Chapter 4
Strong Security in Your Enterprise
Your business and its employees, management, partners, and suppliers depend on well-implemented security.
Beyond protecting intellectual property and preventing misuse of systems, security helps maintain availability
and service levels.
How can you protect your enterprise? Work toward a goal of applying security pervasively and in depth — to
every node, every device, every user, every IT asset, and every resource. Create and enforce an enterprise security
policy that represents a coherent and comprehensive security architecture, and ensure that all devices and users
conform to it.
Sun and the Solaris Operating System assist companies in achieving the secure enterprise, with products and
technologies that have security designed and defined from the outset and provide protection by default. Strong,
intrinsic security enables business commerce, reduces unplanned downtime, and increases service levels.
Sun has helped thousands of organizations with security assessment, planning, deployment, and support.
Contact your Sun representative for more information on any of these services.
Security is a moving target, and Sun continues to invest. The Solaris 10 OS is the best example yet of our
commitment.
More Information
Sun Security Information
Sun Security Home Page • sun.com/security
Solaris OS Security • sun.com/solaris
• sun.com/security/jass
Trusted Solaris OS • sun.com/solaris/trustedsolaris
Java Platform Security • java.sun.com/security
Network and Security Products • sun.com/servers/entry/checkpoint
• sun.com/networking
Solaris OS Patches and Fingerprint Database • sunsolve.sun.com
Sun Security Coordination Team • sunsolve.sun.com/security
Sun BluePrints for Security • sun.com/blueprints
• sun.com/software/security/blueprints
Sun Consulting Security Services • sun.com/service/sunps/security
Sun Education Security Services • suned.sun.com/US/catalog
Sun Support Services • sun.com/service/support
Additional Security Resources on the Web
Network and Security Products • humanfirewall.org
Generally Accepted System Security Principles (GASSP) • web.mit.edu/security/www/gassp1.html
NSA INFOSEC Assessment Methodology • certtest.com/nsa-iam.html
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) • cert.org/octave
© 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 USA
All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No
part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California.
Sun, Sun Microsystems, the Sun logo, [ADD APPLICABLE TRADEMARKS HERE] are trademarks, registered trademarks, or service marks of Sun
Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries.
Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the
pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a
non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and
otherwise comply with Sun’s written license agreements.
RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a).
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Solaris 10 Security

The Solaris 10 Operating System, the most secure OS on the planet, provides security features previously only found in Sun's military-grade Trusted Solaris OS. User and Process Rights Management work in conjunction with Solaris Containers to let you securely host thousands of applications and multiple customers on the same system. Security administrators can minimize and harden Solaris even better than before to implement a secure foundation for deploying services. In addition, the upcoming Solaris 10 release - Solaris 10 11/06 - will include Solaris Trusted Extensions. Solaris Trusted Extensions is an extension of the existing Solaris 10 security policy that will allow Solaris 10 customers who have specific regulatory or information protection requirements to take advantage of labeling features previously only available in highly specialized operating systems or appliances.

  • Enable the strong security controls required by governments and financial institutions using Solaris Trusted Extensions
  • Verify the integrity of your system using Solaris Secure Execution and file verification features
  • Reduce risk by granting only the privileges needed with User and Process Rights Management
  • Simplify administration by using the open standards-based Solaris Cryptographic Framework for file encryption
  • Secure your systems by leveraging IPSec/IKE and the Solaris IP Filter firewall for network traffic protection.

Solaris 10

Introducing a new offering from Sun: a no cost acquisition model that creates volume
opportunity and makes it easier for customers to acquire and use a complete, integrated
Sun™ portfolio, including the robust Solaris™ Operating System (OS), Sun Java™ Enterprise
System, developer tools, a host of server-side Sun software, and many supported open source
products. This no cost offering is available on multiple OS platforms and optimized for the Solaris
OS as part of the Solaris Enterprise System. The new strategy is aimed at helping developers and
deployers manage the entire software adoption life cycle while easing the cost and risk of acquisition, development, and deployment of services on Sun software.
Shared success
Why are we doing this? In the Participation Age, easier access allows more people to do more things, creating greater value for the community and for customers. Sun is breaking down the barriers to access by offering wide distribution of our software at no cost. We are also building communities and empowering our customers to participate.
Sun is the first to simplify the customer experience with no cost access to preintegrated, pretested infrastructure software and simplified subscriptions for related support and services.
We are committed to sharing the risk of acquiring and deploying enterprise infrastructure
software with our customers.
This means that anyone can download and use current development and deployment
versions of the Solaris™ Enterprise System, which now encompasses the Solaris Operating
System (OS), developer tools, Sun Secure Global Desktop, Sun Java Integration, and
Sun N1™ management software, plus the Java Enterprise System (Java ES) — at no cost.
It also makes it easier for customers to adopt our software by developing and deploying on
no cost versions that are the same as the versions deployed in production environments.
The goal is to help speed our customers’ time to market for new applications and services.
We believe that volume is the way to win for Sun and our customers — because increased
access drives increased availability of related solutions and support, leading to safety, ubiquity, and cost advantages.
A holistic approach
Customers taking advantage of this new offering can adopt our software, and develop and deploy on no cost versions that are identical to the versions deployed in supported production environments.
Full enterprise support with patches, upgrades, updates, warranties and more will
be enabled with technology and available as a subscription.
Intelligent network services for operations management
Sun Connection services are already offered for Solaris OS updates and patches, and Sun will continue to roll out technology-based, automated remote network services for operations, administration, and management. These include remote configuration, monitoring, resource management, and maintenance services. Software and full documentation are available online. A single download of the latest software releases and tools may be used for evaluation, development, testing, and deployment. Customers can choose to develop and deploy in a self-supported fashion, leveraging thriving communities such as java.net, OpenSolaris™, the Sun Developer Network, and other communities that foster shared support and insights. At any phase of the software life cycle, customers will be able to purchase a subscription that includes warranted software along with the appropriate support, education, and integration services necessary to ensure their success.
No cost. No restrictions. No limit.
Developers and system administrators can take advantage of full-featured and preintegrated, pretested, self-supported software at no cost. Develop and deploy Sun software with the confidence that comes from using stable, enterprise-class software. In addition, developers gain access to a complete set of Java and Sun Studio develop, test, and deploy tools.
New Solaris™ Enterprise System: Complete, integrated, enterprise-class
Highlights
• Solaris™ Enterprise System includes the Solaris 10 OS and other Sun server software offerings, plus the Java™ Enterprise System, developer tools, and full online documentation — at no cost.
• Leverage thriving communities such as java.net, OpenSolaris™, and new communities created around Java ES and Java System Suites.
• Infrastructure, integration, education, and support services available with Sun’s warranted software.
• Sun Connection links together customers, partners, developers, and Sun to deliver economies of scale and the power of community from the desktop to the enterprise. Services include remote configuration, monitoring, resource management, and maintenance.
Risk-free adoption
For CIOs and IT managers, the benefits are clear: Now customers facing unclear, disjointed paths in software adoption can more easily obtain and use Sun software to satisfy business needs. Sun helps customers address challenges throughout the adoption life cycle of identifying a business need and then obtaining, evaluating, developing, and successfully deploying the appropriate software solution. Sun’s new no cost software model is designed to enable customers to bring new services to market under tight budget constraints. Built-in advancements like predictive self-healing will enable Sun to extend its broad range of network-delivered services, such as Sun Update Connection and Sun Preventive Services.
System administrators and IT managers will appreciate the opportunity to employ preintegrated, pretested enterprise software on multiple platforms. It is no longer necessary to hassle with migrations complicated by free trial versions that differ dramatically from supported versions, because Sun’s no cost and supported versions are one and the same. The same Java ES infrastructure software that is optimized for the Solaris OS can be deployed across several platforms, including Red Hat Enterprise Linux, Microsoft Windows, and HP-UX.
Support: It’s all about choice
Self support by leveraging the community is available at no cost. Or, customers can take advantage of Sun’s world-class enterprise service capability, now accessible in two ways: First, Sun is continuing to roll out technology-based, intelligent networked services that leverage automation for improved efficiencies. They also provide access to the appropriate integration, education, and support service offerings for each stage of the software life cycle, enabling customers to manage project investments. Second, Sun will introduce a series of building block services which, used progressively, lead customers to deployment and operation of proven, optimized, and standardized solutions with a significantly lower total cost of ownership (TCO) over the application’s life. These services augment currently available Sun Software Support Services — comprehensive architecture, implementation, management, and methodologies — making the right services available for every step in the software life cycle, and extending them to new audiences through Sun Connection, as well as our network of partners.
Especially for developers
Take advantage of the full-featured Java Enterprise System, which is optimized for the most advanced OS on the planet — Solaris 10. Part of the new Solaris Enterprise System, the Solaris OS is the industry’s first enterprise operating system to be offered at no charge, with the same production quality bits that are used in commercially supported environments. Sun’s no hassle and no limit test drive enables developers to create and deploy richer, more full-featured, enterprise-ready applications — at no cost. They can also obtain a full set of developer tools and the most complete, integrated, server-side, enterprise-class software — at no cost.

New Solaris Enterprise System
• Solaris 10 OS
• Sun Java Enterprise System (Java ES):
  • Sun Java Application Platform Suite
  • Sun Java Identity Management Suite
  • Sun Java Availability Suite
  • Sun Java Web Infrastructure Suite
  • Sun Java Communications Suite
  • Sun Java Integration Suite (Coming soon)
• Sun N1 Service Provisioning System
• Other server software:
  • Sun N1 System Manager
  • Sun N1 Grid Engine
  • Sun Secure Global Desktop
  • Sun Ray™ server software
• Complete set of developer tools:
  • Sun Java Studio Enterprise
  • Sun Java Studio Creator
  • Sun Studio
©2005 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, the Sun logo, Solaris, Java, N1, Sun Ray, and OpenSolaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States
and other countries. Information subject to change without notice. 11/05
Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN Web sun.com

Monday, November 13, 2006

Apple's Time Machine: Forward into the past?

The backup app in Mac OS X 10.5 represents 'a paradigm shift'

Ryan Faas

October 05, 2006 (Computerworld) -- One of the most talked about features in Apple Computer Inc.'s upcoming operating system, Mac OS X 10.5, also known as Leopard, is the built-in backup tool called Time Machine. For Mac users, Time Machine is big news: It marks the first time Apple has bundled any sort of backup solution with its operating system. (While it's true that Apple's .Mac service includes a basic consumer backup tool, the service is available only to subscribers of .Mac -- at a cost of $99 per year.)

Being a Mac OS X backup tool isn't the main reason Time Machine is important. There have been any number of free, shareware and commercial backup tools for quite some time. But Time Machine is a step ahead of competitors because it's designed by Apple as a backup tool for the average computer user, meaning that it is very simple to use, with virtually no management or oversight needed.

Unique interface

Anyone who's seen Apple's demos or screenshots of Time Machine can tell that this is not a typical backup application. When you need to access a backup of any file, folder or item tucked away inside a Time-Machine-aware application, you simply select the appropriate window (such as a Finder window of the folder containing the items you need to recover) and then click the Time Machine icon in the dock.

The window you initially selected remains on display but with two arrows (backward and forward) next to it and with translucent images of the window disappearing into the background of the screen. Each translucent window indicates a previous-generation backup of the selected folder. Using the arrow keys, you can move back or forth through each backup. As the interface implies, you move backward or forward through the files on your computer based on time.

This approach is not only visually amazing -- it does look like something out of a science fiction movie -- but it is also incredibly intuitive and easy to navigate. With most backup applications, you need to locate the appropriate backup set, load its catalog file and then search for either the name of the file or browse through the backup generations based on date. This typically involves looking through file path representations to locate the correct backup set and navigate through it. Even the best backup solutions rely on an interface that is separate from the operating system.

By incorporating Time Machine into Leopard, which is due out by next spring, Apple retains the same basic interface, be it in the Finder or a Time-Machine-aware application. This means the user doesn't have to navigate through an alien file structure. To reiterate the genius of Time Machine: Select a file, click an icon in the dock and you're soon looking through past incarnations of the original item you were already viewing. There's no extra navigation except backward and forward.

Going beyond files

One of the smartest concepts that comes from building in Time Machine at the operating system level is that Apple was able to create Time Machine APIs that developers can use in individual applications. This means that an application has access to past files, configurations or chunks of data -- and users won't need to leave that application to access lost, changed or deleted items. Instead, they can simply click the Time Machine icon while still in the application and, using the same two-arrow interface, go through previous incarnations of the displayed information.

Here's an example: If you are working in iPhoto and make changes to an album (or delete an album) and later realize you need a photo from that album, you can simply use Time Machine to view the album as it was yesterday or the day before -- or last month. With a couple of clicks, you can restore lost photos or albums.

The same is true with contact information in Address Book. If you deleted someone's phone number and need to recover it (or if you deleted an entire contact), you can use Time Machine to backtrack and restore the information. This is going to offer users incredible contact management far beyond what is offered by any other contact manager.

What is truly remarkable about both of these examples is that you don't need to be concerned with where the files are stored. You don't need to restore the actual files that Address Book uses to keep contacts information. And for many applications, a majority of users don't know where to find the files anyway, so with traditional backup applications, they wouldn't be able to restore them. That's because until now, backup tools have worked only at the file level.

This integration truly makes Time Machine a paradigm shift in the way users relate to backups.

No configuration needed

Time Machine will function much like Spotlight in that users won't need to be concerned with how it works, just how to access it. Like Spotlight, Time Machine will index the contents of a hard drive when it is first available to the file system.

However, instead of maintaining a database for searching, Time Machine will make a backup of the contents and use its database to track changes made to files. Like Spotlight, Time Machine will also be alerted when a file is modified and will create a backup copy of that file and index the changes. All of this will happen automatically, with no need for a user to configure backup sets -- other than to identify where backup data is to be stored -- such as to an external hard drive.

Like Spotlight, Time Machine will also allow a user to exclude certain directories or folders. Some of these exclusions will be automatic (such as cache files used by Web browsers and other Internet/network technologies).

Excluding certain directories may be necessary for a number of reasons. The first is simply to conserve space on a backup drive. Some users may want Time Machine to automatically manage backups of their entire systems; others may only be concerned that their home folders or specific segments of their home folders be backed up. In network environments, Time Machine will likely need to be configured to exclude network home directories or portable home directories for mobile accounts because this could cause problems with network processes, generate excess network traffic and because an enterprise-level backup solution should already be in place.

All in all, there is a great deal to be excited about in Time Machine. It will truly offer users backup abilities that have so far been limited primarily to larger organizations -- and it will do so at only the cost of storage space. More important, it will offer a uniquely easy-to-use backup solution, one that users will be able to access without needing to think about the complicated configurations that have until now been part of traditional backup applications. The fact that this powerful tool will be included free with Leopard puts it at the top of the list of changes coming to Mac OS X -- at least among the features announced so far.

The Skinny on Windows SPP and Reduced Functionality in Vista

What's the truth about Microsoft's controversial new antipiracy measure?
Scot Finnie

November 10, 2006
(Computerworld) -- One aspect of Microsoft's Windows Vista operating system that has raised users' hackles is its new antipiracy system, called Software Protection Platform (SPP). To understand SPP, it's necessary to take a few steps back. Microsoft began its aggressive campaign against software piracy in Office XP and Windows XP with functionality called Office product activation (OPA) and Windows product activation (WPA).

In July 2005, Microsoft unleashed Windows Genuine Advantage (WGA), which required users of Microsoft's Windows Update, Microsoft Update and Microsoft Download pages to install the first component of WGA, subsequently dubbed WGA Validation. One of the first pieces of software requiring a WGA check was Windows Defender. At that time, Microsoft began requiring that you either install WGA Validation or not use any of Microsoft's download sites. (It was still possible to get Microsoft's security patches through Windows XP's Automatic Updates without installing WGA Validation.)

WGA Validation is a piece of code that runs in Windows and that determines all on its own whether the installed copy of Windows it's running in might have been pirated or improperly authorized. Earlier this year, Microsoft delivered the second component of WGA, called WGA Notifications. Its purpose is to inform the user that WGA Validation has found a problem with the installed copy of Windows. It also tries to help the user find a solution, including asking for money to relicense Windows.

WGA Notifications ran into a buzz saw of criticism when an early version of it reconnected with Microsoft servers in the background on a daily basis. Even more important, there was a wave of reported false positives. WGA Notifications is technically an optional install from Windows Update or Automatic Updates, but the manner in which you choose not to receive it is not intuitive for most users.

WPA and WGA work together on Windows XP machines they're installed on. WGA is also capable of running solo on Windows 2000 computers.

Enter Windows Vista. Microsoft took the opportunity of a new Windows release to unify the processes of WPA, WGA Validation and WGA Notifications. Possibly because of the bad press WGA received over the summer, Vista's new antipiracy system is called Software Protection Platform.

The most overt change in SPP is that Microsoft's antipiracy measures now have an enforcement action. Whereas WGA Notifications just nagged you, with little negative fallout other than the nagging itself, SPP carries a big stick. After numerous warnings and a grace period, SPP will automatically and without option force Windows Vista into what Microsoft terms "reduced functionality mode" (RFM).

How SPP works

Perhaps because many of the early reports about SPP and RFM were based on a series of whirlwind press briefings, an online FAQ, and later a white paper (Word .doc), a lot of conflicting reports attributed different descriptions of how RFM works. We asked Microsoft to provide some clarity on SPP and RFM. Here are the company's answers, relayed by its public relations firm:

CW: What exactly is SPP's reduced functionality mode?

Microsoft: When a user enters RFM, the default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will automatically log the user out. It will not shut down the machine, and the user can log back in.
CW: How long does RFM last?

Microsoft: RFM lasts until the user remedies the situation. In the event that a system is placed into RFM, there are several remedies available. First, the user can simply follow the prescribed activation process and options described above -- these include entering a new product key, obtaining a new product key or reentering the original product key. For volume-licensing customers, the user can return to normal Windows operating mode by connecting to a Key Management Service (KMS) service to automatically renew the activation or obtain a Multiple Activation Key (MAK). Finally, if the system is in RFM because of hardware changes, the user can restore the original hardware configuration. At any time in the process, a user can contact Microsoft support for additional help.

CW: Does RFM automatically log off users after a period of time?

Microsoft: In RFM, users are logged off of the Internet after one hour of usage.

CW: And does RFM let you log back in later?

Microsoft: Users will be able to immediately log back in.

CW: When does SPP's RFM begin? After 30 days?

Microsoft: A copy of Windows Vista can go into reduced functionality mode under two scenarios:

1. If any of the following events occurs (for each license type):

Retail License (or corporate user with a MAK):

  • Failure to activate within the grace period (30 days after installation)
  • Failure to renew activation within three days of a major hardware replacement

OEM License (or non-volume-license enterprise with OEM-sourced, preactivated Vista image):

  • Failure to activate within three days of switch to a non-OEM motherboard

Enterprise License using KMS:

  • Failure to activate with KMS within 30 days of installation
  • Failure to renew activation with KMS within 210 days of previous activation
  • Failure to renew activation with KMS within 30 days of hard drive replacement

2. A copy of Windows Vista may be required to reactivate for the following reasons, and failure to successfully reactivate during the 30-day grace period will cause the copy of Windows Vista to go into reduced functionality mode:

  • The activation process has been determined to have been tampered with or worked around, or other tampering of license files is detected.
  • A leaked, stolen or prohibited product key is detected that is blocked by Microsoft product activation servers.

Before being placed into RFM, users will always have a grace period to resolve the situation. During the grace period, reminders will pop up to inform them that they must activate within the specified time period or else they will lose Windows functionality. During the last three days of the grace period, the reminders are displayed with increasing frequency.

Making Your Move to Vista: What You Need to Know

Scot Finnie and Valerie Potter

November 10, 2006 (Computerworld) -- By now you should be aware there are many pluses and minuses to Vista. It's not a slam-dunk decision, but there's a lot to like about the new Windows. Once you decide to make the upgrade, you'll find that you're confronted with more than the usual number of questions to answer and details to sort through before you arrive at your Vista upgrade path.

For starters, are you buying new hardware? Or are you upgrading your existing hardware to Vista? Most of Microsoft's system requirements should very definitely be described as minimum. I mean overly minimum. It's even a little contradictory because the video requirement is more in keeping with advanced newer hardware, and the CPU and memory configuration is more like what you'd expect from an el cheapo PC circa 2004.

Or let us put it another way: This is the salient information you need to know about system requirements if you want to fully enable Windows Vista's Aero user interface:

DirectX 9 (DirectX 10 preferred) 3-D graphics processing unit with a WDDM driver, 128MB graphics memory (minimum), support for "Pixel Shader 2.0," and the ability to display a color depth of 32 bits per pixel.

Although graphics cards that share main system memory are acceptable, you will find that the best approach is 256MB of dedicated video RAM. We have seen some 64MB dedicated video RAM mobile graphics processing units that support Aero nominally, probably because they share main system memory beyond the dedicated 64MB.

The rest of Microsoft's Vista-capable system requirements read like this:

  • 1-GHz 32-bit (x86) or 64-bit (x64) processor
  • 1GB of system memory
  • 40GB of hard drive capacity with 15GB free space
  • DVD-ROM drive
  • Audio output capability
  • Internet access capability

Our real-world experience indicates that an Intel or comparable Pentium Centrino or M 2-GHz CPU should be the minimum. You should have at least 1.5GB of RAM, and if you're buying a new machine, get 2GB of RAM. Your hard disk should be at least a 60GB drive, and we'd recommend 25GB free to allow for new applications. Don't forget the DVD drive. The Vista disc is a DVD, not a CD.

If at all possible, get Vista on a new machine. Our limited experience with upgrading Vista over Windows XP has been surprisingly positive. But be aware that you can't uninstall a Vista upgrade the way you could those of previous versions of Windows. And you'll be absolutely assured of driver support if you buy Vista pre-installed from a reputable hardware vendor.

Anyone planning an upgrade installation should review Microsoft's Upgrade Planning for Windows Vista. There are two aspects of the term upgrade worth considering. The first is saving money on the cost of Vista. The second is something new and different. There are heavy limits on which previous versions are capable of being upgraded to four of the six main Vista versions.

So, for example, even though you can upgrade from Windows 2000 to Windows Vista at the cash register, you can't actually perform a Windows 2000 upgrade of the software. You have to clean install Vista when moving up from Windows 2000. The same is true of Windows XP Pro x64. Windows XP Home Edition can be software upgraded to any version of Vista. But the other three versions, XP Pro, XP Media Center and XP Tablet PC, can upgrade only to some of the new Vista versions.

Versions and prices

In the United States, Vista will be offered in five basic editions -- two aimed at businesses and three at home users. Not sure which one to choose? You're not alone. Please see the Comparison of Selected Features in Windows Vista Versions chart at the bottom of the page, which gives detail about the differences among Vista versions. Here's a quick summary of the versions along with pricing information:

For businesses:

• Windows Vista Business ($299 new; $199 upgrade) supports the Aero interface and includes several features aimed at IT manageability, including Fax and Scan, wireless network provisioning, system image-based backup and recovery, and Group Policy support. In keeping with its business focus, this version lacks many digital media features.

• Windows Vista Enterprise (available only to volume licensees, pricing not released) adds advanced management features such as BitLocker drive encryption; a subsystem for Unix-based applications; and Virtual PC Express, which lets you run legacy apps on a legacy Windows operating system inside a virtual environment on Vista. Like Windows Vista Business, this version does not include Media Center or DVD-burning functions.

For home users:

• Windows Vista Home Basic ($199 new; $99.95 upgrade) offers parental controls and not much else. This version does not support the Aero interface, and it lacks many digital media capabilities.

• Windows Vista Home Premium ($239 new; $159 upgrade) adds digital media features such as Media Center and Windows DVD Maker, as well as Tablet PC functionality and scheduled user data backup.

• Windows Vista Ultimate ($399 new; $259 upgrade) combines all the multimedia features of the home editions with the advanced file- and network-management features of the business versions. This version has it all -- and it'll cost you.

Our recommendations? Nobody should opt for Vista Home Basic. That's especially the case if you're buying a new PC. So long as you can afford a better PC, get a better PC -- one that supports Vista Home Premium. Even in an upgrade situation, you might want to move your retail version to better hardware someday. Spend a bit more for Vista Home Premium. That will deliver the ability to run the Aero interface, support for Media Center and DVD-burning capabilities. If your hardware doesn't support Aero, Vista degrades to the Vista Basic interface automatically. On a desktop PC, you may be able to get Aero by updating your video card.

IT organizations will make the decision about the business version that's best for their users, and we suspect the choice will have more to do with their license agreement than the minor differences in the feature set. Any enterprise that needs BitLocker or the Virtual PC legacy app utility on employee machines will need Vista Enterprise.

What if your computer is the primary computer you use 24/7? You use it for work, you use it for entertainment, it's your weekend shopping tool, your DVD player and the machine you give business presentations with? Well, first, we'd like to congratulate you. Because you've eliminated one of the biggest frustrations of computing: Where's that file? Oh, yeah, that was on the other computer. All your data is in one place, the way it should be.

Microsoft has a version of Windows for you. It's called Windows Vista Ultimate Edition. You'll notice it's not cheap. But it does everything you want, and then some.

Compatibility and timing

Microsoft has done several things to make hardware work better with Vista. One of our favorite features is that it can now smartly search an entire CD or DVD, or the directories and subdirectories on your hard drive, to find a specific driver, without your having to click into the specific folder. So you no longer have to guess or remember where that legacy hardware driver is.

On the other hand, hardware support in the on-DVD driver pack is definitely not perfect. About 70% of the drivers that we've seen Vista come up empty on are mainstream components, such as the SoundMax driver set and Linksys's PCI Gigabit NIC. (NICs in particular should have excellent support, since you can't get online to help yourself without them.)

Microsoft is claiming excellent hardware support; we think the company intends to rely heavily on Windows Update to deliver driver support. Because, really, it's no better than previous versions of Windows.

As for software compatibility, that's still a wild card. The gold version of Vista hasn't been out there long enough to draw hard conclusions. We think you can expect issues with security software, utilities and many enterprise applications designed to run on older Microsoft operating systems. We've even been hearing rumblings about issues with IE7 and some enterprise Web applications.

For more information about hardware and application compatibility in advance of installation, download and run the Windows Vista Upgrade Advisor on the machine on which you intend to perform the upgrade. You may not like what you learn from this exercise, but you'll be forewarned. We recommend that everyone considering Vista take this step.

Should you jump in with both feet on the first day Vista is available to you? Enterprises already know that's patently absurd. XP works well enough for now. But there are reasons why enterprises might be interested in making the move. Perhaps your hardware is tired and needs an upgrade now, and you're planning to move to Vista. Perhaps you need the security or some of the other improvements. Test it right away. But you know the drill; hang back and let the first adopters make all the mistakes.

Home users have a different set of issues to consider. Need new hardware? Hey, let's be honest with ourselves, most of us can wait another six months. That would be our very best advice. If you're going to jump, jump into the higher end. The first wave of PCs for any new Windows is often a little lacking in the right stuff to run the operating system properly for the long haul.

Instead of an upgrade installation, advanced home users should consider installing Vista in a dual-boot arrangement or as a virtual machine in a virtualization utility, such as VMWare. To virtualize Windows Vista, your utility must support ACPI. Working in this way has no downsides to you. You can buy it this way and test it for a while before making your decision about how and where to install it more permanently.