[Infowarrior] - Change in Microsoft Vista security system promises Windows migration headaches

Richard Forno rforno at infowarrior.org
Tue May 9 08:01:50 EDT 2006


This story appeared on Network World at
http://www.networkworld.com/news/2006/050806-microsoft-vista.html

Change in Microsoft Vista security system promises Windows migration headaches

By John Fontana, Network World, 05/08/06

Corporate users with third-party, Windows-based authentication systems such
as VPNs could face a difficult transition to Microsoft's Vista because of an
overhaul of the core Windows logon architecture, according to independent
software vendors and analysts.

The good news for users is that those same observers say Vista, which is
being touted for its security features, will eventually deliver a more
secure and flexible authentication architecture than exists today in
Windows.

But ISVs say rewriting their code for the new architecture will produce
headaches that will extend to their customers who have deployed strong
authentication such as biometrics or tokens, enterprise single sign-on, and a
number of other systems integrated with the Windows authentication
architecture.

"Not only the vendors, but the customers that have [authentication systems]
already deployed are going to go through a lot of pain," says one ISV who
asked not to be named. "We knew there were going to be changes, but we
didn't know there would be wholesale changes."

Users will have to go through testing periods after vendors deliver new
interfaces for their products. During migrations, users will have key
security infrastructures that straddle two different authentication
environments, one for Vista and one for earlier versions of Windows, until
migrations are complete. They also will have to support different
client-side code and separate interfaces that will present retraining
issues, experts say.

In addition, users with any homegrown authentication mechanisms linked to
Windows will have to rewrite their code from the ground up.

ISVs also have to completely rewrite and certify the custom code they write
to interface with Winlogon, the Windows process that manages logon and
logoff. That task will be painful in part because ISVs say Vista's new
authentication architecture is incomplete in the beta released in February.
The new architecture, called Winlogon Re-Architecture, includes a model for
building modules called Credential Provider. The February CTP was also the
first release whose notes stated that the GINA architecture had been
abandoned, even though the company had started talking about it at its
Professional Developers Conference the previous September.

The previous model, called Graphical Identification and Authentication
(GINA), is used by ISVs such as Check Point, Cisco, Citrix, Nortel, Novell,
RSA Security and Symantec to link their authentication technology into the
Windows authentication architecture.

"There are things built into GINA that are not in the existing Winlogon
module you get with the Vista beta," says the ISV who requested anonymity.
"Other pieces must be coming in later betas. If not, this makes the strategy
of waiting for the first Vista service pack even more valid." Historically,
many corporate users have waited for Service Pack 1 of a new operating
system before adopting it.

The ISV says customers with multiple products that hook into GINA will have
the most difficult support and migration issues.

"There will be a relatively significant migration challenge to go from a
GINA-dependent architecture to the new Vista authentication interfaces,"
says the ISV, adding that a systems integrator told him he "anticipates a
big business in helping customers migrate."

Another systems integrator says users always have faced this danger with
custom code added to Windows.

"No doubt there is going to be an impact on the industry; every time you
change Windows code there is an impact on the industry," says Nelson Ruest,
a consultant and systems integrator with Resolutions Enterprises in
Victoria, British Columbia.

"We often recommend to our customers to be very careful about custom
modifications to the Windows environment. Vendors' GINA integrations are
100% custom code," he says.

Ruest says Vista will replace a GINA architecture that dates back to
Windows NT and has problems of its own.

The issue over the Vista authentication architecture began to emerge last
week when RSA CEO Art Coviello lamented in a press interview the fact that
Vista is not providing native support initially for RSA's SecurID for
Windows. RSA refused to comment further, but the company will have to
rewrite its GINA code using the Credential Provider model.

Microsoft also refused comment on Coviello's remarks. A company spokesman
says the strategic direction now is Smart Cards, which Microsoft is
supporting natively in Vista.

The GINA model is a Dynamic Link Library (DLL) that displays the Windows
"Press Ctrl+Alt+Del to log on" screen and accepts a username and password.

The Credential Provider model is based on .Net, Component Object Model and
Windows Shell Extensions, and supports the creation of modules that plug
into Winlogon.

The GINA model is based on Win32, but Windows can run only one copy of it. A
complex method called chaining is required to support the use of multiple
GINAs. Vendors can modify GINA to include their interface on the logon
screen or write their own GINA to replace the logon interface completely.
With Credential Provider, vendors will not be able to replace the logon user
interface.
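A migration inventory check, added here and not part of the article, that a Windows administrator could run before a Vista rollout: on a pre-Vista machine it reports whether a non-default GINA is installed via the Winlogon GinaDLL value, and on Vista it lists the registered Credential Providers by CLSID and backing DLL. It assumes the standard registry locations for both and that it runs with rights to read HKLM.

```powershell
# Added example (not from the article): inventory logon extensions before migration.
# Pre-Vista: a custom or chained GINA is loaded from the GinaDLL value under Winlogon;
# if the value is absent, Windows loads the default msgina.dll.
# Vista: each Credential Provider registers a CLSID subkey under the Credential Providers key.
function Get-LogonExtensionInventory {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cpKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

    $gina = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL
    if (-not $gina) {
        $ginaState = 'default (no GinaDLL value; msgina.dll)'
    } elseif ($gina -ieq 'msgina.dll') {
        $ginaState = 'default (msgina.dll)'
    } else {
        # Anything else is vendor or homegrown code that Vista will not load.
        $ginaState = "custom: $gina (no backward compatibility on Vista)"
    }

    $providers = @()
    if (Test-Path $cpKey) {
        foreach ($sub in Get-ChildItem -Path $cpKey) {
            $clsid = $sub.PSChildName
            # The subkey's default value is the provider's display name.
            $name  = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).'(default)'
            # Resolve the COM class to the DLL that implements it.
            $dll   = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                        -ErrorAction SilentlyContinue).'(default)'
            $providers += [pscustomobject]@{ CLSID = $clsid; Name = $name; DLL = $dll }
        }
    }

    [pscustomobject]@{
        GinaDLL             = $ginaState
        CredentialProviders = $providers
    }
}

Get-LogonExtensionInventory | Format-List
```

Run across the fleet, a non-default GinaDLL result marks a machine whose logon path depends on vendor or homegrown code that must be replaced before that machine can move to Vista.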

"To extend authentication we need to move away from GINA," says Austin
Wilson, director of product management for Windows client at Microsoft. He
said GINA replacements are difficult to write and often present problems
when service packs and security fixes are applied to the operating system.
Those issues are solved in the Credential Provider model, Wilson says.

He said all the tools needed to write Credential Providers are in the Vista
beta today, but he did acknowledge that there would not be any backward
compatibility for GINA.

"ISVs have to write [Credential Providers], and customers have to move to
them, but in the long run it should provide more flexibility, stability and
a more consistent experience," Wilson says.

Some analysts say given the inevitability of change, the next move is up to
vendors and users.

"This is a wake-up call for the vendors," says Phil Schacter, vice president
and group services director for the Burton Group. "For users the question
is, do I roll out a GINA architecture in parallel at the same time I bet on
Vista and its different architecture?"