June 6th, 2006

Why Microsoft should put user data in a separate volume

Posted by George Ou @ 1:50 pm

Categories: Infrastructure, Security, Vista

Tags:

When I attended Microsoft’s Vista preview two weeks ago, Microsoft’s Jim Allchin gave a talk and answered some questions to the press.  During his talk, Mr. Allchin told us a story about some memories he shared with Steve Ballmer.  The way the story goes, Steve Ballmer walked in to Jim’s office one day and plopped a big desktop PC on his desk.  Apparently, Ballmer had spent the entire weekend trying to clean spyware off of a friend’s computer and couldn’t so he put it in Allchin’s hand.  After tens of man-hours of engineering time, they finally managed to clean the PC to a workable state and sent it back to the owners.

The reason I bring this story up is that it explains precisely the reasoning behind Mike Danseglio’s recommendation that infected PCs be nuked and rebuilt from scratch.  The pundits jumped on Danseglio’s recommendation and scolded him for being a coward and admitting defeat on the spyware front but any security expert will tell you that unless you had a checksum database of every single file on your system drive regardless of the operating system, there is no way to be sure the system is actually clean.  To make this case, I wrote "wiping an infected computer is best for any OS".  As Jim Allchin’s engineering team is fully aware of, cleaning an infected computer is not easy and it can costs tens of man-hours to fix.

Following up my blog to respond to some of the harsh feedback that I too was being a coward, I wrote "ego and computer maintenance don’t mix".  Having been a PC repair tech in my college days and being the designated friend that fixed your PC most of my life, I can say with certainty that it never makes sense to attempt to repair Windows if it’s infected badly or is unstable.  I even had a Geek Squad member under the handle of AlisaK2000 explain that this is exactly what they do whenever a computer requires anything more than a simple scan and removal.  The problem with this is that backing up and restoring the data is no trivial task because Microsoft defaults the data partition to share the same logical volume as the operating system.  Another computer repair tech explains that they would essentially give the customer two options.  They either forfeited their data to a drive format and be charged for 2 hour labor to rebuild Windows or they paid 4-5 hours labor have the data backed up first and then restored after Windows was rebuilt.  This is a choice that no one should ever have to make!

Even system integrators like Dell and HP offer an image recovery disk that sets a computer back to factory defaults which means it rebuilds the entire OS along with applications that came with your PC within 30 minutes.  Then whenever a tech support person needs to spend more than 15 minutes on the phone troubleshooting the PC, they ask the user to insert the recovery disk and re-image their system.  The problem with this has always been the user data mixed in with the OS and the user has to make the tough choice if they want their computer to work normal again or if they want their data more.  This same problem even affects corporate PC images because it isn’t easy to shift the entire "Documents and Settings" folder on to a different partition and simply relocating "My Documents" is no substitute.  There are some manual ways of do this, but it’s very difficult to do and it requires a special installation routine with special command line options.

Whenever an OS needs to be backed up or restored, the challenge of having a shared system and data partition affects hundreds of millions of users and Microsoft’s default location Documents and Settings is a big factor in this problem.  Having user data live on the system volume makes it extremely difficult to take a system snapshot.  The OS usually takes up 3 to 8 GBs, but user data typically takes up 10 times that amount!  If you have to take a system image, you’re typically forced to image 50 GBs instead of just the 5 GBs that the OS and Applications would need.  Having separated data is essential to the system imaging strategy for the home or the business.  The fact that Windows Vista now includes a system backup utility and a whole new corporate imaging deployment tool is wonderful, but that only increases the need for data separation.

If we’re talking about data encryption, there as been much talk lately of Microsoft’s BitLocker technology.  However, there is still a need for Microsoft’s improved EFS (Encrypted File System) in Vista to protect user data.  While Vista’s BitLocker is touted as a "full drive encryption" solution, it turns out that it’s more suitable for protecting just the operating system volume rather than the user data since BitLocker is not PKI based due to the limitation that PKI relies on infrastructure that is non-existent in a pre-boot environment.  This means that you will have to put all user data in a separate physical or logical storage volume so you can apply EFS to just the data volume and BitLocker encryption to the system drive.

When I asked Jim Allchin about the need to separate user data, he initially suggested using roaming profiles but I wouldn’t accept that answer because not everyone uses that and it still involves a massive transfer of data to recover a system.  I asked Mr. Allchin why Microsoft couldn’t simply change the default location of "Documents and Settings" to a data partition or data drive.  I added that no legacy applications use "Documents and Settings" via absolute addressing anyways in the first place and everything that uses relative addressing won’t be affected anyways.  As this went on, Mr. Allchin admitted that it would probably not break too many things and he seemed to at least be open to the idea.  After the presentation, Mr. Allchin sent his Executive Director of Communications to follow up with me and I intend to send her a copy of this blog as an open letter to Mr. Allchin and Microsoft.  I’ll finish with the following summary.

• Windows (or any other OS) once infected is extremely difficult to repair.  Jim Allchin’s story with Steve Ballmer clearly proves this.
• Users are forced to choose between paying more for backup and recovery service or forfeit all their data.
• Corporations waste a lot of time restoring systems images when data is mixed in with the system partition.
• Techniques like roaming profiles are not always practical and are not a substitute for good default data separation.
• Imaging a combined system/data volume is impractical due to the massive size.
• Running hybrid BitLocker and EFS mode requires separate user data
• Changing the default location of user data and the volume it resides on shouldn’t be difficult for Windows Vista and it certainly shouldn’t break any legacy applications any more than the new "C:\Users" folder structure would.  There is no better time to make this kind of correction to make all of our lives easier.

Mr. Allchin, I await your response.  Thank you for listening.