By Roger A. Grimes
I’ve been using several versions of Microsoft’s Windows Vista for the last few months. Although any beta’s feature set is not set in stone until the release-to-manufacturing date, here’s a recap of some of the new security changes.
UAC (User Account Control) is probably the most welcome security update. A large portion of today’s malware requires that the user executing the malware be logged in with administrative privileges. Unfortunately, for one reason or another, many of today’s users are logged in as administrators all the time.
UAC avoids this problem by running most programs in a more restricted context (actually, it’s an expansion of the Restricted SID available in XP today), even when the user is an administrator. For example, if you are logged in as an administrator, your Internet Explorer session will still run as a non-admin user. To accomplish admin-level tasks, you’ll be prompted to re-enter your password.
On a related note, a new privilege is being added so that non-admin users can adjust the system’s time zone settings. This is a welcome addition for travelling users.
Microsoft’s antisyware software will be integrated into Windows Vista. This should prevent more malware successfully deploying. And registry redirection features will offer an extra layer of protection against malware, too. Legacy (pre-Vista) applications that expect to write directly to protected system registry locations will instead be transparently redirected to virtual registries.
Vista also has Secure Startup. On Enterprise versions, this means the entire hard drive can be encrypted prior to boot, and the encryption key will be securely stored inside a Trusted Platform Module chip on the motherboard. Many of the methods used to circumvent permissions using NTFS-aware boot disks will no longer work.
There’s improved auditing too, including the ability to kick off external programs (such as a sniffer) when a specified event type is noted. You’ll also enjoy improved support for non-password authentication mechanisms (smart cards, fingerprint readers and so on). On a related note, EFS (Encrypting File System) keys can be stored on smart cards.
Windows services, often an entry point for buffer overflows and malware, will be hardened. Although Vista will include more services than any of its predecessors, more of them will run in the Local Service and Network Service contexts (instead of Local System), along with a complete code inspection and rewrite of vulnerable services. Each service will be given its own SID, allowing permissions, privileges, and firewall settings to be set per service.
Microsoft has also added a new NTFS ACE (access control entry) permission called Creator Owner. It will allow more granular permissions to be set ahead of time for new objects and their owners. Currently, NTFS permissions can be given to the Creator Owner’s group. This new ACE permission is the opposite — it will allow for a permission called Creator Owner to be given to another security principal.
The Power Users group will be degraded or removed on Vista. The Windows Firewall will do outbound blocking, and the new version will alert the user when an unapproved program attempts to connect to an internet location or attempts to set up a listening service.
On new OS installs, the Windows Firewall will be enabled with no exceptions allowed until after patching is completed. This feature is already built in to Windows Server 2003 SP1 and prevents roving malware from exploiting Windows prior to patches being installed.
There will also be an entirely new console, called the Windows Firewall with Advanced Security, for configuring and better integrating both IPSec and the firewall. It looks to be much easier to use, requiring much less effort to configure.
Vista will not rely on MD5 or SHA-1 hashing. Since both hash algorithms have been found to have cryptographically easy collisions, Microsoft will be using stronger hashes, including SHA-256.
On the patch front, Vista supports patch-in-place features. You can patch and then reboot the box with all current applications open, and Vista will restore the current application sessions upon reboot. Of course, it would be nicer if patches didn’t require a reboot at all.
A new Network Centre application will allow all things networking to be viewed, configured and managed at a central location. There’s also an improved NAP (Network Access Protection) client. NAP is a network access control (also known as network quarantining) client. When the server side is enabled on Windows Server 2003, NAP can prevent unauthorised and ill-configured clients from connecting to a production network. Microsoft’s current implementation of NAP is not user-friendly or overly useful.
Vista will also include the much improved Internet Explorer 7, which includes more than a dozen new security enhancements. And, of course, there will be hundreds of new GPO (group policy objects) settings regarding security, but these are too numerous to cover here.