Preliminary testing of the first public beta release of Microsoft's next version of Windows, called Vista, shows that a reorganised system for managing files and folders and new security features aimed at thwarting malware will force enterprise administrators to think about how these features can be best deployed across their networks.
We tested build 5112 of the client version of the Vista code. Beta code for the server version isn't publicly available yet. The client code is far from finished (the long-awaited search technology and promised configuration and management upgrades are missing), and it's not very stable — we had a blue screen and reboot within ten minutes of initial testing.
That said, Microsoft has vastly expanded its file system characteristics through the use of file metadata tagging, virtualised folders, and peer and server file services. Microsoft has taken its traditional "documents and settings" file folder structure and, while keeping some ties to it for backward compatibility, has adopted the user "home" directory folder concept from Unix, Linux, Mac OS X and other operating systems.
In addition, a public folder for each machine is automatically made that is then available for cross-machine (peer) searches, making Vista a thoroughly team-enabled operating system that allows information sharing in ways not before seen in other Microsoft operating systems.
Files and folders also can now be easily cached and synchronised to a server using a method that completes the vision of the Windows 95 Briefcase system of server-side backup and availability services. This plays into Microsoft's recently announced Data Protection Services initiative, but we could not test those ties, as the production version of Microsoft's Data Protection Manager wasn't available. How synchronisation works across both groups and individuals will require administrative thought to avoid multiple concurrent instances of data and program files.
File attributes — presented as file metadata in Vista — have been expanded. Metadata tagging information schemas have standard definitions, but they beg expansion, as the tags are limited to applications for which Windows has generated example tags. For example, beyond knowing the author, you might want to know if a document has had a legal review by a certain user.
This level of metadata tag usage will force IT execs to consider new policy management scenarios for the kinds of metadata tags that can be used by which users, how metadata is organised, and the means by which new data can be searched for across enterprise boundaries.
New user account protection
Vista uses a modified (from Windows XP) security model for enabling security hierarchy. One problem for XP has been that many users and processes have administrative-strength privilege, allowing unwitting and surreptitious installation of malware. Patches, fixes and updates also must be installed using administrative access rights, which makes it difficult to keep administrative account use to a minimum.
Microsoft strongly recommends user account protection (UAP), which dramatically demotes user account privilege. User-level logons can no longer even install basic and well-known applications such as Office XP without an administrative logon, which should help prevent the installation of malware. UAP is turned off by default in this release, as it can prevent applications from working. But even when it's turned on, it can be easily fooled or thwarted with application spoofing.
With UAP (much like what happens with MacOS X), each installation — or modification to the Windows registry or change to certain files — requires the installer to provide an administrative password. Passwords issued by the new operating system are tokens used only for specific acts, so it's possible to generate numerous token/authentication requests until databases can be built to protect multiple occurrences of protection requests per session. Simple execution of applications that try to install malware (we tested infected email scripts and PIF files) can sometimes trigger an administrative password use. When we tested it with a common version of the Sobig virus, the downloaded virus that should have triggered the privilege or authentication request did not do so, and it easily infected the machine.
Applications used to living in an administratively privileged environment may or may not become exception-handling problems in the final edition. Microsoft certainly will have a long list of applications to accommodate as root users or find fixes for before the 2006 release.
One feature in the Internet Explorer 7 upgrade included in Vista that may require network attention is the easy access to RSS feeds. With the new tabbed Internet Explorer 7 interface, we could add and delete RSS subscriptions without rules or other impositions as to any item except the frequency of RSS polling and updates. Some organisations have placed limitations on RSS usage because of its network bandwidth requirements and perceived loss of worker productivity.
Vista manifests Microsoft's efforts to pay attention to security, availability and client-side management. While the feature set isn't complete in this beta, it is obvious that a wide deployment of this upgrade will require extensive planning.
Henderson is principal researcher for ExtremeLabs. He can be reached at firstname.lastname@example.org