Driver Signing
Although Microsoft introduced the concept of driver signing with Windows 2000,
driver signing is mandatory only in the 64-bit version
of Vista. All kernel mode drivers in the 64-bit versions of Vista must be
digitally signed, preventing poorly written or aberrant software from compromising
the core of the OS. Driver signing isn't purely a security feature, and it can't
ensure that a driver isn't purposefully written to compromise Vista. However,
because driver signing prevents tampering and introduces a sense of identity
to the process of installing drivers, signed drivers tend to be more stable
and secure than their unsigned counterparts, leading, ultimately, to a more
stable and secure OS.
64-Bit Security
Vista includes some improved 64-bit security features and others that are entirely
new. This means that, theoretically, 64-bit versions of Vista are more secure
than 32-bit versions. That said, you'll want to balance your desire for security
with the realities of the 64-bit world: As of this writing, 64-bit versions
of Vista have more hardware and software compatibility problems than do 32-bit
versions, so you will want to ensure that everything works correctly before
moving to 64-bit.
I discussed a number of 64-bit security features in "What You Need to Know
About Windows Vista x64 Versions' Unique Security Features" (August 2006, InstantDoc
ID 50522) including Kernel Patch Protection ("PathGuard"). Microsoft has since
bowed to pressure from security software vendors and agreed to provide APIs
so that the vendors can programmatically access the Vista kernel as they could
with previous Windows versions.
Finally, the low-level remote exploit protection feature Microsoft has been
working on for the past year now has a name: Address Space Layout Randomizer
(ASLR). This feature, which has proven quite effective on UNIX, randomly varies
the memory addresses of Windows data structures at boot time, helping to protect
against malware that relies on particular memory offsets to perform overflow
attacks. In addition to being available only on the 64bit versions of Vista,
ASLR requires that Data Execution Protection be enabled.
USB Device Control
Because so many of today's users have iPods and USB devices such as thumb drives,
systems administrators often fear that the USB ports on client PCs will be an
off ramp for valuable corporate data. It doesn't help that USB devices are often
so small that they're easily lost and that malware can be written to launch
from a USB device. Some administrators have even taken to gluing USB ports shut
to prevent such losses.
To combat this potential problem, Vista supports new Group Policy options that
help administrators block the installation and use of unauthorized devices,
including USB and Firewire storage devices. These options can be applied to
individual computers or across a group of machines throughout your environment.
You can even fine-tune which devices are blocked. For example, you can choose
to block an entire class of devices (e.g., all USB devices), block all removable
storage devices, or block or allow specific devices. You can even control read
and write access to removable storage devices by user and by machine.
Network Access Protection
When the newest version of Windows Server— code-named Longhorn—ships
in late 2007, enterprises will be able to use it with Vista to implement a network
quarantining solution called NAP. NAP will utilize health policies to examine
systems connecting to the network and quarantine those that don't adhere to
the policies. While in quarantine, out-of-date systems can be brought up to
speed with whatever security updates and other features are mandated by policy.
Healthy systems, meanwhile, will be provided normal access to the corporate
network. Vista includes the NAP client, and Microsoft will ship a NAP client
for XP SP2 with Longhorn.
Final Thoughts
There's no doubt that Vista is more secure than previous Windows versions. The
only question is whether Vista's security features will prompt you to move to
the OS more quickly. Microsoft is betting that you will. I predict that businesses
will migrate to Vista more quickly than they did to XP, and the OS's security
features are a good reason to migrate early.
Register
