In "Vista's User Account Control and BitLocker Drive Encryption," (April 2007, InstantDoc ID 95153), I examined two major new security features in Windows Vista. But the improvements in Microsoft's latest OS don't stop there. Vista also has many other technologies that will help IT pros secure their environments, including secure logon support, file system and registry virtualization, an enhanced Encrypting File System (EFS), service and process isolation, driver signing, 64-bit security features, USB Device Control, and Network Access Protection (NAP). These new and enhanced features are responsible for Vista's reputation as the most secure Windows OS yet.
New Ways to Securely Log On
Most people today use an alphanumeric password to log on to secure PCs, but Vista has been designed to support smart cards, biometric devices such as fingerprint readers, and other secure logon methods. Indeed, Microsoft is embarking on a multiyear quest to move its biggest customers from alphanumeric passwords to more secure authentication methods. Vista is the first OS to fully support these alternatives.
To accommodate these security features, Microsoft has completely rewritten the Windows logon UI and the logon technologies in Vista. Vista natively supports not only new credential types (i.e., smart cards and biometrics) but also multiple credentials. Furthermore, because the credentials system is extensible, enterprises will soon be able to choose from a wide range of third-party solutions. These solutions will integrate with appropriate technologies in the Windows desktop, including Vista's User Account Control (UAC).
File System and Registry Virtualization
Many legacy applications aren't designed to support standard user accounts, but modify the registry or file system to let users perform certain tasks or access certain resources. When you try to run such applications on Vista, with its locked-down file system and registry, you can run into difficulties. To ensure that legacy applications have fewer problems during installation and execution, Microsoft has created virtualized versions of the file system and registry.
In Vista, all file system and registry writes are automatically and silently redirected to user locations so they can't harm the entire network. For example, when an application installer attempts to write to C:\Program Files, Vista redirects the write operation to a VirtualStore directory within the current user's account. To the application, the write operation proceeds normally, and to the user, the application appears to reside in the expected location. On multiuser systems, each user has an isolated, local copy of every redirected file.
Registry virtualization works similarly. Vista virtualizes the HKEY_LOCAL_MACHINE\SOFTWARE hive, and applications that attempt to store configuration information in system-wide portions of the registry are redirected to a new structure under HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE. As with file virtualization, all users on a system have their own copies of configuration information that, on earlier versions of Windows, was saved globally.
Because file system and registry virtualization is a stopgap measure intended to make legacy software compatible with Vista, such virtualization is available only in the 32-bit versions of Vista. Microsoft expects Vista-compliant applications to respect the new Windows application guidelines. As more and more applications are ported to the new development framework, future Windows versions will do away with file system and registry virtualization. Vista's compatibility technology is only a short-term solution.
Although Vista Enterprise and Ultimate editions have a new, automated approach to full disk encryption, called BitLocker, Windows has long supported EFS for general file and folder encryption. Vista continues that support, but has improved EFS security, performance, and management.
Specifically, you can now store EFS user keys on smart cards, making administrative recovery of EFS-protected data more secure and convenient than ever before. Vista also supports encryption of the system page file and offline copies of remote files, functionality that administrators have been requesting for years. To make EFS easier to manage, Microsoft has added several EFS-related options to Group Policy. These options include requiring smart cards for user verification, enforcing page file encryption, and enforcing encryption of each user's Documents folder structure.
Windows Service and Process Isolation
In an effort to reduce the overall attack surface of Vistabased PCs, Microsoft has reduced the number of services that run by default and ensured that they are running at the lowest privilege level possible. Furthermore, all services are now limited to the local machine or local network, in contrast to previous Windows versions, in which service permissions extend beyond the box according to the privilege level under which they are run. Individual processes are also much more restricted than they were in previous Windows versions.
Both service and process isolation—as well as UAC and file system and registry virtualization—rely on a low-level change to Windows that categorizes and isolates objects by trust level. The new Windows integrity control component essentially prevents processes that have few rights from interfering with processes that have more rights. In Vista, integrity levels trump user privileges. For example, malware can no longer run with the privileges of the logged-on user, as it could in Windows XP. Now, malware runs only within the integrity level of the object that spawned it. Thanks to Vista's service and process isolation, malware that successfully attacks the OS should be less able to break into other parts of the system.
Vista has six integrity levels:
- Untrusted—a rarely seen level that's used only for anonymous logons.
- Low—a level that's used for Internetrelated features, including Internet Explorer 7.0 and the Temporary Internet Files folder.
- Medium—the default integrity level, used for Standard User accounts and most Windows-generated files.
- High—the level used by Administrator accounts running in elevated mode. (By default, even Administrator runs with Standard User privileges.)
- System—the level used by most kernel and system services.
- Installer—a level that's invoked only by installer routines. (To ensure that uninstall works properly, installers need to operate at a higher integrity level than other objects in the system.)
Although Microsoft introduced the concept of driver signing with Windows 2000, driver signing is mandatory only in the 64-bit version
of Vista. All kernel mode drivers in the 64-bit versions of Vista must be digitally signed, preventing poorly written or aberrant software from compromising the core of the OS. Driver signing isn't purely a security feature, and it can't ensure that a driver isn't purposefully written to compromise Vista. However, because driver signing prevents tampering and introduces a sense of identity to the process of installing drivers, signed drivers tend to be more stable and secure than their unsigned counterparts, leading, ultimately, to a more stable and secure OS.
Vista includes some improved 64-bit security features and others that are entirely new. This means that, theoretically, 64-bit versions of Vista are more secure than 32-bit versions. That said, you'll want to balance your desire for security with the realities of the 64-bit world: As of this writing, 64-bit versions of Vista have more hardware and software compatibility problems than do 32-bit versions, so you will want to ensure that everything works correctly before moving to 64-bit.
I discussed a number of 64-bit security features in "What You Need to Know About Windows Vista x64 Versions' Unique Security Features" (August 2006, InstantDoc ID 50522) including Kernel Patch Protection ("PathGuard"). Microsoft has since bowed to pressure from security software vendors and agreed to provide APIs so that the vendors can programmatically access the Vista kernel as they could with previous Windows versions.
Finally, the low-level remote exploit protection feature Microsoft has been working on for the past year now has a name: Address Space Layout Randomizer (ASLR). This feature, which has proven quite effective on UNIX, randomly varies the memory addresses of Windows data structures at boot time, helping to protect against malware that relies on particular memory offsets to perform overflow attacks. In addition to being available only on the 64bit versions of Vista, ASLR requires that Data Execution Protection be enabled.
USB Device Control
Because so many of today's users have iPods and USB devices such as thumb drives, systems administrators often fear that the USB ports on client PCs will be an off ramp for valuable corporate data. It doesn't help that USB devices are often so small that they're easily lost and that malware can be written to launch from a USB device. Some administrators have even taken to gluing USB ports shut to prevent such losses.
To combat this potential problem, Vista supports new Group Policy options that help administrators block the installation and use of unauthorized devices, including USB and Firewire storage devices. These options can be applied to individual computers or across a group of machines throughout your environment. You can even fine-tune which devices are blocked. For example, you can choose to block an entire class of devices (e.g., all USB devices), block all removable storage devices, or block or allow specific devices. You can even control read and write access to removable storage devices by user and by machine.
Network Access Protection
When the newest version of Windows Server— code-named Longhorn—ships in late 2007, enterprises will be able to use it with Vista to implement a network quarantining solution called NAP. NAP will utilize health policies to examine systems connecting to the network and quarantine those that don't adhere to the policies. While in quarantine, out-of-date systems can be brought up to speed with whatever security updates and other features are mandated by policy. Healthy systems, meanwhile, will be provided normal access to the corporate network. Vista includes the NAP client, and Microsoft will ship a NAP client for XP SP2 with Longhorn.
There's no doubt that Vista is more secure than previous Windows versions. The only question is whether Vista's security features will prompt you to move to the OS more quickly. Microsoft is betting that you will. I predict that businesses will migrate to Vista more quickly than they did to XP, and the OS's security features are a good reason to migrate early.