The new security features in Windows Vista will directly impact the lives of IT pros and administrators (and not always in a purely positive manner). By all accounts, Microsoft has made Vista the most secure Windows version ever produced, yet many industry analysts believe that these security features can tend to overwhelm the user, and that even the most secure Windows version ever could stand some additional hardening. This is the first of several articles that will address what IT pros need to know about Vista security.
What We're Not Discussing
When it comes to new software, it's hard not to focus on the bits that show
up obviously in the UI. In Vista, these UI baubles include items such as Windows
Security Center, Windows Defender, Windows Firewall, parental controls, Internet
Explorer (IE) 7.0 Protected Mode, Windows Update, and Automatic Updates. Because
a discussion of these features is decidedly high-level and you'll almost certainly
read about them elsewhere, we're going to ignore them for the time being and
concentrate instead on more fundamental, low-level security technologies that
will regularly impact your job.
User Accounts and UAC
Like previous Windows versions, Vista utilizes user accounts to determine which
tasks users are allowed to perform and which computer resources they are allowed
to access. Earlier versions of Windows included four basic user account types.
From most restrictive to least restrictive, these account types were Guest,
Standard User, Power User, and Administrator. In Vista, the Power User account
type, essentially a compromise between Standard User and Administrator, has
been removed, and all account types—including Administrator—are
now locked down more securely than ever before. The result is a simpler, more
manageable group of user account types.
Vista's changes to user account features all seem to have been implemented with an eye toward better security. At first glance, the default admin-level account, Administrator, seems to have disappeared. However, it's just hidden and can be activated if you think you really need it. But the first account you create for any Vista installation is an administrator-level account, so you really don't need to activate Administrator. In fact, it's best to leave it hidden since, by default, it doesn't have a password.
The most substantial change to user accounts is User Account Control (UAC). Although it's the most reviled feature Microsoft has added to Vista, UAC is, in my opinion, one of the most important changes in the new OS. Essentially, UAC allows Vista to be as locked down and as secure as possible in its default running state. However, any time the user requests an application, a setting, the Control Panel, or any feature that could affect the system state, Vista displays a consent dialog box—a modal window that appears over a grayed-out version of the current desktop. You must deal with this dialog box before you can continue working—thus my use of the word "reviled" above: It's extremely annoying. What you see will vary slightly depending on the type of user account you're using.
Consider the pre-Vista days: In Windows XP, users with an admin-level account could do anything, including trashing system files. Standard users, meanwhile, could do very little—they couldn't even play most games. Thanks to UAC, Standard User is now completely viable; any time a Standard User tries to perform an admin-level task, the consent window appears and requires the user to type the username and password for an Administrator account.
What's interesting is that even Administrator needs to deal with these UAC consent windows, though such users need only click a Continue button. For admin-level users, UAC is essentially an "are you really sure about that?"–type check. occur in the Secure Desktop (which you typically see when you press Ctrl+Alt+Del within XP or Vista) and are intended to prevent malware spoofing.
Perhaps the most amazing thing about UAC is that it helps lock down Administrator accounts. Even when you log on as Administrator, Vista reduces your privileges. Administrator accounts typically run with the same privileges as Standard User. If you need to elevate your permissions temporarily, Vista prompts you with a UAC consent dialog box and elevates your permissions only for the task you're trying to perform. Most Vista actions that require elevated privileges display a small graphical shield to help you understand what's going to happen. In some cases, you can manually run certain tasks as Administrator. For example, you can right-click the command prompt in the Start menu and choose Run as administrator to run that application with elevated privileges. Moreover, you'll need to use this method if you expect to perform any admin-level tasks from the command line. (You can create shortcuts that always run individual applications as Administrator, but you still need to handle the UAC consent dialog box each time you use the shortcut.)
On paper, UAC seems like a dream come true. However, most users will soon run afoul of this feature. UAC consent dialog boxes pop up quite frequently when you start using Vista—in other words, when you install applications, configure features and settings, and generally make the system your own. After you start actually using Vista, UAC will annoy you much less frequently.
OSs such as Apple's Mac OS X and Linux, which are based on UNIX code, also use UAC-like consent prompts. And because those systems typically require end users to use nonadmin-type accounts for day-to-day work, they're even more annoying than UAC because they always require a password. Paranoid Vista users can configure UAC to always require their password, just like OS X and Linux. That's even more secure than the default configuration (although it's also more arduous to use).
BitLocker Drive Encryption
Given the number of corporate laptops lost to theft or forgetfulness each year,
it's little wonder that the cost of replacing these machines is far outweighed
by the value of the information stored on them. Nearly every month you can read
a news story about someone who lost a laptop that contains private information
for customers and clients, requiring a company to undertake an expensive and
embarrassing public process to try to set things right. Laptop loss and theft
can easily lead to identity theft, sometimes on a massive scale. The key to
preventing this kind of information loss is to encrypt the data on the laptop,
thus preventing others from removing the machine's hard disk and accessing its
contents.
Windows NT-based versions of Windows, such as XP and Windows 2000, have included Encrypting File System (EFS) for years. EFS provides you the flexibility to encrypt individual folders on your hard disk, ensuring that all the data they contain—including documents and other data files added after the folder is encrypted—are protected from prying eyes. EFS does its work with a minimal, imperceptible performance hit, and the results have proven quite satisfactory.
We'll look at Vista's improvements to EFS in Part 2 of this write-up next month, but Vista Enterprise and Vista Ultimate include an even more impressive encryption function called BitLocker Drive Encryption. BitLocker Drive Encryption automatically encrypts the entire Windows volume (i.e., the partition on which the WINDOWS directory is located—typically the C drive) without requiring the end user to configure anything. Admins can easily roll out this feature to executives and others who travel with sensitive corporate data.
But BitLocker doesn't stop there. You might remember that Microsoft's Next-Generation Secure Computing Base (NGSCB—formerly code-named Palladium) technologies were originally going to be a major part of Vista. Today, BitLocker Drive Encryption is one of only a handful of NGSCB-based technologies that remain in the product. The NGSCB component of BitLocker works with Trusted Platform Module 1.2 hardware on the motherboard to ensure the integrity of key system components at boot time. This integrity check ensures that the BitLocker-protected hard disk hasn't been placed into a different PC, but it also helps prevent attacks that can occur at boot time before the OS is loaded.
For those who don't have Trusted Platform Module 1.2–enabled hardware, Microsoft offers a slightly less effective version of BitLocker that requires you to use a USB memory key instead. This version supplies all of BitLocker's disk encryption functionality but doesn't include the integrity checks.
For the end user, BitLocker Drive Encryption is a bit ponderous to install. You must reserve a second active partition of at least 1.5GB in size on the laptop's hard drive. This volume won't be encrypted and will contain a few files needed for the PC to boot correctly. If you didn't partition your system correctly during initial setup, you'll need to find a Vista-compatible nondestructive partition utility that can do the job. Users of Vista Ultimate have access to a free extra called the BitLocker Drive Preparation Tool, which will perform this partitioning. Microsoft must think Vista Enterprise users are able to handle this kind of thing on their own.
But Wait, There's More
We're far from finished discussing Vista's security features. Next month, I'll
examine Vista's EFS improvements, file system and registry virtualization, service
isolation, driver signing, and code integrity features, Address Space Layout
Randomization, and security features you'll only see in x64 versions of Vista.