Although the hardware and software compatibility issues that dog Windows XP Professional x64 Edition will continue to be problematic during Windows Vista's lifetime, Microsoft is slowly making x64 more viable on the client by adding a number of unique features to the x64 versions of the Windows Vista Home Basic, Vista Home Premium, Vista Business, Vista Enterprise, and Vista Ultimate editions. Some of the best differentiators are security-related: Because of key improvements that are available only on the Vista x64 versions, these systems will be the most secure client OSs that Microsoft has ever released. Here's what you need to know about the x64 Vista versions' unique security features.
Low-Level Remote Exploit Protection
Microsoft isn't openly promoting its remote-exploit-protection feature, called Address Space Layout Randomization (ASLR), that it has added to the x64 Vista versions. The company believes that ASLR will almost completely eradicate remote exploits against the Windows platform. Today, Windows OSs always load system files at the same memory offsets when the system boots, allowing hackers to inject code into the same memory location offset. In the x64 Vista versions, system files load into random memory locations, meaning there is a 1 in 256 chance that system files will load into the same memory location offset that the previous boot used. My sources tell me that the performance hit resulting from this change is almost negligible but that the benefits are enormous. Microsoft believes that more than 99 percent of all remote exploit attempts against x64 Vista versions will fail. Time will tell, of course, but Microsoft is curious to see how the hacker community reacts to this change.
Like XP Pro x64, the x64 Vista versions support data execution prevention (DEP), which works in tandem with the no execute (NX) technology that's built into today's microprocessors to help prevent buffer overrun-type attacks. There are two kinds of DEP: Software-based DEP is available in the 32-bit Vista versions, and hardware-based DEP is available only on the x64 platform. The hardware-based DEP is more resilient because the chips prevent executable code from loading into memory reserved for data.
A new x64 technology called PatchGuard prevents malicious software from patching the Vista kernel on x64 versions of the system. Microsoft describes PatchGuard as a method for preventing both kernel-mode drivers from extending or replacing other kernel services and third-party software from patching any part of the kernel.
Digitally Signed Drivers
x64 Vista versions will install only digitally signed drivers on your system (installing unsigned drivers is the norm with current Windows versions). Using digitally signed drivers won't make your system more stable, but Microsoft is working with driver manufacturers to help raise drivers' quality level. Using digitally signed drivers will result in far more reliable drivers—thus more reliable PCs—because poorly written device drivers are still the leading cause of blue screens and other problems.
Switching to x64 Vista versions will pose major trade-offs for many users because they'll encounter software and hardware incompatibilities. However, the new security features available with the x64 Vista versions might tip the scales for some corporations and agencies for whom security is of the utmost importance. Microsoft is trying to make a strong case for security, which is noticeable if you look at the x64 Vista security features combined with new security features available for x32 Vista users—such as User Account Control (UAC), Windows Defender, Windows Firewall, Windows Service Hardening, Encrypting File System (EFS), and Bit-Locker. So, if you can live with the hardware limitations, the x64 Vista versions will provide a more secure client environment. And that's going to resonate with many users.