Enhanced security, performance, and reliability
Executive Summary:
Microsoft Windows Vista Service Pack 1 (SP1) delivers numerous security, performance, and reliability updates that will make existing Windows Vista users happy, as well as encourage Windows XP users to upgrade.
Just a year after Microsoft officially released Windows Vista, the company announced the release to manufacturing (RTM) availability of SP1. Not coincidentally, this announcement came the same day as Windows Server 2008’s RTM—Microsoft clearly wants to emphasize Vista SP1 as the fully compatible client platform for Server 2008. Some of Server 2008’s new features, such as Secure Socket Tunneling Protocol (SSTP) and Remote Server Administration Tools (RSAT), don’t work on Vista, or on previous client OSs. Because Vista SP1 and Server 2008 are based on the same kernel, many files are common to both products.
In addition to its compatibility with Server 2008, Vista SP1 is an important user upgrade for a variety of reasons. SP1 greatly improves Vista’s performance and stability. In addition, SP1 fixes all registered bugs and security holes reported up to January 2008. Microsoft made extensive use of the Windows Error Reporting (WER) service’s user bug and crash reports to analyze and summarize bugs that needed to be fixed. In this article I focus on SP1’s most important improvements and new features.
Microsoft is including SP1 with new Vista installations. If you’re already running Vista, you can obtain the service pack from Microsoft Update or from your local Windows Server Update Services (WSUS). This approach is easy and fast because it downloads only the files that are necessary for your machine. For example, if you’re running a fully updated version of Vista, then SP1 requires only about 100MB to 130MB of new files. (Note that automatic updates must be enabled for this method to work.) Another option is to download the full 500MB package. This method is necessary if you want to install SP1 offline. To download Vista SP1, go to technet.microsoft.com/en-us/windowsvista/bb738089.aspx.
SP1 is available in 36 languages. Vista’s language-neutral design ensures that the service pack can update any possible combination of the basic languages supported, with a single installer. Language files for the 36 basic languages are included in the stand-alone installer.
Installing SP1 takes approximately 40 minutes to an hour. You must restart the machine after installation.
Several of Vista SP1’s improvements are immediately apparent. For example, the number of User Account Control (UAC) prompts is greatly reduced for certain tasks, such as for creating and modifying folders in a system-protected location. Many Vista users complained that UAC prompts appear too often, especially repeatedly for a single task. These occurrences are significantly reduced in SP1. (Note that leaving UAC prompts enabled is still highly recommended.)
Another improvement is that Vista SP1’s Control Panel System applet now displays the correct amount of memory. In previous Windows versions (e.g., Vista, 32-bit XP), the system shows only 3.25GB of RAM if you have more than 3GB. Although you can now see the correct amount of RAM, the OS can’t necessarily allocate the whole memory space. Also, because this feature is chipset/BIOS dependent, the amount of memory that’s displayed might still be incorrect if BIOS doesn’t read it correctly. This problem occurs most often with older versions of chipsets that are 32-bit at the core. If you have a newer motherboard, you can use the memory remapping feature in BIOS to fix this problem.
Unlike in the original version, the OS won’t default to reduced functionality mode if you install Vista SP1 without a proper license key, or with a pirated key. Although you can use the OS’s full functionality and features, you’ll receive repeated and frequent messages that your copy of Vista isn’t genuine, as well as instructions for obtaining a legitimate copy. Microsoft is dedicated to fighting piracy, and the company’s research and customer feedback show that this approach is much more effective than reducing the OS’s functionality.
When you set up Vista SP1, you’ll be forced to enter a password hint. The hint was optional in previous versions, but because the Vista Administrator account isn’t enabled by default, as it is in XP, users who forget their passwords will be completely unable to access their computers.
Group Policy Management Console (GPMC) is removed in SP1 because of a similar console in RSAT, which replaces the Windows Server 2003 Administration Tools Pack and contains a more powerful GPMC. RSAT is available as a separate download from www.microsoft.com/downloads/details.aspx?familyid=9ff6e897-23ce-4a36-b7fcd52065de9960. If you’re wondering what would happen if you installed RSAT on Vista (which contains GPMC), you should note that doing so isn’t possible. RSAT works only on Server 2008 and Vista SP1.
Vista SP1 contains numerous other minor enhancements. For example, in SP1 the Network Diagnostic Framework covers a wider scope of problems than in Vista, fewer OS restarts occur when you install updates, and you can now install the 64-bit OS from a 32-bit system (which lets you easily create a dual boot disk, as well as use just one Windows Preinstallation Environment—WinPE—image for installing both 32-bit and 64-bit Vista). Another benefit is that you can choose from various desktop search engines in Vista SP1, just as in Internet Explorer (IE). Vista SP1 is more resilient to power failures or incomplete software installations than XP SP2. Finally, SP1 supports the new extended file allocation table (exFAT) file system, which is designed for flash storage devices.
In addition to including all previously published security fixes, Vista SP1 delivers some new security features. Although SP1 doesn’t have as many security problems as XP, aligning Vista with Server 2008 required some security updates.
Vista SP1 supports SSTP connections, which is a useful new feature in Server 2008 that lets users establish a VPN connection by using Secure Sockets Layer (SSL) over port 443. Previously, most VPN connections were established via ports 1723 (PPTP) or ports 500 and 4500 (L2TP). This approach sometimes caused problems—for example, users couldn’t connect from public hotspots or hotel networks because those ports were usually blocked by a firewall, or VPN traffic couldn’t pass Network Address Translation (NAT). Port 443 is always open because of HTTP Secure (HTTPS) traffic, leading to wider VPN availability. Vista SP1 is the only client OS that supports SSTP. As you can see in Figure 1, configuring this feature is similar to creating a VPN connection.
SP1 uses signed RDP files for Server 2008’s RemoteApp feature, which lets users run terminal-based applications with locally installed applications. Prior to Vista SP1, client OSs couldn’t use signed RDP files to connect to remote programs. SP1’s support of signed RDP files increases security because it prevents users from altering the RDP file after the administrator publishes it. In addition, Vista SP1’s new RDP client software, which is needed for RemoteApp, lets administrators more easily manage saved credentials and provides a streamlined process for providing credentials to remote servers.
Windows Vista Ultimate and Windows Vista Enterprise offer some Windows BitLocker Drive Encryption enhancements. First, BitLocker can now encrypt all system volumes, not just the volume that contains the OS (as in Vista). Second, BitLocker security is improved by implementing a multi-factor authentication method that combines a key protected by the Trusted Platform Module (TPM) with a startup key stored on a USB storage device and a user-generated PIN. This two-factor authentication benefits systems with high security requirements. To take advantage of this kind of authentication, your computer must have a TPM chip installed.
Windows Security Center now allows only authenticated applications to report themselves as valid for updating a system’s security state. Because Windows Security Center is the central security point for the whole system, it’s important to prevent malicious code from altering the system security state. Moreover, because Server 2008’s Network Access Protection (NAP) technology relies on Windows Security Center from the client side, having reliable Windows Security Center data is additionally important.
Vista SP1 includes new and stronger encryption algorithms for IPsec. For ESP and AH you can now use SHA-256, AES-GCM, and AES-GMAC. For IKE and AuthIP, available algorithms include ECDSA, SHA-256, and SHA-384. These updates are to align Vista with Server 2008’s IPsec, as well as to support the new Suite B set of algorithms.
In Vista SP1, Microsoft also improved Online Certificate Status Protocol (OCSP) support, added support for smart card biometric authentication, and improved data execution prevention (DEP) by implementing a new set of APIs to control DEP policies. In addition, SP1 users with standard privileges can run the Complete PC Backup application—unlike in Vista, which limited the application to administrators. Finally, Vista SP1 offers full support for 802.11n wireless networking.
Performance and Reliability Enhancements
Most user complaints about Vista have focused on performance problems. Although Microsoft promoted Vista as the fastest OS ever, the reality was often different. In some situations, Vista performs noticeably slower than XP. Vista’s reliability and application compatibility are equally troublesome, and are further complicated because of UAC technology. SP1 addresses many performance and reliability problems.
The performance of file copy operations is greatly enhanced in Vista SP1. Vista suffers from extremely slow file copying in several situations. According to Microsoft, Vista SP1’s improvements include
- 25 percent faster when copying files locally on the same disk on a machine
- 45 percent faster when copying files from a remote non-Vista system to a Vista SP1 system
- 50 percent faster when copying files from a remote SP1 system to a local SP1 system
In addition, SP1’s estimation of the time remaining to finish a copy process is much more precise than in Vista.
SP1 improves the performance of offline domain-joined clients. In Vista, if you connect a domain-joined computer (e.g., a notebook) to another network (e.g., your home network), Windows Explorer and all the operations that depend on it will perform much slower than usual. This problem occurs because Vista tries to locate the domain controller (DC) and authenticate to the resource you’re opening. For simple operations such as saving a Microsoft Word file, you’ll experience a 7- to 10-second delay. SP1 eliminates this delay. In addition, users can now rename or delete folders while working offline with redirected folders. Although this functionality is disabled by default, you can enable it via a registry setting.
Power consumption on mobile computers is reduced in Vista SP1. Many Vista users have complained that the OS drains a notebook battery much faster than XP did—which has certainly been my experience. Microsoft implemented several fixes in SP1 to reduce unnecessary power consumption. For example, the CPU now remains in sleep state if nothing is changing on the display, the hard disk will always spin down if it’s configured to do so (which didn’t always happen), and the video chipset that prevented a computer from remaining in sleep mode has been fixed. These enhancements improve the battery life more than 20 percent in SP1 versus Vista.
Browsing the network in SP1 consumes much less bandwidth than in Vista. Because of the new Network Discovery service, Vista uses excessive bandwidth to locate and browse network resources. SP1 optimizes this service to reduce bandwidth consumption. In addition, SP1 is capable of choosing the optimal network connection, if several are available (e.g., in the case of a wired or wireless connection to the same network). Finally, RDP usage is improved by implementing a new algorithm for compression of bitmap images traveling over an RDP channel. This feature must be enabled through Group Policy.
Reading large image files is as much as 50 percent faster in Vista SP1. In addition, moving directories that contain a large number of files is faster, as is copying files immediately after deleting files. Finally, file operation performance is further enhanced when you use Background Intelligent Transfer Service (BITS) or ReadyBoost drives.
Better Than Great
Vista SP1 delivers numerous updates and improvements that will make existing Vista users happy, as well as encourage XP users to upgrade. Most of SP1’s enhancements focus on security, performance, and reliability. For a full list of SP1’s hotfixes and security updates, go to Microsoft’s Vista SP1 hotfixes and security updates Web page (technet2.microsoft.com/windowsvista/en/library/20184cb6-7038-4e82-a32c-4bc10ffe56ab1033.mspx).