Security Advisor
Does Vista Matter?
A look at Vista's security enhancements and just how much they can help your network.
- By Joern Wettern
- 02/01/2007
There's no question that Vista is a major step forward for Windows, but how
much can it really do to enhance the security of your network? Here we'll take
a look at the security enhancements in Vista to help you figure out if you should
rush to upgrade your computers.
User Account Control
Vista's User Account Control (UAC) is one of the features that has been most
heavily promoted by Microsoft -- and most strongly ridiculed by early reviewers.
If you're logged on as a non-administrative user and you're running a program
that requires elevated privileges, Vista will temporarily block all input, prompt
you to enter administrative credentials and then run the program using those
credentials. In effect, this replaces the old Run As command. In a corporate
setting, though, most users don't have an administrative account.
Even though it's a bad practice to be logged on as an administrator for normal
computing tasks, it's no secret that it's fairly common. Let's face it, some
programs simply won't run under a normal user account and switching back and
forth between two accounts is cumbersome.
Thanks to UAC, now you can always be logged on as an administrator without
compromising security. With UAC enabled, Vista runs all your programs with the
regular user-level privileges. When a program requires elevated privileges,
Vista starts the program at a more privileged level, but only after prompting
you for your permission (see Figure 1). If you're starting an administrative
tool, you can give your approval.
UAC is definitely a good idea and it's much less cumbersome to use now than
it was in pre-release versions of Vista. While UAC has a lot of potential, I
predict that it won't increase security that much compared to a Windows XP-based
environment where users aren't logged on as administrators.
Figure 1. Privileged use requires the appropriate level of approval.
BitLocker
BitLocker (covered in "Bit by Bit," August 2006) encrypts your system drive to ensure that no
data is compromised when an unauthorized person gains access to your hard drive.
The most common use for BitLocker is on laptops. With BitLocker, you no longer
have to worry about who reads your e-mail or memos if you leave your laptop
in the backseat of a taxi cab.
There are other programs that can do this, but BitLocker's features and tight
integration with the operating system make it an appealing choice for corporate
IT departments. However, BitLocker protection doesn't come cheap. It's only
included with Vista Ultimate, the most expensive edition of the operating system.
Also, it requires that your computer have a Trusted Computing Platform (TCP)
chip to protect the encryption keys.
Internet Explorer 7
Internet Explorer 7 (IE7) has a number of security improvements over older versions
of IE. One big change you'll immediately notice is the new Phishing Filter.
This filter checks Web sites against a Microsoft database of known phishing
sites. This gives you reasonably good protection against Web sites that try
to gather log-on credentials by emulating legitimate banking Web sites.
While the Phishing Filter protects against phishing attacks by giving you warnings,
you can get the same protection by installing IE7 on Windows XP machines. There
are some security features you'll only find in the Vista version of IE7, however.
Home users may benefit from the greatly improved parental controls, and those
can also provide some benefits in a corporate environment where you need to
restrict user browsing.
The Protected Mode is a much more significant factor with IE7. This severely
restricts how applications can interact with Internet Explorer. This feature,
which is also only available in the Vista version of IE, makes it much more
difficult for malicious software to attack your computer through the browser.
This new level of protection is probably the most valuable security enhancement
for Internet Explorer that you'll get with Windows Vista.
Finally: A Real Firewall
Windows XP comes with the Windows Firewall, which is an easy-to-use personal
firewall that remains politely in the background most of the time. The trade-off
for this ease of use is that its capabilities are fairly limited. Configuring
detailed firewall exceptions is difficult, and you simply can't configure rules
to block outbound network traffic.
Windows Vista gives you extremely powerful configuration options for setting
firewall exceptions, including rules based on specific applications. Even better,
it can block selected outbound network traffic. In other words, Windows now
comes with an extremely powerful and full-featured personal firewall.
Microsoft was afraid this power would confuse users. Their solution was to
provide a default configuration program that lets you configure the Windows
Firewall pretty much the same way as in Windows XP -- with the same limited
functionality.
You'll want to use the full Windows Firewall with Advanced Security, once you
find it. It's actually a snap-in for the Microsoft Management Console. Not only
is this new Windows Firewall quite powerful, you can also administer it with
Group Policy. It's unfortunate, however, that configuration is such a complex
task and that even the administration tool is hard to locate. This will probably
prevent widespread use of this powerful firewall.
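The per-application outbound blocking described above can also be scripted instead of clicked through. The following is an added example, not part of the original article: it uses the `netsh advfirewall` context that ships with Vista, and the rule name and program path are constructed sample values.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# $RuleName and $Program are constructed sample values; substitute your own.
# The MMC snap-in the article refers to can be opened directly with: wf.msc
$RuleName = 'Block-Out-ExampleUpdater'
$Program  = Join-Path $env:ProgramFiles 'ExampleApp\updater.exe'

function Test-Elevated {
    # Under UAC an administrator's normal token is filtered, so this returns
    # $false until the prompt itself has been started elevated.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    throw 'Changing firewall rules requires an elevated prompt.'
}

# 1. Show the default inbound/outbound action for the domain, private and
#    public profiles. Outbound traffic is allowed unless a rule blocks it.
netsh advfirewall show allprofiles firewallpolicy

# 2. netsh does not de-duplicate rules by name, so add the rule only when no
#    rule with this name exists (show rule exits non-zero when nothing matches).
netsh advfirewall firewall show rule "name=$RuleName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    netsh advfirewall firewall add rule "name=$RuleName" dir=out action=block `
        "program=$Program" profile=any enable=yes
}

# 3. Confirm the direction, action, program and profiles of the stored rule.
netsh advfirewall firewall show rule "name=$RuleName" verbose
```

The same rule appears under Outbound Rules in the Windows Firewall with Advanced Security snap-in, where it can be reviewed or removed.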
Defender to the Defense
Windows Vista includes Windows Defender, an anti-spyware program that's capable,
if not altogether impressive. Like the old version of the Windows Firewall,
it was designed to operate out of sight of users and only become visible when
something is blocked. Unfortunately, this also means that your ability to customize
it is somewhat limited. It's also hard to manage in a corporate environment.
Microsoft is currently working on its Forefront Client Security product for
corporate client protection, but you'll have to purchase that one separately.
Like IE7, Windows Defender is available as a free download for Windows XP, so
that doesn't make a compelling argument for upgrading to Vista.
Under the Hood
Some of the most exciting security enhancements in Windows Vista are not immediately
obvious because they relate to modifications Microsoft made to the internal
operations of the operating system. In previous versions of Windows, you often
had to log on as administrator to run applications that insisted on writing
to locations on your disk or in the registry not accessible to regular users.
Vista solves this problem by writing those changes to a temporary user-specific
area. It then integrates them with the unmodified versions on the fly so the
application thinks it's accessing protected areas.
The original files are left alone so no other users are affected and no critical
files or settings are changed. This lets your users run many such applications from
a regular user account without having to resort to an administrative account.
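To see which applications on a machine actually depend on this redirection, you can list what has been written to the per-user area. This is an added example, not part of the original article; the VirtualStore folder under `%LOCALAPPDATA%` and the VirtualStore key under `HKCU\Software\Classes` are Windows' own locations, which the article does not name.

```powershell
# Added example (not from the article): audit what file and registry
# virtualization has redirected for the current user. Read-only; no elevation.
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'

function Get-VirtualizedFile {
    param([string]$Store = $fileStore)
    if (-not (Test-Path -LiteralPath $Store)) { return }
    $root = (Get-Item -LiteralPath $Store -Force).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # The path below VirtualStore mirrors the protected path on the
            # system drive, e.g. VirtualStore\Program Files\App\settings.ini.
            $relative  = $_.FullName.Substring($root.Length + 1)
            $protected = Join-Path "$env:SystemDrive\" $relative
            $_ | Select-Object @{n='ProtectedPath';  e={ $protected }},
                               @{n='VirtualCopy';    e={ $_.FullName }},
                               @{n='OriginalExists'; e={ Test-Path -LiteralPath $protected }},
                               LastWriteTime
        }
}

$files = @(Get-VirtualizedFile)
'{0} virtualized file(s) for {1}' -f $files.Count, $env:USERNAME

# Group by the first two path components (for example 'Program Files\App')
# to name the applications that are writing to protected locations.
$files |
    Group-Object { ($_.ProtectedPath -split '\\')[1..2] -join '\' } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Registry side: one subkey per vendor or application whose writes to
# HKLM\SOFTWARE were redirected for this user.
if (Test-Path $regStore) {
    Get-ChildItem $regStore | Select-Object -ExpandProperty PSChildName
}
```

An empty result means nothing the user has run so far needed the redirection; a long list identifies the legacy applications to test before taking administrative rights away.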
Kernel Patch Protection is another internal enhancement. To prevent rootkits
from changing the Windows kernel -- the core component of the operating system
-- Windows Vista only allows limited access to these components. It even shifts
kernel components around in memory to make it almost impossible for a rootkit
to find its exact target. Unfortunately, Kernel Patch Protection is only available
in the 64-bit version of Windows Vista.
On the downside, it makes it more expensive for hardware manufacturers and
other software developers to create 64-bit drivers. Microsoft already ruffled
the feathers of its antivirus partners by trying to prevent them from accessing
the operating system kernel at all. It reversed this decision shortly before
the launch of Vista. Even though hackers will probably find a way to circumvent
this protection to plant their rootkits, it's still a significant security enhancement,
at least for the time being.
There are numerous other small security enhancements throughout Vista. You
can now configure more security settings through Group Policy and you have a
rudimentary ability to block the use of hardware devices. Other security-related
components like Network Access Protection won't be enabled until they're complemented
by Longhorn Server, which is not due to be released until later in 2007.
Should You Upgrade?
If you're in the market for a new computer, there's no question that Windows
Vista will give you a more secure computing experience. If you look strictly
at security, though, there are few compelling arguments to rush into a Vista
deployment on your existing computers.
Companies with well-managed client computers and a good security infrastructure
will likely find the improved security features are not enough to justify the
upgrade until the next regularly scheduled upgrade cycle. Others may find that
even a single feature is enough to make Vista a compelling purchase -- for example,
getting BitLocker protection for laptop computers. If you're thinking about
upgrading to 64-bit client computers in the next few months, you might also
consider holding off on the operating system upgrade until then so you'll get
all the security benefits of 64-bit Vista when you finally make your move.
My recommendation to companies is to plan for moving to Windows Vista at some
point in the near future to get the protection provided by its security enhancements.
However, you shouldn't rush into any deployment decisions without first carefully
evaluating how many immediate benefits you'll really get from Vista.
About the Author
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.