Does Vista Matter?
A look at Vista's security enhancements and just how much they can help your network.
- By Joern Wettern
There's no question that Vista is a major step forward for Windows, but how
much can it really do to enhance the security of your network? Here we'll take
a look at the security enhancements in Vista to help you figure out if you should
rush to upgrade your computers.
User Account Control
Vista's User Account Control (UAC) is one of the features that has been most
heavily promoted by Microsoft -- and most strongly ridiculed by early reviewers.
If you're logged on as a non-administrative user and you're running a program
that requires elevated privileges, Vista will temporarily block all input, prompt
you to enter administrative credentials and then run the program using those
credentials. In effect, this replaces the old Run As command. In a corporate
setting, though, most users don't have an administrative account.
Even though it's a bad practice to be logged on as an administrator for normal
computing tasks, it's no secret that it's fairly common. Let's face it, some
programs simply won't run under a normal user account and switching back and
forth between two accounts is cumbersome.
Thanks to UAC, now you can always be logged on as an administrator without
compromising security. With UAC enabled, Vista runs all your programs with the
regular user-level privileges. When a program requires elevated privileges,
Vista starts the program at a more privileged level, but only after prompting
you for your permission (see Figure 1). If you're starting an administrative
tool, you can give your approval.
UAC is definitely a good idea and it's much less cumbersome to use now than
it was in pre-release versions of Vista. While UAC has a lot of potential, I
predict that it won't increase security that much compared to a Windows XP-based
environment where users aren't logged on as administrators.
[Click on image for larger view.]
|Figure 1. Privileged
use requires the appropriate level of approval.
BitLocker (covered in "Bit
by Bit," August 2006) encrypts your system drive to ensure that no
data is compromised when an unauthorized person gains access to your hard drive.
The most common use for BitLocker is on laptops. With BitLocker, you no longer
have to worry about who reads your e-mail or memos if you leave your laptop
in the backseat of a taxi cab.
There are other programs that can do this, but BitLocker's features and tight
integration with the operating system make it an appealing choice for corporate
IT departments. However, BitLocker protection doesn't come cheap. It's only
included with Vista Ultimate, the most expensive edition of the operating system.
Also, it requires that your computer have a Trusted Computing Platform (TCP)
chip to protect the encryption keys.
Internet Explorer 7
Internet Explorer 7 (IE7) has a number of security improvements over older versions
of IE. One big change you'll immediately notice is the new Phishing Filter.
This filter checks Web sites against a Microsoft database of known phishing
sites. This gives you reasonably good protection against Web sites that try
to gather log-on credentials by emulating legitimate banking Web sites.
While the Phishing Filter protects against phishing attacks by giving you warnings,
you can get the same protection by installing IE7 on Windows XP machines. There
are some security features you'll only find in the Vista version of IE7, however.
Home users may benefit from the greatly improved parental controls, and those
can also provide some benefits in a corporate environment where you need to
restrict user browsing.
The Protected Mode is a much more significant factor with IE7. This severely
restricts how applications can interact with Internet Explorer. This feature,
which is also only available in the Vista version of IE, makes it much more
difficult for malicious software to attack your computer through the browser.
This new level of protection is probably the most valuable security enhancement
for Internet Explorer that you'll get with Windows Vista.
Finally: A Real Firewall
Windows XP comes with the Windows Firewall, which is an easy-to-use personal
firewall that remains politely in the background most of the time. The trade-off
for this ease of use is that its capabilities are fairly limited. Configuring
detailed firewall exceptions is difficult, and you simply can't configure rules
to block outbound network traffic.
Windows Vista gives you extremely powerful configuration options for setting
firewall exceptions, including rules based on specific applications. Even better,
it can block selected outbound network traffic. In other words, Windows now
comes with an extremely powerful and full-featured personal firewall.
Microsoft was afraid this power would confuse users. Their solution was to
provide a default configuration program that lets you configure the Windows
Firewall pretty much the same way as in Windows XP -- with the same limited
You'll want to use the full Windows Firewall with Advanced Security, once you
find it. It's actually a snap-in for the Microsoft Management Console. Not only
is this new Windows Firewall quite powerful, you can also administer it with
Group Policy. It's unfortunate, however, that configuration is such a complex
task and that even the administration tool is hard to locate. This will probably
prevent widespread use of this powerful firewall.
Defender to the Defense
Windows Vista includes Windows Defender, an anti-spyware program that's capable,
if not altogether impressive. Like the old version of the Windows Firewall,
it was designed to operate out of sight of users and only become visible when
something is blocked. Unfortunately, this also means that your ability to customize
it is somewhat limited. It's also hard to manage in a corporate environment.
Microsoft is currently working on its Forefront Client Security product for
corporate client protection, but you'll have to purchase that one separately.
Like IE7, Windows Defender is available as a free download for Windows XP, so
that doesn't make a compelling argument for upgrading to Vista.
Under the Hood
Some of the most exciting security enhancements in Windows Vista are not immediately
obvious because they relate to modifications Microsoft made to the internal
operations of the operating system. In previous versions of Windows, you often
had to log on as administrator to run applications that insisted on writing
to locations on your disk or in the registry not accessible to regular users.
Vista solves this problem by writing those changes to a temporary user-specific
area. It then integrates them with the unmodified versions on the fly so the
application thinks it's accessing protected areas.
The original files are left alone so no other users are affected and no critical
files or settings are changed. This lets your users run many user accounts without
having to resort to an administrative account.
Kernel Patch Protection is another internal enhancement. To prevent rootkits
from changing the Windows kernel -- the core component of the operating system
-- Windows Vista only allows limited access to these components. It even shifts
kernel components around in memory to make it almost impossible for a rootkit
to find its exact target. Unfortunately, Kernel Patch Protection is only available
in the 64-bit version of Windows Vista.
On the downside, it makes it more expensive for hardware manufacturers and
other software developers to create 64-bit drivers. Microsoft already ruffled
the feathers of its antivirus partners by trying to prevent them from accessing
the operating system kernel at all. It reversed this decision shortly before
the launch of Vista. Even though hackers will probably find a way to circumvent
this protection to plant their rootkits, it's still a significant security enhancement,
at least for the time being.
There are numerous other small security enhancements throughout Vista. You
can now configure more security settings through Group Policy and you have a
rudimentary ability to block the use of hardware devices. Other security-related
components like Network Access Protection won't be enabled until they're complemented
by Longhorn Server, which is not due to be released until later in 2007.
Should You Upgrade?
If you're in the market for a new computer, there's no question that Windows
Vista will give you a more secure computing experience. If you look strictly
at security, though, there are few compelling arguments to rush into a Vista
deployment on your existing computers.
Companies with well-managed client computers and a good security infrastructure
will likely find the improved security features are not enough to justify the
upgrade until the next regularly scheduled upgrade cycle. Others may find that
even a single feature is enough to make Vista a compelling purchase -- for example,
getting BitLocker protection for laptop computers. If you're thinking about
upgrading to 64-bit client computers in the next few months, you might also
consider holding off on the operating system upgrade until then so you'll get
all the security benefits of 64-bit Vista when you finally make your move.
My recommendation to companies is to plan for moving to Windows Vista at some
point in the near future to get the protection provided by its security enhancements.
However, you shouldn't rush into any deployment decisions without first carefully
evaluating how many immediate benefits you'll really get from Vista.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.