Feel Good About Your Network
IDsec Limited
31-33 College Road
Harrow, Middlesex
HA1 1EJ
United Kingdom
T: 020 8861 2001
F: 020 8861 3433 www.idsec.co.uk
Copyright © 2012
IDsec Ltd
5.11
The next generation of Windows is coming, but what will it mean for
network security?
By Raj Lotey
Most users on the Internet today are running Microsoft Windows. This
has made personal computing accessible to nearly everyone on the
planet, as long as they are able to use a mouse. However, security
vulnerabilities in Windows can be exploited in many of these
installations. This is why it is extremely important to ensure that
software is regularly patched and up to date, in order to minimise the
damage that cyber criminals can achieve.
The new Microsoft Windows Vista (previously known as Longhorn) is
designed to be far more security oriented than previous versions:
there have been some radical changes to the Windows kernel and the
file structure. The trend seems to be towards greater granularity,
intended to give system administrators more control over user access
and privileges.
Significant new security features include:
- User Account Control (UAC): users run in Standard User Mode as opposed to Administrator Mode
- Authentication: this allows for custom-based authentication methods, with support for technologies such as biometrics and Kerberos
- Anti-Malware: includes Protected Mode for Internet Explorer, Windows Defender (a real-time Spyware monitoring tool) and a built-in anti-virus utility
- Network Access Protection: a utility that denies access to unhealthy systems or systems that have not been adequately patched and updated
- Firewall: now includes Application Aware Outbound Filtering, which is capable of blocking P2P, instant messaging and similar technologies, and is also configurable by Group Policy Objects
- Hardened Windows Services: critical services are restricted from carrying out harmful activities such as the installation of Malware
- Internet Explorer: now uses Protected Mode with just enough privileges to browse the Web, preventing sites from automatically installing unwanted software and running scripts
- Data Protection: with rights management and data encryption, as well as integrity checking
Since Windows Vista version 5384 (Beta 2) was released on 23 May at
the Windows Hardware Engineering Conference (WinHEC), it has been
made available to developers and IT professionals through MSDN and
TechNet subscriptions. The main purpose of this is the widespread
testing of the key features, in order to gain constructive feedback
and possible areas for improvement in the final product release.
So what is the overall opinion of Vista, based on its Beta releases?
Although testers generally appear to understand the need for the
Standard User Mode that is part of the UAC security feature, there
has been concern over the large number of obtrusive prompts that are
displayed when performing simple administrative tasks. Previous
versions of Windows have treated all users as local administrators
unless specified otherwise. Microsoft now appears to have adopted
principles from classic operating systems such as UNIX, which does
not give users the privileges to make system changes but forces them
to switch to the root account (Administrator equivalent) to carry
them out.
Windows UAC also provides the administrator with greater control over
the functions that ordinary users can perform. For instance, they no
longer need to gain authorisation from IT Support before changing the
date on their machines, but they would need authorisation to install
third-party software, in accordance with a company-specific security
policy.
The new Internet Explorer browser also takes great advantage of the
UAC feature. If a malicious script is unintentionally downloaded,
which is often the case, the script would have insufficient
privileges to run in the standard user environment. This provides a
critical layer of protection.
Although this system seems to be an adequate safeguard against
accidental (or intentional but unauthorised) changes to critical
systems, the general opinion is that users will find the prompts
overwhelming. Security specialists fear that users will either
dismiss the warnings and rapidly click through the prompts without
reading them or seek ways to disable the feature. In view of this it
is likely that Microsoft will need to address this matter in the
final release.
There has recently been some controversy surrounding BitLocker, which
is included in Vista. This feature, which is to be introduced
into the full release, is mainly an encryption mechanism that is
designed to prevent data on the hard drive from being read by an
unauthorised entity. This provides extra protection for the
information stored on a system in the event of a loss or theft.
However, governments (the UK government in particular) are uneasy
about the way in which this would impede law enforcement agencies in
reading the contents of a hard drive when required. For example, if a
computer were to be seized by a Computer Crime Unit, they would find
it extremely difficult, if not impossible, to use the hard drive and
the data on it as admissible evidence in court.
For this reason, the UK government has been in discussions with
Microsoft over this issue. It is thought that a request was made of
Microsoft to introduce backdoors (hidden methods for gaining access)
into BitLocker, so that law enforcement agencies would be able to
bypass the encryption security when deemed necessary. However,
Microsoft has recently revealed that it has no intention of
introducing backdoors.
Microsoft has already released two Beta versions. According to
testers, there are still many bugs and challenges that need to be
addressed. However, most agree that steady progress is being made and
that successive releases are making vast improvements.
Do remember that while Microsoft releases Beta versions in order to
get feedback from prospective users, they are indeed unfinished
versions of the software and should not be used for production
purposes. The final release can be significantly different from the
Betas.
A final release date for Vista has not been set yet, but Microsoft
has stated that it will be some time in early 2007. Based on patterns
of previous releases and comments from testers of the beta releases,
we recommend that companies delay the incorporation of Vista into
their architecture until around six months after the initial
release. This will allow time for Microsoft to provide any necessary
patches in order to fix initial bugs, which are usually quite
disruptive.