A look inside Vista security
By Danny Bradbury
Microsoft Vista promises to be the most secure operating system that the company has ever shipped. It's the first one to be developed totally under the firm's Secure Development Lifecycle (the methodology it adopted after Bill froze development in 2002 and forced the company to teach its programmers how to code properly).
Vista was gutted of many of the features promised in the first public demo, back in October 2003, but some good security measures remain. Some of the Trusted Computing Platform Alliance's Trusted Computing Module (TPM), originally to be supported by Vista's Next Generation Secure Computing Base (NGSCB), still survives in the form of BitLocker, Vista's AES-based hard drive encryption system.
BitLocker, which can be backed up by a password held on a USB key for two-factor authentication, can also check the integrity of system files at startup. "We're well past the time when encryption of laptops should be routine," says Gartner analyst Jay Heiser. "So I applaud anything that Microsoft can do in that area."
Other enhancements include the elimination of the mandatory Graphical Identification and Authentication (GINA) logon system. Instead, it will be easier for companies to write their own logon environments for the operating system, making it simpler to integrate smart cards for two-factor authentication, for example.
Group Policy has been improved with new policy settings, better awareness of where clients are in relation to the network when trying to enforce group policy, and a redesign of the ADM template system used to store group policy settings.
Look out for address space layout randomisation (ASLR), which will randomise executable code between 256 possible locations, making it harder for malicious code to hijack the executable code and adapt it. And heap buffer overflow protection will kill applications that try to stuff the buffer with data to make it leak into executable memory.
Clamping down in admin mode
All of that looks good from here, but some of Microsoft's other security measures have been criticised. Take administrative account privileges. The company has tried to stop people running the operating system in admin mode for years, because this mode gives all processes privileged access to system resources, making it easier for malware to do damage. Users have largely ignored these pleas, not least because running in standard mode is inconvenient. Many developers tend to write their applications while running in admin mode, which makes it easy to overlook restrictions that their software will experience when running in standard mode. For example, trying to digitise film into Adobe Premiere across a FireWire link works fine in admin mode, but is not allowed in standard mode.
Microsoft has tried to get around the problem with User Access Control (UAC), a system that lets standard mode accounts carry out administrative tasks by entering their credentials. It also introduces an approved mode for administrator accounts that requires administrators to grant consent before executing high-privilege actions.
Theoretically, this is little more complicated than Apple's current protection in OS X, which requires users to enter a password when performing certain actions. Nevertheless, it has infuriated some industry commentators. UAC could have significant implications for the Windows interface, warns Ken Munro, managing director of penetration testing company SecureTest. "One of the problems they'll have is that people using the Windows UI will get click-happy, as they did with Windows XP SP2, and start enabling things that they shouldn't be enabling, and not really understanding what they're clicking and accepting."