When Microsoft co-president Jim Allchin, arguably the guiding hand behind the company's Vista efforts, said during his Vista RTM (release to manufacturing) conference call with the press that the number one reason to upgrade to this Windows version was security, a lot of people sat up and took notice. Microsoft had long pledged not to sell its products solely as security upgrades, but Allchin's faith in the security prowess of Windows Vista is notable. Though Windows Vista does include many incredible functional improvements over Windows XP, every single person who upgrades to Vista will benefit from its new security features. It is, in other words, the one area of Vista that will literally impact all users in very dramatic ways.
"Windows Vista is our first operating system to go through the Secure Development Lifecycle from the start," Allchin said, referring to Microsoft's secure coding practices guidelines. "I have tremendous confidence in this product. Customers will feel safer, and they will be safer, quantitatively. Security is number one reason to use Vista."
So is it true? Are Windows Vista's security features really that impressive? Let's take a look.
Many of Vista's security features are extensions and improvements to security features that Microsoft first released in Windows XP Service Pack 2 (see my review). In that important release, Microsoft first shipped its improved firewall, a number of Internet Explorer (IE) security enhancements, Windows Security Center, and other related features. But Vista security isn't just about evolutionary security band-aids.
A new Windows Vista feature called Address Space Layout Randomizer (ASLR) will virtually eliminate remote system attacks for the first time on the Windows platform. (A similar technology is currently employed in Linux and various UNIX versions.) This feature, first disclosed here on the SuperSite for Windows, ensures that system files load at random (1 in 256) memory offsets at every system boot, compared to previous Windows versions where system files always loaded to the same offset memory location. Because of this change, most (approximately 99 percent) remote attacks will simply fail on x64-based Vista versions because attackers can't rely on files being in the same location. Bravo.
Reviled during the beta process, User Account Control (UAC, previously called User Account Protection, or UAP, and Limited User Account, or LUA) has proven to be one of Windows Vista's best features. Indeed, the fact that something very much like UAC has been available for some time in both Linux and Mac OS X is telling: This is user security at its most basic.
UAC is about protecting users from themselves. In previous Windows versions, virtually all users set up administer-class user accounts for themselves, ensuring that they could make any change to the system they wanted, including installing applications, software updates, and drivers, modifying key system settings, and so. In fact, Windows users are so used to this level of control that most of them don't even understand how unsafe this is. In the UNIX world--a paradigm followed, again, by both Linux and Mac OS X--typical user accounts either don't have administrative privileges at all or are severely limited by default. Any time you need to make a change to these systems, you have to authenticate yourself to prove that you are in fact you. Typically, this happens via an authentication-type dialog where you provide the user name and password of an administrator-class account (or, in the UNIX world, the root account).
In Windows Vista, Microsoft is finally adopting this approach. On a non-domain system, Windows Vista now provides exactly two types of user accounts: Administrator and Standard User (previously and perhaps more accurately called Limited User). By default, the first user account you configure on a Vista system (typically during Setup) is an Administrator-type account. Subsequent user accounts (typically configured by going into the User Accounts control panel) are flagged as Standard User accounts by default, though you can of course change that during the creation process.
This doesn't sound so different from Windows XP until you realize that both administrators and standard users, as we'll call them, are both beholden to UAC. Anytime you need to make a change to the system, install an application, game, or non-critical security update, or perform any other task that might harm the PC, Windows Vista will blank the screen and display an authentication dialog that you have to deal with before moving on. The types of authentication dialogs you'll see, however, will differ depending on which type of user account is currently being used.
Administrators will see what's called a consent, or approval, dialog. This dialog simply requires the user to click a Continue button in order to resume the requested task. Standard users, meanwhile, will receive a credentials dialog that forces them to enter the password for the one of the administrator-class accounts that's configured on the system.
Regardless of the type of user account currently being used, you will see other UAC-related dialogs. When you attempt to run an unsigned application (as you will see sometimes when trying to install an application), for example, you'll see a bigger, more prominent UAC dialog warning you of the dangers of running applications with unknown origins.
In use, UAC can be annoying, and while you can turn off this feature from within the User Accounts control panel, I advise you not to do so. UAC's predecessors on other systems prove the worth of this type of protection, and the truth is, you won't really see UAC rear its ugly head all that often once your applications are all installed and your system is fully configured. The occasional minor irritation is definitely worth the peace of mind: Thanks to UAC, spyware and other malware will have a harder time silently installing themselves on your PC.
In managed environments, UAC can be configured to specifically block certain applications as well. This means that IT administrators can prevent users from running applications that are known to be dangerous, of course, but they can also filter out applications such that might be undesirable at work, such as instant messaging, file sharing, and digital media solutions.
In Windows XP Service Pack 2 (SP2), Microsoft debuted Windows Security Center, a dashboard for the system's various security features. In XP, however, Security Center was somewhat limited. It could only monitor three features--Windows Firewall, Automatic Updates, and anti-virus--and couldn't be accessed in an elegant fashion by third party tools. With Windows Vista, Security Center has been improved dramatically. You still get the Windows Firewall, Automatic Updates, and anti-virus monitoring capabilities, but now Security Center integrates nicely with Vista's many other security features (such as spyware protection and User Account Control) and can be controlled or replaced by third party solutions. If any of these security features are out of date or disabled, Security Center provided a notification pop-up and a red Security Center icon in the system tray.
Sadly, Windows Security Center has been somewhat detuned because of competitive pressures from security software companies such as Symantec and McAfee, which want to create their own dashboards to replace Security Center. Now, this is possible, though Microsoft is requiring these companies to provide full replacements for all of Security Center's features.
Overall, Windows Security Center is common-sense protection and a nice improvement over the version that shipped with Windows XP SP2.
I've been a big fan of Windows Defender ever since it was called Giant AntiSpyware, and as elated I was that Microsoft bought Giant Company Software, I've been even more impressed with what the company has done with its anti-spyware technologies. In Windows Vista, Windows Defender is an integrated anti-spyware and anti-malware solution that works largely in the background, providing your system with round-the-clock protection. Typically, you won't have to ever deal with Windows Defender, as it's been designed to silently protection your PC and only throw up warning dialogs when something horrible has happened. This is absolutely the right approach--just ask anyone who's had to deal with the inscrutable dialogs and notifications provided by competing solutions--and one that Microsoft's competitors should follow.
Windows Defender is an excellent anti-malware solution and a welcome addition to Windows Vista. While many security experts suggest that running two or more such solutions concurrently is advisable, I've never run into any problems with this single application. If you do feel the need to run a competing solution, simply ensure that Windows Defender is still enabled.
As with Windows Security Center, the Windows Firewall debuted in Windows XP SP2, replacing the older Internet Connection Firewall from previous Windows XP versions. In Windows Vista, Windows Firewall is enabled by default, providing full inbound network protection and some outbound protection as well. I think we're past the point where anyone should be caught running Windows (or any other OS) without a software firewall: Even if you've got a hardware solution between your home network and the outside world, Windows Firewall is a final line of defense that can help prevent hackers and malicious software from compromising your PC.
As is so often the case in Windows Vista, Windows Firewall provides basic security functionality that works hand-in-hand with other security features to provide better overall security. Unlike with anti-spyware solutions, however, you should typically only run a single firewall. Most modern third party firewall solutions are intelligently designed and will disable Windows Firewall upon installation. Otherwise, you should leave Windows Firewall running.
Protected Mode is one of the few Internet Explorer (IE) 7 features that's available only on Windows Vista: Windows XP users who download and install the standalone version of IE 7 will not get this feature. Protected Mode essentially ensures that IE 7 is running in a state in which it has much fewer rights than other running applications, thus protecting your system against various forms of electronic attack. This mode is important for IE because IE is the portal through which your PC accesses the Web, the leading vector for electronic attacks. Protected Mode, basically, is yet another security feature that is designed to mitigate the effects of an electronic attack, even if it is otherwise successful. Because electronic attacks that enter the PC through the browser are only able to run under the permission level of the browser, IE's lower rights mode will severely restrict--or essentially block--what these attacks can accomplish.
In my experience, Protected Mode has proven its worth, though I've seen some weird side effects of this technology that may or may not affect other users. For example, a secure Web site I visit regularly to post articles to this Web site cannot save my password with IE 7 because of Protected Mode's security controls (and this feature cannot be overridden). Likewise, because of cross-zone security issues with Protected Mode, my normal browser home page, a locally saved HTM file I created years ago, does not work as it did with IE 6: Every time I click a link on my home page, a new browser window opens. This, too, is by design, though it's forced me to change how I utilize this home page (I keep a copy now on both an Internet-based server and the local IIS Web server so that links I click don't need to change zones and open in new windows).
Some may wonder why Protected Mode was not added to the standalone version of IE 7. However, this technology relies on Vista-specific features like User Account Control and various low-level security features. And while you could turn off Protected Mode, I don't recommend doing so even if you, like me, experience occasional issues. Turning off Protected Mode puts your PC at risk, and it also forces IE to display an annoying Information Bar until you re-enable it (though, oddly, that Information Bar can itself be disabled as well).
One of the more nefarious online attacks that's arisen in recent years is the so-called phishing (pronounced "fishing") attack, in which hackers fool a user into visiting a malicious Web site that is typically masquerading as a site for bank or other financial institution. If the user is fooled into believing that the site is legitimate, they might provide personal information such as credit card numbers, social security numbers, and the like. That, of course, can lead to outright theft as well as identity theft.
Phishing attacks generally start with an email message, purporting to come from a bank, financial institution, or e-commerce Web site like eBay, PayPal, or Amazon.com, which you may or may not do business with, warning you that there is a problem with your account. You can see how innocent Internet users could be fooled by such scams, and hackers make the phishing emails doubly believable by obscuring the real URL of the site you'll be visiting by hiding it in a link in an HTML email or using alternate character sets to provide a URL that can often look startlingly real.
To combat this type of attack, Windows Vista includes a Phishing Filter, which is exposed in both Windows Mail and Internet Explorer 7, which detects phishing emails and Web sites and helps prevent you from succumbing to a scam. Microsoft's Phishing Filter utilizes three methods for protecting you from this type of attack. First, Microsoft maintains a blacklist of known phishing sites to which it compares all URLs clicked inside of Windows Vista (in IE 7 or Windows Mail; a local copy of this list is stored on your PC). Second, IE 7 and Windows Mail analyze URLs in emails and Web sites you visit to see if they meet certain criteria which may indicate they are fraudulent. And third, the Phishing Filter can optionally send suspicious URLs to Microsoft for further research, though this won't happen without your consent.
Because of the need to send information to Microsoft servers, Phishing Filter is not enabled by default. Presumably, privacy freaks would have a field day if it were. But the Phishing Filter is enormously useful and beneficial, and you'd have to be pretty crazy to leave it disabled, as it will only check the infrequently-updated local list of known phishing sites. The first time you run IE 7, the Phishing Filter can be enabled via the Welcome page you see. If you choose to ignore this invitation, you can later enable the Phishing Filter by clicking the Tools command bar item in IE 7 and then selecting Phishing Filter and Turn On Automatic Website Checking.
Windows Mail helps locate phishing emails in a variety of ways. The most obvious is to the compare URLs in emails with known phishing sites. But Windows Mail goes beyond that by examining the underlying URLs in HTML emails to see if they match the URLs displayed to the user. Mixed URLs are, by nature, suspicious.
Put simply, Microsoft's Phishing Filter is an important tool in your arsenal against electronic attacks. I strongly advise that you enable this feature if you haven't already.
Windows Update has gone through a number of permutations over the years. It began as an online service from which Windows 98 users could download security patches and other updates. Since then, Windows Update has been enhanced dramatically with Automatic Updates, which over time has itself been updated to support both the downloading and installation of critical security updates, and Microsoft Update, which extends the Windows Update service to non-Windows products such as Microsoft Office.
In Windows Vista, Windows Update has come full circle. Now, it is an application in Windows, as it should be, which communicates with the Microsoft Update back-end. By default, Windows Update only checks for Windows-related updates by default, but you can configure it to utilize Microsoft Update's ability to check for non-Windows updates as well. Windows Vista Ultimate users will also see a unique Windows Update feature called Windows Ultimate Extras, which provides access to unique Windows Vista Ultimate downloadable features and add-ons.
I like that Windows Update is now integrated so seamlessly into Windows. It is what its name suggests, and it works well. You can use the handy front-end application to view and install available updates, view the names and details of installed updates, and perform other related tasks. Thanks to its integration with Automatic Updating, Windows Update will automatically ensure that you're always up-to-date with the latest security updates, software updates, and driver updates.
In keeping with the move to stronger user accounts, Microsoft has bolstered Windows Vista with amazing Parental Controls functionality that will finally make multi-user PCs more viable, especially for families. With Parental Controls, you can configure accounts for your children, or even for yourself if you're particularly security minded, that are locked down in various ways. This will keep you, your kids, and your PC safe from various forms of electronic attacks and undesirable content on the Web, in video games, and elsewhere.
Parental controls can be applied to any Standard User account, and they must be configured from an account that has administrative privileges. You do this through the User Accounts control panel, via a Set up Parental Controls option that you'll see associated with any Standard User accounts. In Parental Controls, you'll find a wealth of features you can configure, including:
Activity Reporting. When enabled, this feature collects information about your child's activities on the PC. You can view these reports at any time and see what they've been doing. The amount of information collected is pretty impressive: You'll see lists of the Web sites they've visited, Web sites they've tried to visit but were blocked, files they've downloaded or tried to download, the days and times they've logged on to the system (or tried to), the applications they've run, the games they've played, the email and instant messages they've sent and received, and the media files they've listened to. All of these features are configurable through parental controls, so you will only see data for the features you've configured.
Web Filtering. With the Windows Vista Web Filter, you can choose to block certain Web sites or types of Web sites so that your children won't browse objectionable content. There are a variety of ways to configure this feature. You can only allow certain sites or domains that you approve (a white list) or use automatic Web content blocking. If you want to allow or block specific sites, you can do so, and you can optionally block file downloads.
Time Limits. If you would like to ensure that your child is only using the PC when you want them to, you can use the Time Restrictions UI to block out the time periods during which they can and cannot logon and use the system. This is done via a simple hourly grid system, so you might allow PC access from, say, 7 am to 7 pm each day during the week, but extend the time a bit on weekends. It's up to you.
Games. Windows Vista integrates with the ESRB game ratings to help you allow and block games based on their content. Or, you can choose to block all games automatically or set up white and blacklists of allowed and blocked games. So, for example, I could set up parental controls for my 8 year old son and specify that he can only play games that are rated C (Early Childhood) or E (Everyone). If he attempts to play Call of Duty, which is rated T (Teen) for violence and blood, he'll be blocked from doing so.
Application Restrictions. With this setting, you can specify that the child can use all applications or pick and choose which applications are acceptable using a list of apps installed on the system. This is handy for users who have installed applications that they'd rather not allow children to utilize.
Vista's parental controls are well conceived and nicely implemented. If you're allowing children to access your only PC, this is a feature you're going to want to investigate thoroughly. Incidentally, I mentioned earlier that some people are actually configuring Parental Controls for their own user accounts. This is somewhat understandable: A security conscious user could set up a Standard User account for themselves for day-to-day use and then configure Parental Controls to block certain kinds of Web sites, allowing them to browse the Web with more confidence. I could see this being popular with certain groups of people.
While I haven't configured this feature yet with the final shipping version of Windows Vista, I did utilize it for quite a while on Dell notebook computer during the beta. Windows BitLocker Drive Encryption is one of the only remaining Vista features remaining from the once-vaunted Palladium (nee Next Generation Secure Computing Base, or NGSCB) initiative. What it does, basically, is encrypt the entire system drive (i.e. the drive on which the WINDOWS folder resides). It is therefore a distant relation to EFS, the Encrypting File System, which allows you to individually encrypt files. But BitLocker encrypts the whole drive, including the critical system files that are responsible for booting the computer and starting Windows. If Windows Vista detects that one of these files has been altered while the machine was off, it will lock the drive and require you to enter your BitLocker recovery password in order to unlock it. Otherwise, the files on the drive will be lost forever.
Why would you want such a thing? Simple: While the theft of a desktop PC or laptop might set you back a couple of thousand dollars, the real damage is often the theft of the files on the machine and the vital personal data they contain. By encrypting the system drive, you can ensure that a thief doesn't steal your PC and attempt to access the hard drive from a different PC. Because the content of the drive is encrypted, they'll be unable to access your files and personal data. (You can still use EFS to encrypt the data on other drives, of course.)
I mentioned that BitLocker was part of the Palladium initiative, and sure enough, one of the ways in which you can enable BitLocker is via an integrated Trusted Platform Module (TPM) chip in your PC. (If you don't have such a chip, you can use a removable USB flash drive, though such a solution is less elegant due to the requirement that this key be inserted every time you boot up the system.) BitLocker also comes with specific configuration requirements: Your first hard drive must be split into at least two partitions, one for the system drive and one for BitLocker; this second partition must remain unencrypted so that your PC can start normally. Finally, your PC's BIOS must support at least TPM 1.2 or support booting from USB devices.
If you can get over all of these requirements, you can install BitLocker, which can take quite a while on larger hard drives. But once it's up and running, you won't typically be aware of it, unless of course you're using the less desirable USB drive option. I like the idea of BitLocker, but it should be a more seamless procedure. For example, if your system isn't already configured with the two partitions needed for this feature, BitLocker should simply create a 1.5 GB partition out of the free space on your system drive and get to work. As it is now, you have to go through a lot of manual steps in order to get BitLocker installed.
While this won't affect home users, IT administrators will be delighted to discover that one of the new features in Windows Vista's support of Active Directory (AD) Group Policy (GP) is a USB Device Lockdown feature that can be used to prevent users from connecting iPods, USB flash drives, and other USB-based storage devices to corporate PCs. Why would you want to do this? Well, with iPods and other similar devices now offering up to 80 GB of storage space--and USB-based hard drives scaling past 500 GB--it's become easier than ever for a disgruntled employee to wipe out a business by stealing all of their critical internal data and bringing it to a competitor. This is an important feature and one that will surely make Windows Vista more desirable to businesses.
A number of Windows Vista security features will only be made available on x64 versions of the OS, the 64-bit versions of Windows Vista that run on newer AMD and Intel processors. These include Kernel Patch Protection (sometimes called PatchGuard), which prevents hackers (and as it turns out, security companies and even Microsoft applications) from altering the Vista kernel at run-time; digitally signed drivers, which ensures that all hardware drivers used in x64 Vista versions are digitally signed and therefore of high quality and unlikely to be the cause of instability issues; and the removal of the 16-bit subsystem, which breaks compatibility with older applications but makes the overall system simpler and more reliable.
While I don't have the time or expertise to cover Vista's truly low-level security improvements, I hope it's obvious from this high-level list of security enhancements that Windows Vista represents a major security advance over Windows XP and previous Windows versions. The only question, of course, is whether this is enough. As it stands right now, this much is certain: Windows Vista is dramatically more secure than is Windows XP. But over time, we'll need to see how Vista withstands the real-world electronic attacks that will no doubt hound this OS. A year from now, we'll be able to step back and evaluate how Vista performed in the wild. For now, Microsoft can at least take some comfort in the fact that Vista is, perhaps, the most secure OS it's ever created. There's just no doubt about that.
Next: Windows Vista Features: Performance Features.