
Waiting for Vista's Best Security Adv

In its bid to get its enterprise customers to sit up and notice Windows Vista, Microsoft has consistently pushed one unbeatable message: Vista will be more secure. Windows Vista, Microsoft says, is the most secure operating system that the company has ever released. And sure enough, the list of Vista benefits reads like a laundry list of security features. You'll see terms like Address Space Layout Randomization (ASLR), User Account Control (UAC), BitLocker Drive Encryption, and much more. But you're going to have to wait for some of the biggest security advantages in Windows Vista. And that's probably just fine with most businesses, as it seems that virtually no one is in any hurry to deploy Microsoft's next client operating system right now.

Some of these features, such as mandatory digital signing of kernel-mode device drivers and Kernel Patch Protection (sometimes called PatchGuard), are only available in the x64 versions of Windows Vista. (ASLR, by contrast, is enabled in both the 32-bit and 64-bit editions.) While many of us have been buying the x64-based hardware necessary to run these 64-bit Vista versions for some time, I advise you to hold off: The x64 versions of Vista will suffer from withering application incompatibility issues for some time. Unless you've fully tested all of the software you use--whether it's commercial or developed in-house--on x64 versions of Windows Vista, don't even consider moving to these systems. My guess is that it will take a year or more before the x64 versions of Windows Vista can be considered mainstream releases.

Other features waiting in the wings won't really come to life until Microsoft ships Windows Server "Longhorn" and Windows Vista Service Pack 1 (SP1), both of which are expected to ship concurrently. Vista SP1 will include an updated kernel version, which will bring Vista in line with the kernel found in Longhorn Server. That alone is a big deal. But there are various Vista features that won't make much sense until you're running Longhorn Server on the back end. The most obvious is Network Access Protection (NAP), a network quarantine feature. For NAP to work, you need support for the technology on both the client and the server. Windows Vista is the first Windows OS to ship with native NAP support, though presumably it could be added to previous Windows versions via an agent install.

Microsoft has been working on this feature for several years, and you may recall that the server NAP code was originally going to ship as part of Windows Server 2003 R2. Microsoft stripped NAP from that product, however, because of a deal with Cisco in which the two companies agreed to create interoperable network quarantine solutions. Cisco's Network Admission Control (NAC) and Microsoft's NAP will be fully interoperable, and customers will be able to choose between the two technologies on the server side. This means you could install Cisco-based appliances or software solutions, and/or Longhorn Server-based servers in your enterprise and use compatible client OSes, like Windows Vista, to ensure that systems connecting to the network meet your security requirements: a client reports its health state (firewall on, antivirus signatures current, required updates installed), and a policy server compares that report against your requirements. Systems that do not meet these requirements are quarantined from the network and provided with the security updates they need before being granted full access.
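To make the quarantine workflow above concrete, here is a small model of the exchange, written for this article as an added example; it is not Microsoft's NAP code and does not speak the real NAP protocol. The statement-of-health fields, the policy thresholds, the "reporting-only" switch (a real NAP rollout option: log non-compliance without blocking anyone) and the remediation actions are all assumptions chosen to illustrate the decision logic: evaluate the client's health against policy, quarantine on failure, remediate, and re-check until the client is admitted.

```python
"""Simplified model of a NAP-style network quarantine exchange.

Client side: sends a statement of health (SoH).
Server side: evaluates it against a health policy, returns an enforcement
decision, and (in quarantine) applies remediation before re-checking.
Field names, thresholds and remediation steps are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class StatementOfHealth:
    """What the client reports about itself (assumed fields)."""
    firewall_enabled: bool
    antivirus_signature_age_days: int
    missing_security_updates: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class HealthPolicy:
    """What the policy server requires (assumed thresholds)."""
    require_firewall: bool = True
    max_signature_age_days: int = 7
    allow_missing_updates: bool = False
    enforce: bool = True  # False = reporting-only mode: log, but never quarantine


def evaluate(soh: StatementOfHealth, policy: HealthPolicy) -> List[str]:
    """Return the names of failed requirements; an empty list means compliant."""
    failures = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall")
    if soh.antivirus_signature_age_days > policy.max_signature_age_days:
        failures.append("antivirus_signatures")
    if soh.missing_security_updates and not policy.allow_missing_updates:
        failures.append("security_updates")
    return failures


def enforcement_decision(failures: List[str], policy: HealthPolicy) -> str:
    """Map evaluation results to a network decision.

    In reporting-only mode a non-compliant client is still granted full
    access; the failures are only recorded. This is how a NAP rollout is
    typically staged before enforcement is switched on.
    """
    if failures and policy.enforce:
        return "quarantine"
    return "full_access"


def remediate(soh: StatementOfHealth, failures: List[str]) -> StatementOfHealth:
    """Simulated remediation-network actions (assumed): fix what failed."""
    if "firewall" in failures:
        soh.firewall_enabled = True
    if "antivirus_signatures" in failures:
        soh.antivirus_signature_age_days = 0
    if "security_updates" in failures:
        soh.missing_security_updates = []
    return soh


def admit(soh: StatementOfHealth, policy: HealthPolicy, max_rounds: int = 3) -> List[Dict]:
    """Run the check/quarantine/remediate loop and return a per-round transcript.

    The client is re-evaluated after each remediation pass; the loop ends on
    full access or after max_rounds (a client that cannot be fixed stays
    quarantined, which the last transcript entry will show).
    """
    transcript = []
    for round_no in range(1, max_rounds + 1):
        failures = evaluate(soh, policy)
        decision = enforcement_decision(failures, policy)
        transcript.append({"round": round_no, "failures": list(failures), "decision": decision})
        if decision == "full_access":
            break
        soh = remediate(soh, failures)
    return transcript


if __name__ == "__main__":
    # Constructed sample client: firewall off, stale signatures, one update missing.
    client = StatementOfHealth(False, 30, ["example-missing-update"])
    for entry in admit(client, HealthPolicy()):
        print(entry)
```

Running the block shows round 1 failing all three checks and being quarantined, then round 2 passing after remediation and receiving full access. Switching the policy to `HealthPolicy(enforce=False)` yields full access on round 1 with the failures still listed, which is the reporting-only posture you would use while evaluating NAP before turning enforcement on.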

With Longhorn Server not due to ship until late 2007, most Microsoft-oriented enterprises will likely want to wait until that time to begin deploying any network quarantine solution. But this technology is an absolutely crucial security piece that is missing from many environments today. For this reason, you should begin evaluating NAP in Longhorn Server when Microsoft ships its Beta 3 release in the first half of 2007. Rolling out NAP and Vista together is an excellent idea. In fact, if you were looking for a truly good reason to go through the expense and pain of rolling out Windows Vista, this might just be it.

As for the timing, heck, you were waiting for SP1 anyway. And late 2007 might just be the perfect time to move to x64 versions of the OS as well.

This article originally appeared in the November 28, 2006 issue of Windows IT Pro UPDATE.
