Over the past few years, we've touched on a number of topics in Need to Know related to Windows Vista. We've even discussed Windows Vista security a few times. This time around, I'd like to examine some of the Windows Vista security features that will directly impact the lives of IT professionals and administrators. Microsoft has made dramatic changes to the underpinnings of Vista, and these change all work together to make Windows Vista the most secure Windows version ever. This, then, is what IT professionals need to know about Windows Vista security.
What we're not discussing
When it comes to new software, it's hard not to focus on the bits that show up obviously in the user interface. In Vista, these UI baubles include such things as Windows Security Center, Windows Defender, Windows Firewall, Parental Controls, Internet Explorer 7 Protected Mode, Windows Update and Automatic Updates, among others. Since a discussion of these features is decidedly high-level and you've almost certainly run into them elsewhere, we're going to ignore these features here and focus on more fundamental, low-level security technologies that will impact your job on a regular basis.
User accounts and User Account Control
As in previous Windows versions, Windows Vista utilizes user accounts to determine which tasks a given user is allowed to perform and which computer resources they are allowed to access. Previous to Vista, Windows included four basic user account types. In order from most restrictive to least restrictive, these account types included Guest, Standard User, Power User, and Administrator. In Vista, Power User, essentially a compromise between Standard User and Administrator, has been removed. Instead, all account types--including Administrator--are now more locked down than ever before, which we'll discuss in just a bit. The result is a simpler and more manageable group of user account types.
Other user account features have changed in Vista, always with an eye towards better security. The default admin-level account, the eponymous Administrator, appears to be gone from Vista. It's really just hidden, and can be activated if you think you really need it. But since the first account you create for any Vista install is an Administrator-level account anyway, you really don't need to activate Administrator. In fact, it's best to leave it hidden, since it does not have a password by default.
The big user accounts change is a new feature called User Account Control (UAC). Perhaps the most reviled feature Microsoft added to Windows Vista, UAP is, in my opinion, one of the most important changes in this release. What it does, essentially, is allow Windows Vista to be as locked down and secure as possible in its default running state. However, any time the user requests a feature such as an application, setting, Control Panel, or whatever that could affect the system state, Vista displays a consent dialog, which his basically a modal dialog box that appears over a grayed-out version of whatever the desktop currently looks like. You must deal with this dialog before you can continue working--thus the use of the word "reviled" above; it's annoying. And what you see will vary slightly depending on what type of user account you're using.
Consider the pre-Vista days. In Windows XP, users with an Administrator-class account could literally do anything, including trashing key system files. Standard users, meanwhile, could barely do anything, including, even, playing most games. (Many of which, incidentally, were made by Microsoft. This explains the creation of the Power Users group.) Thanks to UAC, Standard User is now completely viable: Any time a Standard User tries to perform an admin-level task, the consent dialog pops up and requires them to type in the user name and password of an Administrator.
What's interesting is that even Administrators need to deal with these UAC consent UIs, though these types of users will only need to click a Continue button and not type their user name or password. For admins, UAC is essentially an "are you really sure about that?"-type check. It occurs in the Secure Desktop (which you typically see when you tap CTRL+ALT+DEL from within Windows XP/Vista), preventing malware spoofing.
The most amazing thing about UAC, perhaps, is that it helps lock down Administrator accounts. Even if you do choose to run as Administrator, Vista will force you to run with reduced privileges. In fact, Administrator accounts normally run with the same privileges as Standard User. However, any time you need your permissions elevated temporarily, Vista will prompt you with a UAC consent dialog. This elevation occurs only for the task you are trying to perform. Generally, most Vista features that require elevation--and thus a UAC consent dialog--display a small graphical shield to help you understand what's going to happen. In other cases, you can manually run certain tasks as an Administrator. For example, you can right-click the Command Prompt in the Start Menu and choose Run as administrator to run that application with elevated privileges. In fact, you'll need to do just that if you expect to perform any admin-level tasks from the command line. (You can create shortcuts that always run individual application as Administrator, of course. These shortcuts will require you to handle the UAC consent dialog each time they're run, however.)
On paper, UAC seems like a dream come true. But users will run afoul of this feature as UAC consent UIs typically pop-up quite frequently when you start using Vista for the first time. That's because this is the time during which you begin installing applications, configuring features and settings, and generally making the system your own. Once you start actually using Vista, UAC will annoy you much less frequently.
And consider a final point about UAC: Competing operating systems such as Apple Mac OS X and Linux, both of which are based on UNIX, both utilize UAC-like consent prompts as well. And because those systems typically require end users to use non-admin-type accounts for day-to-day work, they're even more annoying than UAC because you always need to type in a password. On the flipside, paranoid Vista users will be interested to know that they can configure UAC to always provide a consent dialog that requires their password, just like OS X and Linux. That's even more secure than the default (though more arduous to use).
BitLocker Drive Encryption
The amount of corporate laptops lost to theft or forgetfulness runs well into the several hundred thousand annually, so it's little wonder that the cost of replacing these machines is far outweighed by the value of the information stored on the machines. Every month, it seems, there's a news story about an executive or information worker who loses a laptop that contains the private information of customers and others, requiring that company to undertake an expensive and embarrassing public process during which they hope to set things right. Laptop loss and theft can easily lead to identity theft, sometimes on a massive level. Obviously, the key to preventing this kind of loss is to ensure that the data on the laptop is encrypted. This prevents others from removing the machine's hard drive and accessing its contents from a different PC.
NT-based versions of Windows such as Windows 2000 and XP have included the Encrypting File System (EFS) for years. This feature lets you arbitrarily encrypt individual folders on your hard drive, ensuring that all of the data they contain--including documents and other data files added after the folder is encrypted--are protected from prying eyes. EFS does this with a minimal, imperceptible performance hit, and the results have proven quite satisfactory.
We look at the EFS improvements in Windows Vista in the next section, but Vista includes even more impressive encryption functionality in this latest Windows release, though you'll need Vista Enterprise or Ultimate to get this feature. It's called BitLocker Drive Encryption and it automatically encrypts the entire Windows volume (i.e. the partition on which the WINDOWS directory is located; typically the C: drive) without requiring the end user to configure anything. This alone makes BitLocker pretty interesting, because it's a feature that admins can easily roll out to executives and others who travel with sensitive corporate data.
But BitLocker doesn't stop there. You may remember that Microsoft was pushing its so-called Palladium technologies a few years back. These technologies, which were later branded under the Next Generation Secure Computing Base (NGSCB) name, were originally going to be a major part of Vista. Today, there are only a handful of NBSCB-based technologies left in the product. BitLocker is one of them.
The NGSCB component of BitLocker works in tandem with Trusted Platform Module (TPM) 1.2 hardware on the computer's motherboard to ensure the integrity of key system components during boot time. This integrity check ensures that the BitLocker-protected hard drive hasn't been placed into a different PC, of course, but it also helps prevent attacks that can occur during boot time, before the OS is loaded.
And if you don't have TPM 1.2-enabled hardware, fear not: Microsoft offers a slightly less effective version of BitLocker that requires you to use a USB memory key instead. This version of BitLocker supplies all of the full disk encryption functionality from the "full meal deal" version, but drops the integrity checks.
For the end user, BitLocker is a bit ponderous to install. You must reserve a second active partition on the laptop's hard drive that is 1.5 GB in size or larger. This volume will not be encrypted, and will contain a few files needed for the PC to boot correctly. If you didn't partition your system correctly during initial setup, you'll need to find a Vista-compatible non-destructive partition utility that can do the job. However, users of Windows Vista Ultimate should know that they have access to a free Ultimate Extra called the BitLocker Drive Preparation Tool that will perform this partitioning for you. Vista Enterprise users are apparently able to handle this kind of thing on their own.
All Vista versions support general file and folder encryption services via EFS, the Encrypting File System. In Vista, however, EFS has been somewhat improved and is now more secure, offers better performance, and is more easily managed.
Specifically, you can now store EFS user keys on smart cards, making administrative recovery of EFS-protected data more secure and convenient than before. Vista also supports encrypting the system page file and offline copies of remote files, functionality that administrators have been requesting for years. To make EFS easier to manage, Microsoft has also added a number of EFS-related options to Group Policy. These options include such things as requiring smart cards, enforcing page file encryption, and enforcing encryption of each user's Documents folder structure.
New ways to logon
Though most people today logon to secure PCs using an alphanumeric password, Vista has been architected to support smart cards, biometric devices such as fingerprint readers, and other secure logon methods. Indeed, Microsoft is embarking on a multi-year quest to get its biggest customers off of passwords and onto more secure authentication methods, and Vista is the first OS to fully support these alternatives.
To make this change, the logon technologies in Vista have been completely rewritten, as has the Windows Logon user interface. Now, Vista supports both new credential types as well as multiple credentials, and because the system is extensible, enterprises will be able to soon choose from a wide range of third party solutions. These features also integrate with appropriate technologies in the Windows desktop, including UAC.
File system and Registry Virtualization
Because the Vista file system and Registry have been changed somewhat from a structural standpoint and have been dramatically locked down compared to previous versions, Microsoft has created virtualized versions of both to ensure that legacy applications have fewer problems when installing and executing on the new system. (File system and Registry virtualization both rely on UAC to work properly.)
Here's how it works. In Windows Vista, system-wide file system and Registry writes are automatically and silently redirected to per-user locations that won't harm the wider system. For example, when an application installer attempts to write to C:\Program Files, it is silently redirected to a Virtual Store directory located inside the current user's account. To the application, things proceed as normal, and it has no idea that it is being redirected. To the user, the application, too, still appears to be located at the old, expected location. But because the application is not access system-wide file locations, it cannot be used to harm the system. And on multi-user systems, each user will have isolated, local copies of redirected files.
Registry virtualization works similarly. In this case, the HKEY_LOCAL_MACHINE\SOFTWARE hive is virtualized so that applications which attempt to store configuration information in system-wide portions of the Registry are redirected to a new structure under HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE. As with file virtualization, each user on a system will have their own copy of configuration information that was previously issued once on a global basis.
One final note about file system and Registry virtualization: This feature is a stop-gap measure aimed at making legacy software work better in Vista. Microsoft expects Vista compliant applications to respect the new Windows application guidelines. And future Windows versions will do away with file system and Registry virtualization after more applications are moved to the new development style. This is short-term solution only.
Windows Service and Process Isolation
In an effort to reduce the overall "attack surface" of a Windows Vista-based PC, Microsoft has dramatically reduced the number of default running services and ensure that those services that are running are doing so in the lowest-possible privilege level. Furthermore, services are now limited to the local machine or local network. Likewise, individual processes in Vista are also much more restricted than they were in previous Windows versions.
Both of these features--as well as other Vista security features, like UAC and file system and Registry virtualization--rely on a new low-level change to Windows that isolates different objects on a trust-based scale. Dubbed Windows Integrity Levels, this feature is controlled by a new OS component called Windows Integrity Control (WIC). With integrity levels, integrity levels trounce permissions. For example, malware no longer runs in the privilege level of the logged-on user, as it does in XP. In Vista, malware runs in the integrity level of the object that spawned it. And malware that does successfully attack Vista should normally be less able to break into other parts of the system, thanks to Windows service and process isolation: These integrity levels prevent low-rights processes from interfering with higher-rights processes.
There are six integrity levels in Windows Vista:
1. Untrusted. Rarely seen and used only for anonymous logons.
2. Low. Used for Internet features, including IE 7 and the Temporary Internet Files folder.
3. Medium. This is the default integrity level, and it is used for Standard User accounts and most files generated by Windows.
4. High. Used by Administrator accounts running in elevated mode. (Normally, even Administrator runs with Standard User privileges.)
5. System. The province of most kernel and system services.
6. Installer. Invoked only by installer routines because installers need to operate at a higher integrity level than other objects in the system in order to ensure that uninstall works properly.
While Microsoft introduced the concept of driver signing back in Windows 2000, it was never mandatory until the 64-bit versions of Windows Vista. (In 32-bit Vista versions, this feature is still optional.) Now, all kernel mode drivers must be digitally signed, preventing poorly written or aberrant software from compromising the core part of the operating system. Driver signing isn't purely a security feature, of course, and it cannot ensure that a driver isn't purposefully written to compromise Vista. But because driver signing prevents tampering and introduces a sense of identity to the process, signed drivers tend to be more stable and secure than their unsigned counterparts. And that will ultimately lead to more stable and secure operating systems as well.
Note that driver signing is unique to the 64-bit (x64) versions of Windows Vista.
Other 64-bit Security Features
Windows Vista includes a number of other new security features that are unique or improved when running a 64-bit (x64) version of the operating system. This means that 64-bit versions of Vista are theoretically more secure than their 32-bit counterparts. That said, you will want to balance your desire for security with the realities of the 64-bit world. As of this writing, 64-bit versions of Vista are less compatible with both hardware and software than are the 32-bit versions, so you will want to ensure that everything works correctly before moving to 64-bit.
We discussed a number of 64-bit security features back in the August 2006 issue of Windows IT Pro Magazine, including Kernel Patch Protection ("PathGuard"). Since then, a few things have changed and some new security features have emerged. First, Microsoft has bowed to pressure from security software vendors and agreed to provide application programming interfaces (APIs) so that they can programmatically access the Vista kernel as they could with previous Windows versions.
Second, the low-level remote exploit protection feature we discussed last year now has a name: Address Space Layout Randomizer (ASLR). This feature, which has proven quite effective on UNIX, randomly varies the memory addresses of Windows data structures at boot time, helping to protect against malware that relies on particularly memory offsets to perform overflow-based attacks. In addition to only being available on the x64 versions of Vista, ASLR also requires that Data Execution Protection (DEP) is enabled.
USB Device Control
Because so many users today have iPods, USB thumb drives, and other USB-based devices, administrators often fear that the USB ports on client PCs will be an off ramp for valuable corporate data, whether it's taken purposefully or not. (Indeed, some admins have even taken to gluing USB ports shut to prevent this from happening.) It doesn't help that USB devices are often so small that they're easily lost, and that malware could easily be written to launch from a USB device.
To combat these issues, Vista supports new Group Policy options that help administrators block the installation and use of unauthorized devices, including USB and Firewire-based storage devices. These options can be applied to individual computers or across a group of machines throughout your environment. And you can fine-tune which devices are blocked. For example, you can choose to block entire classes of devices, block all removable storage devices, or block or allow specific devices. You can even control read and write access to removable storage devices per-user and per-machine.
Network Access Protection
When Windows Server 2008 is completed in late 2007, enterprises will be able to use that system in tandem with Vista to implement a complete network quarantining solution called Network Access Protection (NAP). This system will utilize "health policies" to examine systems connecting to the network and quarantine those systems that don't meet the requirements of the policies. While quarantined, out of date systems can be brought up to speed with whatever security updates and other features are mandated by policy. Healthy systems, meanwhile, are provided with normal access to the corporate network.
While Vista includes the client portion of NAP out of the box, Microsoft will also ship a NAP client for Windows XP with Service Pack 2 (SP2) simultaneously with Windows 2008.
As you probably realize, the security features in Windows Vista are vast and deep and touch every part of the new system. There's little doubt that Vista is more secure than previous Windows versions. The only question, of course, is whether these and other new Vista security features will prompt you to move to Vista more quickly. Microsoft is betting that you will. My prediction is that businesses will migrate to Vista more quickly than they did to XP. And these features are just part of the reason why I believe that's a good decision.
An edited version of this article originally appeared in two parts over the April and May issues of Windows IT Pro Magazine. --Paul