Security and Windows Vista
Vista is the first of Microsoft’s operating systems to be built from the ground up with security in mind. Microsoft has rewritten Windows’ core code to make it far more secure. Vista also includes technologies to combat spyware and phishing and to make your computer more resistant to outside attack and control.
While Vista shows plenty of signs of Microsoft’s new focus on security, much of the evidence is hidden from view, threaded through Vista’s foundation code. Features such as Windows Services Hardening – which prevents compromised Windows services from altering configuration settings – mostly run below the user radar.
Things you will notice, though, include a beefed-up firewall that monitors both incoming and outgoing traffic; parental controls that make it a whole lot easier to manage and monitor your children’s computer usage; and User Account Control (UAC).
The latter is designed to prevent you from accidentally installing software or making changes to settings that might damage or compromise your computer. Unfortunately, UAC works by halting certain actions and displaying prompts before you can continue. The whole system freezes until you respond to the prompt. It seems likely this is going to confuse many Windows beginners and simply annoy long-time users, who may end up clicking OK without really thinking. It’s a bit of a no-win situation for Microsoft. If you really want a more secure computing experience, you should be prepared to train yourself to understand and use User Account Control and to think before you click.
Vista will ship with Internet Explorer 7, the new version of Microsoft’s browser. This is a far better browser than earlier versions of IE and Vista users get the additional benefit of Protected Mode. Protected Mode prevents the browser – or any outside code trying to operate through it – from doing anything that could harm your system. In effect, the browser’s local actions are corralled within the Temporary Internet Files folder and it is unable to write outside its confines. Despite the improvements, IE 7 still has an uncomfortable amount of code in common with IE 6 and there’s nothing about the browser that’s likely to wean anyone away from Firefox or Opera. At least those who use whatever browser ships with the operating system will be safer than they were when running IE 6 on XP.
Although Vista is undoubtedly more secure than any other Windows operating system, it is by no means impregnable. An ominous indication of that emerged during the Black Hat security conference in August 2006, when Microsoft placed the Beta 2 version of Vista in the hands of security professionals and hackers, inviting them to test its defenses. It was a bold, confident move by Microsoft. Unfortunately, on the last day of the conference a researcher demonstrated a successful attack and installed a rootkit (a stealth program designed to subvert a system) on Vista. In order to do so, the researcher had to ignore a security prompt displayed by the system, but that’s just the sort of thing users are likely to do when confronted by Vista’s manifold User Account Control warnings. Since then, Microsoft has done a lot of work to reduce the number of UAC prompts displayed by Vista; here’s hoping that will be enough to render the system more palatable to users, and hence more effective.
What the Black Hat experience shows us is that Vista will not herald the end of the plague of security vulnerabilities we’ve suffered over the years. Still, given Vista’s security focus, it’s reasonable to expect the number of problems will decrease significantly.