Security Systems in Vista

Having been born in an environment where security is the buzz word, how does Vista fare on that front? We drill down into some of the new security aspects expected to ship with Vista

Wednesday, March 08, 2006

Print

Comment

Email

Digg

Del.icio.us

Reddit

Twitter

This is an OS that's supposed to be written from the scratch and is coming at a time when the word 'security' is in everything. Let's take a look at some of the new features and tools in Vista and see how well they help you combat security threats. We are considering all three types of security in this article – against malware, against people, and data security.

User security
While Microsoft has introduced new security features in Vista that allow you to use external devices like USB keys to store authentication/authorization information, security has been left blatantly ignored in other areas. A key one being the 'Administrator' user account. Until Win XP, the user is prompted during installation to select a strong password for the Administrator user. This allowed the user to do two things – one, remember that there was such an account on the PC; and two, protect such a powerful account with a good password. Now, in Vista there is no such option at all. Like XP, Vista too will not prompt you to login if you have just one account on your system with no password set up for it. This means that a majority of users will not even know that there is an Administrator user account on their PC. And we're not giving any prizes for guessing what its default password is!

The UAP (User Account Protection) is a strong presence in Vista . This is what causes all those security dialogs to pop up when you attempt to do something that requires 'higher privileges'. When you login as a user not in the Administrator's group, you have access to do very few tasks in the system. You can launch your regular applications like Word and browse the Internet. But try to use a system management tool and you get a pop up warning that such an action has been initiated and if you want to allow it. Now, in this Beta release, it does not seem to remember when you permit an operation (and there are no on-screen options to let you save the setting), but hopefully that will be fixed before Vista goes RTM. It is also apparently very easy for people to get in and turn off UAP altogether on their systems (one such tip is online at http://windowsitpro.com/ Article/ArticleID/47757/ 47757.html). Some activities explicitly require you to be an Administrator. In such cases, you are nicely prompted to login as one. In fact, when you do attempt to over ride every other security feature by setting a program to always run as Administrator (Properties>Compatibility and turn on 'Run this program as an administrator'), Vista will turn on a diagnostic monitor to debug the program and find out if it is really required to run as Administrator. If it finds such high privileges are not required, it tells you so and demands you turn it down.

Network access
There are again two layers of protection (at least) on the network front. At the basic level, you have the Windows Firewall and then you have Windows Defender (which is actually an integrated version of the AntiSpyware tool for XP). A third component is the Network Access Protection agent. What this does is that at every system start up, it scans your PC to check if there are any pending software updates. If some are found, it blocks access to the LAN until this is fixed. Currently, this is as simple as clicking on the icon in the system tray and then on the 'Try Again' button there. This makes the firewall in Vista bi-directional. So, it no longer just protects access from the outside, but also prevents things in the system from affecting the outside world unless permitted.

However, we must note with disappointment that getting Vista on a network is a rather tough task. It is rather picky about its hardware and even then, if once the network system in Vista crashes for any reason, getting everything working again is a painful task. Again, this would hopefully go away before it RTMs.

The integrated error reporting and troubleshooting tool not only sends error messages to MS, but also downloads their solutions when available

Secure your hard disk
From the control panel, Vista lets you enable something called Secure Startup. When enabled, this will encrypt one or more hard drives on the PC and make them completely unusable without using the key created for the purpose. To this end, the Secure Startup applet displays a list of hard drives on which Secure Startup has been enabled. This feature also scans the system for modifications since last startup, which are usually signs of tampering attempts. Once enabled, these PCs cannot be booted off a CD, USB drives or floppy disks.

One of the big things being talked about in Vista is its 'BitLocker' feature. This is actually the EFS (Encrypting File System) in Vista , but implemented over the entire hard disk. For instance, in NTFS (XP), you can selectively have the OS encrypt particular files and folders (and also the hard disk). In Vista , this happens by default for the entire hard disk. This is great for data security. But what happens to all that data if the PC crashes and you need to read it from another OS?

Patch and update
Applying patches and updates have never been easier with the desktop Windows family. The Windows Update is now right in the system, featured as a Control Panel applet. Sadly, this seems to update only Windows and not the entire range of MS software as available from their earlier launched 'Microsoft Update' service. From this UI, you can review what updates are available and apply them. You can also see a list of what updates failed or you declined earlier and select to apply them now.

Problem solvers and privacy
Earlier versions of Windows troubleshooters have been notorious for their final screen that said you should look elsewhere for a solution since the troubleshooter wasn't able to find one. Vista features a 'Solutions to Problems' Control Panel applet that sends the Error Reporting data back to Microsoft. Then, you can have Vista automatically poll that system for solutions to previously submitted problems. These are downloaded as patches and hot fixes and applied to your deployment transparently. However, at this point of time, we did not see a way to control when and how this information is sent. Whenever a program crashes or Vista determines there is a problem, the auto-reporting starts immediately with just a 'Cancel' button. Sometimes, attempts are made to report without there being even a network connection present!

The next time, we will look at the wireless and networking features and services in Vista , and how they affect enterprise network topology. If you have any suggestions to what we could look at in this series, do let us know at forums.pcquest.com.

Sujay V. Sarma

Page(s)   1