Vista under the Hood

Windows Vista is in Beta 2. We check it out for security, productivity and other key features, and tell you everything you need to know well before its final release

Saturday, April 08, 2006


The new OS due to ship out of the Redmond camp later this year has its feature-frozen "beta 2" out on a CTP (Community Technical Preview). What this means is that, give or take a few minor pieces here and there, this is what the final release of Vista will look like come the end of the year. Coming as it does to the top of the pile from the line-up of preceding desktop OSes like Windows XP, expectations are high from everyone on what it should and needs to contain. So, how closely has your wish list been answered? And more importantly, when the sales people come knocking to say maybe it's time you upgraded, what are the things you need to know?

The SKUs
As per current information, there will be five different SKUs (editions) of Vista. Unlike Win XP, which had the Home, Professional, Media Center and Tablet PC editions, Vista has two editions each meant for home and business users, and then the Ultimate edition as well. For organizations, there are the Vista Business and Enterprise editions. Home users get Home Premium and Home Basic. The Ultimate edition has a mix of features from both the Home and Business SKUs and is useful for people who work from home. The Tablet PC and Media Center editions are now gone and their functionality has been integrated into the other editions except Basic. The Enterprise edition contains all features of the Business edition plus a few enhanced ones like BitLocker encryption (to protect data even if somebody steals your hard disk) and virtualization support (to run previous versions of Windows). It also has a subsystem that allows you to run UNIX apps. The Home Basic edition is meant for basic productivity and won't contain all the bells and whistles of Home Premium. Home Premium likewise contains Media Center functionality and other advanced features.

All SKUs except Basic come with the new 3D Aero UI, which requires pretty high system specs to be enabled and work. This time, MS has been particularly careful about security, and has therefore built quite a few security features into the OS, as we shall soon see. It's claimed to be the safest OS ever designed by MS. Then of course, the usual slew of benefits of enhanced productivity, lower management costs, better connectivity, etc is being touted anyway.

In this story, we look at many of the key features promised in Vista that deliver on these benefits. For instance, all editions have early warning systems for hardware failure, which would reduce administrative overheads. All have parental control features. This being a beta, we did face problems with some of them, and we sincerely hope that they will not be there in the final release.

Security systems
There are several layers of security built into Vista. Some of these features are improved versions of those we've been used to so far in Win XP. Others, like UAC (earlier called UAP) and BitLocker encryption, are brand new. Of course, when we at Labs see something new like this, we love to get our hands dirty and see how sturdy it is. Here's what we found in the security features shipped in Vista.

User Account Control (UAC)
After being named a lot of things, this is what user account authority limitation in Vista is called now. To cut a long story short, UAC is the layer of the OS that prompts you to enter administrator credentials when you run certain programs or commands. It's controlled by a set of six group policy settings. We expect that these can later be set up at the domain level (in Longhorn Server) and enforced by Vista.

UAC requires users to provide administrative credentials for certain programs or commands
  • Behavior of elevation prompt for administrators
  • Behavior of elevation prompt for standard users
  • Elevate on application installs
  • Run all users, including administrators, as standard users
  • Validate signatures of executables that require elevation
  • Virtualize file and registry write failures to per-user locations

The first two control what happens when administrator and non-administrator users encounter programs that require administrative privileges. By default, administrators see a consent dialog that simply asks them for permission to continue, while standard users see a credential entry box where they need to enter logon information for an administrator-class account. Which account the user enters here depends on what he is trying to access. For instance, if it is something on the local system, he needs to enter the administrator credentials for the local system. But if it is a network or domain operation, then the credentials have to be for that resource. The possible settings for these include 'Silent elevation' (no prompts are displayed; not recommended for regular use), 'Prompt for credentials' (requires the user to enter logon information) and 'Prompt for consent' (requires just an approval to continue).

The firewall in Vista allows extensive configuration and management of access rules

The logic behind this feature is that a user, regardless of whether he is logged in as an administrator, should never be running everything in sight with full privileges. This cuts down on malicious software installing itself without consent from the user, and also prevents users from inadvertently installing rogue applications (which could even be things banned by the network administrator in an enterprise) on their systems. Which programs UAC invokes the consent/credential box for is determined heuristically from a list of criteria (for example, words like 'setup' or 'install' in the file name, and certain properties in the file's SxS manifest data).

The sixth group policy setting above (virtualize...) is designed to accommodate legacy applications that were designed for XP but need to run under Vista. It allows Vista to redirect read and write operations to sensitive system areas and registry locations to virtual locations under that user's profile. MS has announced that this virtualization will be removed in a future service pack and not supported in future releases of Vista, so developers should not depend on it in perpetuity.
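As an added example (not from the article), here is a PowerShell audit of the six UAC policies listed above. It assumes the registry value names under HKLM\...\Policies\System used by the released Vista (ConsentPromptBehaviorAdmin and friends); the beta's names and defaults may differ.

```powershell
# Added example, not from the PCQuest article. Reads the six UAC group policy
# settings from the registry and flags the weak choices the article cautions against.
# Assumption: value names and defaults as in the released Windows Vista.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue

# Decoding tables for the two "behavior of elevation prompt" policies (Vista values)
$adminPrompt = @{ 0 = 'Silent elevation (no prompt)'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' }
$userPrompt  = @{ 0 = 'Automatically deny elevation'; 1 = 'Prompt for credentials' }

function Get-UacSetting($name, $default) {
    # A missing value means "not configured"; report the assumed OS default instead
    if ($null -ne $p -and $null -ne $p.$name) { return [int]$p.$name } else { return $default }
}

$adminBehavior = Get-UacSetting 'ConsentPromptBehaviorAdmin' 2
$userBehavior  = Get-UacSetting 'ConsentPromptBehaviorUser' 1
$installElev   = [bool](Get-UacSetting 'EnableInstallerDetection' 1)
$uacOn         = [bool](Get-UacSetting 'EnableLUA' 1)
$validateSig   = [bool](Get-UacSetting 'ValidateAdminCodeSignatures' 0)
$virtualize    = [bool](Get-UacSetting 'EnableVirtualization' 1)

$rows = @(
    @('Behavior of elevation prompt for administrators', $adminPrompt[$adminBehavior]),
    @('Behavior of elevation prompt for standard users', $userPrompt[$userBehavior]),
    @('Elevate on application installs',                 $installElev),
    @('Run all users as standard users (UAC on)',        $uacOn),
    @('Validate signatures of elevating executables',    $validateSig),
    @('Virtualize file/registry writes per user',        $virtualize)
)
foreach ($r in $rows) { '{0,-50} {1}' -f $r[0], $r[1] }

# Findings a defender would want raised
if (-not $uacOn) {
    Write-Warning 'UAC is disabled: every process of an administrator runs with full privileges.'
}
if ($adminBehavior -eq 0) {
    Write-Warning 'Silent elevation for administrators: programs elevate with no prompt at all.'
}
if (-not $installElev) {
    Write-Warning 'Installer detection off: setup/install programs will not trigger the UAC prompt.'
}
```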

Windows firewall
There are two interfaces to manage the Windows Firewall. One is the version we've been used to since Win XP. This dialog, now accessible only through the Control Panel, features re-written explanations under each option on the main tab that are easily understood by the non-geek. Under the Exceptions tab, there are many more programs and services listed compared to a standard Win XP desktop.

You will find services like BITS (Background Intelligent Transfer Service, around since Win 2000) and Firewall Remote Management (new to Vista) listed here. On our test system, we had around 20 items, including those for IMs. The second and more advanced interface is an administrator-only MMC console. To access this one, go into Administrative Tools and open the 'Windows Firewall with Advanced Security' item. Here you have a fairly large number of options to configure. Some of them appear not to be working yet, and we hope they will be running in the next beta. There is no way to add new items to monitor or to generate reports.

Note: One good security feature we found in Vista was that by default, it didn't allow a user to save any documents in c:\, giving a message that you don't have permission to do that. This message came up even for the administrator user.

Ports and exceptions
Using the WF console, you can manage exceptions for both inbound and outbound connections. To add a new exception, right-click anywhere in the right-hand pane. You can selectively enable or disable exceptions by right-clicking on an exception and selecting 'Enable Exception' or 'Disable Exception'. You can change its parameters from the Properties dialog invoked from its context menu. However, each entry in the exception list can control only one combination of the available parameters. This means that if you need to open (say) ports for both UDP and TCP for some application, you need to create at least two rules.

In the same exception entry, you can require secure connections with encryption, and when this is selected, you can use the options in the Authorization tab to allow in only specific computers and users. These computers and users can be selected from your Active Directory if your system is on a domain. The Protocols tab lists 18 pre-defined protocols and allows you to configure custom ones (by protocol number) as well. For the inbound and outbound scopes the rule applies to, you can specify a single IP address, a subnet or an IP range. Following the trend everywhere else in Vista, you can specify either IPv4 or IPv6 addresses in these boxes. Want to configure more parameters for this exception? Go on to the Advanced tab, where you can select whether the exception applies when the PC is connected to a domain or not, which network interfaces (if the system is multi-homed) the rule applies to, and which services/processes the exception applies to. This answers the long-standing complaint that Win XP's firewall isn't very configurable.

IPsec
Other than setting up which ports to block or leave open, the IPsec console also lets the administrator configure IPsec policies, where you can define what kind of security keys to exchange, using which algorithm, and how to validate them. You can also set up data protection using the ESP or AH protocol. ESP is compatible with NAT and is recommended if you use NAT on your network. AH is not NAT compatible and is suited to a standalone Vista system. Encryption can be set up too, and for this option you can use an ESP plus AH hybrid, which is again not compatible with NAT.

Authentication
Both the computer and the user can be authenticated by setting up two levels of authentication (the first for the computer and the second for the user), with the caveat that if a pre-shared key is used for the first level, you cannot use second-level authentication. Therefore, if you require both levels, you need to select either Kerberos or (digital) certificate based authentication for the first level. User-level authentication can be performed using Kerberos, NTLM, digital certificates or 'computer health certificates'. When using certificates, you need to select which issuing CA to accept certificates from, and can enable certificates to be mapped to user accounts.
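The firewall exception settings from the 'Ports and exceptions' section and the two-level IPsec authentication above, as an added example that is not from the article: the same rules created with the netsh advfirewall context that Vista ships (assumed syntax of the released Vista). The program path, ports, addresses and service name are placeholders.

```powershell
# Added example, not from the article. Equivalent of the 'Windows Firewall with
# Advanced Security' console steps, done with netsh advfirewall. All names,
# paths, ports and addresses below are made-up placeholders.
$app = 'C:\ExampleApp\app.exe'   # placeholder program

# One rule covers one protocol, so TCP and UDP for the same program need two rules.
# Scope: an IPv4 subnet, an IPv4 range and one IPv6 host; profile: domain-joined only.
netsh advfirewall firewall add rule name=ExampleApp-TCP-in dir=in action=allow `
    program=$app protocol=TCP localport=5000 `
    remoteip=192.168.10.0/24,192.168.20.1-192.168.20.50,fd00::10 profile=domain
netsh advfirewall firewall add rule name=ExampleApp-UDP-in dir=in action=allow `
    program=$app protocol=UDP localport=5000 `
    remoteip=192.168.10.0/24,192.168.20.1-192.168.20.50,fd00::10 profile=domain

# 'Require secure connection with encryption' (security=authenc), bound to a
# service (placeholder short name) and, from the Advanced tab, to LAN interfaces only.
netsh advfirewall firewall add rule name=ExampleSvc-in-secured dir=in action=allow `
    service=ExampleSvc protocol=TCP localport=5001 security=authenc interfacetype=lan

# 'Disable Exception' from the context menu (set new enable=yes to re-enable)
netsh advfirewall firewall set rule name=ExampleApp-UDP-in new enable=no

# IPsec connection security rule with two authentication levels: computer via
# Kerberos first, then user via Kerberos. A pre-shared key is only possible at the
# first level, and then no second level can be configured, as the article notes.
# ESP/AH data protection is left at the console defaults here.
netsh advfirewall consec add rule name=Require-auth-from-subnet `
    endpoint1=192.168.10.0/24 endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2=userkerb

# Review what was created
netsh advfirewall firewall show rule name=all | Select-String 'Rule Name'
netsh advfirewall consec show rule name=all
```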

Zooming has so far existed in a browser only for text (center image), and did not magnify images or resize other content on the Web page. IE 7 adds page zoom that magnifies everything on the page (right image)

Page(s)   1  2  3  
