IE7 and a lotBy Larry Seltzer | Posted 07-28-2005
Windows Vista Security Looks Promising
For several years, especially since Windows XP Service Pack 2, Microsoft has been tightening security in Windows and Internet Explorer. It's hard to see at times, but I do think they have been making progress. Nevertheless, with a completely new version of Windows, Microsoft has the opportunity to do some radical things that should help a lot more.
Like Service Pack 2, these changes will break existing applications and require ISVs and device driver writers to make changes. Such is life, I say, and as with SP2, these people will have lots and lots of time to work on updating their software. With few exceptions, if a product doesn't work when Vista ships late next year (cross fingers) you can blame the ISV.
Many of these "new" features have been available in other operating systems or third-party products, but having them standard in Windows makes a difference. I'd like to focus on some of the important ones.
Corporate IT has known for a long time (and if they don't, they're incompetent) how to manage their Windows users with restricted permissions, both on the network and on the local computer. For the average home user it hasn't been hard to set up such accounts, but it's common to run into applications that require greater privileges that are provided on Windows XP for a Limited User.
The problem is changed in Windows Vista first by attitude. The word "Limited" is gone and a "User Account" is now limited. Getting an account with Administrator privileges is now the extraordinary case, but it's not generally going to be necessary. If you do something that requires admin privileges, such changing firewall settings, the system will offer you an opportunity to enter account credentials that have sufficient privileges, such as the Administrator account. So you can run normally as a non-Administrator. This is all called "User Account Protection," and in beta 1 it must be enabled manually.
This approach, of course, is straight out of Mac OS X, and Mac advocates like to point to it as the right way to do things, but there are definite limitations to how much it can protect you. Most spyware/adware installed on Windows is installed deliberately by the user out of carelessness. You want that cool toolbar and you know you're installing a program, so of course you are going to give it admin privileges or whatever it needs. You'd have to do the same to install a legit program. On the other hand, it should provide protection against silent drive-by downloads unless, once again, the user is stupid enough to let them proceed.
Another User Account Protection feature is that when programs write to protected areas of the file system and registry, these writes are actually stored in a separate area, maintained per user, called the Virtual Store. This is very similar to what is done on a Terminal Server, and in fact I wonder why the Virtual Store is stored in C:\Virtual Store rather than under each user's Documents and Settings folder as is done on Terminal Server.
IE7 and a lot
Internet Explorer 7 has many new security-related features on Windows Vista and Windows XP, but the most important work only on XP. IE runs, by default, in a crippled mode called Protected Mode. Doing bold and possibly dangerous things will require special permission. It's a special type of User Account Protection for the browser.
And as with User Account Protection, it has the potential to trip on the outstretched leg of social engineering. Even if it works perfectly, all you need to do is convince users that they really do want to do the things that Windows is warning them could be dangerous. IE7 has plenty of other cool and useful security features, but they also all happen in Windows XP.
A good example of a feature that has been around for a while is NAP (Network Access Protection), which came out, I believe, for Windows Server 2003. It is a set of programs and policies, similar to Cisco's Network Access Control Program and the Zone Labs Integrity product line, that defines security and other requirements for a client before it attaches to a network. The requirements can be that Windows be up to date with specific patches, that anti-virus software be running and up to date, that other programs be installedjust about anything.
The advance in Vista may be as simple as bundling the client components of NAP, but it would be good if this encourages use of it. I have a dream that one day a system like this will be simple enough for ISPs to use and thereby keep dirty clients off of their networks, but we're nowhere near there yet.
There's a lot more, of course: The Windows Firewall will finally filter outbound traffic. EFS disk encryption will improve. Windows programs can be profiled so that the system will know what resources (such as TCP ports) they use, and anything else will raise a red flag. Microsoft's malware removal tool, which runs during updates, will be included. Many of these are important, and I'm sure I'll be looking at them in greater depth in the coming months.
This isn't the first time Microsoft has gotten serious about security, so it would be premature to declare victory against security threats, and Microsoft is plenty circumspect about the future of such things. There is some clever stuff here though, along with a continuation of a several-year trend of locking things down after an orgy of opening insecure services in the late 1990s. If all Windows users were running Vista, the Internet would be a much safer place.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at firstname.lastname@example.org.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.