In "Vista's User Account Control and BitLocker Drive Encryption," (April 2007, InstantDoc ID 95153), I examined two major new security features in Windows Vista. But the improvements in Microsoft's latest OS don't stop there. Vista also has many other technologies that will help IT pros secure their environments, including secure logon support, file system and registry virtualization, an enhanced Encrypting File System (EFS), service and process isolation, driver signing, 64-bit security features, USB Device Control, and Network Access Protection (NAP). These new and enhanced features are responsible for Vista's reputation as the most secure Windows OS yet.

New Ways to Securely Log On
Most people today use an alphanumeric password to log on to secure PCs, but Vista has been designed to support smart cards, biometric devices such as fingerprint readers, and other secure logon methods. Indeed, Microsoft is embarking on a multiyear quest to move its biggest customers from alphanumeric passwords to more secure authentication methods. Vista is the first OS to fully support these alternatives.

To accommodate these security features, Microsoft has completely rewritten the Windows logon UI and the logon technologies in Vista. Vista natively supports not only new credential types (i.e., smart cards and biometrics) but also multiple credentials. Furthermore, because the credentials system is extensible, enterprises will soon be able to choose from a wide range of third-party solutions. These solutions will integrate with appropriate technologies in the Windows desktop, including Vista's User Account Control (UAC).

File System and Registry Virtualization
Many legacy applications aren't designed to support standard user accounts, but modify the registry or file system to let users perform certain tasks or access certain resources. When you try to run such applications on Vista, with its locked-down file system and registry, you can run into difficulties. To ensure that legacy applications have fewer problems during installation and execution, Microsoft has created virtualized versions of the file system and registry.

In Vista, all file system and registry writes are automatically and silently redirected to user locations so they can't harm the entire network. For example, when an application installer attempts to write to C:\Program Files, Vista redirects the write operation to a VirtualStore directory within the current user's account. To the application, the write operation proceeds normally, and to the user, the application appears to reside in the expected location. On multiuser systems, each user has an isolated, local copy of every redirected file.

Registry virtualization works similarly. Vista virtualizes the HKEY_LOCAL_MACHINE\SOFTWARE hive, and applications that attempt to store configuration information in system-wide portions of the registry are redirected to a new structure under HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE. As with file virtualization, all users on a system have their own copies of configuration information that, on earlier versions of Windows, was saved globally.

Because file system and registry virtualization is a stopgap measure intended to make legacy software compatible with Vista, such virtualization is available only in the 32-bit versions of Vista. Microsoft expects Vista-compliant applications to respect the new Windows application guidelines. As more and more applications are ported to the new development framework, future Windows versions will do away with file system and registry virtualization. Vista's compatibility technology is only a short-term solution.

EFS Improvements
Although Vista Enterprise and Ultimate editions have a new, automated approach to full disk encryption, called BitLocker, Windows has long supported EFS for general file and folder encryption. Vista continues that support, but has improved EFS security, performance, and management.

Specifically, you can now store EFS user keys on smart cards, making administrative recovery of EFS-protected data more secure and convenient than ever before. Vista also supports encryption of the system page file and offline copies of remote files, functionality that administrators have been requesting for years. To make EFS easier to manage, Microsoft has added several EFS-related options to Group Policy. These options include requiring smart cards for user verification, enforcing page file encryption, and enforcing encryption of each user's Documents folder structure.

Windows Service and Process Isolation
In an effort to reduce the overall attack surface of Vistabased PCs, Microsoft has reduced the number of services that run by default and ensured that they are running at the lowest privilege level possible. Furthermore, all services are now limited to the local machine or local network, in contrast to previous Windows versions, in which service permissions extend beyond the box according to the privilege level under which they are run. Individual processes are also much more restricted than they were in previous Windows versions.

Both service and process isolation—as well as UAC and file system and registry virtualization—rely on a low-level change to Windows that categorizes and isolates objects by trust level. The new Windows integrity control component essentially prevents processes that have few rights from interfering with processes that have more rights. In Vista, integrity levels trump user privileges. For example, malware can no longer run with the privileges of the logged-on user, as it could in Windows XP. Now, malware runs only within the integrity level of the object that spawned it. Thanks to Vista's service and process isolation, malware that successfully attacks the OS should be less able to break into other parts of the system.

Vista has six integrity levels:

  1. Untrusted—a rarely seen level that's used only for anonymous logons.
  2. Low—a level that's used for Internetrelated features, including Internet Explorer 7.0 and the Temporary Internet Files folder.
  3. Medium—the default integrity level, used for Standard User accounts and most Windows-generated files.
  4. High—the level used by Administrator accounts running in elevated mode. (By default, even Administrator runs with Standard User privileges.)
  5. System—the level used by most kernel and system services.
  6. Installer—a level that's invoked only by installer routines. (To ensure that uninstall works properly, installers need to operate at a higher integrity level than other objects in the system.)
   Prev. page   [1] 2     next page



You must log on before posting a comment.

If you don't have a username & password, please register now.