The new OS due to ship out of the Redmond camp later this year has its feature-frozen “beta 2” out on a CTP (Community Technical Preview). What this means is that, give or take a few minor pieces here and there, this is what the final release of Vista will look like, come end of the year. Coming as it does to the top of the pile from the line-up of preceding desktop OSes like Windows XP, expectations are high from everyone on what it should and needs to contain. So, how closely has your wish list been answered? And more importantly, when the sales people come knocking to say maybe it's time you upgraded, what are the things you need to know?
The SKUs
As per current information, there will be five different SKUs (editions) of Vista. Unlike Win XP, which had the Home, Professional, Media Center and Tablet PC editions, Vista has two editions each for home and business users. And then you have the Ultimate edition as well. For organizations, there are the Vista Business and Enterprise editions. Home users can experience the Home Premium and Home Basic. The Ultimate edition has a mix of features from both the Home and Business SKUs and is useful for people who work from home. The Tablet PC and Media Center editions are now gone and this functionality has been integrated into other editions except the Basic.
The Enterprise edition contains all features of the Business edition plus a few enhanced ones like BitLocker encryption (to protect data even if somebody steals your hard disk) and virtualization support (run previous versions of Windows). It also has a sub-system that allows you to run UNIX apps. The Home Basic edition is meant for basic productivity, and won't contain all the bells and whistles of the Home Premium. The Premium likewise contains Media Center functionality and other advanced features.
All SKUs except for Basic come with the new 3D Aero UI, which requires pretty high system specs to be enabled and work. This time, MS has been particularly careful about security, and has therefore built quite a few security features into the OS, as we shall soon see. It's claimed to be the safest OS ever designed by MS. Then of course, the usual slew of benefits of enhanced productivity, lower management costs, better connectivity, etc. are being touted anyway.
In this story, we try to look at many of the key features being promised in Vista that deliver upon these benefits. For instance, all editions have early warning systems for hardware failure, which would thereby reduce administrative overheads. All have parental control features. This being a Beta, we did face problems in some of them, and we sincerely hope that they would not be there in the final release.
Security systems
There are several layers of security built into Vista. Some of these features are improved versions of those we've been used to so far, in Win XP. Others like the UAP and BitLocker encryption are brand new. Of course, when we at Labs see something new like this, we love to get our hands dirty and see how sturdy it is. Here's what we found in the security features shipped in Vista.
User account control (UAC)
After being named a lot of things, this is what user account authority limitation in Vista is being called now. To cut a long story short, UAC is the layer of the OS that prompts you to enter administrator user credentials when you run certain programs or commands. It's controlled by a set of group policy settings (six of them). We expect that these can later be set up at the domain level (in the Longhorn Server) and enforced by Vista.
UAC requires users to provide administrative credentials for certain programs or commands
- Behavior of elevation prompt for administrators
- Behavior of elevation prompt for standard users
- Elevate on application installs
- Run all users, including administrators, as standard users
- Validate signatures of executables that require elevation and;
- Virtualize file and registry write failures to per-user locations
The first two control what happens when administrator and non-administrator users encounter programs that require administrative privileges. By default, administrators would see a consent dialog that simply asks them for permission to continue, while standard users will see a credential entry box where they need to enter logon information for an administrator-class account. Which account the user enters here depends on what he is trying to access. For instance, if it is something on the local system, he needs to enter the administrator credentials for the local system. But if it is a network or domain operation, then the credentials have to be for that resource. The possible settings for these include: 'Silent elevation' (where no prompts are displayed; this is not recommended for regular use); 'Prompt for credentials' (requires the user to enter logon information) and; 'Prompt for consent' (requires just an approval to continue).
The firewall in Vista allows extensive configuration and management of access rules
The logic behind this feature is that a user, regardless of whether he is logged in as the Administrator, should never be running everything in sight with full privileges. This cuts down on malicious software installing itself without consent from the user, and also prevents users from inadvertently installing rogue applications (that can even be things banned by the network administrator in an enterprise) on their systems. Which programs UAC invokes the consent/credential box for is determined heuristically with a list of criteria (for example: words like 'setup' or 'install' in the file name and certain properties in the file's SxS manifest data).
The sixth group policy setting above (virtualize...) is designed to accommodate legacy applications that are designed for XP but need to run under Vista. It allows Vista to redirect read and write operations aimed at sensitive system areas and registry locations to virtual locations under that user's profile. MS has announced that this virtualization would be removed in a future service pack and not supported in future releases of Vista, and thus developers should not depend on this virtualization in perpetuity.
Windows firewall
There are two interfaces to manage the Windows Firewall. One is the version we've been used to since Win XP. This dialog, now accessible only through the Control Panel, features re-written explanations under each option on the main tab that are easily understood by the non-geek. Under the Exceptions tab, there are many more programs and services listed compared to a standard Win XP desktop.
You will find services like BITS (Background Intelligent Transfer Service, existing since Win 2000) and Firewall Remote Management (new to Vista) listed here. On our test system, we had around 20 items, including those for IMs. The second and more advanced interface is an administrator-only MMC console. To access this one, go into Administrative Tools and open the 'Windows Firewall with Advanced Security' item. Here you have a fairly large number of options to configure. Some of them appear not to be working yet and we hope they would be running in the next beta. There is no way to add new items to monitor or generate reports.
Note: One good security feature we found in Vista was that by default, it didn't allow a user to save any documents in c:\, giving a message that you don't have the permission to do that. This message came up even for the administrator user.
Ports and exceptions
Using the WF console, you can manage exceptions for both inbound and outbound connections. To add a new exception, right-click anywhere in the right-hand pane. You can selectively enable or disable various exceptions by right-clicking on that exception and selecting 'Enable Exception' or 'Disable Exception'. You can change its parameters from the Properties dialog invoked from its context menu. However, each entry in the exception list can control only one combination of the set of available parameters. This means, if you need to enable (say) ports for both the UDP and TCP protocols for some application, you would need to create at least two rules for the same.
In the same exception entry, you can require secure connections with encryption, and when this is selected, you can use the options in the Authorization tab to allow in only specific computers and users. These computers and users can be selected from your Active Directory if your system is on a domain. The Protocols tab lists 18 pre-defined protocols and allows you to configure custom ones (with the protocol number) as well. For the inbound and outbound scopes to apply the rule to, you can specify either a single IP address or subnet mask or an IP range. Following the trend everywhere else in Vista, you can specify either IPv4 or IPv6 addresses in these boxes. You want to configure more parameters for this exception? Go on to the Advanced tab and here you can select if the exception applies when the PC is connected to a domain or not; what network interfaces (if the system is multi-homed) the rule applies to and what services/processes the exception applies to. This answers the complaint so far that Win XP's firewall isn't very configurable.
IPsec
Other than the setup of which ports to block or leave open, the IPsec console also lets the administrator configure IPsec policies, where you can define what kind of security keys to exchange, using what algorithm and how to validate that. You can also set up data protection using the ESP or AH protocol. ESP is compatible with NAT and is recommended if you use NAT on your network. AH is not NAT compatible and is suited if you use a standalone Vista system. Encryption can be set up too and in this option, you can use an ESP plus AH hybrid protocol, which is again not compatible with NAT.
Authentication
Both the computer and the user can be authenticated by setting up two levels of authentication (First for the computer and Second for the user), with a caveat that if a pre-shared key is used for the first level then you cannot use the second level authentication. Therefore, if you require both levels, then you need to select either Kerberos or (digital) certificate based authentication for the first level. User level authentication can be performed using Kerberos, NTLM, digital certificates or 'computer health certificates'. When using certificates, you need to select which issuing CA to use certificates from and can enable the certificate to be mapped to user accounts.
Zooming has so far existed in a browser only for text (center image), and did not magnify images or resize other content on the Web page. IE 7 adds page zoom that magnifies everything on the page (right image)
What about IE 7?
Windows Vista bundles the next version of the Internet Explorer browser (now renamed to 'Windows Internet Explorer 7'). This much anticipated browser upgrade, while including a lot of new features and bells and whistles for security, does not exactly manage to make everyone happy. For instance, the standards compliance and CSS2 support that the standards gurus have been clamoring for is squarely not there, and MS has gone so far as to announce it is not even a priority for them. So what are the security features in Vista's IE7 that would affect you? Let's take a quick look.
IE 7 didn't pass the frame injection test, wherein one genuine frame on a web page was replaced with a fake one
Anti-phishing
Windows Internet Explorer 7.0 includes an anti-phishing filter that will perform an automatic check of the website you are visiting. This is essentially a blacklist based check that involves checking the URL against a list of URLs that are known to be malicious. Typical things the engine checks for are IP addresses in the URL and forms being submitted to locations other than the URL in the address bar. This is a subjective process, since it depends on users submitting malicious sites they come across using the 'Report this Website' option in the anti-phishing menu option.
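The three checks described above (a list lookup, an IP address in the URL, and a form that submits somewhere other than the page's own host) can be sketched as follows. This is an added example, not IE 7's code; the blocklist entry, sample page and function names are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist entry; a real filter would load reported hosts.
KNOWN_BAD_HOSTS = {"phish.example.org"}


def host_is_ip_literal(url):
    """True when the URL's host is an IP address instead of a DNS name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    if host.isdigit():  # single-integer IPv4 form, e.g. http://3221225994/
        return True
    try:
        ipaddress.ip_address(host)  # dotted IPv4 or bracketed IPv6
        return True
    except ValueError:
        return False


class FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")


def off_site_form_targets(page_url, html):
    """Resolved form targets whose host differs from the page's host."""
    page_host = urlsplit(page_url).hostname
    collector = FormActionCollector()
    collector.feed(html)
    flagged = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolves relative actions
        if urlsplit(target).hostname != page_host:
            flagged.append(target)
    return flagged


def assess(page_url, html):
    """Return the list of reasons this page looks like a phishing page."""
    reasons = []
    if urlsplit(page_url).hostname in KNOWN_BAD_HOSTS:
        reasons.append("listed-host")
    if host_is_ip_literal(page_url):
        reasons.append("ip-literal-host")
    for target in off_site_form_targets(page_url, html):
        reasons.append("form-posts-off-site:" + target)
    return reasons


# Constructed sample: a login page served from an IP address whose
# credential form posts to a different host; the search form is local.
SAMPLE_URL = "http://192.0.2.10/bank/login.html"
SAMPLE_HTML = """
<html><body>
<form action="https://collector.example.net/post" method="post">
  <input name="user"><input name="pin" type="password">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for reason in assess(SAMPLE_URL, SAMPLE_HTML):
        print(reason)
```
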
Anti-spoofing
Spoofing is the process where the webmaster of a malicious website will try to fool you into believing the URL you are seeing for a webpage is different from where the content is actually coming from. One of the most common ways to do this is by hiding the UI elements (like the address bar and the status bar) that display this information. IE 7.0 does not allow windows to be created that do not have the address bar or the status bar. Also, scripts are not allowed to replace the address displayed; if a script attempts this, the user is automatically redirected to the new URL.
Vulnerabilities: tested
Secunia.com has a battery of tests (which are not very openly listed, but you can get there using a search engine like Google) to check your browsers against known vulnerabilities. This is done using pages hosted on their servers that check for the vulnerability in your browser copy using safe pages and scripts that show you what can be done. We tested IE 7.0 against their IDN Spoofing, URL Spoofing and Frame Injection attacks. URL spoofing is the process of replacing URLs with other strings to make it seem the web page is actually from a legitimate and harmless source. In IDN Spoofing, international characters (like Chinese and Japanese on a computer set up for English) are used to make the URL seem different. Frame Injection misuses the ability to inject content into a frames page being hosted from a completely different URL, with the frame displaying content from a different website. Sadly, IE 7 fails the Frame Injection test. What this means is that you could be on a fake website purporting to be of your bank, even see the content as they would be in the header, menu and footer, including all their advertising
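The IDN spoofing case described above can be checked on the defender's side by looking at which scripts each host label uses. This is an added example, not the browser's or Secunia's code; the policy (flag anything not purely Latin, as on a system set up for English), the script labels derived from Unicode character names, and the sample hosts are assumptions, and the raw punycode codec is used as an approximation of full IDNA processing.

```python
import unicodedata


def char_script(ch):
    """Rough script label: first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, hyphen
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyse_label(label):
    """Decode one DNS label and report its scripts and ASCII form."""
    text = label
    if label.isascii() and label.startswith("xn--"):
        try:
            text = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            text = label  # malformed punycode: treat as plain ASCII
    scripts = sorted({char_script(c) for c in text} - {"COMMON"})
    if text.isascii():
        ascii_form = text
    else:
        ascii_form = "xn--" + text.encode("punycode").decode("ascii")
    return {
        "unicode": text,
        "ascii": ascii_form,
        "scripts": scripts,
        "mixed": len(scripts) > 1,
    }


def spoof_findings(host):
    """Return (kind, ascii_label, scripts) for every suspicious label."""
    findings = []
    for label in host.lower().split("."):
        info = analyse_label(label)
        if info["mixed"]:
            # e.g. one Cyrillic letter hidden among Latin ones
            findings.append(("mixed-script", info["ascii"], info["scripts"]))
        elif info["scripts"] and info["scripts"] != ["LATIN"]:
            # whole label in a script the user is not set up to read
            findings.append(("non-latin", info["ascii"], info["scripts"]))
    return findings


# Constructed samples. The second host starts with U+0430 (Cyrillic "a"),
# which renders like a Latin "a" in most fonts.
SAMPLE_HOSTS = [
    "www.example.com",
    "\u0430pple.example",
    "\u4e2d\u6587.example",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(repr(host), spoof_findings(host))
```

Showing the `xn--` form in place of the Unicode label is what makes the substitution visible to the user.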
Observation
A note: No options to gracefully recover from errors during migration...
There are three problems with the Easy Transfer Wizard and two of them don't seem to have options to recover.
1. When using the network to transfer files, the wizard does not warn you that you need to return to the new PC to make a few selections while the transfer is in progress from the old system.
2. If you get an error that the wizard is corrupted, the only option is to reinstall Vista (or attempt to copy over the wizard's files from installation media).
3. A 'debug assertion failed' error crashes the wizard, and erases all information collected or transferred, without options to recover.
Inactive X
ActiveX components are what enable web pages to display rich media and content that static content, scripting and images alone cannot satisfy. Flash, QuickTime and MPEG movies, and page-embedded content (PDF, Word files) are played on HTML pages using this technology. Other than helping display dynamic and rich content, these components can also be a conduit for malware.
Traditionally, users have been able to install whatever ActiveX components they pleased, and sometimes web sites have made use of the leisurely attitude current and older browser versions have taken towards this technology by silently installing components on visitors' PCs and spying on the users. IE 7 seeks to undo and limit this damage by disallowing automatic and even manual installations of ActiveX components. This will now require explicit Administrator intervention. Certified add-ons that are known to the browser can be initialized and run without requiring explicit permission; these include components that are either a part of Vista or IE 7 itself and can be found under the 'Add-ons that can run without requiring permission' box in the Add-on Manager. When you visit a Web page that requires a particular add-on, the browser will automatically prompt you (via the Information Bar as well as a status bar icon) and you can choose if you want to turn it on or leave it off.
How productive?
The best way to test the productivity features of an OS is to use it in your routine work. That's exactly what we did with Vista. We set up the OS and used it for our day-to-day work. There were some things we really liked about it, and others that we feel need improvements. Below, we list out experiences and complaints.
System specs and installation
There wasn't an official list available on the minimum or ideal system specs to decently run Vista with all its bells and whistles. So we tried it out on four different types of machines. These included two Centrino laptops from IBM and HP, a high-end desktop, and a standard IBM ThinkCentre desktop having an Intel 915 chipset, onboard graphics and 256 MB RAM. Barring a few quirks, it worked beautifully on all the machines. The only difference was that the much talked about UI, Aero in full-glass mode, only worked on the high-end machine. It was automatically disabled on the rest. You would need a decent graphics card with at least 128 MB video memory, support for DirectX 9, and support for the Windows Display Driver Model or WDDM. You'll find a list of compatible graphics cards on both nVidia's and ATI's websites. So most onboard and year-old AGP cards are off the list for Aero glass to function fully. The card we chose to try out the latest CTP was the TurboForce edition 7800GTX card from Gigabyte. While this release is still very much a 'beta', there were quite a few installation quirks we noted in our labs.
Vista is supposed to be the safest OS designed by Microsoft
On a regular hard disk already having partitions and OSes installed on them, Vista didn't let us repartition or even format existing partitions. The way to look for this is to keep an eye open for the missing 'Advanced' link on the right-hand side of the partition selection screen. Also, the setup needs a pre-formatted NTFS partition (which it will freely allow you to re-format) to install on. One of our Vista systems initially had Win XP and our PCQLinux 2006 installed in a dual-boot configuration. The selection screen only showed the partitions, with no options to delete and reconfigure them. We had to boot into XP, remove the Linux partitions and create a new one for Vista. Even then, it refused to let us install on it, saying there weren't any free NTFS drives. We had to give in, boot into XP again and format the new partition to NTFS before we could go on. We also noted that Vista refused to install for us within virtual environments (such as those provided by VMware and MS Virtual PC), even when we gave it fixed-sized disks formatted with NTFS.
Recycle Bin shows previews of files, but not of those in sub-folders since it cannot enter the folder
The status bar has been revamped and gives more useful info about your documents
And, if you should need to pull out the DVD during installation to look up the installation key and click Next before you put it back in, the installer will fail with an error and refuse to proceed further. The way out is to reboot and re-enter the key. A third problem that existed with the previous CTP appears to have been fixed in the Feb release: in the earlier one, setup used to require you to enter the computer's name before it started installation. Then it would forget what you entered before and ask for it again post-installation, when it also sets up the time-zone and so on. Now it asks for it only once, post installation.
Post installation experience
The first thing we noticed after opening My Computer in Vista was the Tiles view, which is enabled by default. This graphically displays each hard drive's capacity and available free space at one glance. You don't need to right-click on a hard drive and go to properties to get this information. Remember the various types of file and folder views in older versions of Windows? This allowed you to view all your files and folders in any window as a list. The list view has been changed to what's now called small icons. Plus, several other views have been added, right from the details view to a very large icons view. You can even have a preview pane in place of the status bar, which will give you a preview of all your documents, just so that you don't have to open them. There's even a reading pane option, which would let you preview certain types of files (text, images, Office files). Animations for copying files are quite nice. Likewise, the light-up effects when you move a mouse over a folder are also quite nice. If a file copy operation fails, the copy status indicator bar turns red instead of green.
The task bar still has a few bugs. If you configure it to auto hide, and you move your mouse over it, then it will only respond if you move it to an area of the task bar that is not holding an application. For instance, if you've opened Word, then it occupies some space in the Task Bar. If the Task Bar is auto-hidden, and you move the mouse to it, then it won't pop back up if you move it to an area occupied by Word. This might be because the OS is still in beta, but the biggest complaint we had with the OS was that many times it started doing some activity that hogged all system resources. As a result, while the GUI was working, we couldn't open any other application. In fact, many a time, even the Task Manager took a long time to appear after we pressed Ctrl+Alt+Del. We do wish that the system would save some bandwidth, which can be used by the user to find out what's hogging up all the system resources.
The tiles view shows you a graphical view of your hard drive capacity
One difference we found over WinXP was that if you do an End Task on an unresponsive application, then it gives a pop-up with an error message saying that "the application is not responding...collecting more information to help identify the problem, this might take several minutes". Otherwise however, we found that the system does utilize system resources quite optimally. For instance, while doing a file copying operation from a CD to a directory on the system, we simultaneously launched other applications and the system didn't seem to slow down. It did seem to slow down when we tried to open a folder with too many files. It took a while to index them and display the list, especially with all the nice effects. Once we were through playing around with the GUI, we installed the Thunderbird mail client. It did so without a hitch and the mail client worked normally. After that, we tried using the erstwhile Outlook Express, which has been rechristened as Windows Mail in Vista. The first thing we noticed was its automatic email filtering, which works like a charm. On day one, it started filtering out spam automatically and moving it to the junk folder.
Windows collaboration
This application allows you to create a small P2P network with users around you so that you can collaborate. In this, one user initiates a session to share a PPT presentation. Other users can either look for this session on their own or the initiator can send them invitations. The initiator can even hand out documents to the session members, just like in a real presentation. You can even broadcast your desktop view so that whatever you're doing is visible to others. This can be a great way for users to collaborate with each other. You can even hand over the controls to another user, for instance if you've made a presentation and your boss would like to make changes to it.
Easy migration
Earlier, you had two ways to migrate your data (settings as well as personal files and documents) from your old PC to the new one. First, the USMT (User State Migration Tool, found inside the VALUEADD\MSFT\USMT folder on the Win XP CD) lets the network/system administrator migrate settings and files for IE, OE, settings configured via the Control Panel for that user (sound, desktop, accessibility, etc) and those inside the user's profile and home folders. The other tool, the File and Settings Transfer Wizard, lets normal users do the same thing without needing the assistance of the administrator. In Vista, the two are combined into a single 'Windows Easy Transfer Wizard'.
This wizard can help you if your old system is Win 2000, XP or Vista. A caveat with using this wizard is that it will also move file association settings over. So, you need to install the relevant applications before using the wizard or the association settings could get overwritten by the migration process. Windows Easy Transfer lets users transfer data in multiple ways, including: CD/DVD media, USB drives and over the network. If you select the optical media option, then both the systems need to have a CD or DVD writer and you need to have blank media handy. USB drives are limited in their capacity and unless you have a high-capacity drive, it's not advisable if you have a large number of files (includes your e-mail) to move over.
The easiest is to use the network option, which lets both computers establish a session directly with each other without requiring an intermediary. Although the documentation for the process (at: http://www.microsoft.com/technet/windowsvista/deploy/depenhnc.mspx) reads: “Saves users state data to a server and restores it to the desktop after installation”, we noticed that we had to restart the process on both systems when it failed. Hopefully, this problem would disappear when Vista goes RTM. Anyway, the wizard needs to be started on the old system first. This will compulsorily copy the wizard's files to the media or location you specify (depending on the mechanism you selected earlier). Again, hopefully this would disappear pre-release and we would be able to ask it to skip the step. Then, you go over to the new system and run the 'Migwiz.exe' file from what was copied. If you selected the network mechanism, the wizard waits for the incoming connection. On the old PC, you can select what information to copy (including adding and removing items, that is, folders and files) from the list it detects automatically and then the process continues by itself, requiring minimal intervention on that system. If you had selected some form of media (CD/DVD or USB) for the transfer, once it is full, take it to the new system and insert it to have the wizard automatically pick up the data. This process, though easy, still requires some fine-tuning and work. Obviously some mechanism has to be provided to gracefully recover from errors and even resume over-the-network transfers.
Super fetch
One of the biggest challenges that users face while using computers is that due to hardware limitations, software stops responding as required. For instance, if you are working on many heavy applications simultaneously, you'll find that even machines with a GB of RAM sometimes freeze due to the heavy memory requirements of all these apps.
Win XP had the “pre-fetch” option that allowed the system to keep track of files required to be loaded as part of each application's startup. After a few such rounds of analysis, XP would start loading these files in advance when it saw that the application in question was getting initialized and this caused a performance boost.
Vista offers certain enhancements to this scenario. First, the pre-fetching algorithm predicts the components required for starting up an application better. It can also create usage profiles to let the system know the application usage patterns. For instance, applications used during work hours will be very different from those used during break hours, which themselves will differ from the applications being run during off-hours or idle times (say by the sys admin). Vista's Super Fetch can recognize these patterns and optimize application loading as per them. All of the above is done by the memory management subsystem automatically in Vista. SuperFetch also allows users to dynamically increase the available secondary memory in their systems using any compatible USB flash drive.
Simply plug in a compatible USB 2.0 flash drive and the Autoplay option of Vista will offer you a new choice “Speed up my system using this device”. When you select this, Vista allows you to decide what part of the device you wish to use for dynamic memory. For example, if you plug in a 1 GB flash disk, you can reserve say, 768 MB as memory for your system. Which means that if you already have 1 GB RAM, you've effectively increased the amount of memory in your system to 1.7GB! So if you are in the middle of a technical demo and suddenly realize that you need to increase the performance of the demo that you are showing, simply plug in your flash disk, assign an amount of memory and see the system immediately start using this extra memory for many tasks.
The information stored in the flash disk is encrypted. Although it is not as fast as system RAM, it is faster than your hard disk (being used for virtual memory) by many orders of magnitude. Apparently the next step is to enable persistent SuperFetch that will allow you to store Super Fetch information on the USB memory for different usage scenarios. For example, when you do serious work, you plug in one USB key that has SuperFetch enabled for those applications. When you wish to take some time off and play some heavy duty gaming, remove the first one and put in another key that is ready with the Super Fetch of your favorite game and you will be able to get up and running in no time at all. All in all, Super Fetch is a cool new way of getting a major performance boost from your system with a cheap alternative of USB flash drives.
Watch this space for actual performance benchmarks once the final version of Vista is released. We are also continuing our series on this OS from the enterprise perspective, which will feature all the updates as they happen.
Anil Chopra, Anubhav Verma, Sujay V Sarma and Vinod Unny