by March 7, 2006 0 comments



This is an OS that’s supposed to be written from the
scratch and is coming at a time when the word ‘security’ is in everything.
Let’s take a look at some of the new features and tools in
Vista

and see how well they help you combat security threats. We are considering all
three types of security in this article — against malware, against people, and
data security.

User security
While Microsoft has introduced new security features in Vista that allow you to
use external devices like USB keys to store authentication/authorization
information, security has been left blatantly ignored in other areas. A key one
being the ‘Administrator’ user account. Until Win XP, the user is prompted
during installation to select a strong password for the Administrator user. This
allowed the user to do two things — one, remember that there was such an
account on the PC; and two, protect such a powerful account with a good
password. Now, in
Vista

there is no such option at all. Like XP,
Vista

too will not prompt you to login if you have just one account on your system
with no password set up for it. This means that a majority of users will not
even know that there is an Administrator user account on their PC. And we’re
not giving any prizes for guessing what its default password is!

Direct
Hit!
Applies
to:
CIOs/CTOs
USP:
Learn about the security and defense mechanisms in Vista
Links: 
http://microsoft.com/windowsvista 
Google keywords:
win vista security 

The UAP (User Account Protection) is a strong presence in
Vista

. This is what causes all those security dialogs to pop up when you attempt to
do something that requires ‘higher privileges’. When you login as a user not
in the Administrator’s group, you have access to do very few tasks in the
system. You can launch your regular applications like Word and browse the
Internet. But try to use a system management tool and you get a pop up warning
that such an action has been initiated and if you want to allow it. Now, in this
Beta release, it does not seem to remember when you permit an operation (and
there are no on-screen options to let you save the setting), but hopefully that
will be fixed before
Vista

goes RTM. It is also apparently very easy for people to get in and turn off UAP
altogether on their systems (one such tip is online at http://windowsitpro.com/
Article/ArticleID/47757/ 47757.html). Some activities explicitly require you to
be an Administrator. In such cases, you are nicely prompted to login as one. In
fact, when you do attempt to over ride every other security feature by setting a
program to always run as Administrator (Properties>Compatibility and turn on
‘Run this program as an administrator’), Vista will turn on a diagnostic
monitor to debug the program and find out if it is really required to run as
Administrator. If it finds such high privileges are not required, it tells you
so and demands you turn it down.

Network access
There are again two layers of protection (at least) on the network front. At the
basic level, you have the Windows Firewall and then you have Windows Defender
(which is actually an integrated version of the AntiSpyware tool for XP). A
third component is the Network Access Protection agent. What this does is that
at every system start up, it scans your PC to check if there are any pending
software updates. If some are found, it blocks access to the LAN until this is
fixed. Currently, this is as simple as clicking on the icon in the system tray
and then on the ‘Try Again’ button there. This makes the firewall in
Vista

bi-directional. So, it no longer just protects access from the outside, but
also prevents things in the system from affecting the outside world unless
permitted.

However, we must note with disappointment that getting
Vista

on a network is a rather tough task. It is rather picky about its hardware and
even then, if once the network system in
Vista

crashes for any reason, getting everything working again is a painful task.
Again, this would hopefully go away before it RTMs.

The integrated error reporting and troubleshooting tool not only sends error messages to MS, but also downloads their solutions when available

Secure your hard disk
From the control panel,
Vista

lets you enable something called Secure Startup. When enabled, this will
encrypt one or more hard drives on the PC and make them completely unusable
without using the key created for the purpose. To this end, the Secure Startup
applet displays a list of hard drives on which Secure Startup has been enabled.
This feature also scans the system for modifications since last startup, which
are usually signs of tampering attempts. Once enabled, these PCs cannot be
booted off a CD, USB drives or floppy disks.

One of the big things being talked about in
Vista

is its ‘BitLocker’ feature. This is actually the EFS (Encrypting File
System) in
Vista

, but implemented over the entire hard disk. For instance, in NTFS (XP), you can
selectively have the OS encrypt particular files and folders (and also the hard
disk). In
Vista

, this happens by default for the entire hard disk. This is great for data
security. But what happens to all that data if the PC crashes and you need to
read it from another OS?

Patch and update
Applying patches and updates have never been easier with the desktop Windows
family. The Windows Update is now right in the system, featured as a Control
Panel applet. Sadly, this seems to update only Windows and not the entire range
of MS software as available from their earlier launched ‘Microsoft Update’
service. From this UI, you can review what updates are available and apply them.
You can also see a list of what updates failed or you declined earlier and
select to apply them now.

Problem solvers and privacy
Earlier versions of Windows troubleshooters have been notorious for their final
screen that said you should look elsewhere for a solution since the
troubleshooter wasn’t able to find one.
Vista

features a ‘Solutions to Problems’ Control Panel applet that sends the
Error Reporting data back to Microsoft. Then, you can have
Vista

automatically poll that system for solutions to previously submitted problems.
These are downloaded as patches and hot fixes and applied to your deployment
transparently. However, at this point of time, we did not see a way to control
when and how this information is sent. Whenever a program crashes or
Vista

determines there is a problem, the auto-reporting starts immediately with just
a ‘Cancel’ button. Sometimes, attempts are made to report without there
being even a network connection present!

The next time, we will look at the wireless and networking
features and services in
Vista

, and how they affect enterprise network topology. If you have any suggestions
to what we could look at in this series, do let us know at forums.pcquest.com.

Sujay V. Sarma

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<