Windows Vista: Added Security for Your System
Microsoft Windows Vista: Added Security for Your System, User Account
Control, Network Access Protection, Hard Drive Encryption, User Security
Authentication
With the constant threats to computer systems that have become a fact of life in the last several years, Microsoft has taken steps to help secure its operating systems. Seen in the past as a ripe target for attack, Microsoft has been working to dispel that image. It is taking further steps with Vista, its new operating system, to help secure it from its inception and release.
Some of the basic technologies being put in place with Vista are:
- A more secure Internet Explorer built-in
- User Account Control
- Windows Service Hardening
- Outbound filtering in the firewall
- Network Access Protection
- BitLocker hard drive encryption
- Improved user security authentication architecture.
Microsoft Vista: Giving More Control to IT Administrators Without Losing System
Usability
User Account Control will allow IT administrators
to deploy systems to users without giving them local
administrator control. Today it is difficult to deploy
computers to users without giving them local administrator
privilege since many applications refuse to run without
administrator privileges and many users get frustrated by
the inability to perform simple tasks such as adding
printers.
Whereas in XP a standard user would be denied access to administrative tasks such as installing software, Vista will explicitly prompt the user for credentials or permission, depending on the security policy. This will keep malware from being installed in the background without the user's knowledge. Administrators will no longer need to use the RUN AS command, because Vista will automatically prompt for proper credentials.
Starting with Beta 2, Vista will include Internet Explorer with Protected Mode. This gives users enough privileges to browse the web, but not enough to modify user files or settings by default. It will prevent harmful code from a malicious site that is attacking vulnerabilities in Internet Explorer from installing software, copying files to the user's startup folder, or hijacking the browser's homepage or search provider. Other enhancements include a phishing filter and the ability to clear the cache with a single click.
Windows Vista: Firewalls Give Full Directional Control
The built-in firewall for Vista builds on the firewall included with XP SP2. It includes application-aware filtering that gives full directional control over traffic on the system. Administrators will be able to block network access for specific applications such as instant messaging software and peer-to-peer file sharing programs. This is all configurable through Group Policy, making management of Vista's firewall and application blocking easy.
Windows services represent the largest exposure to attacks because of the privilege level of their code and because they are always running. Windows Service Hardening restricts services from abnormal activities in the file system, registry, network or other resources that could be used to allow malicious software to install itself or attack other systems.
Vista: Prevent Other Services From Accessing Your Resources
Vista introduces a per-service security identifier (SID) that enables per-service identity. This takes advantage of the access control model in Windows through ACLs. Services can now apply explicit ACLs to resources that are private to the service, which prevents other services as well as the user from accessing the resource.
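A sketch of how a per-service SID lets two services running under the same account get different access to a resource (added example, not from the original article or from Microsoft). The derivation in service_sid is the one Windows uses for S-1-5-80 service SIDs; the service names ExampleSvcA and ExampleSvcB, the granted helper and its simplified ACL walk are hypothetical.

```python
import hashlib
import struct


def service_sid(service_name: str) -> str:
    """Per-service SID: S-1-5-80- plus the SHA-1 of the upper-cased UTF-16LE
    service name, read as five little-endian 32-bit sub-authorities."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))


LOCAL_SERVICE = "S-1-5-19"  # well-known SID of the LocalService account


def granted(dacl, token_sids, wanted):
    """Simplified DACL walk (assumption: ordered ACEs, no inheritance).
    A matching deny ACE stops the walk; allow ACEs accumulate rights."""
    remaining = set(wanted)
    for ace_type, sid, rights in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and remaining & rights:
            return False
        if ace_type == "allow":
            remaining -= rights
        if not remaining:
            return True
    return False


# Constructed example: two hypothetical services sharing the LocalService account.
SVC_A = service_sid("ExampleSvcA")
SVC_B = service_sid("ExampleSvcB")

# The resource is private to ExampleSvcA: only its service SID appears in the ACL.
PRIVATE_DACL = [("allow", SVC_A, {"read", "write"})]

# Each service's token carries the shared account SID plus its own service SID.
TOKEN_A = {LOCAL_SERVICE, SVC_A}
TOKEN_B = {LOCAL_SERVICE, SVC_B}
```

Because the SID is a pure function of the service name, an ACL can name a service before that service is ever installed on the machine.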
Other features of the new Vista Operating System include:
- Vista moves services from LocalSystem to lesser privileged
accounts to reduce the overall privilege level of the
services.
- Vista removes unnecessary Windows privileges on a per-service basis, such as the ability to debug. Write attempts to resources that do not explicitly grant the service's SID access will fail. Services are assigned network firewall policy, which prevents unwanted network access by a service.
- BitLocker Drive Encryption enterprise feature adds
machine-level data protection. On a computer with
appropriate enabling hardware, BitLocker Drive Encryption
provides full volume encryption of the system volume,
including Windows system files and the hibernation file,
which helps protect data from being compromised on a lost or
stolen machine.
- In order to provide a solution that is easy
to deploy and manage, a Trusted Platform Module (TPM) 1.2
chip is used to store the keys that encrypt and decrypt
sectors on the Windows hard drive. It requires the TPM and
an enterprise management infrastructure to ensure that the
feature is easy to use for end users.
- BitLocker full volume encryption seals the symmetric
encryption key in a Trusted Platform Module (TPM) 1.2
chip. A TPM chip is a hardware component that stores
keys, passwords, and digital certificates. The chip is currently
available in some newer computers.
- BitLocker also stores measurements of core operating system files in a TPM chip. Every time the computer is started, Windows Vista verifies that the operating system files have not been modified in an offline attack. An offline attack is a scenario where an attacker boots an alternative operating system in order to gain control of the system. If files have been modified, Windows Vista alerts the user and refuses to release the key required to access Windows. The system then goes into a recovery mode, prompting the user to provide a recovery key to allow access to the boot volume.
- Recovery mode is also used if a disk drive is transferred
to another system.
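The sealing and measurement behaviour in the BitLocker items above, as an added toy model in Python (not Microsoft's code and not a real TPM interface). It keeps the TPM 1.2 SHA-1 extend rule; the ToyTPM class, start_windows, the keyed-hash wrapping of the key and the sample boot chain are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ToyTPM:
    """Models only PCR extend and seal/unseal. Not a real TPM interface."""

    def __init__(self):
        self._chip_secret = os.urandom(20)  # never leaves the chip
        self.pcr = bytes(20)                # TPM 1.2 PCRs hold SHA-1 digests

    def reset(self):
        self.pcr = bytes(20)                # PCRs return to zero at power-on

    def extend(self, component: bytes):
        # A PCR cannot be written, only extended: new = SHA1(old || SHA1(data))
        measurement = hashlib.sha1(component).digest()
        self.pcr = hashlib.sha1(self.pcr + measurement).digest()

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._chip_secret, data, hashlib.sha1).digest()

    def seal(self, key: bytes) -> bytes:
        # Toy wrapping (assumption): bind the key to this chip and current PCR.
        pad = self._mac(b"pad" + self.pcr)
        ct = bytes(k ^ p for k, p in zip(key, pad))
        return ct + self._mac(b"tag" + self.pcr + ct)

    def unseal(self, blob: bytes):
        ct, tag = blob[:-20], blob[-20:]
        if not hmac.compare_digest(tag, self._mac(b"tag" + self.pcr + ct)):
            return None                     # wrong chip or changed boot files
        pad = self._mac(b"pad" + self.pcr)
        return bytes(c ^ p for c, p in zip(ct, pad))


def start_windows(tpm, boot_chain, sealed):
    """Measure each boot component, then ask the TPM for the volume key."""
    tpm.reset()
    for component in boot_chain:
        tpm.extend(component)
    key = tpm.unseal(sealed)
    return ("unlocked", key) if key is not None else ("recovery", None)


# Constructed sample boot chain and volume key.
GOOD_CHAIN = [b"boot manager v1", b"os loader v1", b"kernel v1"]
VOLUME_KEY = bytes(range(16))
```

Sealing after measuring GOOD_CHAIN and then calling start_windows with a modified component, or with a different ToyTPM instance, returns the recovery result instead of the key.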