In "Vista's User Account Control and BitLocker Drive Encryption,"
(April 2007, InstantDoc ID 95153), I examined two major new security features
in Windows Vista. But the improvements in Microsoft's latest OS don't stop there.
Vista also has many other technologies that will help IT pros secure their environments,
including secure logon support, file system and registry virtualization, an
enhanced Encrypting File System (EFS), service and process isolation, driver
signing, 64-bit security features, USB Device Control, and Network Access Protection
(NAP). These new and enhanced features are responsible for Vista's reputation
as the most secure Windows OS yet.
New Ways to Securely Log On
Most people today use an alphanumeric password to log on to secure PCs, but
Vista has been designed to support smart cards, biometric devices such as fingerprint
readers, and other secure logon methods. Indeed, Microsoft is embarking on a
multiyear quest to move its biggest customers from alphanumeric passwords to
more secure authentication methods. Vista is the first OS to fully support these
alternatives.
To accommodate these security features, Microsoft has completely rewritten
the Windows logon UI and the logon technologies in Vista. Vista natively supports
not only new credential types (i.e., smart cards and biometrics) but also multiple
credentials. Furthermore, because the credentials system is extensible, enterprises
will soon be able to choose from a wide range of third-party solutions. These
solutions will integrate with appropriate technologies in the Windows desktop,
including Vista's User Account Control (UAC).
File System and Registry Virtualization
Many legacy applications aren't designed to support standard user accounts,
but modify the registry or file system to let users perform certain tasks or
access certain resources. When you try to run such applications on Vista, with
its locked-down file system and registry, you can run into difficulties. To
ensure that legacy applications have fewer problems during installation and
execution, Microsoft has created virtualized versions of the file system and
registry.
In Vista, all file system and registry writes are automatically and silently
redirected to user locations so they can't harm the entire network. For example,
when an application installer attempts to write to C:\Program Files, Vista redirects
the write operation to a VirtualStore directory within the current user's account.
To the application, the write operation proceeds normally, and to the user,
the application appears to reside in the expected location. On multiuser systems,
each user has an isolated, local copy of every redirected file.
Registry virtualization works similarly. Vista virtualizes the HKEY_LOCAL_MACHINE\SOFTWARE hive, and
applications that attempt to store configuration information in system-wide portions of the registry are redirected
to a new structure under HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE. As with file virtualization,
all users on a system have their own copies of configuration
information that, on earlier versions of Windows, was saved
globally.
Because file system and registry virtualization is a stopgap measure intended to make legacy software compatible
with Vista, such virtualization is available only in the 32-bit
versions of Vista. Microsoft expects Vista-compliant applications to respect the new Windows application guidelines. As
more and more applications are ported to the new development framework, future Windows versions will do away with
file system and registry virtualization. Vista's compatibility
technology is only a short-term solution.
EFS Improvements
Although Vista Enterprise and Ultimate editions have a new, automated approach
to full disk encryption, called BitLocker, Windows has long supported EFS for
general file and folder encryption. Vista continues that support, but has improved
EFS security, performance, and management.
Specifically, you can now store EFS user keys on smart
cards, making administrative recovery of EFS-protected
data more secure and convenient than ever before. Vista
also supports encryption of the system page file and offline
copies of remote files, functionality that administrators have
been requesting for years. To make EFS easier to manage,
Microsoft has added several EFS-related options to Group
Policy. These options include requiring smart cards for user
verification, enforcing page file encryption, and enforcing
encryption of each user's Documents folder structure.
Windows Service and Process Isolation
In an effort to reduce the overall attack surface of Vistabased PCs, Microsoft
has reduced the number of services that run by default and ensured that they
are running at the lowest privilege level possible. Furthermore, all services
are now limited to the local machine or local network, in contrast to previous
Windows versions, in which service permissions extend beyond the box according
to the privilege level under which they are run. Individual processes are also
much more restricted than they were in previous Windows versions.
Both service and process isolation—as well as UAC and file system and
registry virtualization—rely on a low-level change to Windows that categorizes
and isolates objects by trust level. The new Windows integrity control component
essentially prevents processes that have few rights from interfering with processes
that have more rights. In Vista, integrity levels trump user privileges. For
example, malware can no longer run with the privileges of the logged-on user,
as it could in Windows XP. Now, malware runs only within the integrity level
of the object that spawned it. Thanks to Vista's service and process isolation,
malware that successfully attacks the OS should be less able to break into other
parts of the system.
Vista has six integrity levels:
- Untrusted—a rarely seen level that's used
only for anonymous logons.
- Low—a level that's used for Internetrelated
features, including Internet Explorer 7.0 and the Temporary Internet Files
folder.
- Medium—the default integrity level, used for
Standard User accounts and most Windows-generated files.
- High—the level used by Administrator accounts
running in elevated mode. (By default, even Administrator runs with Standard
User privileges.)
- System—the level used by most kernel and system
services.
- Installer—a level that's invoked only by installer
routines. (To ensure that uninstall works properly, installers need to operate
at a higher integrity level than other objects in the system.)
Previous
