How Windows Vista Helps Protect Computers From Malware
Windows Vista Anti-malware Features
Published: September 6, 2006
Windows Vista has many new security features to protect computers from malware. Most significantly, User Account Control (UAC) limits the risk of malware by enabling IT professionals to deploy users as Standard users, rather than Administrators. This helps prevent users from making potentially dangerous changes to their computers without limiting their ability to control simple things on their computer, like time zone or power settings. For those who do log on as an administrator, UAC makes it more difficult for malware to have a machine-level impact on a computer. Similarly, the Protected Mode of Internet Explorer runs Internet Explorer without the necessary privileges to install software (or even write files outside of a limited set of directories), reducing the risk that it can be abused to install malware without the user’s consent. Windows Defender detects many types of spyware and other potentially unwanted software, and prompts the user before applications can make potentially malicious changes.
Many of the security improvements provide defense in depth by both protecting against attacks and limiting the damage that an attacker can do after compromising a computer. Windows Service Hardening limits the damage attackers can do in the event that they are able to successfully compromise a service, thereby reducing the risk of attackers from making permanent changes to the Windows Vista computer or attacking other computers on the network. Finally, the Windows Security Center enables users to verify the security level of their computers and to quickly fix potential weaknesses.
The sections that follow discuss these technologies in more detail.
User Account Control
To help protect users from malicious software, Microsoft recommends using accounts with limited privileges (known as Standard user accounts in Windows Vista, and Limited user accounts in Windows XP). Standard user accounts help prevent malware from making system-wide changes such as installing software, because if a user lacks permission to install a new application, then any malware the user accidentally runs is also prevented from making those changes. In other words, malware run in the context of the user account has the same security restrictions as the user.
Two major problems with using Standard user accounts are encountered with Windows XP and earlier versions of Windows:
Although logging on to your computer as a Standard user offers better protection from malware, working with this type of account has been so difficult that many organizations choose to give users administrative privileges. However, 85 percent of enterprises in a recent Microsoft survey would like 75 percent or more of their desktops deployed using Standard user accounts if it were easy to deploy this way. Windows Vista UAC is a set of features that offer the benefits of Standard user accounts without unnecessary limitations. First, all users (including administrators) run with standard user privileges by default. Second, Windows Vista allows Standard user accounts to change the time zone and perform other common tasks without providing administrative credentials, which enables organizations to configure more users with Standard accounts. Third, UAC enables most applications, even those that required administrative privileges on Windows XP, to run correctly in Standard user accounts.
Administrator Approval Mode
With Windows XP and earlier versions of Windows, any process that an administrator ran automatically used administrative privileges. This situation was troublesome because malware could make system-wide changes, such as installing software, without confirmation from the user. In Windows Vista, members of the Administrators group run in Administrator Approval Mode, which (by default) prompts administrators to confirm actions that require more than Standard privileges.
Administrator Approval Mode creates two access tokens when a member of the Administrators local group logs on: one token with full permissions and a second, filtered token with User Account Protection. The least-privilege token is used for non-administrative tasks, and the privileged token is used only after the user’s explicit consent. As shown in Figure 1, Windows Vista prompts the user for consent before completing an action that requires administrative privileges.
Many organizations will use the benefits of UAC to create Standard, rather than Administrator, user accounts. Administrator Approval Mode offers some protection for those users, like developers, who need administrator privileges by requiring confirmation before an application makes any potentially malicious changes. Like most Windows Vista security improvements, the consent prompt is enabled by default but can be disabled using Group Policy settings. Additionally, the consent prompt can require the user to type an administrative password or, for Standard users, simply inform them that access is not permitted.
Enabling Non-administrators to Make Configuration Changes
Standard user accounts in Windows Vista can make configuration changes that don’t compromise the computer’s security. For example, Standard user accounts in Windows Vista have the right to change the time zone on their computers, an important setting for users who travel. In Windows XP, Limited user accounts do not have this right by default, an inconvenience that causes many IT professionals to deploy accounts as administrators and sacrifice the security benefits of Limited user accounts. However, Standard user accounts in Windows Vista do not have the right to change the system time, because many applications and services rely on an accurate system clock. As shown in Figure 2, a user who attempts to change the time is prompted for administrative credentials.
Providing Application Compatibility for Non-administrators
Some applications do not run in Windows XP without administrative privileges, because these applications attempt to make changes to file and registry locations that affect the entire computer (i.e., C:\Program Files, C:\Windows; HKEY_LOCAL_MACHINE) and Standard user accounts lack the necessary privileges. Registry and file virtualization in Windows Vista redirects per-machine file and registry writes to per-user locations if the user doesn’t have administrative privileges. This feature enables standard accounts to run applications that must write to areas of the registry or file system that only administrators can access. Ultimately, this will enable more organizations to use Standard user accounts because applications that would otherwise require administrative privileges can run successfully without any changes to the application.
The Benefits of UAC
Allowing Standard user accounts to make some configuration changes and providing application compatibility for Standard user accounts does not directly affect malware. However, these features make Standard user accounts practical for those who previously logged on with Administrator accounts, thus enabling them to take advantage of the malware protection offered by Standard user accounts. For users who still require an Administrator account, UAC offers some level of protection by requiring confirmation before taking administrative actions, making it more difficult for malware to have machine-level impact on a computer.
To understand the malware protection of UAC, consider an average user who is traveling for business and using a Standard user account without knowledge of a local Administrator password. In an attempt to improve network performance, he or she downloads a tool advertised on the Internet. The tool is a Trojan horse, however, and attempts to install malware that starts automatically when the computer starts. The UAC feature in Windows Vista prevents the tool from performing this malicious task because the user lacks sufficient privileges. In this way, UAC protects users while minimizing problems relating to restrictive privileges.
Internet Explorer Improvements
Protected Mode in Internet Explorer 7 in Windows Vista builds upon the concept of UAC to limit Internet Explorer to just enough privileges to browse the Web but not enough to modify user files or settings by default. As a result, even if a malicious site attacks a vulnerability in Internet Explorer, protected mode helps reduce the risk of the site’s code installing software, copying files to the Startup folder, modifying registry settings, or hijacking the settings for the browser’s homepage or search provider. This feature, known as Internet Explorer Protected Mode, will only be available when using Internet Explorer 7 on Windows Vista. Because these defenses constrain the capabilities of Internet Explorer, a number of compatibility features are added that insure that legitimate users still have the power to install new software, download files, and modify system settings as they are used to.
Additionally, Internet Explorer offer new protection from rogue ActiveX controls. While the ActiveX platform can greatly extend browser capabilities and enhance online experiences, some malicious developers have co-opted the platform to write harmful applications which steal information and damage user systems. Many of these attacks were made against ActiveX controls shipped within the Windows Operating System, even though the controls were never intended to be used by Internet facing applications. Internet Explorer 7 offers users a powerful new security mechanism for the ActiveX platform. ActiveX Opt-In automatically disables entire classes of controls—all controls the user has not previously enabled—which greatly reduces the attack surface. This new feature works directly to mitigate the potential misuse of pre-installed controls. Users will now be prompted by the Information Bar before a previously installed, but as yet unused ActiveX control can be accessed. This notification mechanism will provide users the ability to permit or deny access when viewing unfamiliar websites. For malicious websites that attempt automated attacks, ActiveX Opt-In helps protect users by preventing unwanted access and gives the user control. In the event the user does opt to permit loading an ActiveX control, the appropriate control is easily enabled by clicking in the Information Bar.