Windows Vista Security and Data Protection Improvements

New features make Windows Vista even more secure than earlier Windows client operating systems

By Tony Northrup

Security threats evolve constantly. To stay protected from threats on the Internet and wireless networks, the Microsoft Windows client operating system must also evolve. Windows Vista is the most secure and trustworthy Windows operating system yet, and it will help organizations achieve their business and computing goals with confidence. This paper describes the most significant security improvements, the benefits they provide, and why the new features matter to IT professionals.

On This Page

Overview
User Account Control
Authentication
Anti-Malware
Network Access Protection
Firewall
Windows Service Hardening
Internet Explorer Enhancements
Data Protection

Overview

Microsoft is making fundamental investments in technology to help make customers more secure. Efforts include using a security development lifecycle to develop more secure software and providing technology innovation in the platform to provide layered defense, or defense-in-depth. Windows Vista includes many security features and improvements to protect client computers from the latest generation of threats, including worms, viruses, and other malicious software (collectively known as malware).

• User Account Control allows users to be productive and change common settings while running as a standard user, without requiring administrative privileges. This prevents users from making potentially dangerous changes to their computers, without limiting their ability to run applications.
• Windows Vista's built-in Web browser, Microsoft Internet Explorer (IE), includes many security enhancements that protect users from phishing and spoofing attacks. New features include protected mode Internet Explorer, which helps protect user data and configuration settings from being deleted or changed by malicious Web sites or malware.
• Windows Defender detects many types of potentially suspicious software and can prompt the user before allowing applications to make potentially malicious changes.
• The new outbound filtering in the firewall provides administrative control over peer-to-peer sharing applications and other similar applications that businesses want to restrict.
• Windows Service Hardening limits the damage attackers can do in the unlikely event that they are able to successfully compromise a service. As a result, the risk of attackers making permanent changes to the Windows Vista client or attacking other computers on the network is reduced.
• Administrators can use Network Access Protection to prevent clients that do not meet the internal system health policy from connecting to the internal network and potentially spreading malware to other machines.

Enterprise users with computers with appropriate enabling hardware benefit from protection of data on lost or stolen computers with BitLocker™ Drive Encryption. A computer with BitLocker enabled will have its entire Windows volume encrypted—protecting data, files, e-mail, and intellectual property from unauthorized users trying to break into a computer.

Finally, to ensure that IT departments have a wide variety of authentication mechanisms to choose from, Windows Vista includes new authentication architecture that is easier for third-party developers to extend. Ultimately, this will lead to a wider choice of smart cards, fingerprint scanners, and other forms of strong authentication. Together, these security improvements will make users more confident in using their PCs.

User Account Control

Today, many Windows users run with administrative privileges in both the enterprise and the home. Running as an administrator results in a desktop that is hard to manage and has the potential for high support costs. Deploying desktops with standard user permissions can result in cost savings because a non-administrative user no longer has the ability to accidentally improperly configure the network or install an application that might affect system stability. Running without administrative privileges is challenging today since many applications fail to run and end users get frustrated by the inability to perform common tasks such as adding printers.

In Windows Vista, the User Account Control (UAC) initiative introduces fundamental operating system changes to enhance the experience for the non-administrative user. For example, in the enterprise context, a mobile laptop user will be able to set a WEP key to attach to a secure wireless network, install a printer, download and install application updates, setup and configure a Virtual Private Network (VPN) connection, and perform many other standard tasks, all while running as a non-administrator.

User Account Control leverages the Windows security user model to distinguish between administrator and standard users. The standard user account is an account that has no computer administrator privilege. When a user whose account is a member of the local Administrator account logs on to a Windows Vista computer, they are logged on as a standard user by default. When the user wants to perform a task that requires administrative privileges, such as installing an application, Windows Vista explicitly prompts the user for permission or for credentials, depending on the security policy that is chosen. This process helps ensure that malware cannot silently install on a user’s computer. Unlike Windows XP, however, standard users are not automatically blocked from performing tasks that require administrative privileges. Windows Vista explicitly prompts a standard user to enter valid credentials for a local administrator account before it will allow the standard user to perform the task.

For those times when an administrator needs to use their administrator privileges, they don't have to use Run As because Windows Vista can automatically prompt them for the required credentials, as shown in Figure 1.

Figure 1: Windows Vista automatically prompts you for administrator credentials when an application requests them.

Although there will be some exceptions, most applications will run equally well under either the administrator account or a standard user account. Many applications will not run on Windows XP without administrative privileges today because they attempt to make changes to file and registry locations that the user cannot access, such as C:\Program Files, C:\Windows, or HKEY_LOCAL_MACHINE. Registry and file virtualization in Windows Vista redirects per-machine file and registry writes to per-user locations if the user doesn't have administrative privileges. This enables standard accounts to run applications that need to write to areas of the registry or file system that only administrators can access—without making changes that impact the whole system.

Benefits

User Account Control allows organizations to move to a better-managed desktop with potentially lower support costs.

User Account Control reduces:

• The need for organizations to re-image computers due to user configuration changes.
• The risk of system-level impact by malware.

To understand the benefits of User Account Control, consider the following scenario of Don Hall, a remote user that is traveling for business. Don has a laptop with Windows Vista installed and runs as a standard user. During some free time in his hotel, Don browses to the Internet and attempts to download a game. Don is not aware, however, that the game is a Trojan horse, and the game attempts to install malware that starts automatically when the computer starts. However, because the malware requires administrative privileges to install and Don is running with a standard user account, Don’s computer will not be infected with the malware. Later, Don needs to install a new printer driver in order to print a document to the hotel printer. Because the driver is signed by a company that the IT department trusts, Don will be able to install the driver without administrator privileges. In this way, User Account Control protects users while still enabling them to be productive.

Why It Matters

With Microsoft Windows XP and earlier versions of the Windows operating system, IT professionals had two choices:

• Give users administrative privileges and deal with support calls resulting from improper software installations or configuration changes.
• Give users restricted privileges and deal with support calls when applications don't work properly.

With Windows Vista, you do not have to make compromises. Users can be productive and protected from system-wide malware installs while still being able to run most applications. Ultimately, this means fewer support calls and less engineering time spent configuring applications to run under restrictive privileges.

Authentication

Feature Description

Windows Vista continues to have built-in authentication support for passwords and smart cards. Because many customers are looking for alternatives to passwords for authentication, Windows Vista makes it simpler for developers to add their own custom authentication methods to Windows, such as biometrics and tokens. Windows Vista also provides enhancements to the Kerberos authentication protocol and smart card logons. Deployment and management tools, such as self-service personal identification number (PIN) reset tools, make smart cards easier to manage. A common Application Programming Interface (API) model for smart card developers also makes tools easier to develop.

Benefits

The smart card improvements in Windows Vista make it easier for organizations to deploy and support this built-in authentication method. Windows Vista directly benefits developers who offer customized authentication mechanisms such as biometrics and tokens by making it easier to implement the authentication mechanism. This benefits IT departments indirectly by granting them more choices from third-party vendors.

Why It Matters

For many organizations, single-factor authentication is not sufficient. IT organizations that place a high value on security need multi-factor authentication. By making it easier for developers to create custom authentication methods, IT departments will have more choices for biometric, smart cards, and other types of strong authentication.

Anti-Malware

Feature Description

User Account Control, discussed earlier on this page, and security improvements to Internet Explorer (including the new protected mode, which will be discussed later) can reduce the impact of malware on Windows Vista. In addition to these features, Windows Vista can clean many worms, viruses, rootkits and spyware, thereby ensuring the integrity of the operating system and the privacy of users' data. Windows Vista will also include Windows Defender, a technology that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, and a new streamlined interface that minimizes interruptions and helps you stay productive.

Benefits

Malware often degrades system performance, which often leads users to prematurely conclude that their computers are too slow or unreliable and need to be re-imaged. Unfortunately, this process increases computer maintenance costs overall. Malware's greatest threat, however, is to security. For example, malware may compromise confidential data or introduce additional security vulnerabilities to a computer. Therefore, the added protection and malware cleaning available in Windows Vista improves the performance and security of the computers on your network, reducing support calls.

Why It Matters

IT departments waste many of their resources solving problems caused by malware: slow computer performance, poor reliability, and security compromises. Windows Defender removes malicious software and gives users better control over the software on their computers.

Network Access Protection

Feature Description

Windows Vista includes an agent that can prevent a Windows Vista-based client from connecting to your private network if it lacks current security updates, lacks virus signatures, or otherwise fails to meet your computer health requirements. Network Access Protection can be used to protect your network from remote access clients as well as local area network (LAN) clients. The agent reports Windows Vista client health status, such as having current updates and up-to-date virus signatures installed, to a server-based Network Access Protection enforcement service. A Network Access Protection infrastructure, included with Windows Server Code Name Longhorn, determines whether to grant the client access to your private network or to a restricted network.

Benefits

Network Access Protection can enforce health requirements for mobile computers, remote computers, and computers directly connected to your private network. Often, users who travel with their computers are unable to connect to your private network for weeks at a time. When they do connect, their connections might be so brief that their computers do not have time to download the latest updates, security configuration settings, and virus signatures. Therefore, mobile computers are often in a less-healthy state than other computers. Network Access Protection improves the security of these mobile computers by ensuring that the latest updates are installed before users connect to your private network.

Why It Matters

Viruses and worms are often introduced to a private network by an infected mobile or remote computer. Network Access Protection in Windows Vista, when used with a Network Access Protection infrastructure, allows you to configure requirements for all client computers. If a client computer does not meet the health requirements, you can:

• Prevent the computer from connecting to your private network and potentially spreading a virus or worm.
• Provide instructions to users on how to update their computers, or update their computers automatically if the appropriate remediation technologies are in place.
• Grant restricted access to a limited number of servers on your network to allow users to download updates.

Firewall

Feature Description

The personal firewall built into Windows Vista builds on the functionality that is included with Microsoft Windows XP Service Pack 2. It also includes application-aware outbound filtering, which gives you full, directional control over traffic. For example, Windows Firewall in Windows Vista will allow administrators to block applications (such as peer-to-peer sharing or instant messaging applications) from contacting or responding to other computers. In addition, the Windows Vista firewall settings are configurable by Group Policy objects to simplify manageability.

Benefits

Many potentially risky applications, such as peer-to-peer sharing client applications that might transmit personal information across the Internet are designed to bypass firewalls that block incoming connections. Windows Vista's firewall enables enterprise administrators to have the ability to set Group Policy settings for applications that should be allowed or blocked, giving them control over which applications can communicate on the network.

Why It Matters

One of the most important ways IT departments mitigate security risks is by limiting the applications that can access the network. The personal firewall built into Windows Vista is an important part of this strategy. With the personal firewall, administrators can allow an application to run locally on computers but prevent it from communicating across the network. This gives administrators the granular control they need to mitigate security risks without negatively impacting user productivity.

Windows Service Hardening

Feature Description

Windows Service Hardening restricts critical Windows services from doing abnormal activities in the file system, registry, network, or other resources that could be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.

Windows services represent a large percentage of the overall attack surface in Windows—from the perspective of the quantity of overall "always-on" code footprint in the system, and the privilege level of that code. Windows Vista limits the number of services that are running and operational by default. Today, many system and third-party services run in the LocalSystem account, where any breach could lead to unbounded damage to the local machine—including disk formatting, user data access, or driver installation.

Windows Service Hardening reduces the damage potential of a compromised service by introducing new concepts which are used by Windows services:

• Introduction of a per-service security identifier (SID). It enables per-service identity which subsequently enables access control partitioning through the existing Windows access control model covering all objects and resource managers which use access control lists (ACLs). Services can now apply explicit ACLs to resources which are private to the service, which prevents other services as well as the user from accessing the resource.
• Moving services from LocalSystem to a lesser privileged account such as LocalService or NetworkService. This reduces the overall privilege level of the service, which is similar to the benefits derived from User Account Control.
• Removal of un-necessary Windows privileges on a per-service basis; for example, the ability to do debugging.
• Applying a write-restricted access token to the service process. This access token can be used in cases where the set of objects written to by the service is bounded and can be configured. Write attempts to resources that do not explicitly grant the Service SID access will fail.
• Services are assigned network firewall policy, which prevents network access outside the normal bounds of the service program. The firewall policy is linked directly to per-service SID.

Benefits

Windows Service Hardening provides an additional layer of protection for services based on the security principle of defense-in-depth. Windows Service Hardening cannot prevent a vulnerable service from being compromised; other Windows Vista components and defense-in-depth strategies, such as the Windows firewall and good patch management processes, help with that. Instead, Windows Service Hardening limits how much damage an attacker can do in the unlikely event the attacker is able to identify and exploit a vulnerable service.

Windows Service Hardening is also supported for consumption by third-party service authors, which allows application authors to get this same security benefit for their code.

Why It Matters

The cost of a security compromise can be huge. Confidential data can be compromised, users can lose data, and productivity can be sacrificed. An IT department might spend several weeks repairing the damage done by a severe compromise. Windows Service Hardening can greatly reduce the damage caused by a compromised service by preventing the service from changing important configuration settings or infecting other computers on the network. With Windows Service Hardening, what could have been a major security exploit can potentially be limited to a minor compromise.

Internet Explorer Enhancements

Feature Description

Windows Vista will build upon the User Account Control initiative to limit Internet Explorer to just enough privileges to browse the Web, but not enough to modify user files or settings by default. This Windows Vista-only feature, known as Protected mode, will be in Windows Vista Beta 2. As a result, even if a malicious site attacks a potential vulnerability in Internet Explorer, the site's code will not have enough privileges to install software, copy files to the user's Startup folder, or hijack the settings for the browser's homepage or search provider.

To help protect a user's personal information, Internet Explorer:

• Highlights the new security status bar when visiting a Secure Sockets Layer-protected site and lets the user easily check the validity of a site's security certificate.
• Has a phishing filter, which helps users browse more safely by advising them when Web sites may be attempting to steal their confidential information. The filter works by analyzing Web site content, looking for known characteristics of phishing techniques and using a global network of data sources to decide if the Web site should be trusted. Filter data is updated several times an hour, which is important given the speed with which phishing sites can appear and potentially collect a user's data.
• Clears all cached data with a single click.

Benefits

The new features in Internet Explorer help your users access resources on the Internet while minimizing security threats. Reducing the risk presented by malicious Web sites helps to reduce your potential security costs.

Why It Matters

Malicious Web sites can compromise your users' computers, even if they only visit seemingly safe sites. The improvements to Internet Explorer in Windows Vista greatly reduce the risk of a browser's being compromised, which reduces your security risks. With the combination of User Account Control and Internet Explorer's new protected mode, you will not receive as many support calls from users complaining that their home page has changed or that they have unwanted Internet Explorer toolbars.

Data Protection

Feature Description

Theft or loss of corporate intellectual property is an increasing concern for organizations. Windows Vista has improved support for data protection at the document, file, directory, and machine level. The integrated Rights Management client allows organizations to enforce policies around document usage. The Encrypting File System, which provides user-based file and directory encryption, has been enhanced to allow storage of encryption keys on smart cards, providing better protection of encryption keys. In addition, the new BitLocker Drive Encryption enterprise feature adds machine-level data protection. On a computer with appropriate enabling hardware, BitLocker Drive Encryption provides full volume encryption of the system volume, including Windows system files and the hibernation file, which helps protect data from being compromised on a lost or stolen machine. In order to provide a solution that is easy to deploy and manage, a Trusted Platform Module (TPM) 1.2 chip is used to store the keys that encrypt and decrypt sectors on the Windows hard drive. It requires the TPM and an enterprise management infrastructure to ensure that the feature is easy to use for end users.

BitLocker full volume encryption seals the symmetric encryption key in a Trusted Platform Module (TPM) 1.2 chip. A TPM chip is a hardware component available in some newer computers that stores keys, passwords, and digital certificates.

BitLocker also stores measurements of core operating system files in a TPM chip. Every time the computer is started, Windows Vista verifies that the operating system files have not been modified in an offline attack. An offline attack is a scenario where an attacker boots an alternative operating system in order to gain control of the system. If the files have been modified, Windows Vista alerts the user and refuses to release the key required to access Windows. The system then goes into a recovery mode, prompting the user to provide a recovery key to allow access to the boot volume.

Recovery mode is also used if a disk drive is transferred to another system. Recovery mode requires a recovery key that is generated when BitLocker is enabled, and that key is specific to one machine. As a result, BitLocker is intended for enterprises with a management infrastructure in place to store the recovery keys, such as Active Directory. Otherwise, there is the potential for data loss if a computer fails and its drive is moved to another computer and the recovery key is unavailable.

Benefits

Windows XP and earlier versions of Windows are vulnerable to offline attacks that attempt to obtain a user's data on lost or stolen computers. Unlike online attacks, which occur when the operating system is running (and therefore can be mitigated by firewalls and antivirus software), offline attacks occur when the operating system is turned off. The most common types of offline attacks are:

• Starting an offline computer with a boot disk and resetting the administrator password so that the attacker can start the operating system and authenticate.
• Accessing the computer's hard disk directly with a different operating system to bypass file permissions.

BitLocker can be used to protect against both of these types of attacks. This protection is particularly valuable with mobile computers, which are vulnerable to theft.

Why It Matters

Lost or stolen computers often contain confidential corporate intellectual property or personally identifiable information about customers. The compromise of that data can result in an organization receiving unwanted publicity when news of the theft becomes public, which happens when an organization notifies customers that their personal information was lost. That can result in lost customer confidence and negative articles in the press.

With Windows Vista's full volume encryption, you can dramatically reduce the risk of an attacker compromising confidential files by using offline attacks. Full volume encryption provides assurance that an attacker will not be able to access sensitive company or customer data on that machine if a laptop is lost or stolen.