The release of Windows Vista presents a whole new set of challenges for IT administrators and end-users alike. The overall goal of the design and functionality of the operating system is to simplify the user experience, but Microsoft has changed enough of the ‘look and feel’ to make it difficult for seasoned Windows veterans to find their way around initially. In addition, there many new security features bundled with Vista, and it will take some time to become familiar with all of these. There will be many blogs posted here that will address various pieces of the Vista security stack. This initial posting will give a brief overview of some of the new security features, and subsequent entries will explore each in greater detail.
BitLocker encrypts files so that they are rendered unreadable if a laptop or PC is stolen. BitLocker also has built-in logic that prevents files from being encrypted if the system appears to have been stolen or tampered with. Users have the option to lock the boot process with a PIN number or by attaching a USB thumb drive with the key to decrypt files.
There are many new features and capabilities in the newest version of Windows Firewall. These have already been addressed in the following blog entry:
Network Access Protection
This security feature allows administrators to customize policies that relate to client machines on a shared network. These policies can included certain minimum requirements such as operating system patch levels, firewall settings, and antivirus software to name but a few. If the client machine requesting access does not meet these specified requirements, the machine is either denied network access, or is placed in a ‘quarantined’ area of the network isolated from other machines. Full network access is granted once the client machine has been updated with whatever is required to meet that particular network’s policy requirements.
Software Protection Platform
Microsoft is increasing their efforts to reduce the circulation of pirated copies of their operating system. If Microsoft discovers an illegal copy of Vista, which can be accomplished via something as simple as connecting to Microsoft’s website to download a patch or piece of software, the operating system switches over to a mode of significantly reduced functionality. Most services and features will be rendered inoperable, but basic security functionality, like the ability to download updates, is retained.
‘Forefront’ Security Protection
Forefront is Microsoft’s answer to antivirus and anti-spyware solutions in a all-inclusive package. Forefront is designed to us Active Directory and Windows Server Update services to distribute its security updates and virus definition files. Forefront will offer a number of sub-components that are intended to protect Microsoft applications. Two examples of these sub-components are:
· Forefront Security for Microsoft Exchange
· Forefront Security for Microsoft SharePoint
Forefront is currently still in testing, and is tentatively scheduled to be released later this year.
Vista User Account Control
User Account Control allows for highly granular control over user accounts, reducing the need to grant users Administrator or Power User privileges. Most applications and processes can be run with minimal privileges, but these permissions can be temporarily elevated so that certain administrative tasks and application functions can be performed. Once these have been completed the privileges level will revert back to its original state.
Another feature of User Account Control is that when a task requires elevated privileges, like installing an application, a pop-up box will appear advising the user of the issue and asks if it is okay to proceed. At this point the user can simply click “Allow”, and the task will continue as normal. You can expect to see a large number of these pop-up notifications during the initial installation and configuration of a machine running Vista. There are advantages to this control, the main one being that is that it helps to prevent users from accidentally making changes to their machines. It also helps to mitigate the damage done by malware.