The security features you've seen so far are certainly worth the price of admission and should be enough to make Vista the most secure Windows OS yet. But Microsoft has more security tricks up its sleeve. The next few sections take you on a quick tour of the most important or interesting of the rest of Vista's new security innovations.
If you could map out the Windows attack surface, the biggest feature in the resulting landscape would be, by far, the system and third-party services that run in the background. Services are a tempting malware target for two reasons.
First, most services are "always on," in the sense that they start when Windows loads and then remain running until you shut down the system. Second, most services run with a high privilege level that gives them full access to the system. Malware that manages to get into a computer can use the system services to perform almost any task, from installing a Trojan horse to formatting the hard drive.
To reduce the chance that a malware program could turn a system's services on itself, Windows Vista implements a new service security technology called Windows Service Hardening. This technology doesn't prevent malware from infecting a service. (That's the job of Windows Firewall and Windows Defender.) Instead, Windows Service Hardening is designed to limit the damage that a compromised service can wreak upon a system by implementing the following security techniques:
- All services run in a lower privilege level.
- All services have been stripped of permissions that they don't require.
- All services are assigned a security identifier (SID) that uniquely identifies each service. This enables a system resource to create its own access control list (ACL) that specifies exactly which SIDs can access the resource. If a service that's not on the ACL tries to access the resource, Vista blocks the service.
- A system resource can restrict which services are allowed write permission to the resource.
- All services come with network restrictions that prevent services from accessing the network in ways not defined by the service's normal operating parameters.
System Drive Encryption with BitLocker
Take new Vista technologies such as the bidirectional Windows Firewall, Windows Defender, and Windows Service Hardening; throw in good patch-management policies (that is, applying security patches as soon as they're available); and add a dash of common sense, and your computer should never be compromised by malware while Vista is running. However, what about when Vista is not running?
If your computer is stolen or if an attacker breaks into your home or office, your machine can be compromised in a couple of different ways:
- By booting to a floppy disk and using command-line utilities to reset the Administrator password.
- By using a CD-based operating system to access your hard disk and reset folder and file permissions.
Either exploit gives the attacker access to the contents of your computer. If you have sensitive data on your machinefinancial data, company secrets, and so onthe results could be disastrous. To help you prevent a malicious user from accessing your sensitive data, Windows Vista comes with a new technology called BitLocker that encrypts the entire system drive.
That way, even if a malicious user gains physical access to your computer, he or she won't be able to read the system drive contents. BitLocker works by storing the keys that encrypt and decrypt the sectors on a system drive in a Trusted Platform Module (TPM) 1.2 chip, which is a hardware component available on many newer machines.
To enable BitLockerwhich is available only in the Enterprise and Ultimate editions of Windows Vistaopen the Control Panel and select Security, BitLocker Drive Encryption (or just open the BitLocker Drive Encryption icon directly if you're using Classic view). In the BitLocker Drive Encryption window, click Turn On BitLocker.
This launches the Turn On BitLocker Drive Encryption Wizard, which takes you through the following tasks:
- Save a startup key on a removable USB device. You need to insert this device each time you start your computer to decrypt the system drive.
- Creating, displaying, printing, or saving the recovery password. You need this password if BitLocker blocks access to your computer. (BitLocker blocks access if it detects that one or more system files have been tampered with.) You can either enter the 48-digit(!) password by hand or use the recovery key you save to a USB device in the next step.
- Encrypt the system volume. After this is done, you must insert the device with the startup key each time you want to load Vista.
Avoiding Overflows with Support for the NX Bit
One common cause of system crashes, and a common technique used by makers of malicious software, is the buffer overflow. A buffer is a memory area set aside to hold data. The buffer has a fixed size, which means it can't handle data larger than that size. A well-programmed system includes checks to ensure that only data of the correct size (or less) gets written to the buffer.
In practice, however, the desire for faster code or sheer sloppiness by the programmer can occasionally result in unprotected memory buffers. When buffer overflow occurs, either by accident or by design, the extra data is written to memory areas that are adjacent to the buffer. If these adjacent areas just hold more data, nothing terrible happens.
However, if the adjacent areas contain core operating system code, the system can crash; even worse, if the adjacent areas are designed to run system control code, a clever hacker can take advantage of that to run whatever code he or she wants, usually with disastrous results.
To help prevent these nasty aspects of buffer overflow, recent CPUs have implemented the NX (No eXecute) attribute, which can brand certain memory areas as nonexecutable. This means that even if a buffer overflows into a code area, no malicious code can run because that area is marked with the NX attribute.
Windows Vista fully supports the NX bit, allowing it to brand core system areas such as the stack and the head as nonexecutable.
Thwarting Malware Randomly with ASLR
Microsoft isn't assuming that users' machines will never be subject to malware attacks. To that end, Windows Vista implements not only support for the NX bit and continued support for Data Execution Prevention (which prevents malicious code from running in protected memory locations). Vista also implements an open-source security feature called Address Space Layout Randomization (ASLR). This feature is aimed at thwarting some common attacks that attempt to run system code.
In previous versions of Windows, certain system DLLs and executables were always loaded into memory using the same addresses each time, so attackers could launch one of those processes because they knew the function's entry point. With ASLR, Vista loads these system functions randomly into one of 256 memory locations, so attackers can't be certain where a particular bit of system code resides in memory.
Using Parental Controls to Restrict Computer Usage
If you have children who share your computer, or if you're setting up a computer for the kids' use, it's wise to take precautions regarding the content and programs that they can access. Locally, this might take the form of blocking access to certain programs (such as your financial software), using ratings to control which games they can play, and setting time limits on when the computer is used.
If the computer has Internet access, you might also want to allow (or block) specific sites, block certain types of content, and prevent file downloads. All this sounds daunting, but Windows Vista's new Parental Controls make things a bit easier by offering an easy-to-use interface that lets you set all of the afore-mentioned options and lots more. (You get Parental Controls in the Home Basic, Home Premium, and Ultimate editions of Windows Vista.)
Before you begin, be sure to create a standard user account for each child that uses the computer. When that's done, you get to Parental Controls by opening Control Panel and selecting the Set Up User Account link (or by launching the Parental Controls icon directly if you're using Classic view). Click the user you want to work with to get to the User Controls window. You should activate two options here:
- Parental Controls - Click On, Enforce Current Settings. This enables the Windows Vista Web Filter, and the Time Limits, Games, and Allow and Block Specific Programs links in the Settings area.
- Activity Reporting - Click On, Collect Information About Computer Usage. This tells Vista to track system events such as blocked logon attempts and attempted changes to user accounts, the system date and time, and system settings. Activating this option also enables the Activity Reports link in the Settings area
The User Controls window gives you four links to use when setting up the controls for this user:
- Windows Vista Web Filter Click this link to display the Web Restrictions page. Here you can allow or block specific websites, set up general site restrictions (such as Kids Websites Only), block content categories (such as Pornography, Mature Content, and Bomb Making), and block file downloads.
- Time Limits Click this link to display the Time Restrictions page, which shows a grid where each square represents an hour during the day for each day of the week. Click the squares to block computer usage during the selected times.
- Games Click this link to display the Game Controls page. Here you can allow or disallow all games, restrict games based on ratings and contents, and block or allow specific games.
- Allow and Block Specific Programs Click this link to display the Application Restrictions page, which displays a list of the programs on your computer. Click the check boxes for the programs you want to allow the person to use.
Network Access Protection
Over the past few years, we've all heard too many reports of viruses and other malware spreading around the globe in the electronic equivalent of a wildfire. One of the reasons these plagues spread so quickly is that they often start on computers connected to local area networks. The malware takes over the hapless network client and soon begins moving through the network, taking down clients and servers as it goes.
A client computer that allows a malware infection to spread to the network is an IT professional's worst nightmare, but Windows Vista has a solution. It's called Network Access Protection (NAP), and the idea behind it is simple: If a client computer is compromisedeven if it's only theoretically possible that it might be compromiseddon't let it connect to the network. (NAP comes with the Business, Enterprise, and Ultimate editions of Windows Vista.)
The way NAP works is that Vista runs a service called the Network Access Protection Agent. This service checks the health status of the computer: its installed security patches, downloaded virus signatures, security settings, and more. Before the network logoneither via the local area network or via a remote connectionthe agent reports the computer's health status to a NAP enforcement service running on the server. (This enforcement service is part of Windows Server "Longhorn.")
If any of the health items are not completely up-to-date or within the network guidelines, the NAP enforcement service either doesn't let the computer log on to the network, or it shuttles the computer off to a restricted area of the network. You can also set up the server's NAP process to automatically update the client computer with the latest patches, virus signatures, security settings, and so on.