Wednesday, July 26, 2006

Windows Vista Security Features

This blog is posted on http://nikhilw.blogspot.com
========
The following column is based on the last build from Microsoft, Windows Vista build 5219, released September 2005. It is one more semipublic build later than the Beta 1 currently in limited circulation, but Microsoft is careful not to call it Beta 2, although the code is based on code that will eventually be Beta 2 (got that?).

Like Linux, like Mac...
Microsoft seems keenly aware of its competition. For years, Linux and the Mac OS have designated administrator privileges to a separate user account, not the default user account, so malware has found it harder to infect those OSs. Microsoft had argued that Windows was easier for everyone to use; Microsoft's user-cum-administrator access within Windows allowed you to make changes within the operating system with ease. But the downside of this convenience is steep; viruses and malicious code picked up along the Internet could also perform changes and could even take over your computer.

Linux and the Mac OS designate administrator privileges to a separate user
account, not the default user account, so malware has found it harder to infect
those OSs.

In Vista, Microsoft offers something called User Account Protection (UAP). Under UAP, standard users can still install software and make changes within the OS, but they'll first be prompted to enter an administrator password. Even Administrator accounts (like those in XP) will be limited, requiring additional passwords to perform high-level tasks. Seems like that might be a hassle, but there's an immediate benefit to this extra layer of passwords: you'll be prompted before anything rogue attempts to install on your machine. This should reduce the need for antispyware apps in the future.
And speaking of restrictions, Microsoft also plans to reduce the amount of kernel-level code in Vista, relocating a number of device drivers and virus scanners that currently write to the protected areas of the system registry. For example, all printer drivers write to the kernel, requiring a reboot. The downside is that if the printer driver ever misbehaves, it'll take down your entire system. Under the new Vista plan, printer drivers, antivirus scanners, and other devices will install on the user level only--not within the OS kernel. As a result, look for new Vista-compatible antivirus products to hit the shelves next fall.

Internet Explorer 7 for Vista
IE 7 for Vista will operate in a restricted mode as well. The browser will be able to write only to the History and Temporary Internet folders; it cannot, for example, upgrade privileges without your Administrator password. This should prevent malware from hijacking your browser and taking control of your PC.
IE 7 will also require you to turn on or off any add-ins, such as the Flash player, and IE 7 for Vista will have built-in antiphishing technology. Whenever you attempt to access a page that Microsoft determines to contain the potential for ID theft, you'll receive a warning. You may proceed, but at your own risk. The plan here is that users will report suspected phishing sites, and the MSN division of Microsoft will check them out and warehouse a database of blacklisted sites. The details of this technology are sketchy, and I suspect this feature will change before the final release.

Hits and misses
One of the really wild ideas being discussed for Windows Vista is self-healing software. The applications and the OS will contain a list of key hash files; if any of the files have changed over time or are missing, the software will automatically reinstall the file upon loading. Also, whenever the OS is updated, Windows Update will check your system for and remove known malware. These are cool ideas, should they become implemented.

One of the really wild ideas being discussed for Windows Vista is self-healing
software.

Then there are some obvious misses. While Microsoft plans to finally roll out its two-way firewall, once again, the new firewall feature won't be on by default. Given Microsoft's past performance with firewalls, though, I'd say you're better off using a third-party product such as Zonealarm instead. Still, providing a two-way firewall shouldn't be such a hassle. Microsoft says it doesn't want the user to experience "dialog fatigue" from accepting or denying applications that want to access the Internet. Microsoft will have a whitelist of apps permitted to run under Windows Firewall, but it sounds as though it won't be as thorough as that offered by ZoneAlarm or other major firewall vendors. I remain baffled as to why Microsoft can't seem to get a basic security feature like personal firewalls right.

It's coming: Microsoft antivirus app
Also missing will be the much-rumored Microsoft antivirus app. Microsoft would get into the antivirus business, displacing stalwarts such as Symantec and McAfee. It would also open the software giant up to charges of creating a monopoly. Instead, through the aegis of MSN, Microsoft will offer something called OneCare, a protection service that users subscribe to annually. OneCare will manage just about everything on your PC, from backups to disk defragmentation, and will also include Microsoft's GeCad-based antivirus app as part of the service. So OneCare won't really compete with Symantec and McAfee, but I think that's a fine legal distinction.
==========
Courtesy:
Robert Vamosi
Senior editor
CNT Reviews

posted by Nikhil Wadhwani @ 12:55 PM

0 Comments:

Post a Comment

<< Home