Vista's Security Challenge

Security features such as BitLocker, Network Access Protection, and reduced functionality mode help make this Microsoft's most-secure release.

Larry Greenemeier, Contributor

November 23, 2006

Yes, Vista is more secure, but Microsoft remains a primary attack target. "Vista being more secure doesn't necessarily make my organization more secure," warns Jeremiah Grossman, a former Yahoo information security officer who is founder and CTO of WhiteHat Security.

BitLocker encrypts files, so they can't be read if a PC or laptop is lost or stolen. Conversely, BitLocker won't encrypt files if it suspects a PC has been lost or stolen--a defense against data tampering. There's an option to lock the boot process until the user supplies a PIN, much like an ATM card PIN, or inserts a USB flash drive that contains the key for decryption. Of course, that doesn't give you permission to leave your laptop on the front seat of an unlocked car.

Network Access Protection is one of the most widely anticipated features of Vista. When integrated with Cisco's Network Admission Control framework, NAP supports remote-access policy enforcement. PCs seeking to enter a network protected by Microsoft's, Cisco's, or some other combination of access control technologies get the equivalent of an airport security X-ray. If software's not up to snuff, network access is limited till things get fixed.

Vista's Software Protection Platform is Microsoft's latest get-tough approach to software piracy. If Microsoft catches someone with improperly loaded Vista, the operating system switches to reduced functionality mode, preventing access to Windows Defender anti-spyware software, Aero user interface graphics, and ReadyBoost, which supports a spare USB memory stick. Business customers who get Vista from Microsoft or established PC makers don't have to worry.

Forefront Client Security protects PCs, laptops, and servers from viruses and spyware, using Active Directory and Windows Server Update Services to distribute virus signature updates. Microsoft sees Forefront as a replacement for antivirus and anti-spyware products from other vendors. In beta now, it's due in the second quarter of 2007. Microsoft's challenge: Built-in security is rarely as effective as technology developed by security specialists.

Forefront Security for Exchange Server offers antivirus engines from CA, Kaspersky Lab, Sophos, and others, using their combined power to respond to security threats. In beta and scheduled for launch in December, Forefront for Exchange grew out of Microsoft's 2005 acquisition of Sybari. Exchange Server 2007 comes with built-in spam protection, continuous replication, and rules that let admins and compliance officers set and enforce policies for e-mail, voice mail, and fax.

[Image: Security apps can be managed from Vista's Security Center]

Forefront Security for SharePoint Server (timed for release with Forefront for Exchange) can prevent certain file types, such as MP3s, from being posted to a user's SharePoint site. It includes antivirus scanning from CA, Kaspersky Lab, Sophos, and others. In addition, Microsoft is releasing updated "optimizers" for Office SharePoint Server and Dynamics CRM that provide, among other things, policy-based access and content inspection.

User Account Control in Vista provides granular control over user accounts and eliminates the need to extend administrative privileges to users, a screaming weakness in Windows.

Office Trust Center lets users set security preferences for handling Office documents. It includes separate settings for VBA macros, ActiveX controls, junk e-mail, application add-ins, and other features because users are likely to have different security sensibilities depending on what a file contains or where it's from.

Versions of Vista for 64-bit PCs will include Kernel Patch Protection (formerly PatchGuard) to prevent kernel modification. Microsoft worries malware writers might exploit the same interfaces security vendors use to detect and block rootkits, keystroke-logging software, and worms; thus, the lockdown. Symantec and McAfee object. They want kernel access.
