Before this year's annual WinHEC conference, Microsoft hosted a reviewers' day and spent a third of that day discussing security. With Windows Vista, Microsoft believes it has finally gotten security right. The secret? By lowering user privileges across the new operating system, Microsoft joins Linux and Apple, which already keep root access well away from remote criminal hackers (crackers). But Microsoft feels that Windows Vista not only meets the competition, it surpasses it. Only time will tell. Now that Windows Vista beta 2 will soon be available for download by the public, let's take a look at what Microsoft promises within its shiny, new Windows Vista operating system.
Remember Trustworthy Computing?
According to Austin Wilson, Microsoft's Director of Windows Client, Windows Vista is the first operating system to pass through Microsoft's new threat model testing, an outgrowth of Bill Gates's famous declaration of Trustworthy Computing back in January 2002. What Trustworthy Computing means for Vista is that each part of the modularly designed operating system is checked before integration into the larger code. If a section of code fails, it doesn't get added. And this is true for all legacy code within Windows Vista; it too must pass through various security checkpoints. Wilson said Vista is also checked for Common Criteria Certification, which is used by the U.S. government.
In addition to hardening the code at creation, Vista will prevent device drivers from installing inside the system kernel. Microsoft claims that most system crashes in Windows XP are related to third-party drivers. In general, if you have to reboot in order to run software or install hardware, you're more or less trusting that the software or hardware will play nice inside your system kernel; if it doesn't, your system will become unstable, fast. System crashes or reboots have been used by crackers to install malicious software without your notice.
Least privilege users
But the real security boost in Vista will come from how you access the operating system. Most Windows XP users run as administrators because they can install just about any app and get better system performance overall. Very few willingly create and run standard user accounts in Windows XP, although that would be much safer. Perhaps the most significant security advance throughout Windows Vista is a concept that Microsoft calls "least privilege," and it resonates through a number of specific features (such as IE) as well as the overall user experience.
Under Vista, even administrators run as standard users but have express access to administrator privileges when needed. For example, whenever a task is called that requires true administrator privilege, such as configuring wireless connections, Vista issues a pop-up message requiring administrators to acknowledge the process before letting them continue. If you're running as a standard user, you'll be prompted for an administrator's password. Even this is an improvement. In XP, a standard user would have to change to administrator user to perform a task, then change back to standard; under Vista, you simply type in an administrator's password and continue working as a standard user.
Those noisy pop-ups
Much has been written elsewhere about the annoying User Account Protection pop-ups in Vista that are an integral part of the least-privilege process. Just checking the Control Panel in early builds of Vista caused a pop-up. In beta 2, Microsoft has listened. In earlier Vista releases, you'd see a pop-up, for example, whenever you tried to access the Task Manager, MSN updates, or mouse controls. In beta 2, none of these pop-ups appear if you're already running as administrator. This is still a work in progress, and after more beta 2 testing by millions of less technical folks, Microsoft will no doubt continue to refine the process.
Another security feature within Vista is what Microsoft calls the Security Desktop: the desktop goes gray whenever a privilege escalation pop-up appears onscreen. According to Wilson, this darkening is deliberate to distract you from whatever's happening on the desktop and direct you to the fact that some process wants administrator access. This might be helpful should an app attempt to load without your permission.
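The split-token model described above (administrators running as standard users until they explicitly elevate) and the policy behind the gray "Security Desktop" can both be inspected from a PowerShell session. This is an added example, not code from the article or from Microsoft; it relies on the standard .NET WindowsIdentity/WindowsPrincipal classes and on the real UAC policy values under the System policies registry key, and it runs on Vista and later versions of Windows.

```powershell
# Added example (not from the article): report whether this session is running
# on a filtered (standard-user) token, and read the policy values that govern
# the elevation prompt and the dimmed secure desktop.

function Get-ElevationState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
                     [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Groups lists every SID in the token, including ones marked "deny only".
    # IsInRole ignores deny-only SIDs. An administrator whose token has been
    # filtered therefore appears in Groups but fails IsInRole: that is the
    # "administrator running as a standard user" state the article describes.
    $inAdminGroup = $identity.Groups -contains $adminSid
    $isElevated   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User          = $identity.Name
        InAdminGroup  = $inAdminGroup
        Elevated      = $isElevated
        FilteredToken = ($inAdminGroup -and -not $isElevated)
    }
}

function Get-UacPolicy {
    # EnableLUA: 1 = UAC on. PromptOnSecureDesktop: 1 = prompt on the dimmed
    # desktop. ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = always
    # prompt for consent, 5 = prompt only for non-Windows binaries.
    # ConsentPromptBehaviorUser: 1 = prompt standard users for credentials.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

Get-ElevationState | Format-List
Get-UacPolicy      | Format-List

# Administrative work from a filtered session is requested explicitly; this is
# the call that raises the consent (or, for standard users, credential) prompt:
#   Start-Process powershell.exe -Verb RunAs
```

A result of InAdminGroup = True with Elevated = False is the expected state for an administrator who has not yet clicked through a prompt; EnableLUA = 0 or PromptOnSecureDesktop = 0 means the protections the article describes have been switched off by policy.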
Shims for criminal hackers?
There do remain some security concerns in beta 2, however. After talking about how the code has been hardened and user privileges restricted, Microsoft is still cutting corners. One way that Vista users will be able to run their pre-Vista, XP-compatible software is through something Microsoft calls "shims." Similar to their physical counterparts, shims are wedges inserted between the software and the operating system that handle version checks so the software can run on Vista. Whenever the software asks for the OS version, Vista answers "Vista," and the shim adds "but I'm also XP," allowing the software to run. While it's a clever fix for the end user, such shims could be an avenue for crackers.
Do you plan to test-drive Windows Vista beta 2? Why or why not? Talk back to me.