PC freak

Saturday, March 24, 2007

Security-related technologies

Microsoft stated that security was a primary design goal for Vista. Microsoft's Trustworthy Computing initiative, which aims to improve public trust in its products, has had a direct effect on its development. This effort has resulted in a number of new security and safety features.

User Account Control is perhaps the most significant and visible of these changes. User Account Control is a security technology that makes it possible for users to use their computer with fewer privileges by default. This was often difficult in previous versions of Windows, as the previous "limited" user accounts proved too restrictive and incompatible with a large proportion of application software, and even prevented some basic operations such as looking at the calendar from the notification tray. In Windows Vista, when an action requiring administrative rights is requested, the user is first prompted for an administrator name and password; in cases where the user is already an administrator, the user is still prompted to confirm the pending privileged action. User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is blacked out and temporarily disabled, and only the authorization window is active and highlighted. The intent is to stop a malicious program from spoofing the user interface in an attempt to capture administrator credentials.
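The prompting behaviour described above is controlled by policy values in the registry. The following PowerShell audit is an added example, not part of the original post; the helper names `Get-UacPolicy` and `Test-UacPolicy` and the sample policy are made up for illustration, while the registry key and value names are the standard UAC policy settings.

```powershell
# Added example (not from the original post): report UAC policy values that
# weaken the prompting behaviour described above.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

# Hypothetical helper: read the three values into a hashtable ($null if absent).
function Get-UacPolicy {
    $props  = Get-ItemProperty -Path $PolicyKey
    $policy = @{}
    foreach ($name in $ValueNames) { $policy[$name] = $props.$name }
    return $policy
}

# Hypothetical helper: emit one finding string per weak setting, nothing if all are fine.
function Test-UacPolicy {
    param([Parameter(Mandatory = $true)][hashtable]$Policy)

    if ($Policy['EnableLUA'] -ne 1) {
        'EnableLUA is not 1: UAC is off and administrators run with full rights.'
    }
    if ($Policy['ConsentPromptBehaviorAdmin'] -eq 0) {
        'ConsentPromptBehaviorAdmin is 0: administrators are elevated without a prompt.'
    }
    if ($Policy['PromptOnSecureDesktop'] -ne 1) {
        'PromptOnSecureDesktop is not 1: the Secure Desktop is not enforced for every elevation prompt.'
    }
}

# Constructed sample: UAC is on, but administrators are elevated silently
# and the Secure Desktop switch is disabled. Yields two findings.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Test-UacPolicy -Policy $sample | ForEach-Object { "sample: $_" }

# Live check of the local machine (only where the registry key exists).
if (Test-Path $PolicyKey) {
    $local = @(Test-UacPolicy -Policy (Get-UacPolicy))
    if ($local.Count -eq 0) { 'local: no weak UAC settings found' }
    else { $local | ForEach-Object { "local: $_" } }
}
```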

Internet Explorer 7's new security and safety features include a phishing filter, IDN with anti-spoofing capabilities, and integration with system-wide parental controls. For added security, ActiveX controls are disabled by default. Internet Explorer also operates in a "protected mode", which runs with lower permissions than the user and in isolation from other applications in the operating system, preventing it from accessing or modifying anything besides the Temporary Internet Files directory. Microsoft's anti-spyware product, Windows Defender, has been incorporated into Windows, providing protection against malware and other threats. Changes to various system configuration settings (such as new auto-starting applications) are blocked unless the user gives consent.

Another significant new feature is BitLocker Drive Encryption, a data protection feature included in the Enterprise and Ultimate editions of Vista that provides encryption for the entire operating system volume. BitLocker can work in conjunction with a Trusted Platform Module chip (version 1.2) that is on a computer's motherboard, or with a USB key.

A variety of other privilege-restriction techniques are also built into Vista. An example is the concept of "integrity levels" in user processes, whereby a process with a lower integrity level cannot interact with processes of a higher integrity level and cannot perform DLL injection into a process of a higher integrity level. The security restrictions of Windows services are more fine-grained, so that services (especially those listening on the network) have no ability to interact with parts of the operating system they do not need. Obfuscation techniques such as address space layout randomization and Kernel Patch Protection are used to increase the amount of effort required of malware before successful infiltration of a system. Code Integrity verifies that system binaries haven't been tampered with by malicious code.

As part of the redesign of the network stack, Windows Firewall has been upgraded, with new support for filtering both incoming and outgoing traffic. Advanced packet filter rules can be created that grant or deny communications to specific services.