By Andrew Garcia
November 26, 2006
Review: But new features will have greater impact on consumers than
One of the advertised hallmarks of Windows Vista is security, as in
Microsoft's renewed focus on and dedication to tightening up the Windows
Indeed, Vista is chock-full of new security features, including a
beefed-up firewall, integrated anti-spyware functionality, BitLocker
drive encryption and UAC (User Account Control). But these features will
ultimately have greater benefits for consumers. For corporate customers
demanding cross-platform functionality, centralized manageability and
rock-solid reliability, these new features will likely be nothing more
than window dressing.
eWEEK Labs has been most interested in BitLocker's potential for the
enterprise, as it encrypts the entire contents of the system drive,
operating system and data files alike.
BitLocker tries to provide an experience that is seamless to the end
user. Ideally, the key that unlocks the volume is sealed to a TPM chip on
the motherboard, which releases it at boot, without user interaction,
only if the measured boot components match the values recorded when
BitLocker was turned on. Administrators can configure BitLocker to
require a user-entered PIN code as well, because the TPM-only mode
protects against offline attacks, such as pulling the drive or booting
from other media, but not against an online brute force attack once the
drive has been automatically unlocked: at that point the attacker faces
only the Windows logon and whatever can be tried against a running
system. A PIN adds a factor that must be supplied before the volume is
unlocked at all.
Corporations that plan to use BitLocker need to plan for it from the
Vista get-go: System hard drives need to be partitioned in such a way
that the boot manager and boot images are stored on a partition separate
from the rest of the operating system, applications and data files.
Although it is possible to repartition the drive on an existing
installation, the process is not straightforward. Also, administrators
need to ensure that a computer's BIOS is Vista-ready, and that it has
either an on-board TPM (Trusted Platform Module) chip at version 1.2 or
supports reading a USB stick in the preboot environment.
However, at this early stage in Vista's development, the necessary level
of support from hardware manufacturers is still to come. For example,
although Vista comes with a generic TPM driver, we could not initially
get the driver to install correctly on our Lenovo ThinkPad T60. We
needed to update the BIOS to the most recent revision, and then manually
locate and install the driver. According to Microsoft engineers, the
T60's TPM chip did not report a device ID that Vista would recognize, so
the driver would not install automatically.
With the TPM chip finally enabled, we could start the encryption process
through the BitLocker configuration wizard, which asked us to archive
the recovery password (a 48-digit number that can be saved to a USB
drive or a folder, or printed) before initiating a system check to
ensure that BitLocker would work. The wizard rebooted the machine,
tested whether the TPM released the key and then began encrypting the
entire drive.
We found the actual disk encryption process to be slow: It took more
than an hour for a 30GB partition. In addition, since the encryption
keys must be created on a machine-by-machine basis, it will take
considerable time and administrative effort to enable a fleet of
notebooks with BitLocker.
According to documentation, administrators will have to turn off
BitLocker to decrypt the drive before initiating a BIOS upgrade. Simple
BIOS changes can be done by temporarily disabling BitLocker instead: the
volume stays encrypted, but the key is stored unprotected on the disk
until protection is re-enabled, so changed TPM measurements do not force
a recovery. Whether a change forces recovery depends on which platform
measurements the key is sealed to; we found that some changes, such as
changing the drive boot order, did not require that step at all. We did
note that when we booted our test machine with the Vista install CD
still in the drive, we had to manually enter the recovery key to start
the system, even though we chose not to actually boot from the media
drive.
With a quick change to a Group Policy setting ("Control Panel Setup:
Enable advanced startup options," with "Allow BitLocker without a
compatible TPM" checked), we also could use BitLocker without a TPM
chip, instead using a USB thumb drive inserted into the computer at boot
time to provide the decryption key. The BIOS must be able to read the
key from the USB device during the boot process for this to work,
something we couldn't achieve with our ThinkPad T60 but were able to do
with a custom-built machine based on Advanced Micro Devices' Athlon 64
3500+ processor and an Abit motherboard. Note that in this mode nothing
ties the key to the machine: whoever holds the thumb drive can unlock
the disk, so it must not travel in the same bag as the notebook.
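The TPM check, key-protector inventory, recovery-password archive and disable/resume cycle described in the BitLocker section above, as an added example that is not part of the original review. It drives the same WMI classes (Win32_Tpm and Win32_EncryptableVolume) that Vista's own manage-bde.wsf script uses; it assumes an elevated PowerShell prompt on a Vista machine with BitLocker already turned on for the system drive, and the function names and the backup path are illustrative.

```powershell
# Added example (not from the eWEEK review): inspect BitLocker's TPM
# dependency and suspend/resume protection around a BIOS update.
# Assumed: run elevated on Vista; BitLocker is enabled on the system drive.

$tpmNs = "root\CIMv2\Security\MicrosoftTpm"
$bdeNs = "root\CIMv2\Security\MicrosoftVolumeEncryption"

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = "Unknown"; 1 = "TPM only"; 2 = "External key (USB startup key)"
    3 = "Numerical password (recovery password)"; 4 = "TPM and PIN"
    5 = "TPM and startup key"; 6 = "TPM, PIN and startup key"; 7 = "Certificate"
}

function Get-TpmState {
    # Win32_Tpm is absent when the BIOS hides the chip or no driver is bound,
    # which is what the review saw on the T60 before the BIOS update.
    $tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { return "no TPM visible to Windows" }
    $e = $tpm.IsEnabled().IsEnabled
    $a = $tpm.IsActivated().IsActivated
    $o = $tpm.IsOwned().IsOwned
    return "TPM enabled=$e activated=$a owned=$o"
}

function Get-OsVolume {
    Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
}

function Show-BitLockerProtectors($vol) {
    # ProtectionStatus: 0 = off (or key in the clear after Disable), 1 = on.
    $status = $vol.GetProtectionStatus().ProtectionStatus
    $conv   = $vol.GetConversionStatus()
    "Protection status: $status, conversion status: $($conv.ConversionStatus) ($($conv.EncryptionPercentage)% encrypted)"
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {   # 0 = all types
        $type = $vol.GetKeyProtectorType($id).KeyProtectorType
        "  protector $id : $($protectorNames[[int]$type])"
        if ($type -eq 1) {
            "  WARNING: TPM-only protector; no pre-boot factor stops a normal boot"
        }
    }
}

function Backup-RecoveryPassword($vol, $path) {
    # Archive every 48-digit recovery password (protector type 3), as the wizard asks.
    foreach ($id in $vol.GetKeyProtectors(3).VolumeKeyProtectorID) {
        $pw = $vol.GetKeyProtectorNumericalPassword($id).NumericalPassword
        "$id $pw" | Out-File -FilePath $path -Append
    }
}

function Suspend-BitLockerForFirmware($vol) {
    # "Disable" rather than "turn off": the volume stays encrypted but the key
    # is stored in the clear, so changed PCR measurements after a BIOS flash
    # do not force recovery. Call Resume-BitLocker after the reboot.
    $rc = $vol.DisableKeyProtectors().ReturnValue
    if ($rc -ne 0) { throw ("DisableKeyProtectors failed: 0x{0:X}" -f $rc) }
}

function Resume-BitLocker($vol) {
    $rc = $vol.EnableKeyProtectors().ReturnValue
    if ($rc -ne 0) { throw ("EnableKeyProtectors failed: 0x{0:X}" -f $rc) }
}

Get-TpmState
$os = Get-OsVolume
Show-BitLockerProtectors $os
Backup-RecoveryPassword $os "E:\bitlocker-recovery.txt"   # illustrative path (removable media)
```

Run Show-BitLockerProtectors before and after a suspend to see the difference the review describes: after DisableKeyProtectors the protectors are still listed but the protection status reads 0, and a later EnableKeyProtectors restores it without re-encrypting anything.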
Anti-spyware and Firewall
Vista comes bundled with the Windows Defender anti-spyware program. In
previous tests, we've found Windows Defender to be an adequate solution
for detecting, removing and preventing spyware, and that legacy
continues in Vista.
Windows Defender could make a decent second line of defense behind a
corporation's standard anti-virus/anti-spyware solution of choice.
Because it lacks centralized policy control, status monitoring and
reporting capabilities, corporations will need to have another solution
in place to provide the documentation and controls necessary to comply
with various regulations.
Through Active Directory Group Policy, we could control only a few
Windows Defender actions: We could disable or enable the program, enable
a few logging metrics, and configure SpyNet reporting characteristics.
We could not schedule scans, do much to change the signature update
checking interval or designate some form of centralized reporting. The
controls we could enable apply only to Vista machines and not to legacy
versions of Windows that had Windows Defender installed as a stand-alone
Waiting in the wings to provide enterprise-grade management and
reporting capabilities is Microsoft's Forefront Client Security suite.
Forefront, due in the second quarter of 2007, leverages the same
anti-spyware capabilities as Windows Defender and the same anti-virus
engine as OneCare. (A beta version of Forefront was available for
download from Microsoft at the time of this review.)
Vista marks the first Windows operating system to provide an integrated
two-way firewall, which we found to be satisfactory overall. Whereas the
integrated firewall that came with Windows XP blocked only inbound
network traffic, Vista's firewall can also monitor and block outbound
traffic, potentially cutting off unauthorized traffic from already
The basic Windows Firewall Settings configuration pane looks similar to
the configuration pane of the XP firewall, although a new option to
block all incoming connections has replaced the old option to prohibit
Drilling down, the Policy Exceptions page looks largely the same as with
XP's iteration, but ICMP (Internet Control Message Protocol) exemption
rules are conspicuously missing. These exemption policies, along with
policy controls for outbound traffic, are now located in a new MMC
(Microsoft Management Console)-based configuration screen called Windows
Firewall with Advanced Security.
Although we found the entire integrated firewall solution highly
functional, two caveats apply. First, outbound filtering is available
but not enforced out of the box: the default outbound action for each
profile is Allow, so until an administrator changes the profile policy
or adds block rules, the Vista firewall stops no more outbound traffic
than XP's did. Second, we doubt it will gain much traction in a large
enterprise that must continue to support legacy Windows operating
systems for the foreseeable future. For the sake of management
simplification, an organization that has already standardized on a
third-party firewall solution for XP-based workstations will be highly
disinclined to implement and manage Vista's Windows Firewall separately.
Instead, it will more likely roll out the third party's Vista firewall
solution, whenever that becomes available.
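The outbound policy, per-program exception and relocated ICMP exemption discussed in the firewall section, as an added example that is not part of the original review. It wraps netsh advfirewall, the command-line front end to Windows Firewall with Advanced Security that ships with Vista; it assumes an elevated prompt, and the rule names and the program path are illustrative.

```powershell
# Added example (not from the eWEEK review): configure Windows Firewall with
# Advanced Security from PowerShell via netsh advfirewall (ships with Vista).
# Assumed: elevated prompt; rule names and program path are illustrative.

function Show-FirewallPolicy {
    # Default inbound/outbound action per profile. A fresh Vista install
    # reports BlockInbound,AllowOutbound: outbound filtering exists but
    # blocks nothing until the policy or explicit block rules change that.
    netsh advfirewall show allprofiles | Select-String "Firewall Policy"
}

function Set-DefaultDenyOutbound {
    # Flip the domain profile to default-deny in both directions; anything
    # not explicitly allowed by a rule is then dropped.
    netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
}

function Add-OutboundAllowRule($name, $program, $port) {
    # Allow one application on one remote TCP port. A program that lacks
    # such a rule (for example something installed without approval) gets
    # no outbound connectivity under the default-deny policy above.
    netsh advfirewall firewall add rule name="$name" dir=out action=allow `
        program="$program" protocol=TCP remoteport=$port enable=yes profile=domain
}

function Add-IcmpEchoInboundRule {
    # The ICMP exemption that left the basic dialog: allow ICMPv4 echo
    # request (type 8, any code) inbound so management tools can ping the host.
    netsh advfirewall firewall add rule name="Allow ICMPv4 Echo Request" `
        dir=in action=allow protocol=icmpv4:8,any enable=yes
}

function Show-RuleState($name) {
    netsh advfirewall firewall show rule name="$name"
}

Show-FirewallPolicy
Set-DefaultDenyOutbound
Add-OutboundAllowRule "Allow proxy client" "C:\Program Files\Proxy\client.exe" 8080
Add-IcmpEchoInboundRule
Show-RuleState "Allow ICMPv4 Echo Request"
Show-FirewallPolicy
```

The second Show-FirewallPolicy call should now report BlockInbound,BlockOutbound for the domain profile; the other two profiles keep the shipped AllowOutbound default, which is the point to check on a notebook that also connects from home networks.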
User Account Control
Vista's UAC marks the first time that Microsoft has shipped a Windows
operating system on which the user is expected, by default, to run with
limited local rights rather than with administrator credentials.
Central administrators can dictate two UAC modes for standard users:
Requests for administrative functions, such as installing software and
changing system settings, can be automatically denied, or the user can
be prompted for administrator credentials on the secure desktop (a
dimmed, isolated desktop that other applications cannot draw over)
whenever an administrative action is being initiated.
Run in the latter mode, UAC generates enough prompts that users will
likely become inured to the messages' contents, likely clicking "yes,"
"yes," "yes" by rote. IT managers who figured out the ins and outs of
LUA (least-privileged user account) on XP- or Windows 2000-based systems
will likely not subject their users to this and will run UAC in the
first mode described.
We like the leap of thinking Microsoft has taken with UAC, acknowledging
that users should not be running with administrative privileges 100
percent of the time. But UAC provides measures that diligent IT
departments should have taken, and hopefully did take, long ago.
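The two UAC modes described above, as an added example that is not part of the original review: it reads the registry values behind the Local Security Policy "User Account Control" settings and reports which mode is in effect, and a second function sets the "deny" mode the review recommends. It assumes Vista and an elevated prompt; the function names are illustrative, the registry path and value names are the ones Vista's policy engine uses.

```powershell
# Added example (not from the eWEEK review): inspect and set the UAC
# policy values that select between "deny" and "prompt" for standard users.
# Assumed: Vista, elevated prompt. Function names are illustrative.

$uacKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

function Get-UacMode {
    $p = Get-ItemProperty -Path $uacKey
    if ($p.EnableLUA -ne 1) { return "UAC off: administrators always run with a full token" }

    # Behavior of the elevation prompt for standard users:
    #   0 = automatically deny elevation requests (the review's first mode)
    #   1 = prompt for credentials (the second mode, which trains click-through)
    switch ($p.ConsentPromptBehaviorUser) {
        0       { $user = "standard users: elevation denied" }
        1       { $user = "standard users: prompt for credentials" }
        default { $user = "standard users: unrecognized value $($p.ConsentPromptBehaviorUser)" }
    }
    # Behavior of the elevation prompt for administrators in Admin Approval Mode:
    #   0 = elevate silently, 1 = prompt for credentials, 2 = prompt for consent
    switch ($p.ConsentPromptBehaviorAdmin) {
        0       { $admin = "admins: silent elevation (weak)" }
        1       { $admin = "admins: prompt for credentials" }
        2       { $admin = "admins: prompt for consent" }
        default { $admin = "admins: unrecognized value $($p.ConsentPromptBehaviorAdmin)" }
    }
    # PromptOnSecureDesktop = 1 puts the prompt on the dimmed, isolated desktop
    # so another process cannot paint a fake prompt over it.
    $desk = if ($p.PromptOnSecureDesktop -eq 1) { "secure desktop" } else { "interactive desktop (spoofable)" }
    return "$user; $admin; prompts on $desk"
}

function Set-UacDenyMode {
    # Standard users cannot elevate at all; administrators still consent on
    # the secure desktop. A change to EnableLUA needs a reboot to take effect.
    Set-ItemProperty -Path $uacKey -Name EnableLUA                 -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -Value 0 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop     -Value 1 -Type DWord
}

Get-UacMode
```

In a domain the same values are delivered through Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, and Get-UacMode is a quick way to confirm on a workstation that the policy actually landed.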
Technical Analyst Andrew Garcia can be reached at andrew_garcia (at)