Security and safety features new to Windows Vista

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Beginning in early 2002 with Microsoft's announcement of their Trustworthy Computing initiative, a great deal of work has gone into making Windows Vista a more secure operating system than its predecessors. Internally, Microsoft adopted a "Security Development Lifecycle" with the underlying ethos of "Secure by design, secure by default, secure in deployment". New code for Windows Vista was developed with the SDL methodology, and all existing code was reviewed and refactored to improve security.

Some specific areas where Windows Vista introduces new security and safety mechanisms include User Account Control, parental controls, Network Access Protection, a built-in anti-malware tool, and new digital content protection mechanisms.

User Account Control

User Account Control is a new infrastructure that requires user consent before allowing any action that requires administrative privileges. With this feature, all users, including users with administrative privileges, run in a standard user mode by default, since most applications do not require higher privileges. When some action is attempted that needs administrative privileges, such as installing new software or changing system settings, Windows will prompt the user whether to allow the action or not. If the user chooses to allow, the process initiating the action is elevated to a higher privilege context to continue. While standard users need to enter a username and password of an administrative account to get a process elevated (Over-the-shoulder Credentials), an administrator can choose to be prompted just for consent or ask for credentials.

UAC asks for credentials in a Secure Desktop mode, where the entire screen is faded out and temporarily disabled, to present only the elevation UI. This is to prevent spoofing of the UI or the mouse by the application requesting elevation. If the application requesting elevation does not have focus before the switch to Secure Desktop occurs, then its taskbar icon blinks, and when focused, the elevation UI is presented (however, it is not possible to prevent a malicious application from silently obtaining the focus).

Since the Secure Desktop allows only the highest-privilege System applications to run, no user-mode application can present its dialog boxes on that desktop, so any prompt for elevation consent shown there can be assumed to be genuine. This also helps protect against shatter attacks, which intercept Windows inter-process messages to run malicious code or spoof the user interface, by preventing unauthorized processes from sending messages to higher-privilege processes. Any process that wants to send a message to a higher-privilege process must itself get elevated to that privilege context via UAC.

Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM). UAC attempts to alleviate this using File and Registry Virtualization, which redirects such writes (and subsequent reads) to a per-user location within the user's profile. For example, if an application attempts to write to "C:\Program Files\appname\settings.ini" and the user does not have permission to write to that directory, the write is redirected to "C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\settings.ini". Virtualization is a compatibility shim rather than a security boundary: it applies only to legacy 32-bit interactive applications that carry no requestedExecutionLevel entry in their manifest, so an application that declares itself UAC-aware receives the genuine access-denied error instead.
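The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the UAC policy values described above from the registry, reports whether the current process already holds the full administrator token, and computes where File Virtualization would redirect a write. It assumes Windows Vista or later; "appname" is a placeholder path.

```powershell
# Added example (not from the article): inspect the UAC policy this page
# describes and show where file virtualization redirects a blocked write.
# Assumes Windows Vista or later; can be run as any user.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# ConsentPromptBehaviorAdmin: how an administrator is prompted (Vista default 2).
$adminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
}
# ConsentPromptBehaviorUser: how a standard user is prompted (Vista default 1,
# the "over-the-shoulder" credential prompt; 0 silently denies elevation).
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

"EnableLUA (UAC enabled)    : $($uac.EnableLUA)"
"Administrator prompt       : $($adminBehavior[[int]$uac.ConsentPromptBehaviorAdmin])"
"Standard user prompt       : $($userBehavior[[int]$uac.ConsentPromptBehaviorUser])"
"PromptOnSecureDesktop      : $($uac.PromptOnSecureDesktop)"
"EnableVirtualization       : $($uac.EnableVirtualization)"

# Does this process already run with the full (elevated) administrator token?
# Under UAC an administrator's default token is filtered, so this is $false
# in a normal console even for members of the Administrators group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current process elevated   : $elevated"

# Where a legacy (unmanifested, 32-bit, interactive) application's write to a
# protected location ends up. 'appname' is a placeholder.
function Get-VirtualStorePath([string]$Path) {
    $root = [System.IO.Path]::GetPathRoot($Path)     # e.g. C:\
    $rel  = $Path.Substring($root.Length)            # Program Files\appname\settings.ini
    Join-Path $env:LOCALAPPDATA ("VirtualStore\" + $rel)
}
Get-VirtualStorePath 'C:\Program Files\appname\settings.ini'
```

When auditing a machine, the combination to look for is EnableLUA set to 0 or ConsentPromptBehaviorAdmin set to 0, either of which removes the consent step the paragraph above relies on; PromptOnSecureDesktop set to 0 keeps the prompt but drops the spoofing protection of the Secure Desktop.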

BitLocker Drive Encryption

Formerly known as "Secure Startup", this feature offers full disk encryption for the system volume. Using the command-line utility, it is possible to encrypt additional volumes. BitLocker uses a USB key or a Trusted Platform Module (compliant with version 1.2 of the TCG specifications) to protect its encryption key. It ensures that the computer running Windows Vista starts in a known-good state, and it also protects data from unauthorized access. Data on the volume is encrypted with a Full Volume Encryption Key (FVEK), which is itself encrypted with a Volume Master Key (VMK) and stored on the disk; the VMK in turn is protected by the TPM or the USB key, so the keys on disk are useless to anyone who cannot satisfy one of the protectors.

Windows Firewall

Windows Vista significantly improves the firewall to address a number of concerns around the flexibility of Windows Firewall in a corporate environment:
  • IPv6 connection filtering
  • Outbound packet filtering, reflecting increasing concerns about spyware and viruses that attempt to "phone home".
  • With the advanced packet filter, rules can also be specified for source and destination IP addresses and port ranges.
  • Rules can be configured for a service by choosing its service name from a list, without needing to specify the full path of its executable.
  • IPsec is fully integrated, allowing connections to be allowed or denied based on security certificates, Kerberos authentication, etc. Encryption can also be required for any kind of connection. A connection security rule can be created using a wizard that handles the complex configuration of IPsec policies on the machine. Windows Firewall can allow traffic based on whether the traffic is secured by IPsec.
  • A new Microsoft Management Console snap-in named Windows Firewall with Advanced Security, which provides access to many advanced options, including IPsec configuration, and enables remote administration.
  • Ability to have separate firewall profiles for when computers are domain-joined or connected to a private or public network. Support for the creation of rules for enforcing server and domain isolation policies.
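The same capabilities can be driven from netsh advfirewall, the command-line front end of Windows Firewall with Advanced Security. The script below is an added example (not from the article or from Microsoft) exercising each bullet above: per-profile policy, a program-based outbound rule, a service-based rule, a connection security rule and a firewall rule that only admits IPsec-authenticated traffic. It assumes an elevated prompt; rule names, paths, service and addresses are placeholders.

```powershell
# Added example (not from the article): Windows Firewall with Advanced
# Security from the command line. Assumes an elevated prompt on Vista or
# later; names, paths and addresses are placeholders.

# Current per-profile policy. Vista ships with inbound blocked and outbound
# allowed: the outbound filter exists but is opt-in.
netsh advfirewall show allprofiles

# Turn on outbound filtering for the public profile only (untrusted networks),
# leaving the domain and private profiles as they are. The comma-separated
# value must be quoted or PowerShell splits it into two arguments.
netsh advfirewall set publicprofile firewallpolicy "blockinbound,blockoutbound"

# Program-based outbound rule: stop one binary from "phoning home".
netsh advfirewall firewall add rule name="Block Contoso updater" dir=out action=block `
    program="C:\Program Files\Contoso\updater.exe" enable=yes

# Service-based rule with address, port and profile scope: the rule binds to
# the service identity, so no executable path is needed.
netsh advfirewall firewall add rule name="Remote Registry from management net" dir=in action=allow `
    service=RemoteRegistry protocol=TCP localport=445 remoteip=10.0.0.0/24 profile=domain

# Connection security rule: require Kerberos computer authentication for all
# traffic with the server subnet (the server and domain isolation case).
netsh advfirewall consec add rule name="Require auth to servers" endpoint1=any endpoint2=10.0.1.0/24 `
    action=requireinrequireout auth1=computerkerb

# Firewall rule that only admits traffic IPsec has already authenticated.
netsh advfirewall firewall add rule name="Allow authenticated RDP" dir=in action=allow `
    protocol=TCP localport=3389 security=authenticate

# Verify what was recorded.
netsh advfirewall firewall show rule name="Allow authenticated RDP" verbose
netsh advfirewall consec show rule name="Require auth to servers"
```

Note that `security=authenticate` only works if a matching connection security rule exists; without one the firewall rule never matches and the port stays closed, which is the safe failure mode.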

Windows Defender

Windows Vista includes Windows Defender, Microsoft's anti-spyware utility. According to Microsoft, it was renamed from 'Microsoft AntiSpyware' because it not only features scanning of the system for spyware, similar to other free products on the market, but also includes Real Time Security agents that monitor several common areas of Windows for changes which may be caused by spyware. These areas include Internet Explorer configuration and downloads, auto-start applications, system configuration settings, and add-ons to Windows such as Windows Shell extensions.

Windows Defender also includes the ability to remove ActiveX applications that are installed and to block startup programs. It also incorporates the SpyNet network, which allows users to communicate with Microsoft, submit what they consider to be spyware, and check which applications are acceptable.

Windows parental controls

Windows Vista includes a range of parental controls for non-domain user accounts. Windows Parental Controls rely on UAC to implement the reduced-rights account identities needed for offline restrictions. An administrator can apply parental control restrictions to other users on the computer. Facilities include:
  • Web content blocking, including the ability to limit web browsing to "kids websites", as well as blocking particular categories of content such as "Pornography", "Drugs", "Web e-mail", "Web chat", and so on. File downloads may also be disabled. Web content filtering is implemented as a Winsock Layered Service Provider (LSP) filter.
  • Time limitations on when the account may be used. When a limit is active, users who are not already logged on are blocked from logging on. If they are logged on when the time limit is reached, the account is locked using Fast User Switching rather than being logged off, so that unsaved data in that account is not lost.
  • Restrictions on what kind of games may be played. An administrator may choose from one of five different game rating services: ESRB (United States and Canada), PEGI (Europe), USK (Germany), OFLC (Australia and New Zealand), or CERO (Japan). Ratings are used to determine the highest allowed game rating. As with web content blocking, a number of categories of content may also be blocked regardless of game ratings.
  • Restrictions on what programs may be executed, implemented using Windows Software Restriction Policies.
  • Activity reports to monitor and log what was done under Parental Controls, through event logging interfaces.
  • APIs expose the policy and in-box restriction settings, and the logging functionality, so that parental controls functionality can be extended or replaced.

Encrypting File System

Encrypting File System (EFS) in Windows Vista can also be used to encrypt the system page file and the per-user Offline Files cache. EFS is also more tightly integrated with enterprise Public Key Infrastructure (PKI), and supports PKI-based key recovery, data recovery through EFS recovery certificates, or a combination of the two. There are also new Group Policies to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, enforce encryption of the user's Documents folder, and prohibit self-signed certificates. The EFS encryption key cache can be cleared when a user locks the workstation or after a certain time limit.

The Encrypting File System rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files so that they use the newly chosen certificate. Certificate Manager also allows users to export their EFS recovery certificates and private keys. Users are reminded to back up their EFS keys upon first use through a balloon notification. The rekeying wizard can also be used to migrate users in existing installations from software certificates to smart cards. The wizard can also be used by an administrator or by users themselves in recovery situations. Because only the per-file key material is re-wrapped under the new certificate, this method is more efficient than decrypting and re-encrypting the files.
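The operations described above are also exposed by cipher.exe and fsutil. The script below is an added example (not from the article): it encrypts a folder, backs up the user's EFS certificate and key, creates a recovery agent, re-wraps existing files after a certificate change, and enables page file encryption. It assumes an elevated prompt on Vista or later; the user name, folder and file names are placeholders.

```powershell
# Added example (not from the article): EFS housekeeping from the command
# line. Assumes an elevated prompt on Vista or later; paths are placeholders.

$dir = 'C:\Users\alice\Documents\Sensitive'

# Encrypt the folder so files created in it inherit the encrypted attribute.
cipher.exe /e "/s:$dir"

# Without arguments cipher reports the encryption state (E = encrypted,
# U = unencrypted) of each file; /s makes that recursive.
cipher.exe "/s:$dir"

# Back up the current EFS certificate and private key to a PFX (prompts for
# a password). Losing the profile without this backup loses the data.
cipher.exe /x C:\Users\alice\efs-backup

# Create a data recovery agent: efs-recovery.cer is published through Group
# Policy as the recovery certificate, efs-recovery.pfx stays offline.
cipher.exe /r:C:\Users\alice\efs-recovery

# After a new certificate (for example one on a smart card) has been selected
# as the current EFS key, re-wrap every encrypted file on local drives with it
# without decrypting the data. /rekey is new in Vista.
cipher.exe /rekey

# Encrypt the page file so plaintext from EFS-protected files cannot be paged
# out unprotected; this is what the new Group Policy setting enforces.
# Takes effect after a reboot.
fsutil.exe behavior set EncryptPagingFile 1
fsutil.exe behavior query EncryptPagingFile
```

The recovery agent PFX is effectively a master key for every file encrypted under that policy, so treat it like a domain administrator credential: generate it on a trusted machine, store it offline, and remove the private key from any machine where it was imported for a recovery.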

Preventing exploits

Windows Vista uses Address Space Layout Randomization (ASLR) to load system files at random addresses in memory. By default, all system files are loaded at one of 256 possible locations, chosen once per boot. Other executables have to specifically set a bit in the header of the Portable Executable (PE) file, the file format for Windows executables, to opt in to ASLR (the linker sets this bit with the /DYNAMICBASE option). For such executables, the locations of the stack and heap are also randomized. By loading system files at random addresses, it becomes harder for malicious code to know where privileged system functions are located, so it cannot reliably use them. This raises the bar for many remote code execution attacks by making return-to-libc exploitation of buffer overflows unreliable: the attacker can no longer predict the address of the library function to return into, and a wrong guess crashes the process rather than running the payload. The protection is only as strong as the weakest module in the process, however, since a single DLL loaded without randomization gives an attacker a fixed address to work from.

The Portable Executable format has been updated to support embedding the addresses of an image's valid exception handlers in its header (the "safe SEH" table emitted by the /SAFESEH linker option). Whenever an exception is thrown, the handler address found on the run-time stack is checked against the table of the module that contains it. If it matches a registered handler, the exception is handled; otherwise the run-time stack is assumed to have been compromised and the process is terminated. The check only covers modules that carry a table, so a process that loads a single DLL built without /SAFESEH remains exposed to classic SEH overwrites aimed at that module.

Function pointers stored in long-lived locations are obfuscated by XOR-ing them with a per-process random value (the mechanism applications reach through the EncodePointer and DecodePointer APIs), so that the actual address pointed to is hard to read out of memory. Overwriting such a pointer is equally hard, because an attacker who does not know the key cannot produce an encoded value that decodes to an address of their choosing. Thus it is hard for an unauthorized user of the function pointer to actually use it. Heap block metadata is likewise XOR-ed with random values, and checksums are kept for heap blocks to detect unauthorized changes and heap corruption. Whenever heap corruption is detected, the application is killed to prevent the exploit from completing.

Windows Vista binaries are built with the compiler's stack buffer overrun detection (the /GS "security cookie" placed between local buffers and the saved return address). When an overrun of a stack buffer is detected in such a binary, the process is killed so that it cannot be used to carry on the exploit. The compiler also reorders local variables so that buffers are placed at higher addresses than non-buffer locals such as pointers, and copies of pointer and buffer parameters are made below the buffers. So to overwrite those locations, a buffer underrun would be needed, and buffer underruns are much less common than buffer overruns.

Data Execution Prevention

Windows Vista offers full support for the NX (No-Execute) feature of modern processors. DEP was introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. This feature, present as NX (EVP) in AMD's AMD64 processors and as XD (EDB) in Intel's processors, can flag certain parts of memory as containing data instead of executable code, which prevents overflow errors from resulting in arbitrary code execution.

If the processor supports the NX bit, Windows Vista enforces hardware-based Data Execution Prevention on protected processes by marking memory pages that should hold only data (such as the heap and stack) as non-executable, so that data placed there cannot be interpreted and executed as code. This prevents exploit code from being injected as data and then executed directly.

If DEP is enabled for all applications, users gain additional resistance against zero-day exploits. But not all applications are DEP-compliant and some will generate DEP exceptions. Therefore, DEP is not enforced for all applications by default in 32-bit versions of Windows and is only turned on for critical system components (the "OptIn" policy). However, Windows Vista introduces additional NX policy controls that allow software developers to enable NX hardware protection for their code, independent of the system-wide compatibility enforcement settings. Developers can mark their applications as NX-compatible when built (the /NXCOMPAT linker option sets a flag in the PE header), which allows protection to be enforced when that application is installed and runs. This enables a higher percentage of NX-protected code in the software ecosystem on 32-bit platforms, where the default system compatibility policy for NX is configured to protect only operating system components. For x86-64 applications, backward compatibility is not an issue and therefore DEP is enforced by default for all 64-bit programs. Also, only processor-enforced DEP is used in x86-64 versions of Windows Vista, for greater security. DEP on its own stops injected code from running but not code-reuse attacks that execute existing code, which is why it is meant to be paired with ASLR.
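Both the ASLR opt-in bit described under "Preventing exploits" and the NX-compatibility bit described here live in the DllCharacteristics field of the PE optional header. The script below is an added example (not from the article or from Microsoft) that parses that field for a few images and then reports the machine-wide DEP policy from WMI. It needs PowerShell 2.0 or later; the sample file list is arbitrary.

```powershell
# Added example (not from the article): decode DllCharacteristics of a PE
# header to see whether an image opted in to ASLR (/DYNAMICBASE) and NX
# (/NXCOMPAT), then report the system-wide DEP policy. PowerShell 2.0+.

function Get-PeMitigationFlags([string]$Path) {
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path is not an MZ image"
    }
    $pe = [BitConverter]::ToInt32($b, 0x3C)              # e_lfanew: offset of "PE\0\0"
    if ($b[$pe] -ne 0x50 -or $b[$pe + 1] -ne 0x45) {
        throw "$Path has no PE signature"
    }
    $opt   = $pe + 4 + 20                                # optional header follows the 20-byte COFF header
    $magic = [BitConverter]::ToUInt16($b, $opt)          # 0x10B = PE32, 0x20B = PE32+
    $chars = [BitConverter]::ToUInt16($b, $opt + 0x46)   # DllCharacteristics; same offset in both formats
    $arch  = 'x86'
    if ($magic -eq 0x20B) { $arch = 'x64' }
    New-Object PSObject -Property @{
        File        = Split-Path $Path -Leaf
        Arch        = $arch
        DynamicBase = (($chars -band 0x0040) -ne 0)      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        NxCompat    = (($chars -band 0x0100) -ne 0)      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        NoSeh       = (($chars -band 0x0400) -ne 0)      # IMAGE_DLLCHARACTERISTICS_NO_SEH
    }
}

# A few operating-system images; add any third-party binary you want to audit.
$files = 'ntdll.dll', 'kernel32.dll', 'notepad.exe' |
    ForEach-Object { Join-Path "$env:SystemRoot\System32" $_ }
$files | ForEach-Object { Get-PeMitigationFlags $_ } |
    Format-Table File, Arch, DynamicBase, NxCompat, NoSeh -AutoSize

# Machine-wide DEP policy: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (32-bit client default: OS components only), 3 = OptOut.
$os = Get-WmiObject Win32_OperatingSystem
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"Hardware DEP available : $($os.DataExecutionPrevention_Available)"
"DEP policy             : $($policyNames[[int]$os.DataExecutionPrevention_SupportPolicy])"
# To cover every process except an exception list on a 32-bit install
# (effective after reboot):  bcdedit /set {current} nx OptOut
```

A process inherits the weakest link: one DLL without DynamicBase loaded into an otherwise randomized process hands an attacker fixed addresses, and under the OptIn policy a 32-bit executable without NxCompat runs with DEP off regardless of how its DLLs were built.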

Digital rights management

New digital rights management and content-protection features have been introduced in Windows Vista, to help digital content providers and corporations protect their data from being copied.
  • PUMA: Protected User Mode Audio (PUMA) is the new User Mode Audio (UMA) audio stack. Its aim is to provide an environment for audio playback that restricts the copying of copyrighted audio, and restricts the enabled audio outputs to those allowed by the publisher of the protected content.
  • Protected Video Path - Output Protection Management (PVP-OPM) is a technology that prevents copying of protected digital video streams, or their display on video devices that lack equivalent copy protection (typically HDCP). Microsoft claims that without these restrictions the content industry may prevent PCs from playing copyrighted content by refusing to issue license keys for the encryption used by HD DVD, Blu-ray Disc, or other copy-protected systems.
  • Protected Video Path - User-Accessible Bus (PVP-UAB) is similar to PVP-OPM, except that it applies encryption of protected content over the PCI Express bus.
  • Rights Management Services (RMS) support, a technology that allows corporations to apply DRM-like restrictions to corporate documents, email, and intranets to protect them from being copied, printed, or even opened by people not authorized to do so.
  • Windows Vista introduces the Protected Process, which differs from a usual process in that other processes cannot manipulate its state, nor can threads from other processes be introduced into it. A Protected Process has enhanced access to the DRM functions of Windows Vista. However, currently only applications using the Protected Video Path can create Protected Processes.

The inclusion of new digital rights management features has been a source of criticism of Windows Vista.

Application isolation

Windows Vista introduces Mandatory Integrity Control to set integrity levels for processes. A lower integrity process cannot modify the resources of a higher integrity process (the "no write-up" rule, checked before the discretionary ACL). This feature is used to enforce application isolation: applications at medium integrity level, such as all applications running in the standard user context, cannot hook into system-level processes running at high integrity, such as elevated administrator applications, but they can hook into lower integrity processes such as Windows Internet Explorer 7 or 8 running in Protected Mode. The same levels govern the window-messaging system (User Interface Privilege Isolation): a lower privilege process cannot validate a window handle belonging to a higher privilege process, cannot SendMessage or PostMessage to higher privilege application windows, cannot use thread hooks to attach to a higher privilege process, cannot use journal hooks to monitor a higher privilege process, and cannot perform DLL injection into a higher privilege process.
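The following PowerShell script is an added example, not code from the article: it makes the integrity levels visible from the command line and starts a process at Low integrity so the no-write-up and UIPI rules above can be observed directly. It relies on the documented rule that a new process receives the lower of its parent's level and the label on its executable file. It assumes Vista or later, PowerShell 2.0 and an unelevated session; the folder name is a placeholder.

```powershell
# Added example (not from the article): observe Mandatory Integrity Control
# and run a process at Low integrity. Assumes Vista or later, PowerShell 2.0
# and an unelevated session; the folder name is a placeholder.

# The mandatory label is carried in the token as a pseudo-group. An
# unelevated session shows "Medium Mandatory Level", an elevated one "High".
whoami /groups | findstr /i "Mandatory"

# Internet Explorer Protected Mode keeps its writable data in a folder that
# already carries a Low label; icacls prints it as
# "Mandatory Label\Low Mandatory Level:(NW)", NW meaning no write-up.
icacls "$env:USERPROFILE\AppData\LocalLow"

# Create a drop zone and label it Low so a sandboxed process may write there.
$drop = Join-Path $env:TEMP 'lowil-dropzone'
New-Item -ItemType Directory -Path $drop -Force | Out-Null
icacls $drop /setintegritylevel Low
icacls $drop

# A process starts at the lower of its parent's level and its executable's
# file label, so a Low-labelled copy of cmd.exe launches at Low integrity.
$lowCmd = Join-Path $drop 'cmd-low.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd
icacls $lowCmd /setintegritylevel Low
Start-Process $lowCmd

# In the new window: "whoami /groups" reports Low Mandatory Level; writing
# to %USERPROFILE%\test.txt is denied even though the DACL allows it
# (no-write-up); writing into the drop zone succeeds; and the window cannot
# post messages to the Medium-integrity windows on the same desktop.
```

Reading is not restricted by the default label policy (only writes are), which is why a Low process can still read most of the profile; a design that needs read isolation has to rely on the discretionary ACL as well.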

Windows Service Hardening

Windows Service Hardening compartmentalizes the services such that if one service is compromised, it cannot easily attack other services on the system. It prevents Windows services from doing operations on file systems, registry or networks which they are not supposed to, thereby reducing the overall attack surface
Attack surface
The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to: user input fields, protocols, interfaces, and services....

 on the system and preventing entry of malware by exploiting system services
Windows Service
On Microsoft Windows operating systems, a Windows service is a long-running executable that performs specific functions and which is designed not to require user intervention. Windows services can be configured to start when the operating system is booted and run in the background as long as...

. Services are now assigned a per-service Security identifier
Security Identifier
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier is a unique name which is assigned by a Windows Domain controller during the log on process that is used to identify a subject, such as a user or a group of users in a network of NT/2000...

 (SID), which allows controlling access to the service as per the access specified by the security identifier. A per-service SID may be assigned during the service installation via the ChangeServiceConfig2 API or by using the SC.EXE command with the sidtype verb. Services can also use access control list
Access control list
An access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...

s (ACL) to prevent external access to resources private to itself.

Services in Windows Vista also run in a less privileged account such as Local Service or Network Service, instead of the System account. Previous versions of Windows ran system services in the same login session as the locally logged-in user (Session 0). In Windows Vista, Session 0 is now reserved for these services, and all interactive logins are done in other sessions. This is intended to help mitigate a class of exploits of the Windows message-passing system, known as Shatter attacks. The process hosting a service has only the privileges specified in the RequiredPrivileges registry value under HKLM\System\CurrentControlSet\Services.

Services also need explicit write permissions to write to resources, on a per-service basis. By using a write-restricted access token, only those resources which have to be modified by a service are given write access, so an attempt to modify any other resource fails. Services also have a pre-configured firewall policy, which gives them only as much privilege as is needed to function properly. Independent software vendors can also use Windows Service Hardening to harden their own services. Windows Vista also hardens the named pipes used by RPC servers to prevent other processes from being able to hijack them.
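
The controls described above (per-service SID, RequiredPrivileges, a low-privilege account, a write-restricted token and an ACL keyed to the service SID) can be applied from an elevated prompt. The following PowerShell session is an added example, not code from the article or from Microsoft; the service name MyService and the directory C:\ProgramData\MyApp are assumed.

```powershell
# Added example (not from the article): applying the Windows Vista service-hardening
# controls to a hypothetical service. Run from an elevated PowerShell prompt.
# "sc" is a PowerShell alias for Set-Content, so the tool is invoked as sc.exe;
# sc.exe requires the space after "obj=", "type=" and similar options.
$svc  = 'MyService'              # assumed service name
$data = 'C:\ProgramData\MyApp'   # assumed directory the service must write to

# 1. Run under a low-privilege built-in account, in its own process, instead of LocalSystem.
sc.exe config $svc obj= 'NT AUTHORITY\LocalService' type= own

# 2. Give the service its own per-service SID. The SID is derived from the service
#    name; "showsid" prints it (the same principal is addressable as NT SERVICE\<name>).
sc.exe sidtype $svc unrestricted
sc.exe showsid $svc

# 3. Trim the token privileges to what the service needs. This sets the
#    RequiredPrivileges value under HKLM\System\CurrentControlSet\Services\<name>;
#    the list is '/'-separated.
sc.exe privs $svc SeChangeNotifyPrivilege/SeCreateGlobalPrivilege

# 4. Grant write access on the service's data directory to its own SID only, so that
#    other services sharing the LocalService account cannot write there. Grant first,
#    then drop the inherited entries.
icacls $data /grant "NT SERVICE\${svc}:(OI)(CI)M" 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'
icacls $data /inheritance:r

# 5. Switch to a write-restricted token: the service can now write only to objects
#    whose ACL explicitly grants its service SID (as in step 4); other writes fail.
sc.exe sidtype $svc restricted

# 6. Verify the configuration and restart the service so the new token takes effect.
sc.exe qsidtype $svc
sc.exe qprivs $svc
sc.exe qc $svc
Restart-Service -Name $svc

# Review: services still running as LocalSystem are the first candidates for this treatment.
Get-WmiObject Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, StartMode, PathName | Format-Table -AutoSize
```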

Authentication and logon

Graphical Identification and Authentication (GINA), used for secure authentication and interactive logon, has been replaced by Credential Providers. Combined with supporting hardware, Credential Providers can extend the operating system to enable users to log on through biometric devices (fingerprint, retinal, or voice recognition), passwords, PINs and smart card certificates, or any custom authentication package and schema third party developers wish to create. Smart card authentication is flexible as certificate requirements are relaxed. Enterprises may develop, deploy, and optionally enforce custom authentication mechanisms for all domain users. Credential Providers may be designed to support Single sign-on (SSO), authenticating users to a secure network access point (leveraging RADIUS and other technologies) as well as machine logon. Credential Providers are also designed to support application-specific credential gathering, and may be used for authentication to network resources, joining machines to a domain, or to provide administrator consent for User Account Control. Authentication is also supported using IPv6 or Web services. A new Security Support Provider, CredSSP, is available through the Security Support Provider Interface (SSPI) that enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP). CredSSP is also used by Terminal Services to provide single sign-on.

Windows Vista can authenticate user accounts using Smart Cards or a combination of passwords and Smart Cards (Two-factor authentication). Windows Vista can also use smart cards to store EFS keys. This makes sure that encrypted files are accessible only as long as the smart card is physically available. If smart cards are used for logon, EFS operates in a single sign-on mode, where it uses the logon smart card for file encryption without further prompting for the PIN.

Fast User Switching, which was limited to workgroup computers on Windows XP, can now also be enabled for computers joined to a domain, starting with Windows Vista. Windows Vista also includes authentication support for the Read-Only Domain Controllers introduced in Windows Server 2008.

Cryptography

Windows Vista features an update to the Crypto API known as Cryptography API: Next Generation (CNG). The CNG API is a user mode and kernel mode API that includes support for elliptic curve cryptography (ECC) and a number of newer algorithms that are part of the National Security Agency (NSA) Suite B. It is extensible, featuring support for plugging custom cryptographic APIs into the CNG runtime. It also integrates with the smart card subsystem by including a Base CSP module which implements all the standard backend cryptographic functions that developers and smart card manufacturers need, so that they do not have to write complex Cryptographic Service Providers (CSPs). The Microsoft Certificate Authority can issue ECC certificates and the certificate client can enroll and validate ECC and SHA-2 based certificates.

Revocation improvements include native support for the Online Certificate Status Protocol (OCSP) providing real-time certificate validity checking, CRL prefetching and CAPI2 Diagnostics. Certificate enrollment is wizard-based, allows users to input data during enrollment and provides clear information on failed enrollments and expired certificates. CertEnroll, a new COM-based enrollment API, replaces the XEnroll library for flexible programmability. Credential roaming capabilities replicate Active Directory key pairs, certificates and credentials stored in Stored User Names and Passwords within the network.

Network Access Protection

Windows Vista introduces Network Access Protection (NAP), which ensures that computers connecting to a network or communicating over a network conform to a required level of system health set by the administrator of the network. Depending on the policy set by the administrator, computers which do not meet the requirements will either be warned and granted access, allowed limited access to network resources, or completely denied access. NAP can also optionally provide software updates to a non-compliant computer, using a Remediation Server, so that it can bring itself up to the level required to access the network. A conforming client is given a Health Certificate, which it then uses to access protected resources on the network.

A Network Policy Server running Windows Server 2008 acts as the health policy server, and clients need to use Windows XP SP3 or later. A VPN server, RADIUS server or DHCP server can also act as the health policy server.

Other networking-related security features

  • The interfaces for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information have been replaced with a new framework known as the Windows Filtering Platform (WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is integrated in the stack, and makes it easier for developers to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic.

  • In order to provide better security when transferring data over a network, Windows Vista provides enhancements to the cryptographic algorithms used to encrypt data. Support for 256-bit and 384-bit Elliptic curve Diffie-Hellman (ECDH) algorithms, as well as for 128-bit, 192-bit and 256-bit Advanced Encryption Standard (AES), is included in the network stack itself and in the Kerberos protocol and GSS messages. Direct support for SSL and TLS connections in the new Winsock API allows socket applications to directly control the security of their traffic over a network (such as providing security policy and requirements for traffic, and querying security settings) rather than having to add extra code to support a secure connection. Computers running Windows Vista can be part of logically isolated networks within an Active Directory domain. Only the computers which are in the same logical network partition will be able to access the resources in the domain. Even though other systems may be physically on the same network, unless they are in the same logical partition, they won't be able to access partitioned resources. A system may be part of multiple network partitions. The Schannel SSP includes new cipher suites that support Elliptic curve cryptography, so ECC cipher suites can be negotiated as part of the standard TLS handshake. The Schannel interface is pluggable, so advanced combinations of cipher suites can be substituted to provide a higher level of functionality.

  • IPsec is now fully integrated with Windows Firewall and offers simplified configuration and improved authentication. IPsec supports IPv6, including support for Internet Key Exchange (IKE), AuthIP and data encryption, client-to-DC (domain controller) protection, integration with Network Access Protection, and Network Diagnostics Framework support. To increase the security and deployability of IPsec VPNs, Windows Vista includes AuthIP, which extends the IKE cryptographic protocol to add features like authentication with multiple credentials, alternate method negotiation and asymmetric authentication.

  • Security for wireless networks is improved with support for newer wireless standards like 802.11i (WPA2). EAP Transport Layer Security (EAP-TLS) is the default authentication mode. Connections are made at the most secure connection level supported by the wireless access point. WPA2 can be used even in ad-hoc mode. Windows Vista enhances security when joining a domain over a wireless network. It can use Single Sign On to use the same credentials to join a wireless network as well as the domain housed within the network. In this case, the same RADIUS server is used for both PEAP authentication for joining the network and MS-CHAP v2 authentication to log in to the domain. A bootstrap wireless profile can also be created on the wireless client, which first authenticates the computer to the wireless network and joins the network. At this stage, the machine still does not have any access to the domain resources. The machine then runs a script, stored either on the system or on a USB thumb drive, which authenticates it to the domain. Authentication can be done either by using a username and password combination or by using security certificates from a Public Key Infrastructure (PKI) vendor such as VeriSign.

  • Windows Vista also includes an Extensible Authentication Protocol Host (EAPHost) framework that provides extensibility for authentication methods for commonly used protected network access technologies such as 802.1X and PPP. It allows networking vendors to develop and easily install new authentication methods known as EAP methods.

  • Windows Vista supports the use of PEAP with PPTP. The authentication mechanisms supported are PEAPv0/EAP-MSCHAPv2 (passwords) and PEAP-TLS (smartcards and certificates).

  • Windows Vista Service Pack 1 includes Secure Socket Tunneling Protocol (SSTP), a new Microsoft proprietary VPN protocol which provides a mechanism to transport Point-to-Point Protocol (PPP) traffic (including IPv6 traffic) through an SSL channel.
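
The logical network isolation and the IPsec/Windows Firewall integration described in the bullets above are driven by connection security rules. The following netsh session is an added example, not configuration from the article or from Microsoft; the rule names and the 192.0.2.x addresses (the documentation range) are placeholders.

```powershell
# Added example (not from the article): a minimal domain-isolation policy using the
# Windows Vista firewall/IPsec integration. Run elevated on a domain-joined test machine.
# Rule names and the 192.0.2.x addresses are placeholders for this illustration.

# Require authenticated (IPsec) inbound connections from any peer and request, but do not
# require, authentication outbound. Authentication uses the computer's Kerberos credentials,
# so a machine that is not a member of the domain cannot open connections to this host
# even though it sits on the same physical network (the "logical partition" above).
netsh advfirewall consec add rule name=DomainIsolation `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# Authentication exemption for the domain controllers: the client must reach them to
# obtain the Kerberos tickets the first rule depends on, so they are excluded.
netsh advfirewall consec add rule name=ExemptDomainControllers `
    endpoint1=any endpoint2=192.0.2.10,192.0.2.11 action=noauthentication

# Inspect the rules, then the main-mode and quick-mode security associations that were
# actually negotiated once traffic flows; an empty SA list means no peer authenticated,
# which is the first thing to check when isolated hosts cannot reach each other.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```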

x86-64-specific features

  • 64-bit versions of Windows Vista enforce hardware-based Data Execution Prevention (DEP), with no fallback software emulation. This ensures that the less effective software-enforced DEP (which provides only safe exception handling and is unrelated to the NX bit) is not used. DEP is enforced by default for all 64-bit applications and services on x86-64 versions and for those 32-bit applications that opt in. In contrast, in 32-bit versions, software-enforced DEP is an available option and by default is enabled only for essential system components.
  • An upgraded Kernel Patch Protection, also referred to as PatchGuard, prevents third-party software, including kernel-mode drivers, from modifying the kernel, or any data structure used by the kernel, in any way; if any modification is detected, the system is shut down. This mitigates a common tactic used by rootkits to hide themselves from user-mode applications. PatchGuard was first introduced in the x64 edition of Windows Server 2003 Service Pack 1, and was included in Windows XP Professional x64 edition.
  • Kernel-mode drivers on 64-bit versions of Windows Vista must be digitally signed; even administrators will not be able to install unsigned kernel-mode drivers. A boot-time option is available to disable this check for a single session of Windows. 64-bit user-mode drivers are not required to be digitally signed.
  • Code Integrity check-sums signed code. Before loading system binaries, they are verified against the check-sum to ensure they have not been modified. The binaries are verified by looking up their signatures in the system catalogs. The Windows Vista boot loader checks the integrity of the kernel, the Hardware Abstraction Layer (HAL), and the boot-start drivers. Aside from the kernel memory space, Code Integrity verifies binaries loaded into a protected process and system-installed dynamic libraries that implement core cryptographic functions.
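
The DEP policy, the boot-time signing bypass and the driver-signing requirement described above can all be audited on a running machine. The following PowerShell script is an added example, not code from the article or from Microsoft; it only reads state and assumes Windows PowerShell on a 64-bit Vista or later system.

```powershell
# Added example (not from the article): auditing the x86-64 protections described above
# on a running machine. Run from an elevated PowerShell prompt; nothing is changed.

# 1. DEP. SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (the 32-bit client
#    default: only essential system components), 3 = OptOut. On x64 the policy mainly
#    affects 32-bit applications, since 64-bit code is always covered.
$os = Get-WmiObject Win32_OperatingSystem
$os | Select-Object OSArchitecture,
                    DataExecutionPrevention_Available,
                    DataExecutionPrevention_SupportPolicy,
                    DataExecutionPrevention_32BitApplications,
                    DataExecutionPrevention_Drivers | Format-List

# 2. Boot settings. "testsigning Yes" or "nointegritychecks Yes" means the kernel-mode
#    code-signing requirement is switched off for this boot configuration, i.e. the
#    boot-time bypass mentioned above has been made persistent.
bcdedit /enum "{current}" | Select-String -Pattern '^(nx|testsigning|nointegritychecks)\s'

# 3. Loaded kernel-mode drivers whose Authenticode signature does not verify.
#    Win32_SystemDriver reports paths in NT form (\??\C:\... or \SystemRoot\...),
#    so normalise them before checking. Files signed only through a catalog (most
#    inbox drivers) can show NotSigned on older PowerShell versions; confirm with
#    "driverquery /si" before treating such an entry as a finding.
$running  = Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
$findings = foreach ($drv in $running) {
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{
                Driver = $drv.Name; Status = $sig.Status; Path = $path
            }
        }
    }
}
$findings | Format-Table Driver, Status, Path -AutoSize
```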

Other features and changes

A number of specific security and reliability changes have been made:
  • Support for the IEEE 1667 authentication standard for USB flash drives with a hotfix for Windows Vista Service Pack 2.
  • The Kerberos SSP has been updated to support AES encryption. The SChannel SSP also has stronger AES encryption and ECC support.
  • Software Restriction Policies introduced in Windows XP have been improved in Windows Vista. The Basic user security level is exposed by default instead of being hidden. The default hash rule algorithm has been upgraded from MD5 to the stronger SHA256. Certificate rules can now be enabled through the Enforcement Property dialog box from within the Software Restriction Policies snap-in extension.
  • To prevent accidental deletion of Windows, Vista does not allow formatting the boot partition when it is active (right-clicking the C: drive and choosing "Format", or typing "Format C:" (without quotes) at the Command Prompt, will yield a message saying that formatting this volume is not allowed). To format the main hard drive (the drive containing Windows), the user must boot the computer from a Windows installation disc or choose the menu item "Repair Your Computer" from the Advanced System Recovery Options by pressing F8 upon turning on the computer.
  • Additional EFS settings allow configuring when encryption policies are updated, whether files moved into encrypted folders are encrypted, encryption of the Offline Files cache, and whether encrypted items can be indexed by Windows Search.
  • The Stored User Names and Passwords (Credential Manager) feature includes a new wizard to back up user names and passwords to a file and restore them on systems running Windows Vista or later.
  • A new Group Policy setting enables the display, at logon, of the date and time of the last successful interactive logon and the number of failed logon attempts with the same user name since then. This lets a user notice that the account was used, or attacked, without his or her knowledge. The policy can be enabled for local accounts, and for domain accounts once the domain is at the Windows Server 2008 functional level.
  • Windows Resource Protection prevents potentially damaging system configuration changes: protected system files, folders and registry keys can be modified only by the Windows Modules Installer service (TrustedInstaller), and any other process, including one running as an administrator, is denied write access. Changes to protected registry settings by unauthorized software are therefore blocked.
  • Protected-Mode Internet Explorer: Internet Explorer 7 and later introduce several security changes, such as a phishing filter, ActiveX opt-in, URL handling protection, and protection against cross-domain scripting attacks and status-bar spoofing. On Windows Vista the browser runs as a low-integrity process: it can write only to low-integrity locations such as the Temporary Internet Files folder, and cannot gain write access to the rest of the user's profile or to the user's registry keys, which limits what malicious content or an exploited vulnerability, even in an ActiveX control, can do. Internet Explorer 7 and later also store credentials such as passwords with the more secure Data Protection API (DPAPI) instead of the less secure Protected Storage (PStore).
  • Network Location Awareness integration with the Windows Firewall: every newly connected network defaults to the Public profile, which blocks unsolicited inbound connections to listening ports and services. If the user marks a network as Private (trusted), Windows remembers that choice for later connections to the same network.
  • The User-Mode Driver Framework lets drivers for many device classes run in user mode, where they reach the kernel only through a dedicated API instead of executing as kernel code. This matters because a majority of system crashes can be traced to faulty third-party device drivers; a user-mode driver that fails takes down only its host process, not the system.
  • Windows Security Center has been upgraded to detect and report the presence of anti-malware software, and to monitor and restore several Internet Explorer security settings and User Account Control. For anti-virus software that integrates with the Security Center, it presents the vendor's own interface for fixing any problems. Windows API calls have also been added that let applications retrieve the aggregate health status from the Security Center and receive notifications when that status changes.
  • Protected Storage (PStore) has been deprecated and made read-only in Windows Vista. Microsoft recommends using DPAPI to add new data items or manage existing ones. Internet Explorer 7 and later also use DPAPI instead of PStore to store their credentials.
  • The built-in Administrator account is disabled by default on a clean installation of Windows Vista. It cannot be used to log on in Safe Mode either, as long as at least one other local administrator account exists.
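The last-logon policy above is backed by a registry value and reports facts that are also recoverable from the Security event log. The following script, an added example that is not code from the article or from Microsoft, enables the policy on a stand-alone machine and then rebuilds the same two figures (last successful interactive logon, failures since) from events 4624 and 4625 so they can be cross-checked. The value name DisplayLastLogonInfo under the Policies\System key is assumed to be the policy's backing value; on a domain, set the policy through Group Policy instead. Run it from an elevated PowerShell, since reading the Security log requires it.

```powershell
# Added example; not code from the article or from Microsoft.
# Assumptions: DisplayLastLogonInfo is the registry value behind the
# "Display information about previous logons during user logon" policy, and
# 4624/4625 are the Vista-era Security log IDs for logon success/failure.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-LastLogonDisplay {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'DisplayLastLogonInfo' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Read one named <Data> element from the event's EventData section.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogonSummary([string]$UserName) {
    # Logon types the policy reports: Interactive (2), RemoteInteractive (10),
    # CachedInteractive (11). Network and service logons are ignored on purpose.
    $interactive = @('2', '10', '11')
    $failures    = 0
    $lastSuccess = $null
    # Get-WinEvent returns newest first; walk back until the latest success.
    # MaxEvents bounds the scan on a busy Security log.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } `
        -MaxEvents 5000 -ErrorAction Stop
    foreach ($e in $events) {
        if ((Get-EventField $e 'TargetUserName') -ne $UserName) { continue }
        if ($interactive -notcontains (Get-EventField $e 'LogonType')) { continue }
        if ($e.Id -eq 4624) { $lastSuccess = $e.TimeCreated; break }
        $failures++   # a 4625 newer than the last success
    }
    New-Object PSObject -Property @{
        UserName              = $UserName
        LastSuccessfulLogon   = $lastSuccess
        FailedLogonsSinceThen = $failures
    }
}

Enable-LastLogonDisplay
Get-LogonSummary -UserName $env:USERNAME | Format-List
```

The scan stops at the first interactive 4624 for the account, so the failure count is exactly what the logon screen shows: attempts with that user name that are newer than its last success. Failures for other user names, and network or service logons, are skipped, which is also what the policy does.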
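The Protected Mode bullet above rests on mandatory integrity control, and the boundary can be reproduced by hand. The script below is an added example, not code from the article or from Microsoft: it copies cmd.exe, gives the copy a Low mandatory label with icacls, and relies on Vista starting a process at the lower of its parent's and its image file's integrity level, so the copy runs at Low just as Internet Explorer does. It assumes whoami /groups prints the label as "Mandatory Label\Low Mandatory Level" and that %USERPROFILE%\AppData\LocalLow carries a Low label; the probe file names are constructed for the demonstration.

```powershell
# Added example; not code from the article or from Microsoft.

$work   = Join-Path $env:TEMP 'lowil-demo'
$lowCmd = Join-Path $work 'cmd.exe'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Copy-Item (Join-Path $env:SystemRoot 'System32\cmd.exe') $lowCmd -Force

# Label the image file Low; a process started from it inherits the label.
icacls $lowCmd /setintegritylevel Low | Out-Null

# Ask the Low process to create a file, then check from this (Medium or High)
# process whether the file appeared. Test-Path is used rather than the child's
# exit code so the verdict does not depend on cmd's errorlevel rules.
function Test-LowWrite([string]$Path) {
    Remove-Item $Path -ErrorAction SilentlyContinue
    & $lowCmd /c "echo probe > `"$Path`"" 2>$null | Out-Null
    $written = Test-Path $Path
    Remove-Item $Path -ErrorAction SilentlyContinue
    return $written
}

# 1. Confirm the child really runs at Low.
& $lowCmd /c 'whoami /groups | findstr /i Mandatory'

# 2. No write up: the profile root has no explicit label and is treated as
#    Medium, so the Low process is denied.
$mediumTarget = Join-Path $env:USERPROFILE 'lowil-probe.txt'
# 3. Writing to a Low location is allowed; LocalLow plays the role that
#    Temporary Internet Files plays for Protected Mode IE.
$lowTarget = Join-Path $env:USERPROFILE 'AppData\LocalLow\lowil-probe.txt'

"write to $mediumTarget : " + $(if (Test-LowWrite $mediumTarget) { 'ALLOWED' } else { 'DENIED (expected)' })
"write to $lowTarget : "    + $(if (Test-LowWrite $lowTarget)    { 'ALLOWED (expected)' } else { 'DENIED' })

# 4. Reading up is still permitted by default, which is why Protected Mode
#    limits what an exploited IE can change, not what it can read.
& $lowCmd /c 'dir /b "%USERPROFILE%" | findstr /i Documents'

Remove-Item $work -Recurse -Force
```

Step 4 is the caveat practitioners should keep in mind: the default policy on files is no-write-up only, so a compromised low-integrity browser can still read documents the user can read; Protected Mode protects the integrity of the profile, not its confidentiality.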
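Two bullets above say that Internet Explorer 7 and Credential Manager moved from PStore to DPAPI. The script below, an added example that is not code from the article or from Microsoft, drives DPAPI the same way through the .NET ProtectedData wrapper over CryptProtectData and CryptUnprotectData, and demonstrates the three properties that make it a better credential store than PStore: the blob is bound to the logged-on user's credentials (CurrentUser scope), optional entropy keeps one application's secrets away from other DPAPI callers in the same session, and a tampered blob is rejected rather than decrypted to garbage. The secret and entropy strings are constructed test values; the System.Security assembly it loads ships with .NET 2.0 on Vista.

```powershell
# Added example; not code from the article or from Microsoft.
Add-Type -AssemblyName System.Security

function Protect-Secret([string]$Plain, [string]$Entropy = '') {
    $data = [Text.Encoding]::UTF8.GetBytes($Plain)
    $ent  = if ($Entropy) { [Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    # CurrentUser scope: only this user's logon credentials can unwrap the blob.
    [Security.Cryptography.ProtectedData]::Protect($data, $ent,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
}

# Returns the secret, or $null when DPAPI refuses the blob.
function Unprotect-Secret([byte[]]$Blob, [string]$Entropy = '') {
    $ent = if ($Entropy) { [Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect($Blob, $ent,
            [Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        return $null
    }
}

$secret     = 'hunter2'          # constructed test value
$appEntropy = 'example.app.v1'   # constructed application-specific entropy

$blob = Protect-Secret $secret $appEntropy
"blob length: $($blob.Length) bytes (ciphertext plus DPAPI header and authentication tag)"

# Round trip with the right entropy.
"same user, right entropy : " + (Unprotect-Secret $blob $appEntropy)

# Same user and session, but a caller that does not know the entropy.
$r = Unprotect-Secret $blob
"same user, no entropy    : " + $(if ($r -eq $null) { 'REJECTED' } else { $r })

# One flipped bit in the stored blob: DPAPI authenticates the blob and refuses it.
$tampered = [byte[]]$blob.Clone()
$tampered[$tampered.Length - 1] = $tampered[$tampered.Length - 1] -bxor 1
$r = Unprotect-Secret $tampered $appEntropy
"tampered blob            : " + $(if ($r -eq $null) { 'REJECTED' } else { $r })
```

The remaining caveat is the one the bullets imply rather than state: CurrentUser scope protects the blob from other accounts and from offline copying of the file, but any code running as the same user with the same entropy can call Unprotect, so DPAPI bounds exposure to the user's own session rather than eliminating it.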

External links

  • Vulnerability Report: Microsoft Windows Vista, including known unpatched vulnerabilities, from Secunia
  • Vista vulnerabilities from SecurityFocus
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.