Windows Vista Security Looks Promising

By Larry Seltzer  |  Posted 2005-07-28 Print this article Print

Opinion: There's some clever stuff in the next version of the Windows client, but we won't really know anything until late next year when lots of people are actually running it.

For several years, especially since Windows XP Service Pack 2, Microsoft has been tightening security in Windows and Internet Explorer. Its hard to see at times, but I do think they have been making progress. Nevertheless, with a completely new version of Windows, Microsoft has the opportunity to do some radical things that should help a lot more. Like Service Pack 2, these changes will break existing applications and require ISVs and device driver writers to make changes. Such is life, I say, and as with SP2, these people will have lots and lots of time to work on updating their software. With few exceptions, if a product doesnt work when Vista ships late next year (cross fingers) you can blame the ISV.

Many of these "new" features have been available in other operating systems or third-party products, but having them standard in Windows makes a difference. Id like to focus on some of the important ones.

Corporate IT has known for a long time (and if they dont, theyre incompetent) how to manage their Windows users with restricted permissions, both on the network and on the local computer. For the average home user it hasnt been hard to set up such accounts, but its common to run into applications that require greater privileges that are provided on Windows XP for a Limited User.

The problem is changed in Windows Vista first by attitude. The word "Limited" is gone and a "User Account" is now limited. Getting an account with Administrator privileges is now the extraordinary case, but its not generally going to be necessary. If you do something that requires admin privileges, such changing firewall settings, the system will offer you an opportunity to enter account credentials that have sufficient privileges, such as the Administrator account. So you can run normally as a non-Administrator. This is all called "User Account Protection," and in beta 1 it must be enabled manually.

This approach, of course, is straight out of Mac OS X, and Mac advocates like to point to it as the right way to do things, but there are definite limitations to how much it can protect you. Most spyware/adware installed on Windows is installed deliberately by the user out of carelessness. You want that cool toolbar and you know youre installing a program, so of course you are going to give it admin privileges or whatever it needs. Youd have to do the same to install a legit program. On the other hand, it should provide protection against silent drive-by downloads unless, once again, the user is stupid enough to let them proceed.

Another User Account Protection feature is that when programs write to protected areas of the file system and registry, these writes are actually stored in a separate area, maintained per user, called the Virtual Store. This is very similar to what is done on a Terminal Server, and in fact I wonder why the Virtual Store is stored in C:\Virtual Store rather than under each users Documents and Settings folder as is done on Terminal Server.

Next page: IE7 and a lot more.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel