Vista Takes Security Up a Notch

But new features will have greater impact on consumers than corporations

One of the advertised hallmarks of Windows Vista is security—as in Microsoft's renewed focus on and dedication to tightening up the Windows operating system.

Indeed, Vista is chock-full of new security features—including a beefed-up firewall, integrated anti-spyware functionality, BitLocker drive encryption and UAC (User Account Control)—but these features will ultimately have greater benefits for consumers. For corporate customers demanding cross-platform functionality, centralized manageability and rock-solid reliability, these new features will likely be nothing more than window dressing.

eWeek Labs has been most interested in BitLocker's potential for the enterprise, as it encrypts all the contents of the system drive—operating system and data files alike.

BitLocker tries to provide an experience that is seamless to the user. Ideally, the decryption key is stored on a chip on the motherboard, which automatically decrypts the hard drive upon boot. Administrators can configure BitLocker to require a user-entered PIN as well, as an embedded key can prevent a data thief from performing an offline attack from another boot drive but not an online brute-force attack once the drive is automatically loaded.

Corporations that plan to use BitLocker need to plan for it from the Vista get-go: System hard drives need to be partitioned in such a way that the boot manager and boot images are stored on a partition separate from the rest of the operating system, applications and data files. Although it is possible to repartition the drive on an existing installation, the process is not straightforward. In addition, administrators need to ensure that a computer's BIOS is Vista-ready and that it has either an on-board TPM (Trusted Platform Module) chip or supports access to a USB stick under preboot conditions.

However, at this early stage in Vista's development, the necessary level of support from hardware manufacturers is still to come.

For example, although Vista comes with a generic TPM driver, we could not initially get the driver to install correctly on our Lenovo ThinkPad T60. We needed to update the BIOS to the most recent revision and then manually locate and install the driver. According to Microsoft engineers, the T60's TPM chip did not report a device ID that Vista would recognize, so the driver would not install automatically.

With the TPM chip finally enabled, we could start the encryption process through the BitLocker configuration wizard, which asked us to archive the decryption key before initiating a system check to ensure that BitLocker would work. The wizard rebooted the machine, tested whether the key was detected and then began encrypting the entire drive.

We found the actual disk encryption process to be slow: It took more than an hour for a 30GB partition. In addition, since the encryption keys must be created on a machine-by-machine basis, it will take considerable time and administrative effort to enable a fleet of notebooks with BitLocker.

According to documentation, administrators will have to turn off BitLocker to decrypt the drive before initiating a BIOS upgrade. Simple BIOS changes can be done by temporarily disabling BitLocker, although we found that some changes—such as changing the drive boot order—did not require that step.

We did note that when we booted our test machine with the Vista install CD still in the drive, we had to manually enter the recovery key to start the system, even though we chose not to actually boot from the media drive.

With a quick change to a Group Policy setting, we also could use BitLocker without a TPM chip—instead using a USB thumb drive inserted into the computer at boot time to provide the decryption key. The BIOS must be able to access the key during the boot process for this to work—something we couldn't achieve with our ThinkPad T60 but were able to do with a custom-built machine based on Advanced Micro Devices' Athlon 64 3500+ processor and an Abit motherboard.
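The fleet-readiness questions raised above (is the TPM present and enabled, and is a drive protected by the embedded key alone rather than TPM plus PIN or a USB startup key) can be answered from the WMI providers that arrived with Vista. The script below is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell run as an administrator on a machine that exposes the Win32_Tpm and Win32_EncryptableVolume classes.

```powershell
# Added example: report TPM readiness and the BitLocker key-protector mix for each
# encryptable volume. Assumes Windows PowerShell with administrative rights on a
# machine that exposes both WMI providers (hypothetical function name).
function Get-BitLockerReadiness {
    $tpmNs = 'root\CIMV2\Security\MicrosoftTpm'
    $bdeNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

    # TPM state is read through the class's own methods rather than plain properties.
    $tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
    $tpmState = if ($tpm) {
        @{ Present = $true
           Enabled = [bool]$tpm.IsEnabled().IsEnabled
           Activated = [bool]$tpm.IsActivated().IsActivated
           Owned = [bool]$tpm.IsOwned().IsOwned }
    } else {
        # No TPM device/driver: only the USB startup-key path described above remains.
        @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }

    # Key-protector type codes documented for Win32_EncryptableVolume.GetKeyProtectorType
    $names = @{ 0 = 'Unknown'; 1 = 'TPM only'; 2 = 'External key (USB)';
                3 = 'Recovery password'; 4 = 'TPM and PIN';
                5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key' }

    $volumes = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($vol in $volumes) {
        $status = [int]$vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
        $types = @()
        foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
            $code = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $types += if ($names.ContainsKey($code)) { $names[$code] } else { "Type $code" }
        }
        # A drive unlocked by the embedded TPM key alone blocks offline access from another
        # boot device but, as the article notes, not an online attack once Windows is up.
        $tpmOnly = ($status -eq 1) -and ($types -contains 'TPM only') -and
                   (@($types | Where-Object { $_ -like 'TPM and*' -or $_ -like 'TPM,*' }).Count -eq 0)

        New-Object PSObject -Property @{
            Volume               = $vol.DriveLetter
            Protection           = @('Off', 'On', 'Unknown')[$status]
            Protectors           = ($types -join ', ')
            TpmPresent           = $tpmState.Present
            TpmReady             = $tpmState.Enabled -and $tpmState.Activated -and $tpmState.Owned
            NeedsPinOrStartupKey = $tpmOnly
        }
    }
}

Get-BitLockerReadiness | Format-Table -AutoSize
```

Run against each notebook before rollout, the TpmReady column separates machines that still need a BIOS update or driver fix (as the T60 did) from those ready for the wizard.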

Anti-Spyware and Firewall

Vista comes bundled with the Windows Defender Anti-Spyware program. In previous tests, we've found Windows Defender to be an adequate solution for detecting, removing and preventing spyware, and that legacy continues in Vista.

Windows Defender could make a decent second line of defense behind a corporation's standard anti-virus/anti-spyware solution of choice. Because it lacks centralized policy control, status monitoring and reporting capabilities, corporations will need to have another solution in place to provide the documentation and controls necessary to comply with various regulations.

Through Active Directory Group Policy, we could control only a few Windows Defender actions: We could disable or enable the program, enable a few logging metrics, and configure SpyNet reporting characteristics. We could not schedule scans, do much to change the signature update checking interval or designate some form of centralized reporting. The controls we could enable apply only to Vista machines and not to legacy versions of Windows that had Windows Defender installed as a stand-alone application.

Waiting in the wings to provide enterprise-grade management and reporting capabilities is Microsoft's ForeFront Client Security suite. ForeFront, due in the second quarter of 2007, leverages the same anti-spyware capabilities as Windows Defender and the same anti-virus engine as OneCare. (A beta version of ForeFront can be downloaded at

Vista marks the first Windows operating system to provide an integrated two-way firewall, which we found to be satisfactory overall. Whereas the integrated firewall that came with Windows XP blocked only inbound network traffic, Vista's firewall can also monitor and block outbound traffic, potentially cutting off unauthorized traffic from already-installed applications.

The basic Windows Firewall Settings configuration pane looks similar to the configuration pane of the XP firewall, although a new button to block all incoming connections has replaced the old option to prohibit policy exceptions.

Drilling down, the Policy Exceptions page looks largely the same as with XP's iteration, but ICMP (Internet Control Message Protocol) exemption rules are conspicuously missing. These exemption policies, along with policy controls for outbound traffic, are now located in a new MMC (Microsoft Management Console)-based configuration screen called Windows Firewall with Advanced Security.

Although we found the entire integrated firewall solution highly functional, we doubt it will gain much traction in a large enterprise that must continue to support legacy Windows operating systems for the foreseeable future. For the sake of management simplification, an organization that has already standardized on a third-party firewall solution for XP-based workstations will be highly disinclined to implement and manage Vista's Windows Firewall separately. Instead, they will more likely roll out the third party's Vista Firewall solution, whenever that becomes available.

User Account Control

Vista's UAC marks the first time that Microsoft has attempted to create an operating system on which the user is supposed to run with limited local rights rather than with administrator credentials.

Central administrators can dictate two UAC modes: Users can be denied the rights to administrative functions, such as installing software and changing system settings, or they can be warned in a secured interface whenever an administrative action is being initiated.

Run in the latter mode, UAC generates enough warning messages that users will likely become inured to the messages' contents—likely clicking "yes," "yes," "yes" by rote. IT managers who figured out the ins and outs of LUA, or Least-Privilege User Account, on XP- or Windows 2000-based systems will likely not subject their users to this and will run UAC in the first mode described.

We like the leap of thinking Microsoft has taken with UAC, acknowledging that users should not be running with administrative privileges 100 percent of the time. But UAC provides measures that diligent IT departments should have taken—and hopefully did take—long ago.

Technical Analyst Andrew Garcia can be reached at