Maybe it's because Christmas is getting closer, but these are days full of (Service) Packs under the tree... (ouch, what a corny joke... now you see why the temperature here has dropped below zero? :-)))).
Also yesterday, the Release Candidate of Windows Vista Service Pack 1 was published (as reported on the product blog): the page I linked is rich in useful resources to download it, evaluate it, deploy it in complex enterprise environments, and also block it (in cases where you want to delay its adoption in the company in order to run preliminary application-compatibility tests). Among that documentation you absolutely must not miss the new web page that greatly increases the level of detail on the functional changes coming in this eagerly awaited Service Pack (compared with what was summarised in the first overview document, which I told you about at the time of the Beta): I thought it useful to extract the items that relate in one way or another to security, for more convenient reading by you, security professionals:
• Windows Vista SP1 includes all previously released Security Bulletin fixes which affect Windows Vista.
• SP1 includes Secure Development Lifecycle process updates, where Microsoft identifies the root cause of each security bulletin and improves our internal tools to eliminate code patterns that could lead to future vulnerabilities.
• Service Pack 1 includes supported APIs by which third-party security and malicious software detection applications can work alongside Kernel Patch Protection on 64-bit versions of Windows Vista. These APIs have been designed to help security and non-security ISVs develop software that extends the functionality of the Windows kernel on 64-bit systems, in a documented and supported manner, and without disabling or weakening the protection offered by Kernel Patch Protection.
• Improves the security of running RemoteApp™ programs and desktops by allowing RDP files to be signed. Administrators now have the control to differentiate the user experience based on the publisher’s identity.
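To make the signed-RDP point concrete, here is an added PowerShell example (mine, not code from the original post or from Microsoft): it parses an .rdp file, reports whether it carries a signature, and lists which settings the signscope actually covers, flagging security-relevant settings that are present in the file but outside the signed scope. The sample file content is constructed, and the rule that each signscope entry names a setting key case-insensitively is my assumption about the format.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumption: every entry in signscope names a setting key, matching case-insensitively.

# Constructed sample of a signed .rdp file. The signature value is a placeholder,
# not a real signature blob.
$sampleRdp = @'
screen mode id:i:2
full address:s:rdp.example.test
server port:i:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Calc
drivestoredirect:s:*
signscope:s:Full Address,Server Port,RemoteApplicationMode,RemoteApplicationProgram
signature:s:PLACEHOLDER-SIGNATURE-BLOB
'@ -split "`r?`n"

function Read-RdpFile {
    param([string[]]$Lines)
    # Each line is key:type:value, where type is s (string), i (integer) or b (binary).
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<key>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $settings[$matches['key'].Trim().ToLowerInvariant()] = $matches['value']
        }
    }
    return $settings
}

function Test-RdpSignatureScope {
    param(
        [string[]]$Lines,
        # Settings whose integrity matters most: where the session goes, what is launched,
        # and what local resources are exposed to the remote side.
        [string[]]$MustBeSigned = @('full address', 'alternate full address', 'server port',
                                    'gatewayhostname', 'remoteapplicationprogram', 'drivestoredirect')
    )
    $s = Read-RdpFile -Lines $Lines
    $signed = $s.ContainsKey('signature') -and $s.ContainsKey('signscope')
    $scope = @()
    if ($signed) {
        $scope = @($s['signscope'].Split(',') | ForEach-Object { $_.Trim().ToLowerInvariant() })
    }
    # Every setting in the file that the signature does not cover.
    $unsigned = @()
    foreach ($k in $s.Keys) {
        if ($k -eq 'signature' -or $k -eq 'signscope') { continue }
        if ($scope -notcontains $k) { $unsigned += $k }
    }
    # Sensitive settings present in the file but left outside the signed scope.
    $sensitiveOutside = @($MustBeSigned | Where-Object { $s.ContainsKey($_) -and ($scope -notcontains $_) })
    New-Object PSObject -Property @{
        Signed                = $signed
        SignedSettings        = $scope
        UnsignedSettings      = $unsigned
        SensitiveOutsideScope = $sensitiveOutside
    }
}

# On the constructed sample: Signed = True, and 'drivestoredirect' shows up in
# SensitiveOutsideScope because it is present but not covered by the signscope.
Test-RdpSignatureScope -Lines $sampleRdp | Format-List
```

The point the check makes: a signature only vouches for the settings listed in signscope, so a file from a trusted publisher can still carry unsigned settings (here the drive-redirection line). The publisher's identity, which the administrator can now use to differentiate the user experience, says nothing about settings outside that scope, so an audit should look at the scope and not just at the presence of a signature.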
• Data Execution Protection (DEP) is a memory-protection feature available beginning with Windows XP and Server 2003. SP1 improves security with a new set of Win32 APIs to allow programmatic control over a process’s DEP policy. This will provide application developers with finer control on a process’s DEP settings for security, testability, compatibility, and reliability.
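As an added illustration of the per-process DEP control described above (my example, not code from the original post or from Microsoft), the following PowerShell script reads the system-wide DEP policy from WMI, queries the DEP settings of the running PowerShell process through the kernel32 functions GetProcessDEPPolicy and SetProcessDEPPolicy that SP1 exposes, and opts the process into DEP permanently when it is a 32-bit process. It assumes Windows Vista SP1 or later and PowerShell 2.0 or later (for Add-Type); the flag constants are the documented kernel32 values.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes Windows Vista SP1 or later (where the DEP policy APIs exist) and PowerShell 2.0+.

Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetProcessDEPPolicy(uint dwFlags);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
'@

$PROCESS_DEP_ENABLE = 0x1                       # DEP on for the process
$PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = 0x2  # no compatibility emulation for old ATL thunks

function Get-SystemDepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        SystemPolicy         = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-CurrentProcessDepPolicy {
    $flags = [uint32]0
    $permanent = $false
    $ok = [Win32.Dep]::GetProcessDEPPolicy([Win32.Dep]::GetCurrentProcess(), [ref]$flags, [ref]$permanent)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetProcessDEPPolicy failed with Win32 error $err"
    }
    New-Object PSObject -Property @{
        DepEnabled        = [bool]($flags -band $PROCESS_DEP_ENABLE)
        AtlThunkEmulation = -not [bool]($flags -band $PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION)
        Permanent         = $permanent
    }
}

function Enable-CurrentProcessDep {
    # DEP is always enforced for 64-bit processes and cannot be changed there. In a 32-bit
    # process SetProcessDEPPolicy succeeds at most once: the setting then becomes permanent,
    # which is exactly what a hardened application wants (no later opt-out by injected code).
    if ([IntPtr]::Size -eq 8) { return 'Already enforced (64-bit process)' }
    $ok = [Win32.Dep]::SetProcessDEPPolicy($PROCESS_DEP_ENABLE)
    if ($ok) { return 'DEP enabled permanently for this process' }
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    return "SetProcessDEPPolicy failed with Win32 error $err (policy already permanent, or system policy is AlwaysOn/AlwaysOff)"
}

Get-SystemDepPolicy | Format-List
Get-CurrentProcessDepPolicy | Format-List
Enable-CurrentProcessDep
```

Two things worth noticing when running it: the call fails by design once the policy is permanent or when the system policy is AlwaysOn or AlwaysOff (there is nothing left for the process to decide), and on a 64-bit PowerShell the process is already covered, so the script only reports. Applications should call SetProcessDEPPolicy as early as possible in startup, before any third-party code runs.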
• Improves the trustworthiness of data presented in Windows Security Center (WSC) by ensuring that only authenticated security applications can communicate with WSC.
• Improves security on wired networks by enabling single sign on (SSO) for authenticated wired networks. The single sign on experience presents the user with a single point of credential entry rather than being double prompted for local and network logon.
• For customers upgrading from Windows XP to Windows Vista SP1, the MSRT (Malicious Software Removal Tool) will not run as part of the upgrade. Rather the up-to-date MSRT offered monthly by Windows Update will help protect PCs.
• The cryptographic random number generation is improved to gather seed entropy from more sources, including a Trusted Platform Module (TPM) when available, and replaces the general purpose pseudo-random number generator (PRNG) with an AES-256 counter mode PRNG for both user and kernel mode.
• Improves security in smart card scenarios:
  o Introduction of a new PIN channel to securely collect smart card PINs via a PC. This new capability mitigates a number of attacks that today would require using an external PIN reader to prevent.
  o Enables smart cards that use biometric authentication instead of a PIN.
• Improves security over the Teredo interface by blocking unsolicited traffic by default. This has already been addressed in a Security Update for Windows Vista (KB935807).
• Improves BitLocker Drive Encryption by offering an additional multi-factor authentication method that combines a key protected by the TPM (Trusted Platform Module) with a Startup Key stored on a USB storage device and a user-generated Personal Identification Number (PIN).
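An added PowerShell audit (my example, not code from the original post or from Microsoft) that shows how to verify, from a management host, which key protectors each BitLocker volume actually has and whether the new TPM + PIN + startup key combination is in place. It uses the Win32_EncryptableVolume WMI class in the root\CIMV2\Security\MicrosoftVolumeEncryption namespace and must run elevated; the protector type numbers are the documented KeyProtectorType values.

```powershell
# Added example, not code from the original post or from Microsoft. Run elevated.
$bdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Documented KeyProtectorType values of Win32_EncryptableVolume.
$protectorNames = @{
    0 = 'Unknown'
    1 = 'TPM'
    2 = 'External key (startup key or recovery key)'
    3 = 'Numerical password (recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}
$protectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

function Get-BitLockerProtectorReport {
    $volumes = Get-WmiObject -Namespace $bdeNamespace -Class Win32_EncryptableVolume
    foreach ($v in $volumes) {
        # 0 = enumerate protectors of every type
        $ids = @(($v.GetKeyProtectors(0)).VolumeKeyProtectorID | Where-Object { $_ })
        $types = @()
        foreach ($id in $ids) {
            $t = $v.GetKeyProtectorType($id)
            $types += $protectorNames[[int]$t.KeyProtectorType]
        }
        $status = $v.GetProtectionStatus()
        New-Object PSObject -Property @{
            Drive           = $v.DriveLetter
            Protection      = $protectionNames[[int]$status.ProtectionStatus]
            Protectors      = $types
            ThreeFactorBoot = [bool]($types -contains 'TPM, PIN and startup key')
            # A recovery password is what lets the help desk unlock the volume after a
            # TPM change or a lost USB key; its absence is a finding, not a hardening.
            HasRecoveryPwd  = [bool]($types -contains 'Numerical password (recovery password)')
        }
    }
}

Get-BitLockerProtectorReport | Format-List
```

Reading the output: ThreeFactorBoot is true only when a single protector of type 6 exists, i.e. the boot volume demands the TPM measurement, the PIN and the USB startup key together; three separate single-factor protectors would each unlock the volume alone and do not give the same guarantee. HasRecoveryPwd is included because the stronger the pre-boot authentication, the more the recovery path matters operationally.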
• Enhances the BitLocker encryption support to volumes other than bootable volumes in Windows Vista (for Enterprise and Ultimate SKUs).
• Improves the OCSP (Online Certificate Status Protocol) implementation such that it can be configured to work with OCSP responses that are signed by trusted OCSP signers, separate from the issuer of the certificate being validated.
• Enables a standard user to invoke the CompletePC Backup application, provided that user can supply administrator credentials. Previously, only administrators could launch the application.
• The Remote Desktop client in Windows Vista SP1 provides user interface improvements for user and server authentication. The RDP client streamlines the multiple steps end users must follow to provide their credentials to Windows Server 2003 (or earlier) Terminal Servers, and simplifies the management of previously saved credentials.
Support for New Technologies and Standards
• Adds support for new strong cryptographic algorithms used in IPsec: SHA-256, AES-GCM, and AES-GMAC for ESP and AH; ECDSA, SHA-256, and SHA-384 for IKE and AuthIP.
• Adds the NIST SP 800-90 Elliptical Curve Cryptography (ECC) pseudo-random number generator (PRNG) to the list of available PRNG in Windows Vista.
• Adds support for SSTP (Secure Sockets Tunnel Protocol), a remote access VPN tunneling protocol that will be part of Microsoft’s RRAS (Routing and Remote Access Service) platform. SSTP helps provide full-network VPN remote access connections over SSL, removing some of the VPN connectivity challenges that other VPN tunnels face traversing NAT, web proxies, and firewalls.
• Adds full support for the latest IEEE draft of 802.11n wireless networking.
• Adds support for obtaining identity and invoking identity UI from an inner method via a new EAPHost runtime API, as well as a configuration UI for tunnel methods. These APIs are useful for developers working on tunneling/multi-phased EAP authentication methods as well as those who implement networking supplicants which consume EAP authentications.
• Adds support for Windows Smartcard Framework to enable compliance with the EU Digital Signature Directive and National ID / eID.
• Adds support for the Parental Controls Games Restrictions for ratings from the Korean Game Rating Board (GRB).
• Enhances TCP Chimney network card support so that a TCP Chimney network card can also support Compound TCP.
• Adds support in the Wireless Client for a new FIPS (Federal Information Processing) compliant mode. This mode is FIPS 140-2 compliant because it moves the cryptographic processing from the wireless network card to an existing FIPS-approved cryptographic library.
• Enhances Windows Firewall and IPsec to use the new cryptographic algorithms that are Suite B compliant.
Desktop Administration and Management
• Enables polling of the RMS server at regular intervals to identify new templates and download them to the local template store. Previously these templates were pushed to clients via a combination of Group Policy and scripting. Additionally SP1 provides an API for applications to query and access templates in the template store.
• Windows Vista SP1 includes a new Security Policy (UAC: Allow UAccess), which allows applications to prompt for elevation without using the secure desktop. This allows a remote helper to enter administrative credentials during a Remote Assistance session.
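The new policy is a deliberate relaxation of the secure desktop, so it deserves a place in any UAC baseline check. The following PowerShell script is an added example (mine, not code from the original post or from Microsoft) that compares the UAC values under the policy key in the registry with a hardened baseline; the value names are the ones the UAC policies write, and EnableUIADesktopToggle is the value behind "UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop". The baseline values themselves are my choice and are labelled as such.

```powershell
# Added example, not code from the original post or from Microsoft.
# The registry key and value names are the ones the UAC policies write; the expected
# values form a baseline chosen for this example.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$baseline = @{
    EnableLUA                  = 1   # UAC enabled
    PromptOnSecureDesktop      = 1   # elevation prompts are shown on the secure desktop
    EnableUIADesktopToggle     = 0   # SP1 policy "Allow UIAccess ..." left off unless Remote Assistance needs it
    ConsentPromptBehaviorAdmin = 2   # admins are prompted for consent (0 would elevate silently)
}

function Test-UacBaseline {
    param([string]$Key = $uacKey, [hashtable]$Expected = $baseline)
    $actual = Get-ItemProperty -Path $Key
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = $actual.$name   # $null when the value is absent (defaults apply)
        New-Object PSObject -Property @{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $value
            Compliant = ($value -ne $null -and [int]$value -eq $Expected[$name])
        }
    }
}

# Show only the deviations; an empty result means the host matches the baseline.
Test-UacBaseline | Where-Object { -not $_.Compliant } | Format-Table Setting, Expected, Actual -AutoSize
```

Where a Remote Assistance workflow genuinely requires the helper to type administrative credentials, the deviation on EnableUIADesktopToggle becomes a documented exception rather than a finding; the script makes that decision visible instead of letting the value drift unnoticed.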
• Allows administrators to configure NAP Clients to:
  o Receive updates from Windows Update or Microsoft Update, in addition to WSUS (Windows Server Update Services), as is the case for Windows Vista today.
  o Define the time a client has to retrieve and submit Statements of Health. This allows the NAP client to respond in time when a particular connection has a timeout requirement.
  o Use DNS server records to discover health registration authority (HRA) servers when there are no HRAs configured through local configuration or group policy.
• Allows healthy clients used by the Help Desk to establish IPsec connections to unhealthy machines to help resolve problems. This improves the supportability of NAP by allowing Help Desk technicians with health-compliant machines to establish connections (e.g. remote desktop, file share) to help resolve issues.
• Enhances the existing Vista EAPHost service by including an EAP (Extensible Authentication Protocol) Certification Program (ECP) Detection Mechanism. This mechanism makes delivery of EAP Methods submitted to the ECP available through Windows Update.
• Allows KMS (Key Management Service) to run within a Virtual Machine environment.
Setup and Deployment Improvements
• Enables support for hotpatching, a reboot-reduction servicing technology designed to maximize uptime. It works by allowing Windows components to be updated (or "patched") while they are still in use by a running process. Hotpatch-enabled update packages are installed via the same methods as traditional update packages, and will not trigger a system reboot.
General Improvements and Enhancements
• SP1 reduces the number of UAC (User Account Control) prompts from 4 to 1 when creating or renaming a folder at a protected location.
• Users are now required to enter a password hint during the initial setup of Windows Vista SP1. This change was made based on feedback from top PC manufacturers that many customers frequently do not remember their password and, because the administrator account is turned off by default on Windows Vista, these users do not have a way to access their PCs. A password hint helps avoid this frustrating scenario.
• While not reflected in the initial release candidate this week, we will also be making changes effective with SP1 in how we differentiate the experience customers have using non-genuine versions of our software. This is based on feedback we heard from volume license customers in particular as part of our Windows Genuine Advantage program.
• Also coming with SP1 but not in the current release candidate, we will be including updates that deal with two exploits we have seen, which can affect system stability for our customers:
  o The OEM BIOS exploit, which involves modifying system files and the BIOS of the motherboard to mimic a type of product activation performed on copies of Windows that are pre-installed by OEMs in the factory.
  o The Grace Timer exploit, which attempts to reset the “grace time” limit between installation and activation to something like the year 2099 in some cases.
• Improves reliability of IPsec connections over IPv6 by ensuring that all Neighbor Discovery RFC traffic is IPsec exempted.
• Improves Windows Vista’s built-in file backup solution to include EFS encrypted files in the backup.
I too thought there was little security stuff in SP1... and instead... WOW!