Security – One of The Key Reasons to Migrate to Windows Vista (part 1)

The value of Windows Vista is often questioned. There are a lot of customers who still think that there might be nor reason to migrate to Windows Vista. I will publish two blog posts giving you some views on the security of our latest operating system. Most of the facts in here are widely known but this might give you some additional guidance.

Let’s start with the Operating System itself. We published the Windows Vista Security Guide, which is split into different sections as shown below:

Let’s look at some of the key challenges to face:

Defend Against Malware

There is different technology in Vista to help you to defend against malware and I would like to touch on a few (some of them not in the guide):

  • ASLR (Address Space Layout Randomization): This is a piece of technology which just helps to defend against attacks against buffer overflows and similar. Basically it just makes sure that a potential exploit does not know where a vulnerable piece of software is located. There is actually a pretty good blog post (on Beta 2 of Vista but the technology is the same) by Michael Howard: Address Space Layout Randomization in Windows Vista.
  • DEP (Dynamic Execution Prevention): Well, this was in Windows XP SP2 already. Basically it leverages a processor feature which is able to distinguish between executable and non-executable memory (to NX flag). Unfortunately a lot of hardware vendors disable this on processor level…
  • User Account Control (UAC): The most hated/loved feature in Vista. There were so many debates about this but I am still a big supporter of UAC. Might well be that we have to adapt the User Interface (well, we have to adapt the user interface). Nevertheless it showed the value several times already: The last time with the out of band release where we could rate the update “only” Important for Vista but Critical for XP.
  • Additionally, there is technology in the platform which was either available for download or built in to Windows XP (Windows Defender, Windows Firewall, Windows Security Center, Malicious Software Removal Tool, Software Restriction Policies). This technology and these tools help you to run the platform in a secure and safe way.
  • Last but definitely not least, there are a lot of improvements around Internet Explorer 7. With one exception (Protected Mode), the features are available on XP as well. However, having the ability to run IE in protected mode by itself allows for a safer browsing experience.

You see, even without active protection, there is already a lot being done around the defense against malware.

So, looking at the next area:

Protect Sensitive Data

The nightmare scenario: You lost your notebook with sensitive data on! So, there is different technology you can use to protect information on your Notebook:

  • Bitlocker Drive Encryption: This is well known and often discussed. I know that there is third-party software being able to deliver drive encryption but Bitlocker is built in to the platform, is part of your license, and can be managed through Active Directory (the recovery key can be mandated to be stored in AD). What a lot of people do not know is that Bitlocker has actually two components (see technical information):
    • It encrypts your disk
    • It verifies the integrity of some key boot components. This helps to boot into a more or less trusted state
  • In order to protect your sensitive information, there is even more you can do. To me the most important piece of technology is Rights Management Services (RMS) in this space as it keeps the protection of the information persistent which allows you not to care anymore where the data resides.

And there is a lot, lot more but I do not want to write too long blogs which then nobody reads :)

I would like you to look into this and I would like you to look into the above mentioned guide and the really go for Windows Vista deployment…

Roger