Security and safety features new to Windows Vista
There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.
Beginning in early 2002 with Microsoft's announcement of its
Some specific areas where Windows Vista introduces new security and safety mechanisms include User Account Control, parental controls, Network Access Protection, a built-in anti-malware tool, and new digital content protection mechanisms.
User Account Control
User Account Control is a new infrastructure that requires user consent before allowing any action that requires administrative privileges. With this feature, all users, including users with administrative privileges, run in a standard user mode by default, since most applications do not require higher privileges. When some action is attempted that needs administrative privileges, such as installing new software or changing system or security settings, Windows prompts the user to allow or deny the action. If the user chooses to allow, the process initiating the action is elevated to a higher privilege context to continue. While standard users need to enter the username and password of an administrative account to get a process elevated (Over-the-shoulder Credentials), an administrator can choose to be prompted just for consent or for credentials. If the user does not click Yes within 30 seconds, the prompt is denied.
UAC asks for credentials in a Secure Desktop mode, where the entire screen is faded out and temporarily disabled, to present only the elevation UI. This is to prevent spoofing of the UI or the mouse by the application requesting elevation. If the application requesting elevation does not have focus before the switch to Secure Desktop occurs, then its taskbar icon blinks, and when focused, the elevation UI is presented (however, it is not possible to prevent a malicious application from silently obtaining the focus).
Since the Secure Desktop allows only highest privilege System applications to run, no user mode application can present its dialog boxes on that desktop, so any prompt for elevation consent can be safely assumed to be genuine. Additionally, this can also help protect against shatter attacks, which intercept Windows inter-process messages to run malicious code or spoof the user interface, by preventing unauthorized processes from sending messages to high privilege processes. Any process that wants to send a message to a high privilege process must get itself elevated to the higher privilege context, via UAC.
Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably
Encryption
BitLocker, formerly known as "Secure Startup", this feature offers
Windows Vista is the first Microsoft Windows operating system to offer native support for the TPM 1.2 by providing a set of APIs, commands, classes, and services for the use and management of the TPM.[4][5] A new system service, referred to as TPM Base Services, enables access to and sharing of TPM resources for developers who wish to build applications with support for the device.[6]
Encrypting File System (EFS) in Windows Vista can be used to encrypt the system
The EFS rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files that will use the newly chosen certificate. Certificate Manager also allows users to export their EFS recovery certificates and private keys. Users are reminded to back up their EFS keys upon first use through a
Windows Firewall
Windows Vista significantly improves the firewall[7] to address a number of concerns around the flexibility of Windows Firewall in a corporate environment:
- IPv6 connection filtering
- Outbound packet filtering, reflecting increasing concerns about spyware and viruses that attempt to "phone home".
- With the advanced packet filter, rules can also be specified for source and destination IP addresses and port ranges.
- Rules can be configured for services by service name, chosen from a list, without needing to specify the full path file name.
- IPsec is fully integrated, allowing connections to be allowed or denied based on security certificates, Kerberos authentication, etc. Encryption can also be required for any kind of connection. A connection security rule can be created using a wizard that handles the complex configuration of IPsec policies on the machine. Windows Firewall can allow traffic based on whether the traffic is secured by IPsec.
- A new management console snap-in named Windows Firewall with Advanced Security, which provides access to many advanced options, including IPsec configuration, and enables remote administration.
- Ability to have separate firewall profiles for when computers are domain-joined or connected to a private or public network. Support for the creation of rules for enforcing server and domain isolation policies.
Windows Defender
Windows Vista includes Windows Defender, Microsoft's anti-spyware utility. According to Microsoft, it was renamed from 'Microsoft AntiSpyware' because it not only features scanning of the system for spyware, similar to other free products on the market, but also includes Real Time Security agents that monitor several common areas of Windows for changes which may be caused by spyware. These areas include Internet Explorer configuration and downloads, auto-start applications, system configuration settings, and add-ons to Windows such as Windows Shell extensions.
Windows Defender also includes the ability to remove
Device Installation Control
Windows Vista allows administrators to enforce hardware restrictions via Group Policy to prevent users from installing devices, to restrict device installation to a predefined white list, or to restrict access to removable media and classes of devices.[8][9]
Parental Controls
Windows Vista includes a range of
Windows Parental Controls includes an extensible set of options, with
Exploit protection functionality
Windows Vista uses
The Portable Executable format has been updated to support embedding of exception handler addresses in the header. Whenever an exception is thrown, the address of the handler is verified against the one stored in the executable header. If they match, the exception is handled; otherwise the run-time stack is assumed to have been compromised, and the process is terminated.
Function pointers are obfuscated by
Windows Vista binaries include intrinsic support for detecting stack overflows (buffer overruns on the stack). When a stack overflow is detected in a Windows Vista binary, the process is killed so that it cannot be used to carry out the exploit. Windows Vista binaries also place buffers higher in memory and non-buffer data, such as pointers and supplied parameters, in the lower memory area, so reaching those locations would require a buffer underrun rather than an overrun, and buffer underruns are much less common than buffer overruns.
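The two mechanisms just described, the exception-handler check and the stack cookie with buffer reordering, can be made concrete in a small portable model. The C code below is an added example written for this page, not Microsoft's implementation or compiler output: the frame layout is an explicit struct, the security cookie is a fixed constant, and the handler table standing in for the image's SafeSEH table is constructed inline. It also shows why the two checks complement each other: an exception raised after the overwrite but before the function returns is dispatched before the cookie is ever examined, so it is the handler validation, not the cookie, that stops a corrupted handler pointer from being called.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16

typedef int (*seh_handler)(int code);

/* Handlers the linker would have listed in the image's SafeSEH table.
 * The table itself is constructed for this model. */
static int handler_continue(int code) { return code; }
static int handler_retry(int code)    { return -code; }
static const seh_handler g_safe_handlers[] = { handler_continue, handler_retry };

/* Modelled frame. Real layouts are chosen by the compiler; this one keeps the
 * property the text describes: the buffer sits above scalar locals, and the
 * cookie sits between the buffer and the data an overrun would reach. */
typedef struct {
    uintptr_t   ptr_local;     /* below the buffer: an overrun cannot reach it */
    char        buf[BUF_SIZE]; /* the array copied into without a length check */
    uint32_t    cookie;        /* copy of the process security cookie */
    seh_handler seh;           /* exception handler registered for this frame */
    uintptr_t   return_addr;
} frame_t;

/* Fixed for determinism; Windows derives __security_cookie at start-up
 * (and on x64 XORs it with the frame address before storing it). */
static const uint32_t g_security_cookie = 0xA5C3E17Fu;

typedef enum {
    RETURNED_NORMALLY,  /* epilogue cookie check passed */
    GS_TERMINATED,      /* cookie changed: __security_check_cookie kills the process */
    SEH_HANDLED,        /* exception dispatched to a handler in the SafeSEH table */
    SAFESEH_TERMINATED  /* handler pointer not in the table: dispatch refuses it */
} outcome_t;

/* SafeSEH rule: a handler is only invoked if its address is registered. */
static int seh_handler_is_registered(seh_handler h)
{
    for (size_t i = 0; i < sizeof g_safe_handlers / sizeof g_safe_handlers[0]; i++)
        if (g_safe_handlers[i] == h) return 1;
    return 0;
}

/* Simulate a function that copies `len` untrusted bytes into buf without a
 * bounds check. If `exception_code` is non-zero, an exception is raised after
 * the copy and before the epilogue, which is the window SafeSEH covers and
 * the cookie check alone does not. */
outcome_t run_guarded(const unsigned char *input, size_t len,
                      int exception_code, frame_t *out, int *handler_rv)
{
    frame_t f;
    f.ptr_local   = 0xDEADBEEFu;       /* sentinel scalar local */
    f.cookie      = g_security_cookie; /* prologue stores the cookie */
    f.seh         = handler_retry;     /* prologue registers the frame's handler */
    f.return_addr = 0x401000u;         /* sentinel return address */
    memset(f.buf, 0, sizeof f.buf);

    /* Only the model's own bounds are enforced, so the example never writes
     * outside `f`; within the frame the copy is deliberately unchecked. */
    size_t room = sizeof f - offsetof(frame_t, buf);
    if (len > room) len = room;
    memcpy((unsigned char *)&f + offsetof(frame_t, buf), input, len);
    if (out) *out = f;

    if (exception_code != 0) {
        if (!seh_handler_is_registered(f.seh))
            return SAFESEH_TERMINATED;
        if (handler_rv) *handler_rv = f.seh(exception_code);
        return SEH_HANDLED;
    }
    /* Epilogue: the __security_check_cookie comparison. */
    return f.cookie == g_security_cookie ? RETURNED_NORMALLY : GS_TERMINATED;
}
```

With a 16-byte input the frame survives intact; 20 bytes clobber the cookie and the epilogue terminates; a 40-byte copy with an exception raised mid-function overwrites the handler pointer, and dispatch refuses it because it is not in the table. In every case `ptr_local`, placed below the buffer, is untouched, which is the point of the reordering.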
Application isolation
Windows Vista introduces Mandatory Integrity Control to set integrity levels for processes. A low integrity process cannot access the resources of a higher integrity process. This feature is used to enforce application isolation: applications at the medium integrity level, such as all applications running in the standard user context, cannot hook into system-level processes running at the high integrity level, such as administrator-mode applications, but can hook into lower integrity processes such as Windows Internet Explorer 7 or 8. A lower privilege process cannot perform window handle validation on a higher privilege process, cannot SendMessage or PostMessage to higher privilege application windows, cannot use thread hooks to attach to a higher privilege process, cannot use journal hooks to monitor a higher privilege process and cannot perform DLL injection into a higher privilege process.
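As an added example, not Microsoft's code, the following C model expresses the two rules in the paragraph as checkable functions: the mandatory label check that runs before the discretionary ACL check, and the UIPI window-message rule. The integrity RIDs and the NO_WRITE_UP / NO_READ_UP / NO_EXECUTE_UP policy flags are the real Windows values; the coarse `ACC_*` access classes, the `mandatory_label` struct, the default label and the function names are this example's own simplifications, and the handful of messages UIPI exempts is omitted. It goes slightly beyond the text in stating the general rule: the default label only forbids writing upward, so a Low process can still read Medium objects unless the object's label also carries NO_READ_UP.

```c
#include <stddef.h>

/* Integrity level RIDs of the mandatory label SIDs (S-1-16-<RID>). */
enum integrity_level {
    IL_UNTRUSTED = 0x0000,
    IL_LOW       = 0x1000,  /* e.g. Protected Mode Internet Explorer */
    IL_MEDIUM    = 0x2000,  /* standard user processes */
    IL_HIGH      = 0x3000,  /* elevated (administrator) processes */
    IL_SYSTEM    = 0x4000   /* services and other system processes */
};

/* Policy flags a SYSTEM_MANDATORY_LABEL_ACE can carry. */
#define LABEL_NO_WRITE_UP   0x1u
#define LABEL_NO_READ_UP    0x2u
#define LABEL_NO_EXECUTE_UP 0x4u

/* Coarse access classes used by this model in place of a full access mask. */
#define ACC_READ    0x1u
#define ACC_WRITE   0x2u
#define ACC_EXECUTE 0x4u

typedef struct {
    enum integrity_level level;
    unsigned policy;
} mandatory_label;

/* Objects with no explicit label are treated as Medium with no-write-up,
 * which is what Windows assumes for unlabelled securable objects. */
static const mandatory_label g_default_label = { IL_MEDIUM, LABEL_NO_WRITE_UP };

/* Mandatory integrity check. Returns 1 if the label permits `desired`,
 * 0 if the label alone denies it (the DACL check is out of scope here). */
int mic_check(enum integrity_level subject, const mandatory_label *object, unsigned desired)
{
    const mandatory_label *l = object ? object : &g_default_label;
    if (subject >= l->level)
        return 1; /* the label only restricts subjects below the object's level */
    if ((desired & ACC_WRITE)   && (l->policy & LABEL_NO_WRITE_UP))   return 0;
    if ((desired & ACC_READ)    && (l->policy & LABEL_NO_READ_UP))    return 0;
    if ((desired & ACC_EXECUTE) && (l->policy & LABEL_NO_EXECUTE_UP)) return 0;
    return 1;
}

/* User Interface Privilege Isolation: SendMessage/PostMessage, thread and
 * journal hooks, and handle validation are refused when the caller's process
 * is at a lower integrity level than the process owning the window. */
int uipi_allowed(enum integrity_level sender, enum integrity_level window_owner)
{
    return sender >= window_owner;
}
```

A Low-integrity browser process therefore fails `mic_check` for a write to an unlabelled (Medium) file but passes for a read, while a Medium process writes freely to a Low-labelled directory; `uipi_allowed` mirrors the hook and message rules of the paragraph, denying Low to Medium and Medium to High while permitting equal or downward sends.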
Data Execution Prevention
Windows Vista offers full support for the
If the processor supports the NX-bit, Windows Vista automatically enforces hardware-based
If DEP is enabled for all applications, users gain additional resistance against
Digital rights management
New digital rights management and content-protection features have been introduced in Windows Vista to help digital content providers and corporations protect their data from being copied.
- PUMA: Protected User Mode Audio (PUMA) is the new User Mode Audio (UMA) audio stack. Its aim is to provide an environment for audio playback that restricts the copying of copyrighted audio, and restricts the enabled audio outputs to those allowed by the publisher of the protected content.[12]
- HDCP). Microsoft claims that without these restrictions the content industry may prevent PCs from playing copyrighted content by refusing to issue license keys for the encryption used by HD DVD, Blu-ray Disc, or other copy-protected systems.[12]
- Protected Video Path - User-Accessible Bus (PVP-UAB) is similar to PVP-OPM, except that it applies encryption of protected content over the PCI Express bus.
- Rights Management Services (RMS) support, a technology that will allow corporations to apply DRM-like restrictions to corporate documents, email, and intranets to protect them from being copied, printed, or even opened by people not authorized to do so.
- Windows Vista introduces a Protected Process, Protected Video Path can create Protected Processes.
The inclusion of new digital rights management features has been a source of criticism of Windows Vista.
Windows Service Hardening
Windows Service Hardening compartmentalizes the services such that if one service is compromised, it cannot easily attack other services on the system. It prevents Windows services from doing operations on file systems, registry or networks
Services in Windows Vista also run in a less privileged account such as Local Service or Network Service, instead of the System account. Previous versions of Windows ran system services in the same login session as the locally logged-in user (Session 0). In Windows Vista, Session 0 is now reserved for these services, and all interactive logins are done in other sessions.[15] This is intended to help mitigate a class of exploits of the Windows message-passing system, known as Shatter attacks. The process hosting a service has only the privileges specified in the RequiredPrivileges registry value under HKLM\System\CurrentControlSet\Services.
Services also need explicit write permissions to write to resources, on a per-service basis. By using a write-restricted
Authentication and logon
Graphical identification and
Windows Vista can authenticate user accounts using
Cryptography
Windows Vista features an update to the crypto API known as Cryptography API: Next Generation (CNG). The
Revocation improvements include native support for the Online Certificate Status Protocol (OCSP) providing real-time certificate validity checking, CRL prefetching and CAPI2 Diagnostics. Certificate enrollment is wizard-based, allows users to input data during enrollment and provides clear information on failed enrollments and expired certificates. CertEnroll, a new COM-based enrollment API, replaces the XEnroll library for flexible programmability. Credential roaming capabilities replicate Active Directory key pairs, certificates and credentials stored in Stored User Names and Passwords within the network.
Metadata removal
The Remove Properties and Personal Information feature allows users to remove metadata from files before sharing them to protect their privacy. It supports a small number of file formats and the removal of a limited number of properties. However, it is possible for software developers to write extensions for this feature to make it support additional file formats and properties. It has been criticized for its very limited support of file formats and metadata elements and for having a misleading user interface.[16]
Network Access Protection
Windows Vista introduces Network Access Protection (NAP), which ensures that computers connecting to or communicating with a network conform to a required level of system health as set by the administrator of a network. Depending on the policy set by the administrator, the computers which do not meet the requirements will either be warned and granted access, allowed access to limited network resources, or denied access completely. NAP can also optionally provide software updates to a non-compliant computer to upgrade itself to the level as required to access the network, using a Remediation Server. A conforming client is given a Health Certificate, which it then uses to access protected resources on the network.
A Network Policy Server, running
- The interfaces for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information have been replaced with a new framework known as the Windows Filtering Platform (WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is integrated in the stack, which makes it easier for developers to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic.
- In order to provide better security when transferring data over a network, Windows Vista provides enhancements to the cryptographic algorithms used to protect data. Support for 256-bit and 384-bit elliptic curve cryptography has been added, so ECC cipher suites can be negotiated as part of the standard TLS handshake. The Schannel interface is pluggable, so advanced combinations of cipher suites can substitute a higher level of functionality.
- IKE cryptographic protocol to add features like authentication with multiple credentials, alternate method negotiation and asymmetric authentication.[17]
- Security for wireless networks is being improved with better support for newer wireless standards like VeriSign.
- Windows Vista also includes an Extensible Authentication Protocol Host (EAPHost) framework that provides extensibility for authentication methods for commonly used protected network access technologies such as 802.1X and PPP.[19] It allows networking vendors to develop and easily install new authentication methods known as EAP methods.
- Windows Vista supports the use of PEAP with PPTP. The authentication mechanisms supported are PEAPv0/EAP-MSCHAPv2 (passwords) and PEAP-TLS (smartcards and certificates).
- SSL channel.
x86-64-specific features
- 64-bit versions of Windows Vista enforce hardware-based Data Execution Prevention(DEP), with no fallback software emulation. This ensures that the less effective software-enforced DEP (which is only safe exception handling and unrelated to the NX bit) is not used. Also, DEP, by default, is enforced for all 64-bit applications and services on x86-64 versions and those 32-bit applications that opt in. In contrast, in 32-bit versions, software-enforced DEP is an available option and by default is enabled only for essential system components.
- An upgraded Kernel Patch Protection, also referred to as PatchGuard, prevents third-party software, including kernel-mode drivers, from modifying the kernel, or any data structure used by the kernel, in any way; if any modification is detected, the system is shut down. This mitigates a common tactic used by rootkits to hide themselves from user-mode applications.[20] PatchGuard was first introduced in the x64 edition of Windows Server 2003 Service Pack 1, and was included in Windows XP Professional x64 edition.
- Kernel-mode drivers on 64-bit versions of Windows Vista must be digitally signed; even administrators will not be able to install unsigned kernel-mode drivers.[21] A boot-time option is available to disable this check for a single session of Windows. 64-bit user-mode drivers are not required to be digitally signed.
- Code Integrity check-sums signed code. Before system binaries are loaded, each is verified against its check-sum to ensure it has not been modified. The binaries are verified by looking up their signatures in the system catalogs. The Windows Vista boot loader checks the integrity of the kernel, the Hardware Abstraction Layer (HAL), and the boot-start drivers. Aside from the kernel memory space, Code Integrity verifies binaries loaded into a protected process and system-installed dynamic libraries that implement core cryptographic functions.
Other features and changes
A number of specific security and reliability changes have been made:
- Stronger encryption is used for storing LSA secrets (cached domain records, passwords, EFS encryption keys, local security policy, auditing etc.)[22]
- Support for the IEEE 1667 authentication standard for USB flash drives with a hotfix for Windows Vista Service Pack 2.[23]
- The Kerberos SSP has been updated to support ECC.[25]
- Software Restriction Policies introduced in Windows XP have been improved in Windows Vista.SHA256. Certificate rules can now be enabled through the Enforcement Property dialog box from within the Software Restriction Policies snap-in extension.
- To prevent accidental deletion of Windows, Vista does not allow formatting the boot partition when it is active (right-clicking the C: drive and choosing "Format", or typing "Format C:" (without quotes) at the Command Prompt, will yield a message saying that formatting this volume is not allowed). To format the main hard drive (the drive containing Windows), the user must boot the computer from a Windows installation disc or choose the menu item "Repair Your Computer" from the Advanced System Recovery Options by pressing F8 upon turning on the computer.
- Additional EFS settings allow configuring when encryption policies are updated, whether files moved to encrypted folders are encrypted, Offline Files cache files encryption and whether encrypted items can be indexed by Windows Search.
- The Stored User Names and Passwords (Credentials Manager) feature includes a new wizard to back up user names and passwords to a file and restore them on systems running Windows Vista or later operating systems.
- A new policy setting in Group Policy enables the display of the date and time of the last successful interactive logon, and the number of failed logon attempts since the last successful logon with the same user name. This will enable a user to determine if the account was used without his or her knowledge. The policy can be enabled for local users as well as computers joined to a functional-level domain.
- Windows Resource Protection prevents potentially damaging system configuration changes,[27] by preventing changes to system files and settings by any process other than Windows Installer. Also, changes to the registry by unauthorized software are blocked.
- Protected-Mode Internet Explorer: DPAPI) to store their credentials such as passwords instead of the less secure Protected Storage (PStore).
- Network Location Awareness integration with the Windows Firewall. All newly connected networks default to "Public Location", which locks down listening ports and services. If a network is marked as trusted, Windows remembers that setting for future connections to that network.
- User-Mode Driver Framework prevents drivers from directly accessing the kernel; instead they access it through a dedicated API. This new feature is important because a majority of system crashes can be traced to improperly installed third-party device drivers.[28]
- Windows Security Center has been upgraded to detect and report the presence of anti-malware software as well as monitor and restore several Internet Explorer security settings and User Account Control. For anti-virus software that integrates with the Security Center, it presents the solution to fix any problems in its own user interface. Also, some Windows API calls have been added to let applications retrieve the aggregate health status from the Windows Security Center, and to receive notifications when the health status changes.
- Protected Storage (PStore) has been deprecated and therefore made read-only in Windows Vista. Microsoft recommends using DPAPI instead of PStore to store credentials.
- The built-in administrator account is disabled by default on a clean installation of Windows Vista. It also cannot be accessed from safe mode as long as there is at least one additional local administrator account.
References
- ^ Steve Lipner, Michael Howard (March 2005). "The Trustworthy Computing Security Development Lifecycle". Microsoft Developer Network. Retrieved 2006-02-15.
- ^ Charles (2007-03-05). "UAC - What. How. Why" (video). Retrieved 2007-03-23.
- ^ "Windows Vista Beta 2 BitLocker Drive Encryption Step-by-Step Guide". Microsoft TechNet. 2005. Retrieved 2006-04-13.
- ^ "Windows Trusted Platform Module Management Step-by-Step Guide". TechNet. Microsoft. Retrieved 18 November 2014.
- MSDN. Microsoft. Retrieved 18 November 2014.
- MSDN. Microsoft. Retrieved 18 November 2014.
- ^ The January 2006 issue of The Cable Guy covers the new features and interfaces in Windows Firewall in greater detail.
- MSDN. Microsoft. 11 May 2010.
- TechNet Magazine. Microsoft. 8 September 2016.
- ^ Howard, Michael (May 26, 2006). "Address Space Layout Randomization in Windows Vista". MSDN. Microsoft. Archived from the original on May 29, 2006. Retrieved March 20, 2023.
- ^ "Security advancements in Windows Vista". Archived from the original on 2007-04-11. Retrieved 2007-04-10.
- ^ a b "Output Content Protection and Windows Vista". WHDC. Microsoft. April 27, 2005. Archived from the original on 6 August 2005. Retrieved 2006-04-30.
- ^ Protected Processes in Windows Vista
- ^ "Windows Vista Security and Data Protection Improvements – Windows Service Hardening". TechNet. Microsoft. June 1, 2005. Retrieved 2006-05-21.
- ^ Impact of Session 0 Isolation on Services and Drivers in Windows Vista covers Windows Vista's session isolation changes.
- ^ Remove Properties and Personal Information: A Misleading Feature!
- ^ AuthIP in Windows Vista
- ^ The Cable Guy: Wireless Single Sign-On
- ^ EAPHost in Windows
- ^ Field, Scott (August 11, 2006). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. MSDN Blogs. Retrieved August 12, 2006.
- ^ "Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista". WHDC. Microsoft. May 19, 2006. Archived from the original on April 12, 2006. Retrieved May 19, 2006.
- ^ Windows LSA Secrets
- ^ An update is available that enables the support of Enhanced Storage devices in Windows Vista and in Windows Server 2008
- ^ Kerberos Enhancements in Windows Vista: MSDN
- ^ TLS/SSL Cryptographic Enhancements in Windows Vista
- ^ Using Software Restriction Policies to Protect Against Unauthorized Software
- ^ Windows Vista Management features
- ^ CNET.com (2007). "Windows Vista Ultimate Review". Retrieved 2007-01-31.
- ^ "SPAP Deprecation (PStore)". Archived from the original on 2008-04-21. Retrieved 2007-04-17.