Windows Vista Security Features

Although the Windows Vista Aero user interface is the most obvious change to Windows Vista, some of the more important, if less obvious, changes in this new operating system regard security. In this article, we examine the various new security features in Windows Vista.

Security and Windows Vista It’s been a tough decade for Windows users. As Microsoft’s operating system entered the dominant phase of its existence, hackers began focusing almost solely on Windows, since that’s where all the users are. As a result, various Windows versions have suffered through a seemingly neverending series of electronic attacks, security vulnerabilities, and high-profile malware breakouts. In 2003, Microsoft halted development of its major operating system and application products and began an internal review of its software development practices. The company went back and re-examined the source code to its then-current projects and developed a new software engineering approach that is security-centric. Now, the software giant will not release any software product that hasn’t undergone a stringent series of security checks. Windows Vista is the first client operating system shipped since that time that’s been developed from the get-go with these principles in mind. It has been architected to be secure from the beginning. Is Windows Vista impenetrable? Of course not. No software is perfect. But Windows Vista is demonstrably more secure than its predecessors. And although we will no doubt face awesome security threats in the future, Microsoft at least has the lessons it learned from the mistakes of the past to fall back on. There’s little doubt that the security enhancements in Windows Vista will prove to be a major reason many people will upgrade to this version. It’s not a misplaced desire. Windows Vista’s security features extend all the way through the system, from the highprofile applications, applets, and control panels you will deal with every day to the lowlevel features most Windows users have never heard of. In this article, we’ll highlight most of Vista’s new security features, starting with those you will likely have to deal with as soon as you begin using Microsoft’s latest operating system.

Windows Security Center When Microsoft shipped Windows XP Service Pack 2 (SP2) in the wake of its 2003 code review, one of the major and obvious new features it added to the operating system was the Security Center, a dashboard or front end of sorts to many of the system’s security features. In Windows XP SP2, Security Center was designed to track the system’s firewall, virus protection, and Automatic Updates configuration to ensure that each were enabled and as up-to-date as possible. If any of these features were disabled or out of date, Security Center would warn the user via a shield icon in the notification area near the system clock, or via pop-up warning balloons. In Windows Vista, Security Center has been dramatically updated in order to support new security features in this Windows version. Shown in article 8-1, Vista’s Security Center looks superficially similar to the XP SP2 version, but there’s actually a lot more going on there once you begin examining its new functionality.

The basic way that Windows Security Center works hasn’t changed. Security Center still tracks certain security features and ensures that they’re enabled and up-to-date. If they’re not, Security Center will display its shield icon and alert you via pop-up balloons. But as you can see by looking at article 8-1, Security Center now tracks far more security features than before. Here’s what Security Center is monitoring:

Firewall: Security Center ensures that Windows Firewall is enabled and protecting your PC against malicious software that might travel to your PC via a network or Internet.

Automatic Updates: Like Windows XP, Windows Vista includes an Automatic Updates feature that can automatically download and install critical security fixes from Microsoft the moment they are released. Security Center ensures that Automatic Updates is enabled.

Antivirus protection: Although Windows Vista doesn’t ship with any antivirus protection, Security Center still checks to ensure that an antivirus service is installed and up-to-date. Modern antivirus solutions are designed to integrate with Security Center so that the system can perform this monitoring function.

Spyware and other malware protection: New to Windows Vista is Windows Defender, Microsoft’s antispyware and antimalware tool. Windows Security Center ensures that Windows Defender is enabled, active, and using up-to-date spyware definitions.

Internet security settings: New to Windows Vista, Security Center ensures that Internet Explorer 7 is configured in a secure manner. If you change any IE security settings, Security Center will warn you constantly about this issue.

User Account Control: Security Center ensures that the User Account Control (UAC) technology, also new to Windows Vista, is active. Described more fully in Article 9, User Account Control is one of the many security technologies in Windows Vista that is designed to ensure that the system is running with the minimum exposure to electronic threats. If all of the features Security Center is monitoring are enabled and up-to-date, you won’t ever see Security Center unless you manually navigate to it. (You can find Security Center in Control Panel -> Security -> Security Center.) However, if one or more of these features are disabled, misconfigured, or out of date, Security Center will provide the aforementioned alerts. It will also display its displeasure with red-highlight sections in the main Security Center window. In such a case, you can expand the offending section and resolve the issue using a button in the windows. For example, if you disabled User Account Control, you’ll see a Turn it on now button that will immediately enable that feature and return your system to a more secure state. One new Security Center feature in Windows Vista enables you to configure how Security Center alerts you when a security feature is not working properly. Open Security Center and click the link titled Change the way Security Center alerts me to see the dialog box shown in article 8-2. This way, you can optionally disable the popup alerts if you’d like.

The Security Center also provides handy links to the various security features it monitors, including Windows Update, Windows Firewall, Windows Defender, and Internet Options.

Windows Defender Over the years, hackers have adapted and come up with new and inventive ways to attack PCs. Recently, spyware, one of the most pervasive and difficult forms of malware yet invented, has become a serious issue. For this reason, Windows Vista includes an integrated antispyware and antimalware package called Windows Defender. Unlike some security products, you won’t typically see Windows Defender, as it’s designed to work in the background, keeping your system safe. However, if you’d like to manually scan your system for malware or update your spyware definitions, you can do so by loading the Windows user interface, available through the Start Menu. Shown in article 8-3, Windows Defender features a simple interface. You can trigger a malware scan, view the history of Defender’s activities, or access various tools and options.

Security researchers almost unanimously agree that no one antispyware product is enough to completely protect your PC from malware attacks. For this reason, we recommend that you always run at least two antispyware products at the same time. See the Windows Secrets Web site (www.windowssecrets.com) for a list of recommended antispyware solutions.

Windows Defender is also available for Windows XP. If you have other XP-based PCs, you might want to consider downloading Windows Defender for those systems as well. Curiously, Windows Vista does not include an antivirus solution, which we feel is a major omission. You can find a list of Vista-compatible antivirus products on the Microsoft web site

www.microsoft.com/security/partners/antivirus.asp.

One of the best features in Windows Defender is hidden a bit in the application’s user interface. The Software Explorer - found in Tools -> Software Explorer - lists the applications that run at startup (you can also change the display to list currently running applications, network-connected applications, and other features). Best of all, you can actually remove or disable startup applications. In previous versions of Windows, you would use the System Configuration utility (msconfig.exe) for this functionality; System Configuration is still available in Windows Vista, but Windows Defender’s Software Explorer feature is arguably a better solution because it provides so much information.

Windows Firewall Back when Microsoft first shipped Windows XP in 2001, it included a feature called Internet Connection Firewall (ICF) that could have thwarted many of the electronic attacks that crippled that system over the ensuing several years. There was just one problem: ICF was disabled by default, and enabling and configuring it correctly required a Master’s degree in Rocket Science. Microsoft wised up and shipped an improved ICF version, renamed as Windows Firewall, with Windows XP SP2. Now, in Windows Vista, you get an even better Windows Firewall. Unlike the SP2 version of Windows Firewall, the version in Windows Vista can monitor certain outbound network traffic as well as inbound network traffic. And because it’s integrated so deeply into the system, it can prevent Windows components from sending data out over the network if they’re not designed to do so. This should prevent problems that arise when certain Windows components are replaced by malicious code. There’s some confusion about how the Windows Firewall is configured in Windows Vista. Although it is indeed enabled to monitor both inbound and outbound network traffic, it is configured differently for each direction. Windows Firewall, by default, is configured to block all incoming network traffic that is not part of an exception rule, and allow all outgoing network traffic that is not blocked by an exception rule.

The Windows Firewall user interface is simplicity itself. Shown in article 8-4, Windows Firewall is initially configured to block any unknown or untrusted connections to the PC that originate over the network. You can enable exceptions to this behavior on the Exceptions tab. Typically, you just leave it alone of course.

The Windows Firewall interface described previously is quite similar to that found in Windows XP with Service Pack 2. But Microsoft also includes a second, secret interface to its firewall that presents far more options. It’s called Windows Firewall with Advanced Security, and you can access it via the also-hidden Administrative Tools that ship with all mainstream Windows Vista versions. To find it, navigate to Control Panel and turn on Class View. Then, navigate into Administrative Tools and then Windows Firewall with Advanced Security. 8-5, the tool loads into a Microsoft Management Console (MMC).

Here, you can inspect and configure advanced firewall features, such as inbound connection rules and outbound connection rules, and so on. This tool is almost identical to the one Microsoft will ship with the next Windows Server version and should be of interest to advanced users. As good as Vista’s firewall is, you should absolutely use a third-party firewall instead if you’re using a security software suite. In such cases, the security suite will typically disable Windows Firewall automatically and alert Windows Security Center that it is now handling firewalling duties. Unlike with antispyware applications, you should never run two firewalls at the same time, as they will interfere with each other.

Windows Update In previous Windows versions, Microsoft offered a Web-based service called Windows Update that provided software updates to Windows users. That service has since been superseded by Microsoft Update, which also provides updates to many other Microsoft software products. But Windows Update lives on in Windows Vista, albeit in a brand-new form. 8-6, Windows Update is now a client application that you can access from the Start Menu. From here, you can check for and install new updates, hide updates you don’t want to be alerted about any more, and view the history of updates you’ve already installed. You can also click a link to enable Microsoft Update functionality, allowing Windows Update to download and install updates for other Microsoft applications, like Microsoft Office.

Users of Windows Vista Ultimate can also access Windows Ultimate Extras from Windows Update. These extras include exclusive applications, services, and collections of tips and tricks. Windows Ultimate Extras appear in Windows Update whenever there are new updates to download.

Curiously, Windows Update doesn’t offer any links to Automatic Updates, the Windows feature that automatically downloads critical security fixes. Furthermore, you can’t access Automatic Updates from its old location in the System Properties dialog box as you could in Windows XP. That’s because Automatic Updates has been replaced by a new feature of Windows Update that’s logically named automatic updating. Configured when Windows Vista is first set up, automatic updating allows Windows Update to behave like the old Automatic Updates tool. To configure automatic updating, open Windows Update and click on the Change Settings link. You’ll see the window shown in article 8-7. This window also enables you to configure whether Windows Update will connect to the Microsoft Update service, which provides updates for Microsoft applications, as well as Windows itself.

User Account Security Features Windows Vista includes two major technologies that help protect different types of user accounts against outside threats. Dubbed User Account Control and Parental Control, these technologies are discussed in Article 9.

Internet Explorer 7 Security Features The version of Internet Explorer included with Windows Vista includes a number of advanced security technologies that make this the safest version of IE yet. In this section, we’ll examine the many security features Microsoft added to Internet Explorer 7. And let’s face facts, these features were necessary: Ever since Microsoft integrated Internet Explorer with the Windows shell beginning in the mid-1990s, Internet Explorer has been a major avenue of attack against Windows. With Windows Vista, finally, Microsoft has decoupled IE from the Windows shell and introduced advanced security controls that make IE safer.

ActiveX Opt-In Initially developed as a lightweight version of COM (Component Object Model) - executable code modules that would be small and fast enough to work over the Internet - Microsoft’s ActiveX technology has been maligned by security experts as being one of the most insecure technologies ever created. ActiveX controls literally litter every Windows system in existence, and hundreds of thousands of them are available online. Unfortunately, some of the controls - which can take various forms, such as browser helper objects, toolbars, and so on - are malicious and designed to hurt PCs. In previous Internet Explorer versions, Microsoft didn’t differentiate between ActiveX controls that were designed expressly for the Web - such the Adobe Reader add-on - and those that were really designed to be used locally on the PC only (Microsoft includes many such controls with Windows). With Internet Explorer 7, a new feature called ActiveX Opt-In automatically disables entire classes of ActiveX controls, including those that were not designed specifically for use over the Internet. If you know a particular control is safe, the Information Bar lets you enable the control and proceed.

Protected Mode Available only in Windows Vista, Internet Explorer Protected Mode ensures that Internet Explorer 7 runs with even lower security privileges than a standard user account. This ensures that automated electronic attacks cannot succeed against Internet Explorer 7, and since the browser is restricted from accessing any part of the user’s hard drive other than the Temporary Internet Files folder, Internet Explorer is effectively sandboxed from the rest of Vista. The net result is that should an attack succeed somehow, any malicious code that is injected into the system will find itself in a part of the system that is isolated from the rest of the file system. Furthermore, the code will simply be deleted when Vista reboots.

Fix My Settings In the past, it was sometimes necessary to temporarily change Internet Explorer’s security settings in order to run a certain Web application or access certain online features. But once you did that, it was hard to tell what you needed to do to get Internet Explorer back to its default state. If you are forced to change Internet Explorer 7’s security settings in a way that lowers Vista’s security prowess, the browser will begin prompting you with its Information Bar. Then, you can access a simple new feature called Fix Settings for Me to return IE to its default security settings. 8-9, this feature simply requires you to click the Information Bar and select Fix Settings for Me. You’ll be prompted with a confirmation dialog box, and Internet Explorer reverts to its default settings. It’s easy and effective.

Phishing Filter Internet Explorer 7 includes an integrated Phishing Filter that can help prevent you from being a victim of identity theft. These so-called phishing attacks are described in Article 18. Curiously, the Phishing Filter is optional in Internet Explorer 7. We cannot stress this strongly enough: You should enable this feature the first time you run Internet Explorer 7 (you’ll be prompted). If you didn’t do so and would like to enable it now, click the Tools button in the IE command bar and select Phishing Filter and then Turn On Automatic Website Checking.

Delete Browsing History In previous Internet Explorer versions, it was difficult to delete various data related to Web browsing, such as temporary Internet files, cookies, web history, saved form data, or saved passwords. In Internet Explorer 7, this information can all be deleted from a single dialog, either individually or all at once. Shown in article 8-10, Delete Browsing History is available from the Tools button in the IE command bar.

Other Internet Explorer Security Features The list of Internet Explorer 7 security features is vast, although you won’t likely run into most of them unless you’re truly unlucky. IE 7 integrates with Windows Defender to provide live scanning of web downloads to ensure you’re not infecting your system with spyware, and it integrates with Vista’s parental controls ( 9) to make sure your children are accessing only those parts of the Web you deem as safe. IE 7 provides International Domain Name (IDN) support so that hackers can’t construct malicious web sites that mix character sets in order to fool unsuspecting users. And there are various low-level changes that prevent cross-domain or -window scripting attacks. Should Internet Explorer 7 somehow be compromised, there’s even a way out. A new Internet Explorer mode called Add-ons Disabled mode loads IE with only a minimal set of add-ons so you can scrub the system of any malicious code. You access this mode by navigating to All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-Ons) in the Start Menu.