It seems that every time I sit down with Microsoft to discuss Windows Vista, something has been changed or added, which is good. In some cases, something has been removed, which is bad. One and a half years from launch, I understand that beta code changes frequently. Here's my standard disclaimer: the following article is based on the last build from Microsoft, Windows Vista build 5219, released September 2005. It is one semi-public build later than the Beta 1 currently in limited circulation, but Microsoft is careful not to call it Beta 2, although it is based on code that will eventually become Beta 2 (got that?).
Like Linux, like Mac...
Microsoft seems keenly aware of its competition. For years, Linux and the Mac OS have assigned administrator privileges to a separate user account, not the default user account, so malware has found it harder to infect those operating systems. Microsoft had argued that Windows was easier for everyone to use; Microsoft's user-cum-administrator access within Windows allowed you to make changes within the operating system with ease. But the downside of this convenience is steep; viruses and malicious code picked up over the Internet could also perform changes and could even take over your computer.
In Vista, Microsoft offers something called User Account Protection (UAP). Under UAP, standard users can still install software and make changes within the OS, but they'll first be prompted to enter an administrator password. Even Administrator accounts (like those in XP) will be limited, requiring additional passwords to perform high-level tasks. That might seem a hassle, but there's an immediate benefit to this extra layer of passwords: you'll be prompted before anything rogue attempts to install on your machine. This should reduce the need for anti-spyware applications in the future.
And speaking of restrictions, Microsoft also plans to reduce the amount of kernel-level code in Vista, relocating a number of device drivers and virus scanners that currently write to the protected areas of the system registry. For example, all printer drivers write to the kernel, requiring a reboot. The downside is that if the printer driver ever misbehaves, it'll take down your entire system. Under the new Vista plan, printer drivers, antivirus scanners and other devices will install on the user level only -- not within the OS kernel. As a result, look for new Vista-compatible antivirus products to be released next autumn.
Internet Explorer 7 for Vista
IE 7 for Vista (as opposed to IE 7 for XP SP2, which will be released first) will operate in a restricted mode as well. The browser will be able to write only to the History and Temporary Internet folders; it cannot, for example, upgrade privileges without your Administrator password. This should prevent malware from hijacking your browser and taking control of your PC.
IE 7 will also require you to turn on or off any add-ins, such as the Flash player, and IE 7 for Vista will have built-in anti-phishing technology. Whenever you attempt to access a page that Microsoft determines to contain the potential for ID theft, you'll receive a warning. You may proceed, but at your own risk. The plan here is that users will report suspected phishing sites, and the MSN division of Microsoft will check them out and maintain a database of blacklisted sites. The details of this technology are sketchy, and I suspect this feature will change before the final release.
Hits and misses
One of the really wild ideas being discussed for Windows Vista is self-healing software. The applications and the OS will contain a list of key hash files; if any of the files have changed over time or are missing, the software will automatically reinstall the file upon loading. Also, whenever the OS is updated, Windows Update will check your system for known malware and remove it. These are cool ideas, should they be implemented.
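The self-healing check described above, sketched as an added example (not Microsoft's code and not part of the original article): files are compared with a stored hash list, and any that are missing or changed are restored from a trusted copy. It assumes the hash list is authenticated with an HMAC under a hypothetical key, so a modified list is rejected rather than obeyed; the function names, file names and directories are constructed for illustration.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: stands in for a vendor-held key

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def _mac(hashes, key):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(source_dir, key):
    """Hash every file in the trusted source and authenticate the list."""
    hashes = {p.name: sha256_file(p) for p in source_dir.iterdir() if p.is_file()}
    return {"hashes": hashes, "mac": _mac(hashes, key)}

def heal(install_dir, source_dir, manifest, key):
    """Restore missing or modified files; return the sorted names repaired."""
    if not hmac.compare_digest(_mac(manifest["hashes"], key), manifest["mac"]):
        raise ValueError("hash list failed authentication; refusing to repair")
    repaired = []
    for name, digest in sorted(manifest["hashes"].items()):
        target = install_dir / name
        if target.is_file() and sha256_file(target) == digest:
            continue  # file is present and unchanged
        if sha256_file(source_dir / name) != digest:
            raise ValueError(f"trusted copy of {name} does not match the list")
        shutil.copyfile(source_dir / name, target)
        repaired.append(name)
    return repaired

def demo():
    """Constructed sample: one file modified, one deleted, one untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        source, install = Path(tmp, "source"), Path(tmp, "install")
        source.mkdir()
        for name in ("app.exe", "core.dll", "help.txt"):
            (source / name).write_bytes(b"original " + name.encode())
        shutil.copytree(source, install)
        manifest = build_manifest(source, KEY)
        (install / "core.dll").write_bytes(b"modified by something else")
        (install / "help.txt").unlink()
        repaired = heal(install, source, manifest, KEY)
        return repaired, heal(install, source, manifest, KEY)
```

`demo()` returns the files repaired on the first pass and on a second pass, which is empty once the install directory matches the list again.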
Then there are some obvious misses. Microsoft plans to finally roll out its two-way firewall, but once again, the new firewall feature won't be on by default. Given Microsoft's past performance with firewalls, though, I'd say you're better off using a third-party product such as ZoneAlarm instead. Still, providing a two-way firewall shouldn't be such a hassle. Microsoft says it doesn't want the user to experience 'dialogue fatigue' from accepting or denying applications that want to access the Internet. Microsoft will have a whitelist of programs permitted to run under Windows Firewall, but it sounds as though it won't be as thorough as that offered by ZoneAlarm or other major firewall vendors. I remain baffled as to why Microsoft can't seem to get a basic security feature like a personal firewall right.
It's coming: Microsoft antivirus
Also missing will be the much-rumoured Microsoft antivirus application. I wrote a while ago that I didn't think Microsoft would get into the antivirus business, displacing stalwarts such as Symantec and McAfee. Doing so would also open the software giant up to charges of creating a monopoly. Instead, through the aegis of MSN, Microsoft will offer something called OneCare, a protection service that users subscribe to annually. OneCare will manage just about everything on your PC, from backups to disk defragmentation, and will also include Microsoft's GeCad-based antivirus program as part of the service. So OneCare won't really compete with Symantec and McAfee, but I think that's a fine legal distinction.







Talkback
Requiring an administrator password to install software might be a great idea in Linux geek world, but just is not suitable for real world computing. It is not reasonable to expect a user to log on twice or have additional passwords to install software.
Microsoft should just buy one of the major anti-virus software companies, include it in its OS and give two fingers to the various interfering monopolies boards.
Are you for real? Consider the present situation with malware taking over PCs on a minute by minute basis. It is NO inconvenience to provide an extra level of protection. People will just have to get used to it.
Steadily Windows moves towards what Linux provided in 1992.
Before you start mouthing off about Microsoft and how they can't provide this and that, please remember that Microsoft has lots of money, and this pile of money is very good for many poor companies/individuals/governments who will sue them for ANYTHING Microsoft develops/does. If Microsoft provided the best firewall, ZoneLabs and Symantec would sue them, if they included Anti-Virus software, Symantec would sue them, if they do anything like this to the OS, everybody will sue them for some dumbass reason.
Think about it, it's quite clear, Microsoft is unlike many other companies, everything they attempt to do has to be cleared by legal pretty much these days to ensure that the chance that they can be sued over it is eliminated. If you don't like Windows or the way it's going in certain fields, blame those annoying people like the EU who will sue with baseless grounds, demand things that nobody wants just to make money off Microsoft's money.
Vista...
too little, too late.
More copycat than innovation.
Domino effect (will require additional investments; e.g.: third-party software).
Not there yet (check out their road map for the next several years).
Given history lessons, it's best to take a wait and see approach to see what actually gets delivered versus what's promised. And be mindful of attached strings and pitfalls.
You can't take seriously an article where someone recommends ZoneAlarm....
Self-healing is included in any MSI application today as long as the key files are set up correctly.
Quote: "For example, all printer drivers write to the kernel, requiring a reboot"
I have worked with Windows systems for a number of years. Whilst I admit that my knowledge of the 9x codebase is now sketchy at best (as I stopped using it years ago!) I cannot ever recall having to reboot to use a printer driver on the NT codebase. AFAIK, the only time this could possibly happen is if a vendor created a service that had to be initialized at boot time. I have never seen this type of service used for printer drivers. Whilst I concede I may be wrong, perhaps the author would like to provide examples of printer drivers on NT/2K/XP that require reboot before use.
Sadly, I fear that certain parties will leap on this as gospel truth since they are so desperate to believe it...
HP Deskjet920c printer drivers. I have to reboot every time I install them. Same for all-in-one printers I've installed for people. I don't randomly reboot, it actually says I must reboot to complete the installation.
The features you talk about are so overdue... however you only mention the good bits and not the factor Microsoft is adding monitor lookout services.... I bought a Dell 24" widescreen, and now I understand when I upgrade a year later my monitor is not supported.... it is not like previous upgrades where my device can't perform well enough or I had an obvious alternative, the feature of content protection is not spoken much about...
Anyways, all these features come in other OSes and aren't much to speak about.... Tell the reader something new and don't be such a mouthpiece for PR.....
Response to reader comments:
My wife agrees with Jon. She would rather run 3 different spyware/malware programs every morning before starting to work on the system than use a standard user account instead of an administrator level acct.
Of course she complains about it constantly and goes through her filesystem deleting any files that have recent datestamps on them without knowing what they are and why they are there (or why they might have a recent datestamp even if they aren't new files). She also can't ever find her XP install disk and constantly asks me where it is. I don't use XP so she's also never happy to hear me offer my W2k install disk. She hates 2000, but loves XP.
-------
I am also fascinated with Microsoft's genius wealth redistribution program where they benefit end users and small businesses by being an easy target for litigation. There's a professional IT notion for you!
Of course the cannibalization of Independent Software Vendors and business partners may have some negative effect on the economy as well.
On the other hand they could just write their own software and create a good product and give money away to those who need it through a distribution plan that isn't so time consuming and wasteful. Another positive side-effect would be the reduced income for lawyers if they just gave money away instead of creating liabilities in order to help the needy and deserving (who are also willing to go to court). But innovation is the key here, isn't it?
Now on to the article content:
I find it odd that protecting the system from programs with too high of a privilege level would be called User Account Protection. Seems backwards. It is a much needed feature though. I also like that it has better granularity than just having one privilege level. This is a valuable addition as long as the OS can be modularly re-installed based on which part gets eaten by malware or viruses that jump over the privilege boundary to destroy part of the OS.
Reducing kernel level code is a good thing as long as they don't go too far. Little danger of that though since this is the first step in a remedial action. More work will/should no doubt be done in later releases.
How can programs write to a "protected" area of the Registry? Is it protected, or not? Seems like this is a good place to tighten up the privilege level fixes. Or reduce the reliance on the Registry.
I'm very impressed with the improvements in IE 7. Being able to turn plugins on and off is a big plus based on the number of complaints I hear from end users about various plugins. Removing the ability to install malware and viruses automatically is a good thing too (unless you are a virus writer).
The anti-phishing implementation is badly needed but why use a black-list when a phishing site can just change URLs and go back online once it's been discovered? This is vulnerable to the "counting to infinity" attack whereas legitimate sites would be finite even if very large. A whitelist seems more practical unless phishing becomes so unrewarding that it becomes trivial to list all phishing sites. Any progress is good in this area though.
The self-healing feature sounds like a new point of attack. Why not attack and change the hash files in the list and then just be able to install any file or version of a file that you want? Hopefully it will be well defended.
Building a software firewall into the target system isn't a very good security practice unless there are other routers and firewalls in place in front of it. It's better than putting a screaming bullseye naked on the Internet though. MS should consider offering a hardware firewall for systems that face the Internet. At least until they get some reasonable security in place within the OS.
I will leave it to the other readers to evaluate the service offering through MSN for anti-virus, backups and disk defragmentation. If you find it worth paying for those serv
Vista viruses.
Anybody know if there is a fix for these viruses yet?
computerworld.com.sg/ShowPage.aspx?pagetype=2&articleid=2305&pubid=3&issueid=59
This is from last August, a few days after the new Monad command line shell was released. So I'm hoping some progress has been made in regard to this vulnerability.
This Microsoft page has a lot of good resources (webcasts, podcasts, etc.) about Windows Vista's security features if you want to learn more.
http://www.microsoft.com/events/series/technetvista.aspx