Post a comment

Story: Windows Vista's new security features

Response to reader comments:

My wife agrees with Jon. She would rather run 3 different spyware/malware programs every morning before starting to work on the system than use a standard user account instead of an administrator level acct.

Of course she complains about it constantly and goes through her filesystem deleting any files that have recent datestamps on them without knowing what they are and why they are there (or why they might have a recent datestamp even if they aren't new files). She also can't ever find her XP install disk and constantly asks me where it is. I don't use XP so she's also never happy to hear me offer my W2k install disk. She hates 2000, but loves XP.
-------
I am also fascinated with Microsoft's genius wealth redistribution program where they benefit end users and small businesses by being an easy target for litigation. There's a professional IT notion for you!

Of course the cannibalization of Independent Software Vendors and business partners may have some negative effect on the economy as well.

On the other hand they could just write their own software and create a good product and give money away to those who need it through a distribution plan that isn't so time consuming and wasteful. Another positive side-effect would be the reduced income for lawyers if they just gave money away instead of creating liabilities in order to help the needy and deserving (who are also willing to go to court). But innovation is the key here, isn't it?

Now on to the article content:

I find it odd that protecting the system from programs with too high of a privilege level would be called User Account Protection. Seems backwards. It is a much needed feature though. I also like that it has better granularity than just having one privilege level. This is a valuable addition as long as the OS can be modularly re-installed based on which part gets eaten by malware or viruses that jump over the privilege boundary to destroy part of the OS.

Reducing kernel level code is a good thing as long as they don't go too far. Little danger of that though since this is the first step in a remedial action. More work will/should no doubt be done in later releases.

How can programs write to a "protected" area of the Registry? Is it protected, or not? Seems like this is a good place to tighten up the privilege level fixes. Or reduce the reliance on the Registry.

I'm very impressed with the improvements in IE 7. Being able to turn plugins on and off is a big plus based on the number of complaints I hear from end users about various plugins. Removing the ability to install malware and viruses automatically is a good thing too (unless you are a virus writer).

The anti-phishing implementation is badly needed but why use a black-list when a phishing site can just change URLs and go back online once it's been discivered? This is vulnerable to the "counting to infinity" attack whereas legitimate sites would be finite even if very large. A whitelist seems more practical unless phishing becomes so unrewarding that it becomes trivial to list all phishing sites. Any progress is good in this area though.

The self-healing feature sounds like a new point of attack. Why not attack and change the hash files in the list and then just be able to install any file or version of a file that you want? Hopefully it will be well defended.

Building a software firewall into the target system isn't a very good security practice unless there are other routers and firewalls in place in front of it. It's better than putting a screaming bullseye naked on the Internet though. MS should consider offering a hardware firewall for systems that face the Internet. At least until they get some reasonable security in place within the OS.

I will leave it to the other readers to evaluate the service offering through MSN for anti-virus, backups and disk defragmentation. If you find it worth paying for those serv

Full Talkback thread