[ISN] Vista Takes Security Up a Notch

From: InfoSec News (alerts@private)
Date: Tue Nov 28 2006 - 01:30:44 PST


http://www.eweek.com/article2/0,1895,2063967,00.asp

By Andrew Garcia
November 26, 2006

Review: But new features will have greater impact on consumers than 
corporations.

One of the advertised hallmarks of Windows Vista is security, as in 
Microsoft's renewed focus on and dedication to tightening up the Windows 
operating system.

Indeed, Vista is chock-full of new security features, including a 
beefed-up firewall, integrated anti-spyware functionality, BitLocker 
drive encryption and UAC (User Account Control), but these features will 
ultimately have greater benefits for consumers. For corporate customers 
demanding cross-platform functionality, centralized manageability and 
rock-solid reliability, these new features will likely be nothing more 
than window dressing.

eWEEK Labs has been most interested in BitLocker's potential for the 
enterprise, as it encrypts all the contents of the system drive: operating 
system and data files alike.

BitLocker tries to provide an experience that is seamless to the end 
user. Ideally, the key that unlocks the drive is held by a TPM chip on 
the motherboard and released automatically at boot, so the volume is 
decrypted without any user action. Administrators can configure 
BitLocker to require a user-entered PIN code as well: a TPM-only setup 
stops a data thief from mounting the disk offline from another boot 
device, but once the drive has been unlocked automatically it does 
nothing against an online attack, such as brute-forcing the logon, on 
the running system.

Corporations that plan to use BitLocker need to plan for it from the 
Vista get-go: System hard drives need to be partitioned in such a way 
that the boot manager and boot images live on a small unencrypted 
partition separate from the rest of the operating system, applications 
and data files. Although it is possible to repartition the drive on an 
existing installation, the process is not straightforward. Also, 
administrators need to ensure that a computer's BIOS is Vista-ready, and 
that it has either an on-board TPM (Trusted Platform Module) chip or can 
read a USB stick before the operating system loads.

However, at this early stage in Vista's development, the necessary level 
of support from hardware manufacturers is still to come. For example, 
although Vista comes with a generic TPM driver, we could not initially 
get the driver to install correctly on our Lenovo ThinkPad T60. We 
needed to update the BIOS to the most recent revision, and then manually 
locate and install the driver. According to Microsoft engineers, the 
T60's TPM chip did not report a device ID that Vista would recognize, so 
the driver would not install automatically.

With the TPM chip finally enabled, we could start the encryption process 
through the BitLocker configuration wizard, which asked us to archive 
the decryption key before initiating a system check to ensure that 
BitLocker would work. The wizard rebooted the machine, tested whether 
the key was detected and then began encrypting the entire drive.

We found the actual disk encryption process to be slow: It took more 
than an hour for a 30GB partition. In addition, since the encryption 
keys must be created on a machine-by-machine basis, it will take 
considerable time and administrative effort to enable a fleet of 
notebooks with BitLocker.

According to documentation, administrators will have to turn off 
BitLocker to decrypt the drive before initiating a BIOS upgrade. Simple 
BIOS changes can be done by temporarily disabling BitLocker, although we 
found that some changes, such as changing the drive boot order, did not 
require that step. We did note that when we booted our test machine with 
the Vista install CD still in the drive, we had to manually enter the 
recovery key to start the system, even though we chose not to actually 
boot from the media drive.

With a quick change to a Group Policy setting, we also could use 
BitLocker without a TPM chip, instead using a USB thumb drive inserted 
into the computer at boot time to provide the decryption key. The BIOS 
must be able to access the key during the boot process for this to 
work, something we couldn't achieve with our ThinkPad T60 but were able to 
do with a custom-built machine based on Advanced Micro Devices' Athlon 
64 3500+ processor and an Abit motherboard.
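The TPM check and the Group Policy change described above, as an added example that is not part of the eWEEK review or of Microsoft's own tooling. It queries the TPM the way BitLocker sees it, then reads or writes the local BitLocker startup policy that decides whether TPM-only, TPM-plus-PIN or a USB startup key is permitted. The registry key and value names are the ones the BitLocker administrative template writes; the function names are this example's own. Run it in an elevated Windows PowerShell session.

```powershell
# Added example, not from the eWEEK review. Registry path and value names
# are those written by the BitLocker Group Policy template; function names
# are ours. Requires an elevated Windows PowerShell session.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-TpmState {
    # Win32_Tpm lives in its own WMI namespace. If the class cannot be
    # instantiated the TPM is absent, disabled in the BIOS, or the driver
    # never bound (the T60 symptom in the review): BitLocker then needs the
    # "allow without compatible TPM" policy and a USB startup key.
    $none = [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction Stop
    } catch { return $none }
    if ($null -eq $tpm) { return $none }
    [pscustomobject]@{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

# Encoding used by UseTPM / UseTPMPIN / UseTPMKey: 0 = do not allow,
# 1 = require, 2 = allow. A missing value means the policy leaves it alone.
function ConvertTo-PolicyWord($v) {
    if ($null -eq $v) { return 'not set' }
    switch ([int]$v) { 0 { 'not allowed' } 1 { 'required' } 2 { 'allowed' } default { "unknown ($v)" } }
}

function Get-BitLockerStartupPolicy {
    $p = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.UseAdvancedStartup -ne 1) {
        return 'Advanced startup policy not configured: wizard defaults apply (TPM only, no PIN, no TPM-less option).'
    }
    [pscustomobject]@{
        AllowWithoutTpm = ($p.EnableBDEWithNoTPM -eq 1)   # USB startup key on TPM-less hardware
        TpmOnly         = ConvertTo-PolicyWord $p.UseTPM
        TpmPlusPin      = ConvertTo-PolicyWord $p.UseTPMPIN
        TpmPlusUsbKey   = ConvertTo-PolicyWord $p.UseTPMKey
    }
}

function Set-BitLockerStartupPolicy {
    # -RequirePin closes the gap the review points out: TPM-only unlocks the
    # volume unattended, so whoever holds the laptop reaches the logon screen
    # and can attack it online. Requiring a PIN keeps the volume sealed until
    # a human supplies the secret. This writes the local policy registry; a
    # domain GPO configuring the same setting overrides it.
    param([switch]$AllowWithoutTpm, [switch]$RequirePin)
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1
        EnableBDEWithNoTPM = [int]$AllowWithoutTpm.IsPresent
        UseTPM             = $(if ($RequirePin) { 0 } else { 2 })   # forbid TPM-only when a PIN is mandatory
        UseTPMPIN          = $(if ($RequirePin) { 1 } else { 2 })
        UseTPMKey          = 2
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicyKey -Name $name -Value $values[$name] -Type DWord
    }
    Get-BitLockerStartupPolicy
}

# Usage (elevated):
#   Get-TpmState
#   Set-BitLockerStartupPolicy -RequirePin
#   Set-BitLockerStartupPolicy -AllowWithoutTpm    # the review's USB-key-only setup
```

The first call tells you whether the wizard will even offer a TPM protector; if `Present` is false on hardware that has a chip, look at the BIOS setting and the driver binding before touching policy, as the review had to on the T60. Note that policy only governs what the wizard offers: it does not change protectors on volumes that are already encrypted.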


Anti-spyware and Firewall

Vista comes bundled with the Windows Defender Anti-Spyware program. In 
previous tests, we've found Windows Defender to be an adequate solution 
for detecting, removing and preventing spyware, and that legacy 
continues in Vista.

Windows Defender could make a decent second line of defense behind a 
corporation's standard anti-virus/anti-spyware solution of choice. 
Because it lacks centralized policy control, status monitoring and 
reporting capabilities, corporations will need to have another solution 
in place to provide the documentation and controls necessary to comply 
with various regulations.

Through Active Directory Group Policy, we could control only a few 
Windows Defender actions: We could disable or enable the program, enable 
a few logging metrics, and configure SpyNet reporting characteristics. 
We could not schedule scans, do much to change the signature update 
checking interval or designate some form of centralized reporting. The 
controls we could enable apply only to Vista machines and not to legacy 
versions of Windows that had Windows Defender installed as a stand-alone 
application.

Waiting in the wings to provide enterprise-grade management and 
reporting capabilities is Microsoft's Forefront Client Security suite. 
Forefront, due in the second quarter of 2007, leverages the same 
anti-spyware capabilities as Windows Defender and the same anti-virus 
engine as OneCare. (A beta version of Forefront can be downloaded here. 
[1])

Vista marks the first Windows operating system to provide an integrated 
two-way firewall, which we found to be satisfactory overall. Whereas the 
integrated firewall that came with Windows XP blocked only inbound 
network traffic, Vista's firewall can also monitor and block outbound 
traffic, potentially cutting off unauthorized traffic from already 
installed applications. Note that outbound traffic is allowed by 
default; it is blocked only once an administrator adds explicit outbound 
block rules or changes the profile's default outbound action.

The basic Windows Firewall Settings configuration pane looks similar to 
the configuration pane of the XP firewall, although a new button to 
block all incoming connections has replaced the old option to prohibit 
policy exceptions.

Drilling down, the Policy Exceptions page looks largely the same as with 
XP's iteration, but ICMP (Internet Control Message Protocol) exemption 
rules are conspicuously missing. These exemption policies, along with 
policy controls for outbound traffic, are now located in a new MMC 
(Microsoft Management Console)-based configuration screen called Windows 
Firewall with Advanced Security.
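The outbound and ICMP configuration the last three paragraphs describe, as an added example that is not part of the eWEEK review. It uses the netsh advfirewall commands behind the Windows Firewall with Advanced Security console, which shipped with Vista: back up the current policy, switch the default outbound action from allow to block, then re-open only named services and programs. The program path and rule names are this example's assumptions. The plan is written to a .cmd file for review; -Apply executes it in an elevated session. Try it on a lab machine first, since a block-by-default outbound policy cuts off everything not listed.

```powershell
# Added example, not from the eWEEK review. netsh advfirewall is the
# Vista-era CLI for Windows Firewall with Advanced Security; the program
# path and rule names below are assumptions. Run elevated.

function New-OutboundLockdownPlan {
    param(
        [string]$BackupPath = (Join-Path $env:TEMP 'wf-before-lockdown.wfw'),
        # Programs that may talk out; anything not listed is dropped once the
        # default outbound action is block.
        [string[]]$AllowedPrograms = @(
            (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe')   # assumption
        )
    )
    $plan = @(
        # Rollback path: netsh advfirewall import "<file>"
        "netsh advfirewall export `"$BackupPath`""
        # Vista ships with blockinbound,allowoutbound; this is the change that
        # makes the two-way firewall actually stop installed applications.
        'netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound'
        # Services the host cannot do without; port-scoped rather than
        # program-scoped because the caller is svchost.exe, which you do not
        # want to whitelist wholesale.
        'netsh advfirewall firewall add rule name="Out: DNS" dir=out action=allow protocol=udp remoteport=53'
        'netsh advfirewall firewall add rule name="Out: DHCP" dir=out action=allow protocol=udp localport=68 remoteport=67'
        # The ICMP exemptions that left the basic Exceptions tab are ordinary
        # rules here, keyed as icmpv4:<type>,<code>.
        'netsh advfirewall firewall add rule name="In: ICMPv4 echo" dir=in action=allow protocol=icmpv4:8,any'
    )
    foreach ($exe in $AllowedPrograms) {
        $name = 'Out: ' + [IO.Path]::GetFileName($exe)
        $plan += "netsh advfirewall firewall add rule name=`"$name`" dir=out action=allow program=`"$exe`" enable=yes"
    }
    $plan
}

function Invoke-OutboundLockdown {
    param([switch]$Apply)
    $script = Join-Path $env:TEMP 'outbound-lockdown.cmd'
    New-OutboundLockdownPlan | Set-Content -Path $script -Encoding Ascii
    if (-not $Apply) {
        Write-Host "Dry run. Review $script, then rerun with -Apply:"
        Get-Content $script
        return
    }
    # cmd.exe applies the quoting exactly as if the lines were typed at a
    # prompt, which sidesteps PowerShell's re-quoting of native arguments.
    & cmd.exe /c $script
    netsh advfirewall show allprofiles
    netsh advfirewall firewall show rule name=all dir=out
}

# Usage:
#   Invoke-OutboundLockdown           # prints the plan
#   Invoke-OutboundLockdown -Apply    # applies it (elevated)
```

The export at the top is the important line: a block-by-default outbound policy on a machine whose update agent, VPN client or management tooling was not listed will look like a network outage, and `netsh advfirewall import` of the saved file is the quickest way back.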

Although we found the entire integrated firewall solution highly 
functional, we doubt it will gain much traction in a large enterprise 
that must continue to support legacy Windows operating systems for the 
foreseeable future. For the sake of management simplification, an 
organization that has already standardized on a third-party firewall 
solution for XP-based workstations will be highly disinclined to 
implement and manage Vista's Windows Firewall separately. Instead, they 
will more likely roll out the third party's Vista Firewall solution, 
whenever that becomes available.


User Account Control

Vista's UAC marks the first time that Microsoft has attempted to create 
an operating system on which the user is supposed to run with limited 
local rights rather than with administrator credentials.

Central administrators can dictate two UAC modes: Users can be denied 
the rights to administrative functions, such as installing software and 
changing system settings, or they can be warned in a secured interface 
whenever an administrative action is being initiated.

Run in the latter mode, UAC generates enough warning messages that users 
will likely become inured to the messages' contents, clicking "yes," 
"yes," "yes" by rote. IT managers who figured out the ins and outs of 
LUA (least-privileged user accounts) on XP- or Windows 2000-based systems 
will likely not subject their users to this and will run UAC in the 
first mode described.
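The two standard-user modes described above, as an added example that is not part of the eWEEK review. It reads the registry values behind the User Account Control settings under Security Options in Group Policy and decodes them into the review's two modes, and can switch a standard user between "denied outright" and "prompted for credentials on the secure desktop". The value names and their meanings are Vista's; the mode labels and function names are this example's own. A change to EnableLUA takes effect only after a reboot.

```powershell
# Added example, not from the eWEEK review. Registry value names and
# meanings are Vista's UAC policy settings; labels and function names are
# ours. Run elevated to change settings; reading needs no elevation.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function ConvertTo-UacModeDescription {
    # Pure decode, so it can be run against a registry export as well as the
    # live machine. $null means "value absent", i.e. the Vista default.
    param($EnableLUA, $ConsentPromptBehaviorUser, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)
    if ($null -ne $EnableLUA -and $EnableLUA -eq 0) {
        return 'UAC off: administrators run fully elevated all the time; standard users simply get access denied.'
    }
    $user = switch ($ConsentPromptBehaviorUser) {
        0       { 'standard users: elevation requests denied outright (the first mode)' }
        default { 'standard users: prompted for administrator credentials (the second mode; Vista default)' }
    }
    $admin = switch ($ConsentPromptBehaviorAdmin) {
        0       { 'administrators: elevate silently, no prompt' }
        1       { 'administrators: prompt for credentials' }
        default { 'administrators: prompt for consent (Vista default)' }
    }
    # The "secured interface" in the review: prompts drawn on a separate
    # desktop that other processes cannot paint over.
    $desk = if ($null -eq $PromptOnSecureDesktop -or $PromptOnSecureDesktop -ne 0) {
        'prompts on the secure desktop'
    } else {
        'prompts on the interactive desktop (other windows can spoof them)'
    }
    "$user; $admin; $desk"
}

function Get-UacMode {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    ConvertTo-UacModeDescription -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorUser $p.ConsentPromptBehaviorUser `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

function Set-UacStandardUserMode {
    # Deny   = the mode the review expects seasoned LUA shops to pick.
    # Prompt = credential prompt on the secure desktop.
    # Both keep UAC enabled and keep the secure desktop on.
    param([Parameter(Mandatory)][ValidateSet('Deny', 'Prompt')][string]$Mode)
    $values = @{
        EnableLUA                 = 1
        PromptOnSecureDesktop     = 1
        ConsentPromptBehaviorUser = $(if ($Mode -eq 'Deny') { 0 } else { 1 })
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $UacKey -Name $name -Value $values[$name] -Type DWord
    }
    Get-UacMode
}

# Usage:
#   Get-UacMode
#   Set-UacStandardUserMode -Mode Deny      # elevated
```

Leaving `ConsentPromptBehaviorAdmin` alone is deliberate: the review's objection is prompt fatigue for ordinary users, and the fix for that is to stop offering them an elevation prompt at all, not to make administrators' prompts disappear.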

We like the leap of thinking Microsoft has taken with UAC, acknowledging 
that users should not be running with administrative privileges 100 
percent of the time. But UAC provides measures that diligent IT 
departments should have taken, and hopefully did take, long ago.

Technical Analyst Andrew Garcia can be reached at andrew_garcia (at) 
ziffdavis.com.

[1] http://www.microsoft.com/forefront/clientsecurity/default.mspx


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Tue Nov 28 2006 - 01:43:32 PST