eWeek Microsoft Watch
December 13, 2006 5:27 PM

Priming Vista Security for the Enterprise



Windows Vista security is in some ways a work in progress that's going to require lots of partner support and enterprise customer understanding before it's really ready for prime time.

Microsoft is right to tout Vista security enhancements, but some of them feel kind of make-do. After all, Microsoft jettisoned security technologies like Palladium just to get Vista out the door. The hardware-software combination promised to deliver a one-two punch to hackers and malware. Where is Palladium--er, Next-Generation Secure Computing Base--now? Could it be in the WinFS graveyard?

Still, Windows Vista is more rugged than its predecessors. Internet Explorer is more secure, and Microsoft has changed Windows' user rights so that most people run as standard users, even when logged in as administrators.

Partners, Customers Will Make the Difference
The problem I see: Some of the best potential security enhancements won't do much without partner support. One example: Kernel Patch Protection, or PatchGuard. The controversial feature found in 64-bit versions of Windows XP, Windows Server 2003 and Windows Vista is supposed to harden the kernel against malware and hacking. But PatchGuard also heavily restricts some third-party security software. Microsoft is right to treat the kernel as sacrosanct. Whether Microsoft can keep out the hackers along with the security vendors is a major part of the PatchGuard debate. Meanwhile, Microsoft and partner squabbling creates unnecessary uncertainty for customers about Vista security.

A better example: OEM support for ASLR (Address Space Layout Randomization). ASLR requires a BIOS that supports DEP (Data Execution Prevention). Together, the hardware and software apply a trick used by some open-source software: randomization of key data areas, which deters some malware. Simply stated: It's more difficult to deliver the malware package if the address is unknown (I wish my postal carrier had the same problem with ad circulars and junk mail).

My Windows Vista laptop supports DEP. Today, I changed Vista DEP to "all programs and services" from the default setting of "essential Windows programs and services only." I also followed Microsoft evangelist Michael Howard's instructions and changed Internet Explorer 7 to "enable memory protection to help mitigate online attacks." Now I have DEP working for me when browsing with IE 7.

Some of that DEP benefit may work against me, however. Howard explains that IE 7 DEP "is off by default. When it is enabled many plug-in components fail to run, often crashing the browser." Ah, yeah. If Windows-wide DEP is similar, using the security feature could negatively affect the Vista user experience.

Education Is Key
The process of enabling DEP and even understanding the technology reveals the other reason why Windows Vista security is still a work in progress: Businesses have got to understand what's new, how it works, and how they will support it. Because ASLR is new, its benefits must be articulated by Microsoft and its partners. Then IT managers must evaluate existing PCs for which they are considering Vista upgrades.

Merrill Lynch's recent CIO survey shows that businesses are thinking about hardware upgrades such as memory and graphics. DEP may not be on CIOs' radar or supported by many older PCs, however. Finding out if older PCs support it may be arduous, with IT managers manually checking each PC BIOS to see if DEP is there and if it is turned on. Then there are software compatibility considerations and evaluations of performance risk weighed against security benefits.
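The per-PC BIOS check described above can be replaced by asking Windows what it sees. This is an added example, not part of the original post: it reads the DEP properties of the `Win32_OperatingSystem` WMI class and maps the policy value to the two Control Panel settings mentioned earlier. The host list is a constructed placeholder, and remote queries assume CIM/WinRM access is already allowed.

```powershell
# Added example: inventory DEP status over CIM instead of opening each BIOS setup.
# 'localhost' is a placeholder; replace with your own host names (assumes WinRM/CIM access).
$Computers = @('localhost')

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$PolicyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn (essential Windows programs and services only)'
    3 = 'OptOut (all programs and services, minus listed exceptions)'
}

function Get-DepStatus {
    param([string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        try {
            $query = @{ ClassName = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
            if ($name -ne 'localhost') { $query.ComputerName = $name }
            $os = Get-CimInstance @query
            $policy = [int]$os.DataExecutionPrevention_SupportPolicy

            # Decide what, if anything, an administrator should look at on this PC.
            $note = if (-not $os.DataExecutionPrevention_Available) { 'no hardware DEP reported (check CPU/BIOS)' }
                    elseif ($policy -eq 0) { 'DEP switched off in boot configuration' }
                    elseif ($policy -eq 2) { 'default opt-in policy' }
                    else { 'ok' }

            [pscustomobject]@{
                Computer     = $name
                OS           = $os.Caption
                HardwareDep  = $os.DataExecutionPrevention_Available
                Policy       = $PolicyNames[$policy]
                Dep32BitApps = $os.DataExecutionPrevention_32BitApplications
                DepDrivers   = $os.DataExecutionPrevention_Drivers
                Note         = $note
            }
        }
        catch {
            # Unreachable or access-denied hosts stay in the report so they are not silently skipped.
            [pscustomobject]@{ Computer = $name; OS = $null; HardwareDep = $null; Policy = $null
                               Dep32BitApps = $null; DepDrivers = $null; Note = "query failed: $($_.Exception.Message)" }
        }
    }
}

Get-DepStatus -ComputerName $Computers | Sort-Object Note | Format-Table -AutoSize -Wrap
```

Machines that report no hardware DEP still need a look at the CPU model and firmware settings, since the property does not say whether the feature is missing or only disabled.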

ASLR is just one new security enhancement. The new user-rights scheme introduces new layers of management complexity--at least in the beginning before IT managers understand what the changes are, what they're for and how they work. My experience today is an example. To enable DEP in Internet Explorer, I had to use the "run as administrator" option, even though my account has administrator privileges. Windows Vista's new token-based user-rights mechanism offers layered administrator rights. Anyone using Unix systems would be familiar with the rights approach, although Vista's technology execution is different.

Windows Vista's approach to rights and its User Account Control mechanism will require two levels of education, said Dan Cogswell, senior technical trainer for South Burlington, Vt.-based KnowledgeWave Training. Cogswell expects technical training of businesses' IT staff to start over the next six months. "The training for the end users will follow behind that," he said.


Software Is Risky Business
I don't see Windows Vista as a security panacea, but, damn, it's got to be better than Windows XP. Realizing the security benefits will mean lots more cooperation among partners and Microsoft, and lots more partner support for enterprises considering Vista deployments.

Meanwhile, risks continue to rise. According to the U.S. Department of Homeland Security's National Vulnerability Database, there have been 6,140 reported security vulnerabilities in 2006 so far. For 2005, there were 4,869 vulnerabilities, and 2,357 and 1,257 in, respectively, 2004 and 2003.

Security vulnerabilities touch all classes of software. How about not one but two zero-day vulnerabilities affecting Word?

The Homeland Security database reveals more vulnerabilities. For individual products, I can't speak for the accuracy of the database. I have seen the number of vulnerabilities change over time, which could be a function of delayed reporting or the database's search and sorting mechanisms. I searched for all product versions and got back these numbers: Internet Explorer, 93 vulnerabilities in 2006, compared with 33 in 2005; Firefox, 92 vulnerabilities during the same time period, up from 75 the previous year; Windows XP, 49 vulnerabilities in 2006, compared with 66 in 2005; Mac OS X, which has a reputation for good security, 101 vulnerabilities in 2006 and 96 the previous year.

So far this year, Mac OS X vulnerabilities are more than double Windows XP's. Of course, no one seems to care.


Comments (6)

Neil :

Good story Joe, I will give credit where credit is due !

I'd second that. Now I'm just waiting for my second comment from the other day to pop off the moderation queue. :-) :-)

Joe :

Neil wrote: "Good story Joe, I will give credit where credit is due !"

Roy wrote: "I'd second that. Now I'm just waiting for my second comment from the other day to pop off the moderation queue. :-) :-)"

Thanks to you both--and, Neil, I'd be happy to hear more what you would like to read.

Roy, your comment is out of moderation. Apologies, I didn't see it there. The links in your post automatically put the post in moderation. Occasionally, some good comments end up in the junk pile, too, mostly because of links.

Happy Holidays,

Joe

Neil :

Just give me "good" journalism and I will be happy, no flagrant bias against Microsoft (or for that matter anyone at all) just the facts and NO.. absolutely NO supposed stories like the "Miscalculation" one OK !
These latest ones are all quite OK with me Joe.

Too many businesses and business owners are not clued up at all enough about security – as users, in business or personal, are not clued up at all about security, especially when it comes to malware and spyware.

I worked for a company where many of our computers had spyware / malware on it, and not even the IT guy could figure out how to get rid of it. Little not-much-of-a-geek me, managed to get rid of it (after a few days) by finding the erroneous DLL files and deleting them. Of course, I had to do some googling to find what it was that I had to delete... and hijack this.

Not even Microsoft LiveOneCare, mind you, could get rid of the problem ... or its competitors. I had to do it manually. The fact that IT didn't know what was going on was scary for me, and I hear this is pretty usual in a lot of companies.

Pet portrait artists :

Great article! I was actually roaming around before going to work today and noticed that most PCs are equipped with Vista. Then after a customer buys that PC he will realize that he needs to get rid of the Vista and go back to XP. What seems to be the cause for this? Vista uses most of the memory of the equipment; thereby slowing down everything. It's good to know that you've pointed out what seems to be hidden from most PC users. Hopefully, this will get into the attention of people in authority and hasten things up involving Vista.

Copyright ©1996-2008 Ziff Davis Enterprise Inc. All Rights Reserved. Microsoft Watch is a trademark of Ziff Davis Enterprise, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
