Windows Vista and New Security
by Christopher Dolliver
|
With the release of Microsoft’s Windows Vista comes a whole new wealth of information, new terms and features not familiar to most average users, or even some pros, out there today. While this is true of any new software or IT-related gadgetry, it seems especially true of Windows Vista, mainly because of its new, still unfamiliar functionality and its connection with Microsoft.
Thus, I’ve been writing a series of articles on Windows Vista in an attempt to give the average user a better understanding of its new features, to unravel some of the mysteries and to answer those long-awaited questions, including “Why did Microsoft develop Windows Vista and add so many new features?”
To start with, Microsoft has spent a lot of time and resources developing and releasing Windows Vista in an attempt to deliver a better client operating system to its end users. One of the main goals was to deliver a more secure system. How? Windows Vista is intended to protect users and organizations from the new types of malicious software and viruses that now flood the internet. That malware and spyware costs billions of dollars in revenue every year, and costs jobs and economic growth as well. Vista's architecture was also changed to solve many other issues and to lessen the administrative effort required to support it.
The information that follows focuses on new features for both local and remote network users. It can be useful to network users and network administrators, whether in a small company or a large organization, who are not yet familiar with the new architectural features found in Windows Vista, and to those who still need some insight into the new features that relate in particular to clients.
Protection of Network Access
Windows Vista includes an agent that reports a client’s state of health and its configuration when it accesses network servers or peers in its group(s). With the advent of Network Access Protection (NAP), any client that lacks current security updates or new virus signatures, or that otherwise fails to meet the computer health requirements set for a network, will not be able to communicate anywhere on that private network.
The NAP agent can be used to protect a network from both remote access clients and local area network (LAN) clients, whether they use wired or wireless connections. The agent sends updated reports on a Windows Vista client machine’s health status, for instance whether current software updates and up-to-date virus signatures are installed, to a server-based NAP enforcement service. The NAP infrastructure included with Windows Server "Longhorn" then determines whether to grant the client machine access to the private network or only to a restricted network.
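To make the NAP decision concrete, here is an added Python simulation (not Microsoft's code, and not the real Statement of Health format) of an enforcement service checking each client's reported health against a policy and assigning it to the full or the restricted network. The field names, the seven-day signature threshold, the fixed "today" and the sample clients are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the health report a NAP agent sends; the field
# names below are assumptions for this illustration, not the real SoH format.
@dataclass
class StatementOfHealth:
    host: str
    os_updates_current: bool
    av_installed: bool
    av_signature_date: date
    firewall_enabled: bool

# Assumed health policy: signatures older than this are "out of date".
MAX_SIGNATURE_AGE_DAYS = 7
TODAY = date(2007, 3, 1)  # constructed "now" so the run is deterministic

def evaluate(soh, today=TODAY):
    """Decide like an enforcement service: ('full'|'restricted', failures)."""
    failures = []
    if not soh.os_updates_current:
        failures.append("security updates missing")
    if not soh.av_installed:
        failures.append("antivirus not installed")
    elif (today - soh.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("virus signatures out of date")
    if not soh.firewall_enabled:
        failures.append("firewall disabled")
    # Any failed requirement confines the client to the restricted network.
    return ("restricted" if failures else "full"), failures

# Constructed sample clients.
CLIENTS = [
    StatementOfHealth("vista-01", True, True, date(2007, 2, 28), True),
    StatementOfHealth("vista-02", True, True, date(2007, 1, 15), True),
    StatementOfHealth("vista-03", False, False, date(2006, 12, 1), False),
]

def decisions(clients=CLIENTS):
    return {c.host: evaluate(c) for c in clients}

if __name__ == "__main__":
    for host, (network, why) in decisions().items():
        detail = f" ({'; '.join(why)})" if why else ""
        print(f"{host}: {network} network{detail}")
```

The returned failure list is what a real enforcement service would hand back as remediation guidance; a client on the restricted network stays there until a fresh report passes every requirement.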
Wireless Single Sign-On
The deployment of wireless networks brings with it further support for Layer 2 network authentication, such as the 802.1X protocol, to guarantee that only appropriate users or devices are permitted to access a protected network and to ensure that all data is secured at the radio transmission level.
This is done by a Single Sign-On feature that executes the Layer 2 network authentication at the appropriate time, as given by the network security configuration, while integrating with the user's Windows logon experience.
Administrators can use either Group Policy Objects or the command-line interface to deploy Single Sign-On profiles individually to each client machine. Once a Single Sign-On profile has been configured, 802.1X authentication precedes the Windows logon.
In addition, this feature enables scenarios such as GPO updates, logon scripts and wireless bootstrap, all of which require network connectivity before a user logon has been performed.
Wireless Security Protocols
The native WiFi architecture in Windows Vista has an unprecedented wide range of support for the latest security protocols used by desktops today, including Extensible Authentication Protocol (EAP), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), WiFi Protected Access (WPA), WiFi Protected Access 2 (WPA2), Wired Equivalent Privacy (WEP), and more.
This wide range of support helps ensure interoperability between any Windows Vista client machine and almost any wireless network. Personal networks, at home or in small businesses, can also be made more secure through WPA-PSK and WPA2-PSK, which authenticate with a pre-shared key.
When setting up a new wireless network, Windows Vista by default examines the capabilities of the wireless network card and then chooses the most secure protocol it supports. These security features are also extensible: through the EAP-HOST framework, Windows Vista can support custom authentication mechanisms defined by a hardware vendor or by an organization.
Platform Improvements
Windows Vista's authentication capabilities are more flexible, providing a variety of choices for customized authentication mechanisms such as fingerprint scanners and smart cards. Deployment and management tools, such as self-service personal identification number (PIN) reset tools, now make smart cards much easier to manage and deploy, and smart cards can now be used to log on to Windows Vista. Windows Vista also enables authentication via Internet Protocol version 6 (IPv6) and web services.
Certificate enrollment is made easier because Windows Vista includes enhancements to the Credential Manager that allow backing up and restoring any credentials stored on the local computer. The new Digital Identity Management Service (DIMS) provides certificate and credential roaming within an Active Directory forest (much larger than the old tree structure) and end-to-end certificate life cycle management scenarios.
Windows Vista's auditing capabilities make it easier to track what users do. Auditing categories now include multiple subcategories, which reduces the number of irrelevant events. Windows Vista's integrated audit events let enterprises better organize and analyze audit data by collecting and forwarding critical audit data to a central location.
Multi-Tiered Data Protection
Microsoft has improved support for data protection at the document, file, directory, and machine levels in Windows Vista’s architecture in order to lessen the theft and/or loss of corporate intellectual property, which is always a major concern for organizations. An integrated Rights Management client now allows organizations to enforce policies around their document usage. The Encrypting File System, which provides user-based file and directory encryption, has been enhanced to allow storage of encryption keys on smart cards, providing improved protection of the encryption keys.
In addition, the new enterprise BitLocker™ Drive Encryption feature adds machine-level data protection. It provides full volume encryption of the system volume, including all Windows system files and the hibernation file, which helps protect data from being compromised on a lost, stolen, or out-of-service machine.
To provide a solution that is easy to both deploy and manage, a Trusted Platform Module (TPM) 1.2 chip is used to store the keys that encrypt and decrypt sectors on a Windows Vista hard drive. BitLocker requires both the TPM and an enterprise management infrastructure to ensure ease of use for end users.
User Account Control
Before Windows Vista, IT departments had to choose between application compatibility and the convenience of having users log on as an administrator (as on Windows XP and earlier operating systems) on the one hand, and the security and stability provided by having users log on as a standard user on the other. Windows Vista User Account Control now gives administrators the option to restrict permissions while still allowing most applications to run.
This combination of security and compatibility is provided by File and Registry Virtualization, which automatically redirects writes that target locations a standard user does not have access to, and the subsequent reads, to a per-user area. Changes made to virtualized registry settings and folders are visible only to the user account that created them and only to the applications that user runs. Thus the integrity of the computer is much better protected. If an application requires administrator credentials, Windows Vista prompts the user for them before allowing the application to run.
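As an added illustration of the file-virtualization behaviour described above (a simulation written for this article, not Microsoft's implementation), the Python below models how a standard user's write to a protected location is redirected to a per-user shadow copy and how that user's later reads see the shadow while everyone else still sees the real file. The in-memory "disk", the sample application path and the user names are constructed; the VirtualStore folder under the user's local AppData is the location Vista really uses.

```python
import ntpath

# In-memory stand-in for the disk (constructed; no real files are touched).
PROTECTED_ROOTS = ("C:\\Program Files", "C:\\Windows")
VIRTUAL_STORE = "C:\\Users\\{user}\\AppData\\Local\\VirtualStore"

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def is_protected(path):
    """True for locations a standard user cannot modify."""
    p = _norm(path)
    return any(p.startswith(_norm(root) + "\\") for root in PROTECTED_ROOTS)

def virtual_path(path, user):
    """Per-user shadow of a protected path, mirrored under VirtualStore."""
    _drive, rest = ntpath.splitdrive(path)
    return ntpath.join(VIRTUAL_STORE.format(user=user), rest.lstrip("\\"))

class Disk:
    def __init__(self):
        self.files = {}

    def write(self, path, data, user, is_admin):
        # Elevated writers hit the real location; a standard user's write to a
        # protected location is silently redirected into their VirtualStore.
        target = path if is_admin or not is_protected(path) else virtual_path(path, user)
        self.files[_norm(target)] = data
        return target

    def read(self, path, user):
        # Reads check the user's VirtualStore copy first, then the real file.
        if is_protected(path):
            shadow = _norm(virtual_path(path, user))
            if shadow in self.files:
                return self.files[shadow]
        return self.files.get(_norm(path))

def demo():
    disk = Disk()
    cfg = "C:\\Program Files\\LegacyApp\\settings.ini"
    disk.write(cfg, "theme=default", user="installer", is_admin=True)
    redirected_to = disk.write(cfg, "theme=dark", user="alice", is_admin=False)
    return {
        "alice_sees": disk.read(cfg, "alice"),  # her own virtualized copy
        "bob_sees": disk.read(cfg, "bob"),      # untouched real file
        "real_file": disk.files[_norm(cfg)],    # real file integrity kept
        "alice_redirect": redirected_to,
    }
```

In Vista itself this redirection applies only to legacy applications that carry no UAC manifest, so a newly written application that declares its required execution level is expected to write to per-user locations on its own.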