Review of Windows Vista final code shows security needs admin attention

Corporate administrators need to take pains to set security specifics.

Our Clear Choice Test shows Vista Ultimate has much to like, and issues to fear, because of security holes.


We also found that Vista Ultimate's much-needed hierarchical user security model, User Account Control (UAC), will likely become problematic in a widespread deployment from both a systems-security and an administrative point of view. Historically, many Windows applications have presumed they would be given administrative (root-level) access to some operating-system features.

When an application does this on a machine running Vista Ultimate, the attempt triggers an automatic response from the operating system: it asks the user whether the access should be granted and, for a standard user, demands administrative credentials before the operation the application requested can complete. (The text of this prompt is often cryptic; when a user asks for "details" about an exception pop-up, it frequently offers only a registry entry.) In our testing, both legitimate software and malware consistently provoked these messages and the choices that follow them.

Microsoft Vista Ultimate Edition

Microsoft

Price: $399
Pros: Very slick UI; multiple deployment options; highly tailorable security details.
Cons: Feels like an incremental upgrade; numerous security issues still present.

The breakdown (scoring key: 5 = exceptional, 4 = very good, 3 = average, 2 = below average, 1 = subpar or not available)
Features (25%): 4
Security (25%): 2
Administration/ease of use (25%): 3
Installation/documentation (25%): 3.5
Total score: 3.13

Users of Windows XP SP2 may be accustomed to messages that intervene before root-level access is granted, but Vista Ultimate goes much further, preventing even some of its own utilities from changing the underlying operating system without user or administrator permission. The temptation is to accept, rather than reject, these requests in order to get at the applications users need. The downside of that decision is letting a virus, Trojan or other malware infect the system through the front door, despite the presence of the Windows Defender antimalware application and despite the numerous security settings put in place by a careful administrator.

We were easily able to infect our Vista Ultimate machines with variants of Blaster by letting an application proceed as described. Microsoft elected to lay this decision on the hapless user and his support mechanisms, rather than force thousands of application vendors to modify their code to behave within a hierarchical user-access model.

Unless administrators preload every enterprise application before users receive their new Vista Ultimate machines, each application exception will require intervention by administrative or help-desk personnel, because users won't know what to do when presented with the options.
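The policy decision the review describes, whether a standard user is allowed to answer an elevation prompt at all, lives in a handful of registry values. The following script is an added example, not code from the review or from Microsoft: it reads the UAC policy values, explains what each one means according to the "User Account Control" Group Policy settings, warns about the combinations that leave the approve/deny decision with the end user, and (only with -Apply) switches standard users to automatic denial so that an unexpected prompt becomes a help-desk ticket rather than a blind "Continue". The value meanings are taken from the Group Policy reference; the choice of settings under -Apply is an assumption about what an enterprise would want, not a Microsoft recommendation.

```powershell
# Added example (not from the Network World review): audit and optionally enforce UAC prompt policy.
# Run in an elevated PowerShell on Vista or later. Read-only unless -Apply is given.
param([switch]$Apply)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Meanings per the "User Account Control: Behavior of the elevation prompt" policies.
$adminMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
}
$userMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop (Vista default)'
}

function Describe($table, $value) {
    if ($null -eq $value) { return 'not set (default applies)' }
    $m = $table[[int]$value]
    if ($m) { $m } else { "unknown ($value)" }
}

"EnableLUA (UAC on)         : $($p.EnableLUA)"
"ConsentPromptBehaviorAdmin : $($p.ConsentPromptBehaviorAdmin) - $(Describe $adminMeaning $p.ConsentPromptBehaviorAdmin)"
"ConsentPromptBehaviorUser  : $($p.ConsentPromptBehaviorUser) - $(Describe $userMeaning $p.ConsentPromptBehaviorUser)"
"PromptOnSecureDesktop      : $($p.PromptOnSecureDesktop)"

if ($p.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled: every process started by an administrator runs fully elevated.'
}
if ($p.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators are elevated silently: malware run by an admin needs no click at all.'
}
if ($p.ConsentPromptBehaviorUser -ne 0) {
    Write-Warning 'Standard users are asked for admin credentials; the approve/deny decision rests with them.'
}

if ($Apply) {
    # Assumed enterprise policy: standard users cannot self-elevate, admins confirm on the
    # secure desktop so a spoofed dialog cannot click "Continue" for them.
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorUser  -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    'Applied. A reboot is required for a change to EnableLUA to take effect.'
}
```

In a domain these values would normally be pushed by Group Policy rather than set per machine; the script is useful for verifying that the policy actually landed on a given client, which is the check the review's help-desk scenario turns on.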

We also found issues with how Vista Ultimate, in combination with the new Internet Explorer 7, handles digital-certificate interactions with SSL-protected Web sites and services. Vista Ultimate and IE 7 change the way digital certificates are processed and can produce error messages that typically give no details about the certificate in question. Users and administrators have almost no information with which to debug the sometimes thorny problems SSL can cause, let alone track down attackers who attempt to spoof sites with invalid or inappropriate certificates.

Migration and installation

We received two preloaded HP dual-core PCs from Microsoft, a desktop and a notebook, with Vista Ultimate Edition installed. We found that tightening security on a fresh install is a matter of importing an appropriately configured registry hive (a packaged group of registry changes) to "cure" the weak defaults.

Security check of Vista final code reveals dangerous defaults

In our extensive testing of the final code for Microsoft's Vista Ultimate, we found that many of the default settings and security parameters leave the system open to breaches.

Issue found: The default password setting when adding a user is no password at all.
Security concern: Accounts created under this scheme are unsafe until hardened.

Issue found: The default policy for the outbound firewall is "pass traffic unless there's a rule blocking it."
Security concern: This policy is less safe than "deny all traffic unless it's explicitly allowed by policy."

Issue found: The default for an installation from CD does not include Windows Live OneCare, the subscription-based antivirus product.
Security concern: Opens the door to viruses.

Issue found: As reported in the OneCare interface, the default for IE 7 is to have antiphishing features turned off.
Security concern: According to the IE 7 setup screen, antiphishing is configured out of the box. This conflicting information leaves users unclear about their protection.

Issue found: If you log on with an administrator account, there is no evidence of this in the event log.
Security concern: Given standard auditing practice and role-based access policies, we'd expect every administrative logon to generate an event.

Issue found: The dialog box for a digital-certificate error shows no details of the incident.
Security concern: You can't determine whether the dialog box was triggered by an attacker's certificate or a legitimate one.

Issue found: If you accept an erroneous certificate, it is stored for the life of the browser instance.
Security concern: Because users tend not to close the browser, "for the life of the browser" is too long to keep trusting a dodgy certificate.

Issue found: The root certificate store lists only 16 trusted certificate authorities (CAs) and five intermediate CAs, as opposed to the more than 100 CAs shipped with Windows XP SP2.
Security concern: Microsoft has an existing root-certificate download facility that updates the CA list on demand, which implies the trusted list can change dynamically. Conventional security practice keeps this list static unless an administrator updates it.

Issue found: The dialog boxes that indicate normal operations requiring privileges are very vague.
Security concern: They provide insufficient information for the user to decide whether to accept the operation, which can lead to blind approval of a harmful one.

Issue found: IPv6 is enabled by default, including dynamic router discovery.
Security concern: An attacker who gets onto a LAN segment could advertise an IPv6 router and obtain a route to the system.

Issue found: If you start IE with the default (MSN) home page and then shut it down, a burst of TCP Reset packets is transmitted.
Security concern: While technically correct, the bursty transmission might look malicious to intrusion-detection equipment.

Issue found: There are limitations on when you can manipulate files ending in the .dll extension.
Security concern: This may have patch-management implications: if you can't update application (not system) DLLs, patch management becomes problematic.

Issue found: There are apparently limitations on when you can manipulate files ending in the .asc extension.
Security concern: Any enterprise using encryption technology is likely to have .asc files. If there are issues around this file extension, they will affect the use of encryption.

This may need attention in some organizations: the fresh local security policies prevented us from accessing all but the most recent Samba versions on our Linux servers. To let these clients reach our other lab servers, we had to upgrade the Samba implementation on our Mac OS-based Xserves, or lower Vista Ultimate's NTLM password-strength setting (the LAN Manager authentication level), a problem we first noted with Windows Server 2003 editions.
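The defaults in the table above, and the NTLM setting that governs Samba interoperability in the paragraph just before this, are all reachable from an elevated command line. The script below is an added example, not the review's or Microsoft's own hardening template: for each item it states the weak default and applies the tightened setting using the tools that ship with Vista (net, netsh advfirewall, auditpol, wevtutil, certutil and the registry). The program path, the domain-controller address 10.0.0.10 and the interface name "Local Area Connection" are assumptions for illustration; adjust them before use, and trial the firewall rules on one machine first because default-deny outbound will break anything you have not allowed.

```powershell
# Added example (not from the Network World review): harden the Vista defaults the review flags.
# Run elevated. Values marked "assumed" are illustrative and must be adapted to your environment.

# 1. Passwords. Default: a new local account may have no password at all.
#    Require a minimum length machine-wide, and (per account) force a password to exist.
net accounts /minpwlen:12 /maxpwage:90
# net user jdoe * /passwordreq:yes      # prompts for a password for the assumed account jdoe

# 2. Firewall. Default: outbound traffic passes unless a rule blocks it.
#    Corrected: block both directions by default, then allow only what is needed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow IE7 outbound" dir=out action=allow `
    program="%ProgramFiles%\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443
netsh advfirewall firewall add rule name="Allow DNS to DC" dir=out action=allow `
    protocol=UDP remoteport=53 remoteip=10.0.0.10            # assumed domain controller
netsh advfirewall firewall add rule name="Allow Kerberos to DC" dir=out action=allow `
    protocol=TCP remoteport=88 remoteip=10.0.0.10
netsh advfirewall firewall add rule name="Allow Windows Update" dir=out action=allow `
    service=wuauserv protocol=TCP remoteport=80,443

# 3. Auditing. Default: an administrative logon leaves nothing in the Security log.
#    Corrected: audit logons; event 4624 (logon) paired with 4672 (special privileges
#    assigned to new logon) identifies an administrative session.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
# To list the ten most recent privileged logons afterwards:
# wevtutil qe Security /q:"*[System[(EventID=4672)]]" /c:10 /rd:true /f:text

# 4. Root certificates. Default: a short root list that Windows extends on demand from
#    Microsoft's download facility. Corrected: freeze the list so additions are an admin decision.
$authRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
New-Item -Path $authRoot -Force | Out-Null
Set-ItemProperty -Path $authRoot -Name DisableRootAutoUpdate -Value 1 -Type DWord
# Review what the machine trusts right now:
# certutil -store Root

# 5. IPv6. Default: router discovery is on, so a rogue router advertisement on the segment
#    can hand the host a route. Corrected: disable discovery on the (assumed) LAN interface.
netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

# 6. NTLM. Vista's default LmCompatibilityLevel of 3 sends NTLMv2 only, which old Samba
#    servers reject. Prefer upgrading Samba; lowering the client level is the weaker fallback.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"Current LmCompatibilityLevel: $((Get-ItemProperty -Path $lsa).LmCompatibilityLevel)"
# Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 1 -Type DWord   # last resort only
```

Step 6 is deliberately left commented out: level 1 lets the client fall back to LM and NTLMv1 responses, which is exactly the weakening the review had to accept on its test network, so it should be a conscious, documented exception rather than part of a standard build.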

To aid in preconfiguration and migration, Microsoft has updated its User State Migration Tool (USMT) for Windows Server 2003 Enterprise Edition to support two types of Vista Ultimate installation: an in-place migration, where a user's settings and data are moved in their entirety, and a wipe-and-retrofit migration. Also available is a toolkit called Windows Easy Transfer, which is an old-fashioned DVD-based installation that took more than three hours to load onto an HP/Compaq 32-bit desktop with 512MB of DRAM and an 80GB disk. A simple wipe-and-replace took just 35 minutes. Clearly, migrations need to be planned.

The USMT application produces Windows Imaging (WIM) payloads, which can subsequently be distributed as Vista Ultimate operating-system images, with variants to match particular hardware types. Unlike prior editions of Windows, Vista Ultimate's installer is driven solely by a GUI, and drivers can be loaded at install time from USB drives, CDs/DVDs or other non-floppy sources, or embedded within a USMT organizational distribution image. Several different images (variations for differing hardware, application selections and settings) can be stored in the same WIM file. Organizations with a homogeneous Microsoft operating-system and application environment will have little trouble with these processes.

Some of Vista Ultimate's communications applications, such as Windows Meeting Space, require an administrator to lower some security settings unless users are authenticated against Windows Active Directory. This application allows application or desktop sharing among as many as 10 users who have all passed the permission and authentication tests. In our testing, sessions could be established when a user was authenticated against Active Directory, but not when authentication went through Samba's SMB/Active Directory domain emulation.

What we liked

Disks installed in a Vista Ultimate machine can now be completely encrypted, thanks to a reworked encryption implementation in Microsoft BitLocker. It requires two partitions (only one is encrypted; the small system partition that boots the machine stays in the clear), a Trusted Platform Module chip (version 1.2 or later) and a BIOS that supports it. Some chip/BIOS combinations support sealing the keys to the chip itself; others require an external USB flash drive that holds a startup key. Machines upgraded from Windows XP to Vista Ultimate will likely need disk repartitioning to use this.
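Before rolling BitLocker out it is worth checking the prerequisites the paragraph above lists on each hardware model. The script below is an added example, not the review's or Microsoft's code: it queries the TPM through the Win32_Tpm WMI class that ships with Vista and inspects the partition table of the first disk, warning where the machine would need BIOS changes, repartitioning or the USB-startup-key fallback. It is read-only. The assumption that the operating system lives on disk 0 is made for illustration.

```powershell
# Added example (not from the Network World review): BitLocker readiness check. Run elevated; read-only.

# TPM state via the WMI provider in root\cimv2\Security\MicrosoftTpm.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Warning 'No TPM visible to Windows. BitLocker then needs a USB startup key and the "advanced startup options" group policy.'
} else {
    # Each WMI method returns an object whose property of the same name carries the result.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    "TPM spec version        : $($tpm.SpecVersion)"
    "Enabled/Activated/Owned : $enabled / $activated / $owned"
    if (-not ($enabled -and $activated)) {
        Write-Warning 'TPM must be enabled and activated in the BIOS before BitLocker can seal keys to it.'
    }
    if ($tpm.SpecVersion -notmatch '^(1\.2|2\.)') {
        Write-Warning "TPM spec $($tpm.SpecVersion) is older than 1.2; BitLocker cannot use it."
    }
    if (-not $owned) {
        Write-Warning 'TPM has no owner yet; the BitLocker wizard will take ownership, which needs a BIOS confirmation on some machines.'
    }
}

# Partition layout: BitLocker needs an unencrypted, active system partition separate from the OS volume.
$parts = @(Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex = 0")   # disk 0 assumed to hold the OS
"Partitions on disk 0: $($parts.Count)"
$parts | ForEach-Object { "  {0}  bootable={1}  size={2:N0} MB" -f $_.Name, $_.Bootable, ($_.Size / 1MB) }
if ($parts.Count -lt 2) {
    Write-Warning 'Only one partition: repartition (the Vista Ultimate BitLocker Drive Preparation Tool automates this) before enabling BitLocker.'
}
```

The two-partition warning is the one that fires on most machines upgraded from XP, which is the repartitioning case the review mentions; the TPM warnings are the ones a desktop team can usually clear in the BIOS without touching the disk.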

Windows Mobility Center, designed to wrap up the various settings a PC needs in mobile networking situations, gathers into a single area the myriad settings that in Windows XP required navigating several applications, making them easier to understand and adding a few critical features, such as native WPA2 (IEEE 802.11i) support (even in ad-hoc mode) and connection status.

Depending on the quality of the display adapter (we used nVidia adapters throughout our tests), the revamped user interface is far easier on the eyes (dare we say, approaching Mac quality?) and much easier to navigate: icon boundaries are better defined, and scrolling and object movement are smoother.

Users can also synchronize their data via the Sync Center, this year's reworking of Microsoft's original Briefcase concept, except that this one seems to work very well. Potentially, it can synchronize information across numerous platforms with flexibility not found in prior versions. It works without a subscription to any service, though it will likely be compatible with third-party services soon.

Overall

As we said, we like Vista Ultimate, but that endorsement comes with the important caveat that it must be controlled before it is released to users. User Account Control must be dealt with in organizational policy, or a user will unwittingly hurt himself, and potentially the entire corporate network, by making incorrect choices. We were shocked at the uniformly inarticulate error messages, a criticism of Microsoft for more than a dozen years, and what we saw will drive help-desk support personnel to the pharmacy.

Henderson is principal of, and Szenes is a researcher for, ExtremeLabs in Indianapolis. Thayer is a private network security consultant in Mountain View, Calif.

NW Lab Alliance

Henderson, Szenes and Thayer are also members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

Copyright © 2006 IDG Communications, Inc.