Knowledge

Security and safety features new to Windows Vista

Source đź“ť

540:
can mark their applications as NX-compliant when built, which allows protection to be enforced when that application is installed and runs. This enables a higher percentage of NX-protected code in the software ecosystem on 32-bit platforms, where the default system compatibility policy for NX is configured to protect only operating system components. For x86-64 applications, backward compatibility is not an issue and therefore DEP is enforced by default for all 64-bit programs. Also, only processor-enforced DEP is used in x86-64 versions of Windows Vista for greater security.
1156:(DEP), with no fallback software emulation. This ensures that the less effective software-enforced DEP (which is only safe exception handling and unrelated to the NX bit) is not used. Also, DEP, by default, is enforced for all 64-bit applications and services on x86-64 versions and those 32-bit applications that opt in. In contrast, in 32-bit versions, software-enforced DEP is an available option and by default is enabled only for essential system components. 90:
some action is attempted that needs administrative privileges, such as installing new software or changing system or security settings, Windows will prompt the user whether to allow the action or not. If the user chooses to allow, the process initiating the action is elevated to a higher privilege context to continue. While standard users need to enter a username and password of an administrative account to get a process elevated (
699:, only those resources which have to be modified by a service are given write access, so trying to modify any other resource fails. Services will also have pre-configured firewall policy, which gives it only as much privilege as is needed for it to function properly. Independent software vendors can also use Windows Service Hardening to harden their own services. Windows Vista also hardens the 486:. A lower privilege process cannot perform a window handle validation of higher process privilege, cannot SendMessage or PostMessage to higher privilege application windows, cannot use thread hooks to attach to a higher privilege process, cannot use Journal hooks to monitor a higher privilege process and cannot perform DLL–injection to a higher privilege process. 142:, which redirects writes (and subsequent reads) to a per-user location within the user's profile. For example, if an application attempts to write to “C:\program files\appname\settings.ini” and the user doesn't have permissions to write to that directory, the write will get redirected to “C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\.” 330: 126:, which intercept Windows inter-process messages to run malicious code or spoof the user interface, by preventing unauthorized processes from sending messages to high privilege processes. Any process that wants to send a message to a high privilege process must get itself elevated to the higher privilege context, via UAC. 1181:
check-sums signed code. Before loading system binaries, it is verified against the check-sum to ensure it has not modified. The binaries are verified by looking up their signatures in the system catalogs. The Windows Vista boot loader checks the integrity of the kernel, the Hardware Abstraction Layer
1079:
authentication to log into the domain. A bootstrap wireless profile can also be created on the wireless client, which first authenticates the computer to the wireless network and joins the network. At this stage, the machine still does not have any access to the domain resources. The machine will run
745:
certificates, or any custom authentication package and schema third-party developers wish to create. Smart card authentication is flexible as certificate requirements are relaxed. Enterprises may develop, deploy, and optionally enforce custom authentication mechanisms for all domain users. Credential
539:
in 32-bit versions of Windows and is only turned on for critical system components. However, Windows Vista introduces additional NX policy controls that allow software developers to enable NX hardware protection for their code, independent of system-wide compatibility enforcement settings. Developers
477:
to set integrity levels for processes. A low integrity process can not access the resources of a higher integrity process. This feature is being used to enforce application isolation, where applications in a medium integrity level, such as all applications running in the standard user context can not
450:
with a random number, so that the actual address pointed to is hard to retrieve. So would be to manually change a pointer, as the obfuscation key used for the pointer would be very hard to retrieve. Thus, it is made hard for any unauthorized user of the function pointer to be able to actually use it.
1266:
enables the display of the date and time of the last successful interactive logon, and the number of failed logon attempts since the last successful logon with the same user name. This will enable a user to determine if the account was used without his or her knowledge. The policy can be enabled for
1239:
To prevent accidental deletion of Windows, Vista does not allow formatting the boot partition when it is active (right-clicking the C: drive and choosing "Format", or typing in "Format C:" (w/o quotes) at the Command Prompt will yield a message saying that formatting this volume is not allowed). To
992:
domain. Only the computers which are in the same logical network partition will be able to access the resources in the domain. Even though other systems may be physically on the same network, unless they are in the same logical partition, they won't be able to access partitioned resources. A system
987:
API allows socket applications to directly control security of their traffic over a network (such as providing security policy and requirements for traffic, querying security settings) rather than having to add extra code to support a secure connection. Computers running Windows Vista can be a part
199:
The EFS rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files that will use the newly chosen certificate. Certificate Manager also allows users to export their EFS recovery certificates and private keys. Users are reminded to back up their EFS keys
89:
is a new infrastructure that requires user consent before allowing any action that requires administrative privileges. With this feature, all users, including users with administrative privileges, run in a standard user mode by default, since most applications do not require higher privileges. When
451:
Also metadata for heap blocks are XOR-ed with random numbers. In addition, check-sums for heap blocks are maintained, which is used to detect unauthorized changes and heap corruption. Whenever a heap corruption is detected, the application is killed to prevent successful completion of the exploit.
910:
as set by the administrator of a network. Depending on the policy set by the administrator, the computers which do not meet the requirements will either be warned and granted access, allowed access to limited network resources, or denied access completely. NAP can also optionally provide software
297:
Windows Vista includes Windows Defender, Microsoft's anti-spyware utility. According to Microsoft, it was renamed from 'Microsoft AntiSpyware' because it not only features scanning of the system for spyware, similar to other free products on the market, but also includes Real Time Security agents
172:
Windows Vista is the first Microsoft Windows operating system to offer native support for the TPM 1.2 by providing a set of APIs, commands, classes, and services for the use and management of the TPM. A new system service, referred to as TPM Base Services, enables the access to and sharing of TPM
454:
Windows Vista binaries include intrinsic support for detection of stack-overflow. When a stack overflow in Windows Vista binaries is detected, the process is killed so that it cannot be used to carry on the exploit. Also Windows Vista binaries place buffers higher in memory and non buffers, like
442:
handler address in the header. Whenever an exception is thrown, the address of the handler is verified with the one stored in the executable header. If they match, the exception is handled, otherwise it indicates that the run-time stack has been compromised, and hence the process is terminated.
423:
file, which is the file format for Windows executables, to use ASLR. For such executables, the stack and heap allocated is randomly decided. By loading system files at random addresses, it becomes harder for malicious code to know where privileged system functions are located, thereby making it
1174:
Kernel-mode drivers on 64-bit versions of Windows Vista must be digitally signed; even administrators will not be able to install unsigned kernel-mode drivers. A boot-time option is available to disable this check for a single session of Windows. 64-bit user-mode drivers are not required to be
168:
for the system volume. Using the command-line utility, it is possible to encrypt additional volumes. Bitlocker utilizes a USB key or Trusted Platform Module (TPM) version 1.2 of the TCG specifications to store its encryption key. It ensures that the computer running Windows Vista starts in a
679:
in the same login session as the locally logged-in user (Session 0). In Windows Vista, Session 0 is now reserved for these services, and all interactive logins are done in other sessions. This is intended to help mitigate a class of exploits of the Windows message-passing system, known as
263:
authentication, etc. Encryption can also be required for any kind of connection. A connection security rule can be created using a wizard that handles the complex configuration of IPsec policies on the machine. Windows Firewall can allow traffic based on whether the traffic is secured by
562:
PUMA: Protected User Mode Audio (PUMA) is the new User Mode Audio (UMA) audio stack. Its aim is to provide an environment for audio playback that restricts the copying of copyrighted audio, and restricts the enabled audio outputs to those allowed by the publisher of the protected
629:
compartmentalizes the services such that if one service is compromised, it cannot easily attack other services on the system. It prevents Windows services from doing operations on file systems, registry or networks which they are not supposed to, thereby reducing the overall
129:
Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as
758:
and other technologies) as well as machine logon. Credential Providers are also designed to support application-specific credential gathering, and may be used for authentication to network resources, joining machines to a domain, or to provide administrator consent for
298:
that monitor several common areas of Windows for changes which may be caused by spyware. These areas include Internet Explorer configuration and downloads, auto-start applications, system configuration settings, and add-ons to Windows such as Windows Shell extensions.
523:
on all processes to mark some memory pages as non-executable data segments (like the heap and stack), and subsequently any data is prevented from being interpreted and executed as code. This prevents exploit code from being injected as data and then executed.
1240:
format the main hard drive (the drive containing Windows), the user must boot the computer from a Windows installation disc or choose the menu item "Repair Your Computer" from the Advanced System Recovery Options by pressing F8 upon turning on the computer.
879:
prefetching and CAPI2 Diagnostics. Certificate enrollment is wizard-based, allows users to input data during enrollment and provides clear information on failed enrollments and expired certificates. CertEnroll, a new COM-based enrollment API replaces the
1314:
integration with the Windows Firewall. All newly connected networks get defaulted to "Public Location" which locks down listening ports and services. If a network is marked as trusted, Windows remembers that setting for the future connections to that
101:
mode, where the entire screen is faded out and temporarily disabled, to present only the elevation UI. This is to prevent spoofing of the UI or the mouse by the application requesting elevation. If the application requesting elevation does not have
960:(WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is integrated in the stack, and is easier for developers to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic. 1167:, prevents third-party software, including kernel-mode drivers, from modifying the kernel, or any data structure used by the kernel, in any way; if any modification is detected, the system is shut down. This mitigates a common tactic used by 573:). Microsoft claims that without these restrictions the content industry may prevent PCs from playing copyrighted content by refusing to issue license keys for the encryption used by HD DVD, Blu-ray Disc, or other copy-protected systems. 169:
known-good state, and it also protects data from unauthorized access. Data on the volume is encrypted with a Full Volume Encryption Key (FVEK), which is further encrypted with a Volume Master Key (VMK) and stored on the disk itself.
61:" with the underlying ethos of "Secure by design, secure by default, secure in deployment". New code for Windows Vista was developed with the SDL methodology, and all existing code was reviewed and refactored to improve security. 589:(RMS) support, a technology that will allow corporations to apply DRM-like restrictions to corporate documents, email, and intranets to protect them from being copied, printed, or even opened by people not authorized to do so. 1321:
prevents drivers from directly accessing the kernel but instead access it through a dedicated API. This new feature is important because a majority of system crashes can be traced to improperly installed third-party device
1243:
Additional EFS settings allow configuring when encryption policies are updated, whether files moved to encrypted folders are encrypted, Offline Files cache files encryption and whether encrypted items can be indexed by
775:
that enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP). The CredSSP is also used by Terminal Services to provide
419:(ASLR) to load system files at random addresses in memory. By default, all system files are loaded randomly at any of the possible 256 locations. Other executables have to specifically set a bit in the header of the 121:
applications to run, no user mode application can present its dialog boxes on that desktop, so any prompt for elevation consent can be safely assumed to be genuine. Additionally, this can also help protect against
455:
pointers and supplied parameters, in lower memory area. So to actually exploit, a buffer underrun is needed to gain access to those locations. However, buffer underruns are much less common than buffer overruns.
282:
Ability to have separate firewall profiles for when computers are domain-joined or connected to a private or public network. Support for the creation of rules for enforcing server and domain isolation policies.
1080:
a script, stored either on the system or on USB thumb drive, which authenticates it to the domain. Authentication can be done whether by using username and password combination or security certificates from a
1001:, so ECC cipher suites can be negotiated as part of the standard TLS handshake. The Schannel interface is pluggable so advanced combinations of cipher suites can substitute a higher level of functionality. 955:
The interfaces for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information has been replaced with a new framework known as the
805:
which was limited to workgroup computers on Windows XP, can now also be enabled for computers joined to a domain, starting with Windows Vista. Windows Vista also includes authentication support for the
963:
In order to provide better security when transferring data over a network, Windows Vista provides enhancements to the cryptographic algorithms used to obfuscate data. Support for 256-bit and 384-bit
1760: 1171:
to hide themselves from user-mode applications. PatchGuard was first introduced in the x64 edition of Windows Server 2003 Service Pack 1, and was included in Windows XP Professional x64 edition.
110:
occurs, then its taskbar icon blinks, and when focussed, the elevation UI is presented (however, it is not possible to prevent a malicious application from silently obtaining the focus).
1645: 1288:
opt-in, URL handling protection, protection against cross-domain scripting attacks and status-bar spoofing. They run as a low integrity process on Windows Vista, can write only to the
642:(SID), which allows controlling access to the service as per the access specified by the security identifier. A per-service SID may be assigned during the service installation via the 368:, which prevents standard users from logging in during a date or time specified by an administrator (and which locks restricted accounts that are already logged in during such times); 596:, which differs from usual processes in the sense that other processes cannot manipulate the state of such a process, nor can threads from other processes be introduced in it. A 364:
filter to function across all Web browsers—which prohibits access to websites based on categories of content or specific addresses (with an option to block all file downloads);
1340:
calls have been added to let applications retrieve the aggregate health status from the Windows Security Center, and to receive notifications when the health status changes.
188:(PKI), and supports using PKI-based key recovery, data recovery through EFS recovery certificates, or a combination of the two. There are also new Group Policies to require 516:'s processors, can flag certain parts of memory as containing data instead of executable code, which prevents overflow errors from resulting in arbitrary code execution. 504:(No-Execute) feature of modern processors. DEP was introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. This feature, present as NX (EVP) in 795:
keys. This makes sure that encrypted files are accessible only as long as the smart card is physically available. If smart cards are used for logon, EFS operates in a
321:
to prevent users from installing devices, to restrict device installation to a predefined white list, or to restrict access to removable media and classes of devices.
1292:
folder, and cannot gain write access to files and registry keys in a user's profile, protecting the user from malicious content and security vulnerabilities, even in
860:
module which implements all the standard backend cryptographic functions that developers and smart card manufacturers need, so that they do not have to write complex
569:(PVP-OPM) is a technology that prevents copying of protected digital video streams, or their display on video devices that lack equivalent copy protection (typically 478:
hook into system level processes which run in high integrity level, such as administrator mode applications but can hook onto lower integrity processes like Windows
208:. The wizard can also be used by an administrator or users themselves in recovery situations. This method is more efficient than decrypting and reencrypting files. 976: 1332:
software as well as monitor and restore several Internet Explorer security settings and User Account Control. For anti-virus software that integrates with the
558:
and content-protection features have been introduced in Windows Vista to help digital content providers and corporations protect their data from being copied.
94:), an administrator can choose to be prompted just for consent or ask for credentials. If the user doesn't click Yes, after 30 seconds the prompt is denied. 58: 57:
initiative, a great deal of work has gone into making Windows Vista a more secure operating system than its predecessors. Internally, Microsoft adopted a "
1954: 196:, and prohibit self-signed certificates. The EFS encryption key cache can be cleared when a user locks his workstation or after a certain time limit. 1927: 1236:. Certificate rules can now be enabled through the Enforcement Property dialog box from within the Software Restriction Policies snap-in extension. 884:
library for flexible programmability. Credential roaming capabilities replicate Active Directory key pairs, certificates and credentials stored in
425: 1609: 1203:
Stronger encryption is used for storing LSA secrets (cached domain records, passwords, EFS encryption keys, local security policy, auditing etc.)
1042:
cryptographic protocol to add features like authentication with multiple credentials, alternate method negotiation and asymmetric authentication.
1810: 1095:
Host (EAPHost) framework that provides extensibility for authentication methods for commonly used protected network access technologies such as
1978: 1649: 1057:(EAP-TLS) is the default authentication mode. Connections are made at the most secure connection level supported by the wireless access point. 1673: 309:
network, which allows users to communicate with Microsoft, send what they consider is spyware, and check which applications are acceptable.
1106: 1072: 1273:
prevents potentially damaging system configuration changes, by preventing changes to system files and settings by any process other than
726: 64:
Some specific areas where Windows Vista introduces new security and safety mechanisms include User Account Control, parental controls,
1255:(Credentials Manager) feature includes a new wizard to back up user names and passwords to a file and restore them on systems running 17: 1433: 852:. It is extensible, featuring support for plugging in custom cryptographic APIs into the CNG runtime. It also integrates with the 615: 1354:
The built-in administrator account is disabled by default on a clean installation of Windows Vista. It cannot be accessed from
1067:
to use the same credentials to join a wireless network as well as the domain housed within the network. In this case, the same
1054: 253:
Rules can be configured for services by its service name chosen by a list, without needing to specify the full path file name.
1388: 733:. Combined with supporting hardware, Credential Providers can extend the operating system to enable users to log on through 1061:
can be used even in ad hoc mode. Windows Vista enhances security when joining a domain over a wireless network. It can use
1343:
Protected Storage (PStore) has been deprecated and therefore made read-only in Windows Vista. Microsoft recommends using
1113:. The authentication mechanisms supported are PEAPv0/EAP-MSCHAPv2 (passwords) and PEAP-TLS (smartcards and certificates). 772: 695:
Services also need explicit write permissions to write to resources, on a per-service basis. By using a write-restricted
377: 1851:
An update is available that enables the support of Enhanced Storage devices in Windows Vista and in Windows Server 2008
1092: 872: 586: 468: 416: 1206:
Support for the IEEE 1667 authentication standard for USB flash drives with a hotfix for Windows Vista Service Pack 2.
1516: 1485: 1110: 964: 404: 250:
With the advanced packet filter, rules can also be specified for source and destination IP addresses and port ranges.
1099:
and PPP. It allows networking vendors to develop and easily install new authentication methods known as EAP methods.
1771: 1120: 535:. But not all applications are DEP-compliant and some will generate DEP exceptions. Therefore, DEP is not enforced 373: 906:(NAP), which ensures that computers connecting to or communicating with a network conform to a required level of 868:
can issue ECC certificates and the certificate client can enroll and validate ECC and SHA-2 based certificates.
204:. The rekeying wizard can also be used to migrate users in existing installations from software certificates to 1713: 861: 857: 738: 192:
for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, enforce encryption of the user's
911:
updates to a non-compliant computer to upgrade itself to the level as required to access the network, using a
345:
for administrators to monitor and restrict computer activity of standard user accounts that are not part of a
1839: 36: 1784: 1011:
and offers simplified configuration and improved authentication. IPsec supports IPv6, including support for
1907: 1894: 1210: 1116: 968: 268: 1749: 1547: 424:
unlikely for them to predictably use them. This helps prevent most remote execution attacks by preventing
1931: 1614: 1454: 1270: 1225: 1214: 998: 876: 841: 828:
Windows Vista features an update to the crypto API known as Cryptography API: Next Generation (CNG). The
730: 464: 1584: 1973: 1318: 1045:
Security for wireless networks is being improved with better support for newer wireless standards like
957: 600:
has enhanced access to DRM-functions of Windows Vista. However, currently, only the applications using
1623: 1818: 1153: 1081: 1024: 994: 903: 897: 788: 611: 555: 520: 495: 185: 65: 1050: 799:
mode, where it uses the logon smart card for file encryption without further prompting for the PIN.
1988: 1872: 1861: 980: 845: 361: 1681: 393: 259:
is fully integrated, allowing connections to be allowed or denied based on security certificates,
1883: 1325: 1160: 1131: 579:(PVP-UAB) is similar to PVP-OPM, except that it applies encryption of protected content over the 159: 1701: 1220:
Software Restriction Policies introduced in Windows XP have been improved in Windows Vista. The
1983: 792: 372:, which allows administrators to block games based on names, contents, or ratings defined by a 155: 225:
significantly improves the firewall to address a number of concerns around the flexibility of
1347:
to add new PStore data items or manage existing ones. Internet Explorer 7 and later also use
1039: 1012: 865: 346: 54: 1737: 1139: 1124: 760: 751: 602: 549: 350: 201: 165: 81: 519:
If the processor supports the NX-bit, Windows Vista automatically enforces hardware-based
8: 1281: 972: 927: 811: 802: 657: 639: 483: 479: 435: 420: 260: 177: 1560: 1410: 439: 135: 931: 1714:"Windows Vista Security and Data Protection Improvements – Windows Service Hardening" 1459: 1368: 1336:, it presents the solution to fix any problems in its own user interface. Also, some 1274: 1027:
and Network Diagnostics Framework support. To increase security and deployability of
1020: 823: 342: 305:
applications that are installed and block startup programs. It also incorporates the
173:
resources for developers who wish to build applications with support for the device.
103: 44: 849: 388:
games with mild language will still be blocked if mild language itself is blocked);
1589: 1190:
and system installed dynamic libraries that implement core cryptographic functions.
1008: 989: 532: 306: 292: 217: 47: 1811:"Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista" 329: 1293: 676: 635: 428: 176:
Encrypting File System (EFS) in Windows Vista can be used to encrypt the system
1245: 1063: 796: 777: 747: 722: 681: 631: 244: 123: 400:, which monitors and records activities of restricted standard user accounts. 380:, with content restrictions taking precedence over rating restrictions (e.g., 1967: 1958: 1550:
covers the new features and interfaces in Windows Firewall in greater detail.
1256: 1102: 729:), used for secure authentication and interactive logon has been replaced by 222: 181: 39: 1884:
Using Software Restriction Policies to Protect Against Unauthorized Software
1358:
too as long as there is at least one additional local administrator account.
1263: 1046: 696: 648: 318: 193: 1561:"Step-By-Step Guide to Controlling Device Installation Using Group Policy" 1304:) to store their credentials such as passwords instead of the less secure 1224:
security level is exposed by default instead of being hidden. The default
1850: 1337: 1096: 837: 768: 684:. The process hosting a service has only the privileges specified in the 580: 663:
Services in Windows Vista also run in a less privileged account such as
317:
Windows Vista allow administrators to enforce hardware restrictions via
1182:(HAL), and the boot-start drivers. Aside from the kernel memory space, 853: 784: 742: 734: 700: 205: 189: 1738:
Impact of Session 0 Isolation on Services and Drivers in Windows Vista
1284:
and later introduce several security changes such as phishing filter,
1199:
A number of specific security and reliability changes have been made:
403:
Windows Parental Controls includes an extensible set of options, with
1619: 1594: 1570: 1526: 1495: 1464: 1355: 1277:. Also, changes to the registry by unauthorized software are blocked. 1267:
local users as well as computers joined to a functional-level domain.
833: 333:
Parental Controls of Windows Vista displaying features to restrict a
151: 1434:"Windows Vista Beta 2 BitLocker Drive Encryption Step-by-Step Guide" 1085: 919:, which it then uses to access protected resources on the network. 716: 707:
servers to prevent other processes from being able to hijack them.
164:
BitLocker, formerly known as "Secure Startup", this feature offers
1213:
encryption. The SChannel SSP also has stronger AES encryption and
407:(APIs) for developers to replace bundled features with their own. 1329: 1285: 1168: 1076: 984: 829: 660:(ACL) to prevent external access to resources private to itself. 576: 566: 358: 302: 240: 69: 771:. A new Security Service Provider, CredSSP is available through 239:
Outbound packet filtering, reflecting increasing concerns about
1455:"Windows Trusted Platform Module Management Step-by-Step Guide" 1233: 1068: 1035: 1016: 939: 755: 501: 1348: 1344: 1301: 1028: 1004: 967:(DH) algorithms, as well as for 128-bit, 192-bit and 256-bit 949: 704: 513: 509: 276: 256: 53:
Beginning in early 2002 with Microsoft's announcement of its
1386: 1328:
has been upgraded to detect and report the presence of anti-
844:(ECC) and a number of newer algorithms that are part of the 634:
on the system and preventing entry of malware by exploiting
1565: 1521: 1490: 1135: 1058: 943: 764: 570: 233: 184:
cache. EFS is also more tightly integrated with enterprise
1389:"The Trustworthy Computing Security Development Lifecycle" 1296:. Also, Internet Explorer 7 and later use the more secure 875:(OCSP) providing real-time certificate validity checking, 275:
which provides access to many advanced options, including
1229: 1127: 1031: 993:
may be part of multiple network partitions. The Schannel
971:(AES) is included in the network stack itself and in the 935: 737:(fingerprint, retinal, or voice recognition), passwords, 505: 447: 1152:
64-bit versions of Windows Vista enforce hardware-based
353:
enforces administrative restrictions. Features include:
871:
Revocation improvements include native support for the
1610:"Address Space Layout Randomization in Windows Vista" 930:
acts as health policy server and clients need to use
301:
Windows Defender also includes the ability to remove
72:
tool, and new digital content protection mechanisms.
1873:
TLS/SSL Cryptographic Enhancements in Windows Vista
791:). Windows Vista can also use smart cards to store 783:Windows Vista can authenticate user accounts using 567:
Protected Video Path - Output Protection Management
410: 1740:covers Windows Vista's session isolation changes. 1585:"Managing Hardware Restrictions via Group Policy" 1130:protocol which provides a mechanism to transport 946:server can also act as the health policy server. 279:configuration, and enables remote administration. 1965: 1731: 1668: 1666: 438:format has been updated to support embedding of 1540: 787:or a combination of passwords and Smart Cards ( 43:, most of which are not available in any prior 384:games may be permitted to run in general, but 312: 1674:"Output Content Protection and Windows Vista" 1663: 1351:instead of PStore to store their credentials. 1209:The Kerberos SSP has been updated to support 1194: 1862:Kerberos Enhancements in Windows Vista: MSDN 1785:"An Introduction to Kernel Patch Protection" 891: 621: 543: 489: 1680:. Microsoft. April 27, 2005. Archived from 1387:Steve Lipner, Michael Howard (March 2005). 1146: 1075:authentication for joining the network and 710: 531:, users gain additional resistance against 950:Other networking-related security features 675:account. Previous versions of Windows ran 638:. Services are now assigned a per-service 577:Protected Video Path - User-Accessible Bus 500:Windows Vista offers full support for the 378:Entertainment Software Rating Board (ESRB) 1817:. Microsoft. May 19, 2006. Archived from 1803: 1601: 1577: 988:of logically isolated networks within an 763:. Authentication is also supported using 1905: 1646:"Security advancements in Windows Vista" 1426: 1402: 997:includes new cipher suites that support 750:(SSO), authenticating users to a secure 458: 328: 1478: 1408: 273:Windows Firewall with Advanced Security 138:) UAC attempts to alleviate this using 75: 14: 1966: 1761:The Cable Guy: Wireless Single Sign-On 1607: 1553: 1228:rule algorithm has been upgraded from 690:HKLM\System\CurrentControlSet\Services 1979:Microsoft Windows security technology 1782: 746:Providers may be designed to support 1702:Protected Processes in Windows Vista 446:Function pointers are obfuscated by 324: 1548:January 2006 issue of The Cable Guy 773:Security Support Provider Interface 286: 211: 30: 24: 1509: 1447: 1380: 1280:Protected-Mode Internet Explorer: 1093:Extensible Authentication Protocol 873:Online Certificate Status Protocol 469:User Interface Privilege Isolation 417:Address Space Layout Randomization 405:application programming interfaces 341:Windows Vista includes a range of 25: 2000: 1948: 1895:Windows Vista Management features 915:. A conforming client is given a 1783:Field, Scott (August 11, 2006). 1608:Howard, Michael (May 26, 2006). 1186:verifies binaries loaded into a 1121:Secure Socket Tunneling Protocol 411:Exploit protection functionality 374:video game content rating system 140:File and Registry Virtualization 1920: 1908:"Windows Vista Ultimate Review" 1899: 1888: 1877: 1866: 1855: 1844: 1833: 1776: 1765: 1754: 1743: 1706: 1695: 1638: 1253:Stored User Names and Passwords 1091:Windows Vista also includes an 1019:and data encryption, client-to- 886:Stored user names and passwords 817: 606:can create Protected Processes. 537:for all applications by default 396:for specific applications; and 856:subsystem by including a Base 840:API that includes support for 614:features has been a source of 512:processors and as XD (EDB) in 117:allows only highest privilege 97:UAC asks for credentials in a 59:Security Development Lifecycle 13: 1: 1391:. Microsoft Developer Network 1374: 1023:protection, integration with 1007:is now fully integrated with 965:Elliptic curve Diffie–Hellman 721:Graphical identification and 247:that attempt to "phone home". 145: 92:Over-the-shoulder Credentials 1117:Windows Vista Service Pack 1 1055:EAP Transport Layer Security 969:Advanced Encryption Standard 808:Read-Only Domain Controllers 656:verb. Services can also use 229:in a corporate environment: 134:) or registry keys (notably 7: 1928:"SPAP Deprecation (PStore)" 1789:Windows Vista Security blog 1362: 1271:Windows Resource Protection 1259:or later operating systems. 999:Elliptic curve cryptography 983:and TLS connections in new 842:elliptic curve cryptography 592:Windows Vista introduces a 475:Mandatory Integrity Control 465:Mandatory Integrity Control 313:Device Installation Control 10: 2005: 1319:User-Mode Driver Framework 1312:Network Location Awareness 1306:Protected Storage (PStore) 1195:Other features and changes 958:Windows Filtering Platform 895: 821: 714: 616:criticism of Windows Vista 587:Rights Management Services 547: 493: 462: 290: 215: 149: 79: 1720:. Microsoft. June 1, 2005 1436:. Microsoft TechNet. 2005 1154:Data Execution Prevention 1134:(PPP) traffic (including 1082:Public key infrastructure 1034:, Windows Vista includes 1025:Network Access Protection 904:Network Access Protection 902:Windows Vista introduces 898:Network Access Protection 892:Network Access Protection 789:Two-factor authentication 627:Windows Service Hardening 622:Windows Service Hardening 612:digital rights management 556:digital rights management 544:Digital rights management 521:Data Execution Prevention 496:Data Execution Prevention 490:Data Execution Prevention 473:Windows Vista introduces 200:upon first use through a 186:Public Key Infrastructure 66:Network Access Protection 18:Windows Service Hardening 1290:Temporary Internet Files 1262:A new policy setting in 1147:x86-64-specific features 1071:server is used for both 846:National Security Agency 711:Authentication and logon 421:Portable Executable (PE) 390:Application Restrictions 355:Windows Vista Web Filter 1750:AuthIP in Windows Vista 1326:Windows Security Center 1161:Kernel Patch Protection 1132:Point-to-Point Protocol 160:Trusted Platform Module 1411:"UAC - What. How. Why" 1409:Charles (2007-03-05). 1163:, also referred to as 394:application whitelists 338: 156:Encrypting File System 1955:Vista vulnerabilities 1084:(PKI) vendor such as 1013:Internet key exchange 979:. Direct support for 924:Network Policy Server 866:certificate authority 688:registry value under 610:The inclusion of new 459:Application isolation 337:standard user account 332: 106:before the switch to 55:Trustworthy Computing 1138:traffic) through an 1105:supports the use of 888:within the network. 761:User Account Control 752:network access point 731:Credential Providers 658:access control lists 646:API or by using the 644:ChangeServiceConfig2 603:Protected Video Path 550:Protected Media Path 529:for all applications 351:User Account Control 236:connection filtering 202:balloon notification 166:full disk encryption 87:User Account Control 82:User Account Control 76:User Account Control 35:security and safety 1840:Windows LSA Secrets 1597:. 8 September 2016. 1517:"TPM Base Services" 1298:Data Protection API 1282:Internet Explorer 7 928:Windows Server 2008 812:Windows Server 2008 803:Fast User Switching 640:Security identifier 480:Internet Explorer 7 436:Portable Executable 415:Windows Vista uses 382:Everyone 10+ (E10+) 1772:EAPHost in Windows 1123:, a new Microsoft 1038:which extends the 917:Health Certificate 913:Remediation Server 686:RequiredPrivileges 527:If DEP is enabled 357:—implemented as a 339: 269:management console 68:, a built-in anti- 1974:Software features 1906:CNET.com (2007). 1821:on April 12, 2006 1486:"Win32_Tpm class" 1369:Computer security 1275:Windows Installer 1188:protected process 1175:digitally signed. 824:Cryptographic API 735:biometric devices 671:, instead of the 652:command with the 598:Protected Process 594:Protected Process 533:zero-day exploits 370:Game Restrictions 343:parental controls 325:Parental Controls 180:and the per-user 45:Microsoft Windows 16:(Redirected from 1996: 1943: 1942: 1940: 1939: 1930:. Archived from 1924: 1918: 1917: 1915: 1914: 1903: 1897: 1892: 1886: 1881: 1875: 1870: 1864: 1859: 1853: 1848: 1842: 1837: 1831: 1830: 1828: 1826: 1807: 1801: 1800: 1798: 1796: 1780: 1774: 1769: 1763: 1758: 1752: 1747: 1741: 1735: 1729: 1728: 1726: 1725: 1710: 1704: 1699: 1693: 1692: 1690: 1689: 1684:on 6 August 2005 1670: 1661: 1660: 1658: 1657: 1648:. Archived from 1642: 1636: 1635: 1633: 1631: 1622:. Archived from 1605: 1599: 1598: 1590:TechNet Magazine 1581: 1575: 1574: 1557: 1551: 1544: 1538: 1537: 1535: 1533: 1513: 1507: 1506: 1504: 1502: 1482: 1476: 1475: 1473: 1471: 1451: 1445: 1444: 1442: 1441: 1430: 1424: 1423: 1421: 1420: 1415: 1406: 1400: 1399: 1397: 1396: 1384: 1294:ActiveX controls 1232:to the stronger 1009:Windows Firewall 990:Active Directory 864:. The Microsoft 651: 398:Activity Reports 293:Windows Defender 287:Windows Defender 227:Windows Firewall 218:Windows Firewall 212:Windows Firewall 194:Documents folder 48:operating system 33:are a number of 32: 27:Overview article 21: 2004: 2003: 1999: 1998: 1997: 1995: 1994: 1993: 1989:Microsoft lists 1964: 1963: 1951: 1946: 1937: 1935: 1926: 1925: 1921: 1912: 1910: 1904: 1900: 1893: 1889: 1882: 1878: 1871: 1867: 1860: 1856: 1849: 1845: 1838: 1834: 1824: 1822: 1809: 1808: 1804: 1794: 1792: 1781: 1777: 1770: 1766: 1759: 1755: 1748: 1744: 1736: 1732: 1723: 1721: 1712: 1711: 1707: 1700: 1696: 1687: 1685: 1672: 1671: 1664: 1655: 1653: 1644: 1643: 1639: 1629: 1627: 1626:on May 29, 2006 1606: 1602: 1583: 1582: 1578: 1559: 1558: 1554: 1545: 1541: 1531: 1529: 1515: 1514: 1510: 1500: 1498: 1484: 1483: 1479: 1469: 1467: 1453: 1452: 1448: 1439: 1437: 1432: 1431: 1427: 1418: 1416: 1413: 1407: 1403: 1394: 1392: 1385: 1381: 1377: 1365: 1334:Security Center 1197: 1149: 952: 900: 894: 826: 820: 719: 713: 682:Shatter attacks 677:system services 669:Network Service 647: 636:system services 624: 552: 546: 498: 492: 471: 463:Main articles: 461: 429:buffer overflow 413: 327: 315: 295: 289: 220: 214: 162: 150:Main articles: 148: 124:shatter attacks 84: 78: 37:features new to 28: 23: 22: 15: 12: 11: 5: 2002: 1992: 1991: 1986: 1981: 1976: 1962: 1961: 1950: 1949:External links 1947: 1945: 1944: 1919: 1898: 1887: 1876: 1865: 1854: 1843: 1832: 1802: 1775: 1764: 1753: 1742: 1730: 1705: 1694: 1662: 1637: 1600: 1576: 1573:. 11 May 2010. 1552: 1539: 1508: 1477: 1446: 1425: 1401: 1378: 1376: 1373: 1372: 1371: 1364: 1361: 1360: 1359: 1352: 1341: 1323: 1316: 1309: 1278: 1268: 1260: 1249: 1246:Windows Search 1241: 1237: 1218: 1207: 1204: 1196: 1193: 1192: 1191: 1184:Code Integrity 1179:Code Integrity 1176: 1172: 1157: 1148: 1145: 1144: 1143: 1114: 1100: 1089: 1064:Single Sign On 1043: 1002: 961: 951: 948: 932:Windows XP SP3 896:Main article: 893: 890: 822:Main article: 819: 816: 810:introduced in 797:single sign-on 778:single sign-on 748:Single sign-on 723:authentication 715:Main article: 712: 709: 632:attack surface 623: 620: 608: 607: 590: 584: 574: 564: 548:Main article: 545: 542: 494:Main article: 491: 488: 460: 457: 426:return-to-LIBC 412: 409: 326: 323: 314: 311: 291:Main article: 288: 285: 284: 283: 280: 271:snap-in named 265: 254: 251: 248: 237: 216:Main article: 213: 210: 147: 144: 115:Secure Desktop 108:Secure Desktop 99:Secure Desktop 80:Main article: 77: 74: 26: 9: 6: 4: 3: 2: 2001: 1990: 1987: 1985: 1984:Windows Vista 1982: 1980: 1977: 1975: 1972: 1971: 1969: 1960: 1959:SecurityFocus 1956: 1953: 1952: 1934:on 2008-04-21 1933: 1929: 1923: 1909: 1902: 1896: 1891: 1885: 1880: 1874: 1869: 1863: 1858: 1852: 1847: 1841: 1836: 1820: 1816: 1812: 1806: 1790: 1786: 1779: 1773: 1768: 1762: 1757: 1751: 1746: 1739: 1734: 1719: 1715: 1709: 1703: 1698: 1683: 1679: 1675: 1669: 1667: 1652:on 2007-04-11 1651: 1647: 1641: 1625: 1621: 1617: 1616: 1611: 1604: 1596: 1592: 1591: 1586: 1580: 1572: 1568: 1567: 1562: 1556: 1549: 1543: 1528: 1524: 1523: 1518: 1512: 1497: 1493: 1492: 1487: 1481: 1466: 1462: 1461: 1456: 1450: 1435: 1429: 1412: 1405: 1390: 1383: 1379: 1370: 1367: 1366: 1357: 1353: 1350: 1346: 1342: 1339: 1335: 1331: 1327: 1324: 1320: 1317: 1313: 1310: 1307: 1303: 1299: 1295: 1291: 1287: 1283: 1279: 1276: 1272: 1269: 1265: 1261: 1258: 1257:Windows Vista 1254: 1250: 1247: 1242: 1238: 1235: 1231: 1227: 1223: 1219: 1216: 1212: 1208: 1205: 1202: 1201: 1200: 1189: 1185: 1180: 1177: 1173: 1170: 1166: 1162: 1158: 1155: 1151: 1150: 1141: 1137: 1133: 1129: 1126: 1122: 1118: 1115: 1112: 1108: 1104: 1103:Windows Vista 1101: 1098: 1094: 1090: 1087: 1083: 1078: 1074: 1070: 1066: 1065: 1060: 1056: 1052: 1048: 1044: 1041: 1037: 1033: 1030: 1026: 1022: 1018: 1014: 1010: 1006: 1003: 1000: 996: 991: 986: 982: 978: 975:protocol and 974: 970: 966: 962: 959: 954: 953: 947: 945: 941: 937: 933: 929: 925: 920: 918: 914: 909: 908:system health 905: 899: 889: 887: 883: 878: 874: 869: 867: 863: 859: 855: 851: 847: 843: 839: 835: 831: 825: 815: 813: 809: 804: 800: 798: 794: 790: 786: 781: 779: 774: 770: 766: 762: 757: 753: 749: 744: 740: 736: 732: 728: 724: 718: 708: 706: 702: 698: 693: 691: 687: 683: 678: 674: 670: 666: 665:Local Service 661: 659: 655: 650: 645: 641: 637: 633: 628: 619: 617: 613: 605: 604: 599: 595: 591: 588: 585: 582: 578: 575: 572: 568: 565: 561: 560: 559: 557: 551: 541: 538: 534: 530: 525: 522: 517: 515: 511: 507: 503: 497: 487: 485: 481: 476: 470: 466: 456: 452: 449: 444: 441: 437: 432: 430: 427: 422: 418: 408: 406: 401: 399: 395: 392:, which uses 391: 387: 383: 379: 375: 371: 367: 363: 360: 356: 352: 348: 344: 336: 331: 322: 320: 310: 308: 304: 299: 294: 281: 278: 274: 270: 266: 262: 258: 255: 252: 249: 246: 242: 238: 235: 232: 231: 230: 228: 224: 223:Windows Vista 219: 209: 207: 203: 197: 195: 191: 187: 183: 182:Offline Files 179: 174: 170: 167: 161: 157: 153: 143: 141: 137: 133: 132:Program Files 127: 125: 120: 116: 111: 109: 105: 100: 95: 93: 88: 83: 73: 71: 67: 62: 60: 56: 51: 49: 46: 42: 41: 40:Windows Vista 38: 19: 1936:. Retrieved 1932:the original 1922: 1911:. Retrieved 1901: 1890: 1879: 1868: 1857: 1846: 1835: 1823:. Retrieved 1819:the original 1814: 1805: 1793:. Retrieved 1791:. MSDN Blogs 1788: 1778: 1767: 1756: 1745: 1733: 1722:. Retrieved 1717: 1708: 1697: 1686:. Retrieved 1682:the original 1677: 1654:. Retrieved 1650:the original 1640: 1628:. Retrieved 1624:the original 1613: 1603: 1588: 1579: 1564: 1555: 1542: 1530:. Retrieved 1520: 1511: 1499:. Retrieved 1489: 1480: 1468:. Retrieved 1458: 1449: 1438:. Retrieved 1428: 1417:. Retrieved 1404: 1393:. Retrieved 1382: 1333: 1311: 1305: 1297: 1289: 1264:Group Policy 1252: 1221: 1198: 1187: 1183: 1178: 1164: 1159:An upgraded 1062: 977:GSS messages 934:or later. A 923: 921: 916: 912: 907: 901: 885: 881: 870: 827: 818:Cryptography 807: 801: 782: 769:Web services 754:(leveraging 720: 697:access token 694: 689: 685: 672: 668: 664: 662: 653: 643: 626: 625: 609: 601: 597: 593: 553: 536: 528: 526: 518: 499: 474: 472: 453: 445: 433: 414: 402: 397: 389: 385: 381: 376:such as the 369: 365: 354: 340: 334: 319:Group Policy 316: 300: 296: 272: 226: 221: 198: 175: 171: 163: 139: 131: 128: 118: 114: 112: 107: 98: 96: 91: 86: 85: 63: 52: 34: 29: 1532:18 November 1501:18 November 1470:18 November 1338:Windows API 1125:proprietary 838:kernel mode 785:Smart Cards 701:named pipes 581:PCI Express 366:Time Limits 206:smart cards 190:smart cards 1968:Categories 1938:2007-04-17 1913:2007-01-31 1795:August 12, 1724:2006-05-21 1688:2006-04-30 1656:2007-04-10 1440:2006-04-13 1419:2007-03-23 1395:2006-02-15 1375:References 1222:Basic user 1165:PatchGuard 1077:MS-CHAP v2 942:server or 926:, running 854:smart card 743:smart card 146:Encryption 113:Since the 1630:March 20, 1620:Microsoft 1595:Microsoft 1571:Microsoft 1527:Microsoft 1496:Microsoft 1465:Microsoft 1356:safe mode 1119:includes 834:user mode 440:exception 431:attacks. 178:page file 152:BitLocker 50:release. 1363:See also 1322:drivers. 1315:network. 1217:support. 1169:rootkits 1142:channel. 1086:VeriSign 973:Kerberos 938:server, 717:Winlogon 703:used by 563:content. 335:Danielle 261:Kerberos 1825:May 19, 1718:TechNet 1460:TechNet 1414:(video) 1330:malware 1286:ActiveX 1047:802.11i 1015:(IKE), 985:Winsock 882:XEnroll 850:Suite B 830:CNG API 654:sidtype 448:XOR-ing 359:Winsock 303:ActiveX 245:viruses 241:spyware 70:malware 1234:SHA256 1097:802.1X 1069:RADIUS 1036:AuthIP 1017:AuthIP 940:RADIUS 848:(NSA) 756:RADIUS 673:System 649:SC.EXE 347:domain 307:SpyNet 267:A new 264:IPsec. 158:, and 119:System 1957:from 1349:DPAPI 1345:DPAPI 1302:DPAPI 1109:with 1029:IPsec 1005:IPsec 832:is a 514:Intel 510:AMD64 277:IPsec 257:IPsec 104:focus 31:There 1827:2006 1815:WHDC 1797:2006 1678:WHDC 1632:2023 1615:MSDN 1566:MSDN 1546:The 1534:2014 1522:MSDN 1503:2014 1491:MSDN 1472:2014 1251:The 1226:hash 1136:IPv6 1111:PPTP 1107:PEAP 1073:PEAP 1059:WPA2 1051:WPA2 1032:VPNs 944:DHCP 862:CSPs 836:and 765:IPv6 741:and 739:PINs 727:GINA 583:bus. 571:HDCP 554:New 467:and 434:The 386:E10+ 243:and 234:IPv6 136:HKLM 1230:MD5 1215:ECC 1211:AES 1140:SSL 1128:VPN 1053:). 1040:IKE 995:SSP 981:SSL 936:VPN 877:CRL 858:CSP 793:EFS 767:or 705:RPC 667:or 508:'s 506:AMD 482:or 362:LSP 1970:: 1813:. 1787:. 1716:. 1676:. 1665:^ 1618:. 1612:. 1593:. 1587:. 1569:. 1563:. 1525:. 1519:. 1494:. 1488:. 1463:. 1457:. 1021:DC 922:A 814:. 780:. 692:. 618:. 502:NX 349:; 154:, 1941:. 1916:. 1829:. 1799:. 1727:. 1691:. 1659:. 1634:. 1536:. 1505:. 1474:. 1443:. 1422:. 1398:. 1308:. 1300:( 1248:. 1088:. 1049:( 725:( 484:8 20:)

Index

Windows Service Hardening
features new to
Windows Vista
Microsoft Windows
operating system
Trustworthy Computing
Security Development Lifecycle
Network Access Protection
malware
User Account Control
focus
shatter attacks
HKLM
BitLocker
Encrypting File System
Trusted Platform Module
full disk encryption
page file
Offline Files
Public Key Infrastructure
smart cards
Documents folder
balloon notification
smart cards
Windows Firewall
Windows Vista
IPv6
spyware
viruses
IPsec

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.

↑