Microsoft Vista could do better on security

The world still holds its breath while waiting for the arrival of Window's Vista in 2006, but for security at least, it seems you just might die of asphyxiation before anything changes.

Despite all the proclamations of Next Generation Secure Computing Base (NGSCB) and Trusted Computing, on the face of it, Microsoft is only paying marketing-attention to security. While some aspects of Vista are going to make your computer more secure, there are plenty of other well-tried technologies that are missing or have yet to be announced.

Take the Trusted Platform Module. More commonly known as the TPM, it is based on standards from the Trusted Computer Group, a working party of nearly all major software and hardware manufactures, including Microsoft.

TPM is a hardware security device for storing encryption keys and enabling encryption services. It is currently shipped on most laptops and business grade PCs, and is soon to be ubiquitous on devices of all sorts.

Vista makes use of it for Secure Startup and disk encryption (a service known as Full Volume Encryption or FVE), but uses its own algorithms. According to new research from analyst firm Gartner, this leaves "a possibility of in-memory attacks for keys."

Ironically, unless encryption keys are held in tamper-proof hardware, malicious software can easily locate memory-stored keys by seeking the tell-tale signature of random bytes. This is one of the main reasons for a company to utilise the TPM.

But it's not just the failure to use readily available features that is surprising. After the long wait for a comprehensive firewall – the one shipped with XP SP2 filters incoming data only, meaning once installed, spyware and other ill-conceived applications can phone-home at will – Vista's effort will merely play catch-up, replicating features of other firewalls but adding nothing new.

As Gartner says: "You should already have a more-capable firewall product for your laptops today."

The analyst lists half a dozen features a modern firewall should contain but that are missing from Vista's, including: Per application port-access blocking; Universal Serial Bus firewalling; centralised alerting and reporting; Integration with antivirus/anti-spyware console.

It does make you wonder if Microsoft has been totally honest about their focus on security. Vista will certainly be a much-needed improvement, but it is not a quantum leap, not Next Generation, and if you are security savvy, you'll gain little from Vista.

Which is why Gartner says that most users who have standardised their OS on Windows XP SP2, and higher, will not find the value proposition of Windows Vista compelling enough to migrate en masse.

There is a feeling that MS is spreading itself too thin. In the effort to provide everything bundled up with the OS, it is failing to implement the details. You certainly don't get the impression that independent security vendors have much to fear. In fact, Microsoft offering less-than-complete security features merely serves to educate users to the need for proper investment.

However, in discussion with Contractor UK senior analyst at Butler Group, Richard Edwards, says this may be part of a canny game, which in fact, enterprises are not yet ready for the complications of hardware and software security, and Microsoft knows it.

If Vista took full advantage of the TPM, he believes more data would be lost through poor management of encryption keys than through espionage or malware attacks.

On security, Edwards expects "No great innovation [from Microsoft] in the next 12 months," but believes once the markets have shown a readiness for tighter security and have met the challenge of encryption key management, the Seattle behemoth will be ready with more sophisticated products.

He advises looking to Microsoft's new Win Live services such as Safety Center [sic] and Integrated protection, for a fuller picture of its consumer security strategy.

Rather than worrying about what's missing from Vista, Edwards suggests Microsoft are building steadily upon the good work of XP SP2. And yet, he does wonder about Microsoft's disclosure strategy that is keeping analysts and media guessing.

One recent news item suggested Gartner were advising businesses to stay away from Vista until at least 2008. Yet speaking to Contractor UK, its research VP and author of the research, Michael A. Silver, said press reports were exaggerated and missed the point.

Role out for Vista should be treated like any other system upgrade, he says, with careful planning, change control and phased implementations.

"Vista is not something you can ignore," Mr Silver explained.

In the end of course, for the majority of couldn't-care-less users without the technical sophistication to install Linux, there will be no choice but to move "up" to Vista.

Like all MS operating systems before, one way or the other, and usually by default, it finds its way onto your PC.

William Knight

Printer Friendly, PDF & Email

Sign up to our Weekly Newsletter

Keep up to date with everything in the world of contracting.


Contractor's Question

If you have a question about contracting please feel free to ask us!

Ask a question