Windows Vista Security One Year Later

Now that Windows Vista has been available to business customers for more than a year, it's a good time to go back and look at how it's holding up from a security perspective. I think that it's fair to say that Windows Vista is proving to be the most secure version of the Windows to date. Our investments in the SDL and our defense in depth approach to building Windows Vista seem to be paying off. Let's take a look at some areas that we've made progress in: the impact of defense-in-depth; Internet Explorer 7's protection of personal information; vulnerabilities and infections; and cost savings. First, let's look at the impact of defense-in-depth features like User Account Control and Internet Explorer Protected Mode. These features have helped reduce both the risk and severity of security bulletins, giving enterprises more time to deploy patches:

  • Running as standard user, which is the recommended configuration and made easier in Windows Vista thanks to User Account Control, helps reduce the impact of any particular vulnerability. Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069. This is a great illustration of the importance of User Account Control and why we included it in the product. It's also the reason I personally run as a standard user on every machine I use.
  • Because of IE Protected Mode, the MS07-056 bulletin from October '07 was rated important on Windows Vista and critical on Windows XP. The bulletin rating helps organizations determine the urgency with which they need to deploy the update. Fewer critical updates help organizations maintain regular processes around patch management.

View: Full Story @ MSDN Blogs


Report a problem with article
Previous Story

Flock 1.0.7

Next Story

slimKEYS 1.2.8069 with new slimSMOKE plug-in

38 Comments

Commenting is disabled on this article.

There's just one thing that I can add to that: Most people don't like Vista.

People who never had a computer before, don't mind, they don't know better. But people who have work with XP for years, don't like Vista. People don't mind change, they just don't like drastic change. Especially if most of these become an annoyance.

Super-user are more open to change, they don't mind as much, but most of the one I work with wouldn't trade their XP for Vista.

I'am a network engineer by trade for the last 30 years. I started on mainframe that ran network at 2400 bds. I've seen all kind of evolution and I had to adapt. So I'am not close minded when it comes to new software. I think Vista miss the boat completely.

I can fix any network problem on a XP/2003 network but give me a network problem with a Vista machine and I'm pulling my hair out after a while. They simplify the whole thing to the point where if it doesn't work, it's a nightmare.

That's why most company don't even plan on going to Vista.

My recommandation to any of my customers is wait. XP is good until 2014. And Vienna will be available before long. So skip over Vista and lets hope MS learn from their mistakes.

And my point is, stevehoot analysis is right, but it is just not good enough reason to switch to Vista.

Captain555 -

Please take this as tounge in cheek, but after 30 years as a network engineer I thought you'd be using the command line rather than GUI due to speed - and the Windows networking command line tools haven't really changed since NT4/2000!

The commands to do network troubleshooting on Vista haven't changed since XP - in fact more are introduced if you wish to use them, but netsh, ipconfig, netdiag, ping, arp, netbt, tracert, nslookup etc. are the same as far back as I can remember.

For more basic network troubleshooting that doesn't warrant the command line then Vista adds one extra step over XP. (Instead of going to 'Network Connections' as you would in XP, Vista makes you go to the 'Network and Sharing Center' first. There is a link in there to the old fashioned 'Network Connections' and the GUI is then as XP)

If however you are commenting on the fact that Vista 'hides' itself from other devices on the network depending on the network profile then this again is a welcome security change for the majority of the security professionals. This is a firewall thing rather than a GUI change or similar. When a Vista machine is connected to a new network, the user is asked if this is a home, work or public network. Non-Admin users can select home/public (I think) without admin rights which hardens the firewall compared to the 'work' profile. This adds extra flexibility to portable machines without compromising on network security.
I personally like that when the sales guys are at work their firewall is relaxed enough for me to do remote administration - but when it's plugged into some god-awful starbucks wi-fi it's maxed up so that it's not even visible by conventional methods. (e.g. 'browsing' the network or a subnet ping sweep etc.)


Regarding the 'most people don't like Vista' statement:
IMHO, I think some people get on well with change, others don't. 2000 to XP wasn't a huge change to the end-users other than the childish GUI theme and awful control panel interface. Vista changes quite a lot with the GUI, and some users are happy with change, whilst others are not. Similar to Office 2007.
At my place most users think Vista is alright and a small handful think it's great. The same is true of Office 2007 as well - although there are one or two that still think the new Office UI is designed to hamper them rather than help.
Overally, this really is a subjective thing down to each individual person. The GUI is difference, and seasoned IT pro's / power users will be put off with UAC and the odd extra step to do things - but as with most OS's - it's fully customisable so you can add in shortcuts and turn off UAC if you wish.

Vista seems more than reasonable to me. Modern hardware runs Vista around about the same as XP ran on 2002 based hardware, driver and software issues have never really been an issue for me or my company (and we use a mixture of models and vendors) and reliability has been superb - miles better than XP.

However if your hardware is over 2 years old then I wouldn't suggest even looking at an upgrade. But if your hardware is new enough, and you have £100 to spend on improving your security - I would then suggest upgrading to Vista as the security improvements (see my first post) and end-user stuff (Media Center, Parental Controls, Integrated Search, DX10, SuperFetch, stability, improved GUI (IMHO) ReadyBoost etc.) are probably worth £100.

Put it another way - a lot of home users are happy to pay £60 for a bloated 'security suite' that does spam, AV, firewall, IDS etc. Compared to a £100 upgrade and £20 on just a AV, your going to get a lot more for your cash than two copies of Norton's latest and greatest.

All fine and dandy. I know the tools are still there, my point is sometimes, everything says that it is working but it doesn't work.

"welcome security change for the majority of the security professionals"
Maybe in your neck of the woods but not in mine.

"some people get on well with change, others don't"
That was my point, there are more "don't" than "do".

"Vista changes quite a lot with the GUI"
GUI is eye-candy, that's all. You can add a theme to XP that makes it look just like Vista.

Talk about Office 2007, there's an article circulating on the Net, you can find it on Softpedia, about XP running twice as fast than Vista while running office application. That's real life. Most PCs in the world are use for business and that mean office.

On your last statement, I disagree with you completely, better security can be achieved in XP at a lot better price than an upgrade to Vista even on a mobile laptop.

Guys,

This isn't a 'Vista rocks whilst XP isn't as good' - this is a factual post regarding the differences between the two.

Whilst SP3 and IE7 for XP are highly recommended, and obviously SP1 is good for Vista, there are some key points.

1. Whilst IE7 is generally better, IE7 for Vista is internally called IE7+. The reason for this is because IE7 on Vista works with UAC. Together they provide 'Protected Mode', which essentially means that the IExplorer.exe process can only access about three folders on the system and a couple of registry hives - regardless what user launched the process. (Close to a complete sandbox environment)
On XP IE7 is ran under the local security context and thus in theory has access to everything the end-user has. This means that IE7 on Vista is far, far more secure that IE7 on XP can ever be.

2. SP1 for Vista is essentially a cumalitive update for Vista. If you fully patch your system, you are already pretty much running SP1 - there is little difference.

3. SP3 for XP is the same, it's more of a wrapping up exercise. Why get IT to have to slipstream 99 hotfixes in their SP2 builds when MS can do it for you? There are little to none new features in either Vista SP1 or XP SP3 compared to a fully patched RTM/SP2 release.

ThaCrip:
XP was made more secure by introduction of the security centre, automated updates and Windows Firewall. Vista introduces protected kernel, UAC, IE7+ Protected Mode, a vastly improved firewall (it's very good actually), parental controls, more GPO's, further refined permissions, Address Space Layout Randomization and Windows Defender. Whilst Defender can be ADDED to XP, nothing else on that list can be. Looking at Secuina, Vista had 17 advisories in 2007 (whilst technically it was released to businesses in Nov 2006, I think 2007 is a bit fairer). XP however had 30 in 2003.

With this in mind, plus the end-user benifits (aero, the improved GUI, integrated instant search, parental controls, media center, stability etc.) I can see little reason to recommend XP over Vista. I wouldn't recommended every goes out and upgrades for the sake of it - Vista is a evolutionary update rather than revolutionary - but any machine that can have Vista on at little or no cost should do it.

Since when did Neowin become a place for manufacturers to post their advertising? This isn't news or comment, its just pure PR. Wake up Neowin!

Well, so good it may seems. XP with SP3 and IE7 aren't that far away either.

It is proving to be much more stable and secure.

It is proving to be much more stable and secure.

It's a lie.
XP with SP3 is not more secure than Vista. Please refrain from saying nonsence from now on.

Why quote sources from MS's own site?

You're not likely to get an unbiased point of view, or actually anything that isn't pro-MS 'w00t'... this isn't 'reporting' it's simply quoting MS propaganda.

Anyone that isn't 'all about the shineys' knows the problem that is Vista.. you're not going to persuade us otherwise... you only really hurt the integrity of the site with shoddy faux-news articles.

Well I only read what was posted here and veryyyy quickly skimmed the full article, but it all seems to be true based on what I saw. Sure it's probably a biased source but at least it seems more or less factual and refrained from mentioning Linux/OSX ect. As a comparison against only XP, the article seems pretty much right so I haven't got that big a problem where it comes from.

Anyway I use Vista and not for the UI...it's not that huge a deal IMHO. My favorite changes really are the under the hood things like memory management and networking which felt ok in XP at the time but when I go back to it it really feels like a real pain to do. That and I wouldn't be able to get by on other OS due to the application support, in particullar due to the fact I game alot.

(The Walker said @ #8)
Why quote sources from MS's own site?

Since when did Secunia.com and Apple.com become Microsoft sites??
Go back and RTFA. Go to secunia and browse the lists of vulnerabilities. Then go to apple site (there are links in the articles) and see for yourself.

(RealFduch said @ #8.4)
It's LAME to quote yourself to make a point.. especially when your point is LAME too.

I DID read the f**king article... and it's all about MS blowing itself... how less than inteligent of you not to realise that an article that say.."well, Vista's better than it was."... isn't exactly a huge sales pitch.

Also you point me to two sites then make out that it's all connected.. MY ARSE!... So now you expect me to go on my OWN verification hunt for the truth of the articles posted here?.. That's just as bad as my post accusing Neowin off UTTERLY BIASED 'reporting'.. and still points to the unreliablity of the site... if it does get to the point that before reading ANY of the articles I had to remember to not only verify the truth of their article, but also the truth of their sources.. then I'll go somewhere more reputable.

One last thing.. even IF MS are telling the truth of this 'positive' matter, they certainly can't be counted upon to tell the whole truth when the matter maybe negative..and being unreliable to tell both sides of the truth, is utterly biased and reduces the site's worth to nothing more than some scattered info and a sales pitch.and that much I can work out for myself.

things have been so great, i haven't had the need to use panda scan, spybot lavasoft or any of those goodies i used to use every single day on XP.

yeah... even viruses have failed to infect my system upon venturing into dangerous websites... i think we have a new champ in the ring!

i haven't had the need to use panda scan, spybot lavasoft or any of those goodies i used to use every single day on XP.

I have difficulty believing that, but if it's true it was no doubt caused by IBK errors.

"The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective of how many publicly known holes found in these two operating systems, I�ve compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months. The more monthly flaws there are in the historical trend, the more likely it is that someone will find a hole to exploit in the future. For example back in April of this year, hackers took over a fully patched Macbook and won $10,000 plus the Macbook they hacked."


http://blogs.zdnet.com/security/?p=758

Thank you Emil for writing such a good report for Vista. Which is the truth - " Vista is the most secure OS to date ! " The next thing is to finish and release the most secure server " Server 2008 ! ", which will make things even more secure. Due to the fact every computer on the net today must use a server to read or connect with the information they need or want.
Microsoft has taken this goal as the most important factor to securing the internet for everyones safety.
Thanks again and keep up the good work there!
SGT

i have to agree with Mark...

And you do realise most servers on the net are linux servers... althoguh IIS has improved over the years, i'd still go with a linux/unix box for most web services..

(whocares78 said @ #3.2)
i have to agree with Mark...

And you do realise most servers on the net are linux servers... althoguh IIS has improved over the years, i'd still go with a linux/unix box for most web services..

In what whay do you meen that any linux web server is more reliable or more secure then IIS7? Or even IIS6?
How many security holes do you think has been discovered in IIS6 to this date? Much less then Apache.
So my choice today is ABSOLUTELY IIS7 on Windows Server 2008 even if it's still just RC.

but the choice os yours, of course..

/Zeb - think about IT - http://Micros0ft.se

(zeb - http://Micros0ft.se said @ #3.3)

In what whay do you meen that any linux web server is more reliable or more secure then IIS7? Or even IIS6?
How many security holes do you think has been discovered in IIS6 to this date? Much less then Apache.
So my choice today is ABSOLUTELY IIS7 on Windows Server 2008 even if it's still just RC.

but the choice os yours, of course..

/Zeb - think about IT - http://Micros0ft.se

did i mention anythign about stability or security... i just said i'd go with a linux server.. no real reasoning behind it..just personal preference...

i know IIS is a lot more secure now than in the IIS 5 days, but usually once iget burned i stay away from the fire, if they put the fire out, i am still a little hesitant to go near it, just encase

(zeb - http://Micros0ft.se said @ #3.3)
In what whay do you meen that any linux web server is more reliable or more secure then IIS7?

In the way that the most reliable (as in uptime, response time and query time) run Linux or BSD with the usual LAMP / Apache / Tomcat solution - if in doubt, refer to Netcraft.


Vista is doing a lot better than any other version of Windows for sure, but I'd like to see this from an unbiased point of view as well (MSDN isn't exactly an objective source).

But I have no doubt it's in better shape, just one of the reasons I'll be running it next to OS X soon.

I agree that Vista has the default configurations right for proper security. Even if you have complaints about how UAC and such are implemented, they do provide the functionality to elevate permissions up from a default unpriveleged user.

XP brought user account separation to the home user. Vista brings running as user. It's been needed, and it will be a great benefit (though there is never a cure for user stupidity).

This coming from a 100% Linux user for the past 5 years. I would say I'm reasonably unbiased.

vista secure? like you dont need third party software to protect yourself?

I dont get it. MS got huge problem with security. I think the only good thing about vista is the new interface. Its still unsecured if you dont use third party software to protect yourself.

If you doubt just install all windows vista updates and go to some sites without antivrus and internet security, you will be amazed .....