megamanXplosion, Posted June 1, 2005

I have been reading up on all of the security changes that will appear in Longhorn (final). Can any of you help point out some of the enhancements? So far, I have found Proactive Firewall Protection, Secure Startup, bundled Microsoft Anti-Spyware, Least-privilege User Access, and the ability to automatically renew anti-virus subscriptions via the Antivirus API. Are there any enhancements that I have missed? Will the Windows Firewall in Longhorn support the ability to stop outbound connections? If possible, please link to your source of information :)

EduardValencia, Posted June 1, 2005

Look up something about Palladium, you'll find it quite interesting :)

neostyle, Posted June 1, 2005 (edited)

Here are some links:

https://www.trustedcomputinggroup.org/home
http://www.microsoft.com/whdc/winhec/track...ediapcarch.mspx
http://www.microsoft.com/whdc/system/platf...start_exec.mspx
http://www.microsoft.com/whdc/system/platf...gn/default.mspx
http://www.microsoft.com/whdc/system/platf...start_tech.mspx
http://www.microsoft.com/whdc/system/platf...TPM_secure.mspx

Edited June 1, 2005 by neostyle

megamanXplosion, Posted June 1, 2005

EduardValencia, I don't think Palladium will be entirely implemented. Palladium was renamed to Next-Generation Secure Computing Base, which was later put down because it required application developers to rewrite their software to take advantage of it. Microsoft has brought NGSCB back but will be implementing it in a different way that doesn't require software developers to cater for it. Secure Startup, from my understanding, is a part of the plans for NGSCB. Because of the new way NGSCB is being implemented, it is hard to find recent/valid information concerning the plans and what will and will not make it into Longhorn :(

Neostyle, the first link doesn't seem to describe which features Longhorn will support. It is an interesting source of security-related information but it doesn't really say anything about Longhorn specifically, as far as I can tell. Has it been officially confirmed that Longhorn will support everything there? The second link is mostly about digital rights management and improving media input/output; I don't see anything which deals with security from a user's perspective. The third link is about Secure Startup, which I've already talked about. The fourth link looks like it may contain something relevant to my question and will take a while to digest fully (and download on 56k, for that matter); I will report back later with my findings. The last link is, again, about Secure Startup, which I've already mentioned.

Any other links and confirmed security enhancements?

megamanXplosion, Posted June 2, 2005

I have finished poking around the fourth link, nothing really interesting. One of the PowerPoint slides mentioned Microsoft Baseline Security Analyzer 2.0 but doesn't say whether or not it will be included with Longhorn, and I've known of MBSA2 for a while now...

Does anyone know of any other confirmed security enhancements?

andyandy, Posted June 2, 2005

> I have finished poking around the fourth link, nothing really interesting. One of the PowerPoint slides mentioned Microsoft Baseline Security Analyzer 2.0 but doesn't say whether or not it will be included with Longhorn, and I've known of MBSA2 for a while now...
>
> Does anyone know of any other confirmed security enhancements?

A lot of multimedia-related security will be there. Check out the WinHEC 2005 slides.

jphillips59, Posted June 3, 2005

Besides LUA there is the concept of "Protected Admin", where certain processes won't use your admin token (like IE).

Secure Startup, I believe, is going to be using hardware (like the security chips currently used in some laptops).

cyberjunkie, Posted July 27, 2005 (edited)

I have to say I'm surprised there is so little talk about the Full Volume Encryption feature which is part of the Secure Startup feature...

If I understood it correctly then this is a hardware implementation of what is otherwise known as Full Disk Encryption (FDE). In other words, on-the-fly encryption/decryption of your whole boot drive. There are a number of software solutions like PGP's Whole Disk Encryption, SecurStar's DriveCrypt Plus Pack and others which do this exact same thing and with very little CPU overhead (maybe 1-2%); however, a solution that's completely integrated into the operating system would be much neater.

The only problems as I see it with Microsoft's FDE solution would be the following:

a) I don't trust Microsoft enough to believe that they won't put any backdoor into their solution. While not a major problem, full disk encrypted HDDs are more sensitive to bad sectors than unencrypted HDDs. Also, partitioning tools and the like can mess up an FDE HDD. Even if there would not be any pressure on Microsoft on the part of law enforcement and the corporate world, the vast number of inexperienced users which may mess up their data with this feature could scare Microsoft into inserting a backdoor just in case...

b) I dislike having the keys stored in an integrated hardware chip. The available software FDE solutions that I mentioned store the keys on the HDD itself and most give you the option to store them on a hardware token (a sort of USB security stick) which you can carry around with you. That way you can move around the FDE HDDs any way you please and you are not locked to one specific computer. What would for instance happen if the motherboard got fried for some reason (lightning, etc.)? Then you would have to rely on that it could be fixed or you wouldn't be able to access your HDD anymore.

Another issue is that by having a special chip for storing the keys, a sophisticated intruder would know exactly where to look for the keys. It wouldn't be that straightforward if they were stored somewhere on the FDE HDD itself, seemingly containing only a huge amount of random binary data, or if they were stored on a hardware token which you carry with you yourself...

Edited July 27, 2005 by cyberjunkie

+mram, Posted July 27, 2005

> I don't trust Microsoft enough to believe that they won't put any backdoor into their solution. While not a major problem, full disk encrypted HDDs are more sensitive to bad sectors than unencrypted HDDs. Also, partitioning tools and the like can mess up an FDE HDD. Even if there would not be any pressure on Microsoft on the part of law enforcement and the corporate world, the vast number of inexperienced users which may mess up their data with this feature could scare Microsoft into inserting a backdoor just in case...

While I can see where the paranoia might come from, this is highly unlikely. The days of hidden APIs are long since over, and MS has billions to lose from a thoroughly untrustworthy maneuver like that.

Fred Derf, Posted July 31, 2005

[Thread Moved from Windows Beta to Vista Beta]