Windows Vista and IE7 -- The Implications for IT

• By Stuart J. Johnston
• March 13, 2006

That gives IT staffers a chance to start figuring out what features are important for their users and to understand the complexities of improvements in areas such as deployment and security.

Also coming is Internet Explorer 7.0, which will run on Windows XP, but brings with it several important features that are only available if it is running on Windows Vista. Microsoft shipped the first beta of IE7 last summer.

But which new features in both products will actually contribute in an IT environment?

First and foremost, Microsoft, analysts and users agree, comes greatly enhanced security.

“The features in Windows Vista that are going to be of interest to IT are surely going to be headlined by the improved security technologies,” says Al Gillen, research director for system software at technology research firm IDC.

Loose Bits Sink Chips

Indeed, despite all the work Microsoft put into Windows XP Service Pack 2 – and all of the concomitant hype around it as the end-all security fix – that has proven not to be enough. So the company redoubled its efforts with Vista, adding new security features and capabilities top to bottom.

The major new security feature in Vista, called User Account Protection (UAP), modifies the way users are provided access for making system changes. In previous Windows releases, performing IT-related tasks such as installing programs, device drivers and the like required administrator privileges. Additionally, many existing applications require that they run in administrator-level security.

In UAP, a user has a basic set of “standard” low-level rights and privileges. Since many malware attack vectors exploit security holes that allow them to take on the current user’s or application’s security level, the standard mode provides only the privileges needed to perform basic tasks. Since the user in standard mode doesn’t have the rights to perform administrative tasks, a successful attack that took control of the user’s account would only let the attacker perform a limited set of actions.

Likewise, applications are no longer allowed to run at administrator-level, so many custom corporate applications may need to be modified to run under the new model. Thus, Microsoft has asked third-party developers and IT organizations to check their applications and make changes necessary to enable them to run.

At the same time, however, UAP provides a compromise as a means to enable the user to perform some functions without calling the help desk or the geek squad. The user can request temporary capability to perform certain tasks, such as program installation, that typically would require a higher level of security clearance. The user enters a password to temporarily upgrade his or her privileges in order to perform the function.

UAP also has a component, called User Interface Privilege Isolation (UIPI) that works with a new set of sandboxing capabilities in IE7, known as Protected Mode. According to statements on Microsoft’s site: “IE7’s Protected Mode helps to eliminate the silent install of malicious code through UAP by blocking writes outside of the Temporary Internet Files folder . . . [and] Protected Mode also leverages UAP’s UIPI to help prevent Windows messages from being sent to higher privilege processes.”

In addition, Protected Mode blocks IE’s execution of most ActiveX controls – another avenue that has been a popular means of attack in previous versions of IE. In order to enable use of safe controls, however, Microsoft has added a feature called ActiveX Opt-in that lets users list exceptions.

In Protected Mode, IE does not have permission to modify user files, system files or settings, or install programs such as malware. All communications occur via a "broker process" that mediates between IE and the operating system. To prevent scripted attacks, the broker process can only be started when the user clicks on IE menus and screens, thus helping to block elevation of privileges exploits and further isolating the browser.

Additionally, in order to give administrators more centralized control over Internet Explorer on users' desktops, all current and future IE settings will be configurable via Group Policy, according to Microsoft statements. The Group Policy control will extend to all browser add-ons, the company says, "ensuring that administrators will be able to enforce compliance with company standards among browser users."

The moves are applauded by analysts and industry observers.

“The protection of the kernel is significantly improved both by getting the user out of administrator mode and into user mode . . . making the OS much more resistant to hostile applications altogether -- the device driver issues are all but eliminated,” says Rob Enderle, principal analyst at research and advisory firm Enderle Group.

Although IE7 will be available to run on existing versions of Windows – most notably XP -- as well as on Vista, it’s important to note that Protected Mode functions are only available on Vista.

But Wait – There’s More

At the operating system level, Microsoft has made other changes, as well. For example, most device drivers will now load at the user level, not in kernel mode.

“Windows Vista . . . includes many changes to the kernel, including the ability to run drivers as user-mode processes,” says Greg Sullivan, lead product manager in the Windows Client division. Because of this, a driver that crashes can be restarted like an application can. Sullivan adds that he expects this will help eliminate a major cause of instability today – drivers running in the kernel where a crash can take down the whole system.

Security has been enhanced in other areas as well. For instance, Vista provides BitLocker disk encryption to encode the entire Windows volume, which requires a 48-digit key in order to decrypt the computer’s data. The key can be stored on a PC’s Trusted Computing Module chip or on a flash drive (as long as the PC’s BIOS recognizes USB devices during the boot process). Bear in mind that BitLocker encryption is only available on the Enterprise and Ultimate editions of Vista.

Another addition in Vista: the new Windows Firewall now blocks both outgoing traffic as well as incoming traffic. This can be used, for instance, to prevent malware from “phoning home,” or to only allow use of a single standardized instant messaging client. It, too, can be managed from Group Policy. (One caveat: All outgoing connections are currently enabled by default.)

IE7 also provides an anti-phishing filter and other anti-phishing features. It not only keeps third parties from opening windows that do not display a source URL, it also provides an address bar that changes color to red to indicate if a site is on a Microsoft-maintained list of known phishing sites or yellow if it’s questionable.

Here Comes the Future

Security improvements won’t stop with Vista. When Microsoft releases Windows Server “Longhorn” in 2007, it will provide even further security enhancements that work in concert with Vista through what Microsoft calls Network Access Protection or NAP.

According to a Microsoft whitepaper posted online, “Network Access Protection . . . provides components and an application programming interface that help administrators enforce compliance with health policies for network access or communication.” Using NAP, both third-party developers and administrators can build solutions for validating computers that connect to their networks, provide needed updates or access to needed resources, and limit the access of noncompliant computers.

With NAP in place, when a user tries to connect to the network, that computer’s health state is validated against the health policies defined by the administrator. Depending on the results, the computer can be granted access, denied, or given only limited access until required configuration changes are made.

Because both Vista and Longhorn are currently in beta, IT staffers can also begin experimenting with NAP now.

Deploy This!

On the deployment front, Vista provides a new system image format aimed at letting staff create many fewer system images that need to be deployed and maintained.

“In the past, [for] each language, each form factor, each role, an IT administrator would need to create an individual profile,” Brad Goldberg, general manager of the Windows Client division, told media and analysts in a late February Vista briefing.

The new format is called the Windows Imaging Format (WIM). WIM is a file-based imaging format designed to enable a single image to be deployed to different types of computer hardware with different language requirements, according to Microsoft statements online. Maintaining WIM images is easy, the company claims, “because you can add and remove drivers, updates and Windows components offline, without ever booting the operating system image.”

Microsoft believes this will be another welcome addition for IT departments.

“One of the significant causes for the complexity, cost argument [around deployment] was the number of images that a typical customer had to deal with . . . adding new hardware, and language specific versions resulted in new images, as well as specific patches or drivers could result in hundreds of ‘standard’ images,” says Microsoft’s Sullivan.

Several analysts like what they see in Microsoft’s system imaging plans.

“WIM allows you to apply patches and updates to the OS without it being installed and running somewhere [which] has some interesting, and potentially very powerful capabilities, especially in a dynamic IT environment,” says Gillen.

Michael Cherry, lead analyst for operating systems at Directions on Microsoft, agrees.

“The new imaging, as well as tools to manage images and deploy them could reduce the costs and problems of deploying Windows,” Cherry says.

Not Just Another Pretty Interface?

The most visible of the changes coming in Vista, of course, is the Aero user interface, which features 3-D translucent graphics and a radically redesigned feel. Despite all the coolness of great graphics and a “new” look and feel, there are some features that Microsoft hopes will make users more productive.

For instance, the new Document Explorer, which replaces the My Documents folder and its file icons, displays high-resolution thumbnails to preview each document, which may help users be more efficient.

But analysts and other observers, while they tend to favor Aero, disagree over whether or not it will have that much impact in IT environments. Will major changes in even things as simple as the location of buttons in the browser have some short-term impact on end-user productivity?

“My initial reaction is yes,” says Cherry. “Talking with several analysts working with the February CTP we are all frustrated with some of the changes, and are calling and asking each other, do you know where they moved this function? Do you know how to do this?”

Meanwhile however, analyst Enderle disagrees, projecting “minimal” impact. But, he suggests, it’s the bait for the whole sale.

“The truly important parts have more to do with reliability, performance and security than appearance but appearance will clearly be much of the sizzle that helps sell the steak,” Enderle adds.