
Vista security overview: too little too late

But some progress has been made


A few irritating details

The default folder view options could be improved for the security conscious user. One should definitely not hide file extensions, as the default file view has it, because it is possible to spoof icons and use bogus extensions that can make executables appear to be other than they are. Yes, UAC and DEP are supposed to help with this, but DEP will be set to its lower setting, and UAC will be turned off, on the vast majority of Vista boxes, for reasons we've already discussed. And since it's very likely that you will still be running your Windows box as an admin, if you're going to open a file with Windows Explorer, you'd better look to see whether or not it's an executable, because it will run with your privileges. So, at a minimum, the folder view should default to showing file extensions.
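To make the hidden-extension risk concrete, here is a short Python check, added as an example and not part of the original article, that flags files whose real type is executable but whose name, as displayed with extensions hidden, ends in a document or media extension. The extension lists and the sample file names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed lists for illustration; extend them to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".mp3", ".xls"}


def displayed_name(filename: str) -> str:
    """Name as shown when file extensions are hidden (simplified:
    assumes the final extension belongs to a registered file type)."""
    p = PureWindowsPath(filename)
    return p.stem if p.suffix else p.name


def is_deceptive(filename: str) -> bool:
    """True if the file is executable but its displayed name ends in a
    harmless-looking extension, e.g. 'invoice.pdf.exe' shown as 'invoice.pdf'."""
    p = PureWindowsPath(filename)
    if p.suffix.lower() not in EXECUTABLE_EXTS:
        return False
    # The extension the user would believe is the real one.
    apparent = PureWindowsPath(p.stem).suffix.lower()
    return apparent in DECOY_EXTS


def audit(filenames):
    """Return (real name, displayed name) pairs that deserve a second look."""
    return [(f, displayed_name(f)) for f in filenames if is_deceptive(f)]


# Constructed sample listing, not taken from any real system.
SAMPLE = [
    "holiday.jpg",           # plain image
    "setup.exe",             # honest executable
    "invoice.pdf.exe",       # executable displayed as a PDF
    "Quarterly.Report.doc",  # extra dots, but a real document
    "song.MP3.Bat",          # mixed case must not hide the match
]

if __name__ == "__main__":
    for real, shown in audit(SAMPLE):
        print(f"displayed as {shown!r}, really {real!r}")
```
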

As usual, Windows enables far too many services by default. It would be a tremendous help if MS could somehow use its many wizards to enable only the services needed for each bit of hardware or software installed. That would take some effort on Microsoft's part, and on the part of device and software vendors, but the alternative so far has been to leave every single bell and whistle blaring. Unnecessary services waste RAM, and worse, those related to networking are a needless target for worms and other online attacks.

Data hygiene

The start menu now offers the option of not storing or displaying a list of recently-accessed files and programs. This used to be a real nightmare for data hygiene. Finally, it's fixed.

Oh wait; it's not fixed. In fact, things just got a lot worse. There is the new "Recently Changed" directory, which will show up as one of your "Favourite Links" in the left-hand column of your home or user directory, and in Windows Explorer. And guess what: all the files you've been fiddling with recently will show up in it. Its contents are identical to the "Recent Documents" folder that Microsoft let you think you had shut off.

But worse, the contents of your recently-changed directory will not show up in main search, even if you use advanced search, and search "everywhere". So you might not even know it's there. And still worse, you can't empty this directory without deleting all of the files it points to. You can empty your "Recent Documents" folder, and only the pointers or links will be gone; you don't lose the actual files. But with this new gimmick, you've got an archive of all the files you've looked at, regardless of where you've buried them in the file system hierarchy in hopes of keeping prying eyes off them, and you can't empty it unless you want to say goodbye to the files themselves.

The worst part of this is that by offering the option to disable the list of recent files, MS has given users a false sense of privacy and security. The reality is that privacy and data hygiene are even more difficult than before. What a blunder.

Child safety first

Now there is some good news, finally. Vista ships with parental controls that are reasonably easy to implement. You can set up accounts for the kiddies, and prevent them using all sorts of programs, like email, chat, and IM, or even deny them internet access altogether if they're too young. One thing that I like is the ability to prevent the little porn fiends from downloading files via IE7. But remember, if you have any other browsers loaded on the system, you must disable them all individually via the parental controls, because download blocking only works with IE.

The basic setup is sensible and allows for fine-tuning depending on each child's level of maturity and responsibility. And parents can schedule regular reports on their children's internet use.

Now, parental controls and filtering are all well and good, but we should beware of any false sense of security they might encourage. In a recent Today Show interview (video), Billg dilated glowingly about Vista's new parental control centre; but we should remember that it's merely a tool, not a solution. Parental controls are not a substitute for adult supervision. The internet is adult space, and so it should remain. Nothing sends my blood pressure into aneurysm territory faster than talk of legislation that would make the internet safe for children. The internet has been created by adults for adults, and children venturing online simply have got to be supervised, either by a parent or by a mature and responsible older sibling. Filtering is not a panacea.

Package deal

Now, for the Vista Security Centre. This has been controversial, involving MS in skirmishes with security software vendors who claim that Vista's built-in product is anti-competitive.

I'm not sure why anyone would worry. The Security Centre doesn't do very much except remind users, "Message: We Care". It's a little craplet with a stereotypical icon that looks like a shield, and it simply informs you of whether or not the firewall is on, whether or not you've got anti-virus software installed, and so on. It is integrated with an improved version of the malicious software removal tool, or anti-spyware tool, in the form of Windows Defender.

There's nothing much in Security Centre that XP SP2 doesn't have, except a warning that you've turned off UAC. It's something that one might wish to run or consult after installation, and maybe once a month thereafter. But it's on all the time, ready to harangue you, and it's rather difficult to make it go away.

It doesn't contain AV software, but a query for further information on virus issues will bring you to this web page, where MS recommends the vendors it thinks are ready to handle Vista (McAfee is notably absent). Nor does it have a packet filter (firewall) with many features. It's not too bad to configure, but third-party packet filters offer many more options in terms of notification and controlling individual applications. I noticed one exception in the default firewall configuration that I didn't care for, for allowing remote assistance. I don't think that should be allowed unless you're actually using remote assistance.

Windows Defender is certainly better than nothing; it monitors files for changes that can indicate malicious activity, and searches for known spyware. It is also integrated with IE7 to some extent. However, what constitutes spyware is a judgment call, and it's never a bad idea to use more than one anti-spyware/anti-adware product, in hopes that one will pick up what another overlooks. (And WD does seem to miss an awful lot of spyware.) I certainly wouldn't recommend depending solely on Windows Defender. But it's nice that it's there.

In a nutshell

So, what have we got here? An adequately secure version of Windows, finally? I think not. We have got, instead, a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on. But MS has, in a sense, shifted the responsibility onto users: it has addressed numerous issues where too much was going on automatically and with too many privileges. But this simply means that the owner will be the one making a mess of their Windows box.

Data hygiene is still an absolute disaster on Windows. In fact, it's worse than it ever was in some ways, and that's very bad indeed. Browser traces still in the registry, heavy and complicated indexing to improve search, new locations where data is being stored. It all adds up to a privacy nightmare. Keeping a Vista box "clean" is going to be impossible for all but the most knowledgeable and fastidious users.

So don't rush out to buy Vista in hopes of getting much in return security-wise. I do like some of the changes, at least in theory, or as a decent platform on which to build an adequately secure version of Windows one day. But that day, if it ever comes, will be well in the future. ®

Correction: I'm grateful to a Reg reader who pointed out an error in a previous edition of this story. I had stated incorrectly that IE7 doesn't allow blocking third-party cookies. It defaults to accepting them, but can be made to block them.
