Welcome to the Windows Vista Security Blog


Thousands of people from around the world have been hard at work to ensure that Windows Vista is the most secure version of Windows ever released. From new engineering best practices as part of the Security Development Lifecycle (SDL) to new data protection features like BitLocker™ drive encryption, Windows Vista will help make large enterprises, small businesses, and home users more secure.


The purpose of this blog is to make you aware of what makes Windows Vista more secure, keep you updated on the latest developments, and give you a behind-the-scenes look at the development process from the people building the product.


We plan to update the blog at least several times a month, so add it to your favorites and subscribe to the feeds. In the meantime, here are links to some of the key Windows Vista security resources we’ve published already:


• Windows Vista Security Home page on TechNet

• White Paper: Microsoft Windows Vista Security Advancements (.doc file, 222 kb)

• Video: Windows Vista Security Enhancements (.wmv file, 27 min. 58 sec.)

• Windows Vista Security Home Page on MSDN

• The other Product Team Blogs that are listed on the right of the page. Here are a few key postings that would have been on this blog if it had existed at the time:

    o Address Space Layout Randomization in Windows Vista

    o Windows Firewall: the best new security feature in Vista?

    o [BitLocker] Back-door nonsense

    o Reducing Elevation Prompts in User Account Control


Thank you for reading and we look forward to your comments—we will do our best to address them all.


Ben Fathi
Corporate Vice President
Security Technology Unit


 


(Comments have been turned off to deter spam.)

Comments (13)

  1. Steve Riley says:

    Mandatory Integrity Control is one of my favorite new security features. I wrote about it here: http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx

  2. Dan says:

    The new Windows Firewall:

    • Block all incoming traffic unless it is solicited or it matches a configured rule.

    • Allow all outgoing traffic unless it matches a configured rule.

    I’d like the new Windows Firewall for outgoing connections to be configurable also like this:

    • Block all outgoing traffic unless it is solicited or it matches a configured rule.

  3. Luke says:

    Please force the Windows Vista users to create a mandatory second Standard user account during installation setup. Because I see in every Windows Vista forum a lot of people that use only the first administrator account and this is not good; yes it’s safer than Windows XP thanks to UAC, but the standard user is better.

    So each home user will have 2 user accounts:

    1. Administrator protected by UAC, for the administrative tasks

    2. Standard user protected by UAC, for daily use

    and so each home user will use the Standard user and for administrative tasks UAC will automatically ask for the Administrator password; the Administrator password is well known because it has been created by the user so there are no problems.

  5. PatriotB says:

    Mandatory Integrity Control is a great innovation.  Its corresponding APIs seem to be in the latest Windows SDK headers, but the documentation for these APIs is not yet online.  Can we expect this sometime soon?

    Since IE7 uses MIC, they obviously have access to some sort of documentation beyond the header files.  If I were working on Firefox or some other browser, I’d want just as much access to that documentation as the IE team has.

  6. Alex Heaton [MS] says:

    PatriotB, MIC is something that we would like 3rd parties to take advantage of. There is documentation at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp, see “Starting Low Integrity Processes”, or is that the existing documentation you were referring to? If so, what other aspects would you like documented?

    Thanks, Alex

  7. Ed Krievins says:

    Re: Windows Vista Security

    Brilliant as an upgrade from XP. However, I am a poor user of Vista Beta 2 using a 56k Dial-up Modem. I can bring up most pages on the Internet under the Protected Mode with a Modem, but I cannot bring up any Microsoft page whatsoever. Anything that ends in .microsoft.com, or is microsoft.com/downloads for example. Protected Mode just completely blocks me out of Microsoft’s web site altogether.

    Have checked my connection using the new Check Your Connection feature, and have performed independent tests. Modem is working fine and as fast as possible. Have been reading about the second user account, but when tried, produces the same problem.

    I have not switched off User Account Control because this defeats the purpose of Vista. Through feedback page, I have suggested that the use of a Modem access to the Internet be totally removed from Vista. Forcing myself and others to finally upgrade to DSL or Cable. Am saving up for this.

    Can anyone help me with bringing up microsoft.com on the Internet under and using the new Protected Mode? Many thanks.

    Ed Krievins

  8. windowsvistasecurity says:

    Ed, we are sorry to hear of your problems accessing internet sites. This type of issue is not one that would be caused by Protected Mode. Protected Mode runs the Internet Explorer process with lower privileges to make it harder for malware to harm your computer. But it does not affect what sites you can visit. What you are experiencing is likely some kind of networking issue, perhaps with your ISP. Hopefully the problem will resolve itself; unfortunately we cannot provide more technical support through this blog, though there are a number of newsgroups where you may be able to find more help:

    • microsoft.public.windows.vista.general

    • microsoft.public.windows.vista.administration_account

    • microsoft.public.windows.vista.hardware_devices

    • microsoft.public.windows.vista.installation_setup

    • microsoft.public.windows.vista.mail

    • microsoft.public.windows.vista.networking_sharing

    • microsoft.public.windows.vista.performance_maintenance

    • microsoft.public.windows.vista.print_fax_scan

    • microsoft.public.windows.vista.security

    You can use Windows Mail included in Windows Vista to access these newsgroups, you should be able to find them using the Microsoft Communities link on the left side.

    Good Luck!

    – Alex

  9. Ed Krievins says:

    Alex,

    Thanks for your reply. I understand your reasoning. However, it defies logic in terms of what Microsoft is trying to achieve. I can bring up every Microsoft site on my previously used Windows XP Pro w/SP2 with original IE 6.0, and then IE 7.0 b1, b2, and b3. IE 7.0 for WinXP having no Protected Mode.

    Therefore under these conditions, IE 7.0 runs with full vulnerability so to speak. With Protected Mode in Vista being on a LUA status to prevent Malware, this then tells me that the Servers operating Microsoft sites run completely unabated from Malware Protection if only I can bring them up on all versions of IE 7.0 before Protected Mode.

    Do you understand the logic that I am trying to present?

    Furthermore, if you turn off Protected Mode in the Security option for Internet when you go to Internet Options, you are notified that you have created a Security Breach. So as above, where is Protected Mode being of LUA if the user is being specifically notified of a Security Breach by turning Protected Mode off.

    If I am missing your intent or point in your reply, please enhance your explanation. I am very interested in this topic. I study Internet Security as a part-time hobby, and the more I am delving into it, I am starting to find that we are using the wrong logic for Internet Security enhancement based on the new types of Malware that are showing up on the market.

    Sincerely Yours,

    Ed K

  10. Bevan Findlay says:

    What comment do you have in response to the article "Vista’s Virgin Stack" on GRC.com’s SecurityNow (http://www.grc.com/sn/SN-051.htm)?

    I would say (as an IT Manager) I agree with their comment that calling something "secure" is earned, not claimed, and from the initial findings, Vista’s IP stack is far from secure.

    I am interested to hear thoughts from the Microsoft side of the fence on this.