Security Evolution Continues for Vista and XP

Carl Weinschenk

This Redmond Magazine piece doesn't give the date -- it was August 2004 -- that Microsoft released Windows XP Service Pack 2 (SP2).


At that point the company committed what, according to the writer, many think was a mistake: The default switching on of the host-based Internet Connection Firewall (ICF). The problem, he says, is that getting the host-based firewall running within an organization is an "Herculean effort" involving high levels of application testing and configuration tuning. The complexity forced many administrators to simply disable ICF.


The position of this story is that ICF is potentially a helpful security tool, at least in one particular implementation. The writer says that it remains difficult to deploy ICF within the enterprise, but that the "standard profile" turns on when the device is connecting through outside networks. This can be a boon to security for machines connecting from dangerous environments such as coffee shops and airports. The piece goes on to provide a good amount of detail on why this is good and how it works.


Security folks love to compare security: Open source versus proprietary, Mac versus Windows, Vista versus XP, and so on. This piece at Jesper's blog was stimulated by a post at Jeff Jones' Security Blog -- a link is provided -- that suggests Vista security is better than that offered by XP and other operating systems.


In his post, Jesper Johansson observes that much of the comparison between Vista and XP security is based on each operating system's first year in the field. However, that is meaningless in terms of how XP works. To him, the important thing is a comparison of how each operating system performs now.


The long piece leads to several conclusions. It found that Vista had fewer vulnerabilities than XP and that open source Firefox had more "patching events" than Internet Explorer running on XP or Vista.


The sense of this InfoWorld piece is that Vista security is far better than previous Microsoft operating systems, but that the price is more user involvement and inconvenience. User Access Control (UAC) is a feature designed to cut down on malware by asking users for permission every time a piece of software is set for installation. While this clearly improves security, it can become burdensome. Indeed, some companies offer software that automates this process and only brings out-of-the-ordinary situations to the attention of users.


The story also discusses the BitLocker encryption feature. BitLocker either encrypts the entire C drive or nothing. Some issues have cropped up, the piece says, such as encryption for organizations using a D partition and difficulty in decrypting data on machines taken from terminated employees.


Though Vista is the immediate future of Microsoft operating systems, there is a huge installed base of XP users. The company is in the extended process of introducing Windows XP Service Pack 3, which is expected to be the last update to XP. details the release, which contains no drastic changes. There are, however, security-related tweaks. Network Access Protection (NAP) compatibility enables XP to use the NAP feature in Windows Server 2008. This is akin to Network Access Control (NAC) approaches in which devices requesting permission to join a network have their security assessed and, if necessary, are quarantined and their software cleaned and/or updated. This is particularly useful for mobile devices.


There also is additional cryptography on the kernel; added ability to detect routers that drop packets; easier rollout of IP Security (IPSec) virtual private networks; Digital Identity Management Service (DIMS) that enables seamless access to certificates; private keys for applications and services, and the addition of the more secure Wi-Fi Protected Access 2 (WPA2).


Last month, the National Institute of Standards and Technology (NIST) announced the first products that have achieved Security Content Automation Protocol (SCAP) certification. Network World reports that the products are from Gideon Technologies, Secure Elements and ThreatGuard. This is the fulfillment of an order from the Office of Management & Budget (OMB) last July that directed NIST to put a program in place to fulfill the Federal Desktop Core Configuration (FDCC) standard overseeing security configurations for federal computers running Vista and XP.
