William Jackson | Cybereye: Trust in Vista?

William Jackson

Unless you're a hard-core geek or a masochist, you probably haven't rushed out to buy a copy of Windows Vista, released by Microsoft in late January. Administrators probably will want to take a long, hard look at the new operating system before introducing it into their networks.

It's not that Vista is bad, but it is new, and most of us prefer to let others work out the bugs while we stick with what is familiar.

Vista'n'e Longhorn'has been five years in the making. It was released to vendors in November and to consumers two months later. Most of those who have played with it report that it looks good and works pretty well, but unless you are a high-end gamer with an addiction to advanced graphics, there is little that is compelling.
It does hold some promise of improved security, however.

It is not bulletproof out of the box, of course. Nothing is, and it is not likely anything ever will be.

Advances in security tend to be incremental and collaborative, and Vista incorporates some features that third parties already are taking advantage of.

One is the Trusted Platform Module, a set of specifications from the Trusted Computing Group for implementing cryptography in silicon.

Introduced by IBM in 1999, every major PC manufacturer now offers TPM on at least some models, said Brian Berger of Wave Systems Corp. and marketing chairman for TCG.

About 50 million desktops, notebook PCs and motherboards shipped with TPM in 2006, and another 100 million are expected to ship this year, he said.

The chips can be used to support data protection, communications security, strong authentication, identity management, network access control and nonrepudiation; and Vista is the first operating system to natively support TPM.

Despite availability of the hardware, TPM use has been spotty because it is intentionally difficult to use. Trusted computing has been controversial because of concerns over the user's loss of control. So its design calls for TPM to be 'off' by default. The user has to opt in before the chip can be used by applications. This has been a roadblock for adoption of applications using TPM in enterprises because so many endpoints have to be touched by administrators.
But products that help take advantage of TPM are beginning to appear.

At this month's RSA security trade show in San Francisco, Wave Systems Corp., of Lee, Mass., announced its Embassy Remote Administration Server, which will enable centralized management of TPM so administrators do not have to visit every endpoint. It will work with Microsoft Active Directory to help administrators, who own the computers as far as TPM is concerned, enforce security policies on users.

Vista also recognizes the new Extended Validation SSL certificates that provide users of Internet Explorer 7 with extra information about the owners of certificates when visiting a secured Web site.

The idea is that knowing to whom the certificate was issued will help defeat sites attempting to harvest personal information or deliver malicious code.

At least two companies, Entrust Inc. of Addison, Texas, and Cybertrust Inc. of Herndon, Va., have announced new EV certificates that also work with Windows XP with Service Pack 2.

There is no word yet on how intrinsically secure and well-written the new operating system is, but I suspect hackers and security researchers will find it a fertile field for flaws, bugs and other surprises for the next year or so.

It probably is a safe bet that Patch Tuesday will be with us for the foreseeable future.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above