Improved Vista Security
Source: Tom's Guide US | Keywords: security, windows, vista
2. Improved Vista Security
While I like migrations and they suit my personality, I will never be at home with security projects. It seems I am not alone: half of the IT community fears security; the other half is bored by it. Consequently, if you want to establish a niche as a security expert, there will be numerous opportunities for well-paid jobs. Alternatively, if you just want to get the most from Vista, here is a list of topics that I suggest you investigate.
If you played last week’s game of valuing Vista’s features, then you may have assigned a relatively large value to Vista’s security. This week I want to expand the more nebulous heading "Vista Security" and introduce sub-headings, for example: Service Hardening, NX and NAP. There is also UAC and BitLocker drive encryption, which I have covered on my website.
From reading Microsoft’s White Paper "Windows Vista Security Advancements", it was clear that Microsoft has redesigned Vista from scratch, making security a priority for each component. The buzzword for this new way of looking at security is SDL (Security Development Lifecycle). While this is a good idea, backed up with tools like PREfix and PREfast, I guess even Microsoft would agree that SDL is something they should have started a long time ago. When I looked at Vista in the flesh, what surprised me the most was not that it was different from XP, but that despite the under-the-covers changes, Vista had a similar look and feel to XP.

As ever, my goal is just to get you started; this is not an exhaustive list of Vista security items. That Microsoft White Paper ran to 25 pages. An example of Microsoft’s holistic approach to security is the link between Service Hardening and Firewalls; for example, Services can be individually identified and confined to using only the ports they need for their day jobs.
Another example of a unified approach to security is the concept of NX (no eXecute). Where Vista code only needs to read or store data, NX hardware and software combine to stop Services and other software from executing code in these areas. The effect will be to prevent virus attacks using buffer overrun tricks. Although NX is possible with 32-bit processors, a 64-bit processor uses NX protection by default.

Microsoft’s Jim Allchin holds top level responsibility for Windows Vista. He has announced plans to retire after Vista is released.
NAP (Network Access Protection). The idea behind NAP is to allow only ’Healthy’ machines access to the network. In a nutshell, this is a system designed to stop rogue laptops joining your network, because of the risk of them infecting your machines with viruses. Don’t confuse NAP with NAT (Network Address Translation) or network quarantine. NAP is a client-server technology to identify machines that you want on your network.