July 24, 2007

Windows Vista Security: Pros and Cons, Third Party Solutions Still Needed

Vista has a number of new security features, such as a two-way firewall, Windows Defender, UAC (User Account Control), BitLocker Drive Encryption, and more. These are certainly improvements over XP in terms of baking more security into Windows. My thoughts and experiences with them so far, along with recommendations for third-party security apps where needed:

Vista Firewall:
While Vista indeed comes with a two-way firewall, it's a mixed bag. While it blocks incoming requests (Windows XP does this too), it appears there's no easy way to configure Vista's firewall to block unauthorized outgoing communications (for example, spyware phoning home from your PC). A user would need to add blocking for each type of malware out there today, which as we know, numbers in the thousands. Not good, so I embarked on researching several of the Internet security suite products for easier and more robust protection, and posted my results below.

Windows Defender:
Windows Defender is basically the next generation of Microsoft's Windows AntiSpyware. For users that don't have any anti-spyware protection installed, this is certainly a step in the right direction. However, it's not an antivirus program. For that, you'd need to subscribe and pay for the Windows Live OneCare service, listing for $49.95/year on Microsoft's web site. The site lists OneCare's features as Antivirus, Antispyware, Anti-phishing, Firewall, Performance tune-ups, and Backup and Restore. It's interesting to note a number of these are already bundled in Vista, at least to some extent. Again, while I applaud Microsoft for offering additional security, they don't have a great track record in the security business, and for that price I found several Internet security suites that were more mature and robust for roughly the same price. Also, I still like having Spybot Search and Destroy installed to catch anything the other solutions missed, and vice versa.

UAC (User Account Control):
First off, if you haven't heard of or seen Vista's UAC prompts, you absolutely must view this hilarious Apple TV commercial. For certain types of actions, Windows will prompt you to confirm whether you want them to run or not. It's annoying and productivity-sapping as you're basically issuing commands twice. The idea behind it is to prevent malware from doing something unauthorized on your PC. As the commercial mentions, you could turn it off, but then it wouldn't provide any alerts or protection. I've read that Microsoft is looking to make it less intrusive and annoying in the future. One could only hope.

New User Account Types:
Vista helps address one of the support problems with Windows XP -- standard user vs. administrative rights. Under XP, it was common to have to log into Windows as a system administrator to install programs, make system changes, troubleshoot, etc. With Vista, standard user accounts can be temporarily escalated to administrator privileges simply by typing in an administrator password when prompted. Granted, I seriously doubt that corporate enterprises will allow their users such privileges, but for home use, it's a great feature that eliminates a lot of user swapping and logins back and forth. It also allows me to work as a standard user with limited privileges for better security, while providing me temporary superpowers when needed.

BitLocker Drive Encryption:
Wouldn't it be nice to know that if someone stole my laptop, they couldn't get access to my confidential e-mails, documents, financial information, and more? Hard drive encryption was one of the reasons I wanted to purchase Vista Ultimate, as it's only available in Vista Enterprise and Ultimate editions (so don't expect it in any Home version nor the smaller business editions). With the staggering number of laptop thefts and inadvertent disclosures of confidential data and corporate data privacy debacles, this is a welcome addition to Windows. Just for "fun", take a look at the very long Privacy Rights Clearinghouse list of data breaches since 2005. In your browser, press CTRL-F and type "laptop" to find each occurrence involving a laptop computer breach. Scary, isn't it?

Sure, there are plenty of third party drive encryption products available, but it's nice to see one incorporated into the OS itself. I haven't tried it yet, and there is some drive preparation required. As I understand it, BitLocker needs to create two hard drive volumes. One is unencrypted for all of Vista's system files for better performance. The other is encrypted and contains all of the non-system files (including your data). FYI, Vista Ultimate users can download a free "Extra" via Windows Update that streamlines this preparation process and makes it more user-friendly. As I prefer to use Norton Ghost to backup Windows installations, I haven't enabled BitLocker until I know that Ghost can handle backing up and restoring these encrypted volumes. Symantec just released Ghost 12.0 for Vista compatibility, so I'll be checking up on its ability to handle BitLockered drives.

Data Execution Prevention (DEP):
Vista continues to support DEP as did WinXP SP2. Per Microsoft, Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In plain English, it prevents programs from running from memory marked for storing data, not programs. This is one way the system can stop malicious software exploits.

On my Toshiba laptop, I used SecurAble from Steve Gibson (of ShieldsUp! fame) to determine whether my new Core 2 Duo processor had hardware DEP capability and whether it was enabled. Sure enough, it had DEP, but Toshiba shipped the laptop with DEP disabled in the BIOS. After I enabled it, I have encountered a few instances where Windows closed Internet Explorer and other apps under DEP protection. As I have a clean system, I'm chalking these up to software bugs. As an educated guess, this is probably why Toshiba chose to leave it disabled -- less problems for users out of the box (but perhaps leaving them open for more problems down the road without hardware DEP protection). Most processors made in the past year or two support hardware DEP, which is preferable to the software-based DEP protection Vista will use if it doesn't detect it in the processor.

Why is DEP so important? I'll let Steve Gibson answer that by quoting from his site:

"Why would data or communications buffers ever contain executable code? . . . because so-called "Buffer Overrun" attacks are the predominant way Internet-connected computers have historically been remotely hacked and compromised. Hackers locate obscure software vulnerabilities which allow them to "overrun" the buffers with their own data. This tricks the computer into executing the hacker's supplied data (which is actually code) contained within that buffer. But if the operating system has marked that Internet communications buffer region of memory as only being valid for containing data and NOT code, the hacker's attack will never get started. Instead, the operating system will display a notice to the user that the vulnerable program is being terminated BEFORE any of the hacker's code has the chance to run.

The real beauty of this system is that it provides strong protection from UNKNOWN vulnerabilities in the system and user programs.

Anti-Virus and anti-malware software is useful, but as we know, virus signature files must be continually updated to keep A/V software aware of new threats. Significantly, A/V software is unable to protect against unknown viruses and malware intrusions because it searches for known malicious code rather than detecting and blocking potentially malicious behavior. Hardware DEP, on the other hand, when properly configured, hardens the entire system against both known and unknown vulnerabilities by detecting and preventing the behavior of code execution in data buffers.

Buffer overrun vulnerabilities are so difficult to prevent that scores of them are being found and exploited in operating system and application software every day. Taking advantage of modern processor XD/NX capabilities is a powerful way to fight back and prevent this most common class of Internet vulnerabilities."

Third-Party Internet Security Suites:
While Microsoft's emphasis on security is welcome, I have to say their security track record gave me great pause in relying exclusively on their solutions -- particularly when there are mature and tested security products available. For my new Vista laptop, I took a look at three leading Internet security suites from ZoneAlarm, Symantec (Norton), and McAfee. Only one met my definition of appropriate security features, ease of use, and system performance.

First off, Toshiba had preinstalled a 30-day trial of McAfee's Internet Security Suite. I've never been a big fan of McAfee's antivirus software, having seen first-hand some clunky performance and other issues in the past. Keeping an open mind, it was a good opportunity to see if they've corrected prior shortcomings. Sad to say, the new version only confirmed my concerns. Every time I used Outlook 2007 to send/receive e-mail, I saw my dual-core processors peg at 100% usage continuously. It literally brought my new Vista system to its knees. The entire system was running in extreme slow motion. At first I thought it was an Outlook problem, but the trusty Windows Task Manager pinpointed McAfee's e-mail proxy service as the culprit. Killing it fixed the problem. No, actually, spending several hours uninstalling, rebooting, and then manually removing all of the McAfee remnants in my system and registry fixed the problem. Even McAfee's special uninstaller from their web site didn't do a complete job. Let this be a lesson.

Next, I looked at both ZoneAlarm's and Norton's Internet security suite offerings. This took a bit more research, as both have produced excellent products in the past. ZoneAlarm has one of the best personal firewalls in the market, while Norton's Antivirus has never, ever, let me down. The ZoneAlarm suite now uses Kaspersky's highly-regarded antivirus, which brings it on par with Norton Antivirus. Previously, ZoneAlarm used CA's antivirus, a less impressive solution in my opinion. So how did they fare against each other in security features?

Like Norton, ZoneAlarm has a network and program firewall. However, ZoneAlarm has an added OS firewall, providing even greater protection at the operating system level. Score one for ZoneAlarm. Both provide full stealthing of ports. Both provide an option to block all traffic. ZoneAlarm provides a nice big red button for one-click blocking. Norton's "Block Traffic" feature requires you to perform several clicks and type an administrator password to confirm. Apparently they're taking lessons from Microsoft's UAC above, and this is bad. When you have an intrusion in either direction, you need to be able to kill all traffic quickly and easily, so ZoneAlarm easily wins this round for ease of use. Naturally, with Wi-Fi laptops, another easy way is to just turn off your Wi-Fi card, as many new laptops provide a handy off switch. Also, both suites provided anti-spyware, anti-phishing, rootkit, and wireless network protection, so those were a draw.

However, it's extremely critical to note that the ZoneAlarm Internet Security Suite for Vista is missing important features compared to their XP program. ZoneAlarm's Vista version lacks spy site blocking and blocking of confidential data. ZoneAlarm also lacks parental control, IM (instant messaging) protection, and ad blocking. ZoneAlarm's customer service explained that they were not included due to the fact that Vista and IE7 already include many of these features. While plausible, it did not excuse the most glaring omission of all: There was no adequate e-mail security. The Vista version of ZoneAlarm Internet Security Suite could not scan or repair e-mail attachments, quarantine them, or block infected outgoing messages. This was the tipping point for me.

As spam and e-mail attachments continue to be critical security threats, I opted for the excellent e-mail antivirus protection Norton provided. While the Norton Internet Security suites from 2005 and 2006 received a lot of negative feedback for being bloated and slow in scanning, the new NIS 2007 suite has been mostly recoded from the ground up. Increased scanning speed performance and reduced CPU usage were two of their main goals, and it shows. The installation went flawlessly, as did the initial scans and live updates. As for configuration, it was mostly automatic. By default, Norton Antivirus ignores all low-risk items, not something I like to see in a security program. It can be changed to prompt the user for those items, which I heartily recommend.

As further justification, I recently perused a copy of Windows Vista Magazine while killing time in an airport. They reviewed something like the top 7-8 Internet security suites including Norton, ZoneAlarm, and McAfee. They also concluded that Norton Internet Security 2007 was the top pick. While no suite is perfect, I've always liked the die-hard protection that Norton provides with virtually no false positives, easy updating of both programs and virus definitions alike, and that it just plain works. On the downside, if you should encounter a problem, Norton's customer service and support isn't what it used to be, and they tend to force you to buy new versions instead of solving problems with their installed user base. Something to consider if you aren't a power user.

FYI, Symantec has also just released Norton 360, an even more comprehensive suite that provides backup and performance tuning features in addition to the security features. While it sounds nice, all these additional features just seemed reminiscent of Norton SystemWorks -- a fairly bloated, invasive, and problematic suite for many users, and one which I strongly recommended against to friends and colleagues. Frankly, I just needed the Norton Internet Security suite features, and didn't want to overload my new Vista system with potential bloatware. Norton 360 may indeed prove to be a valuable package, but I emphasize the word, "prove", before recommending it.

Concluding Thoughts:
As you can see, Microsoft has beefed up security in Vista and IE7 to some extent. How effective these new features are, well, that remains to be seen. I still recommend installing a separate security suite with good firewall, antivirus, anti-spyware, and other features to more fully protect your system. Yes, they cost a little more, but they're worth it.

BitLocker hard drive encryption sounds promising. As faster dual- and quad-core processors and faster hybrid hard drives (those with added flash memory) hit the market, we may indeed see a mobile data security solution with reduced performance lag. For once, I'd love to read this headline: "Laptop with Critical Data Stolen -- Encryption Saved Company, Customers, and Employees From Yet Another Identity Theft and Data Privacy Fiasco." However, I have to wonder why Microsoft omitted BitLocker from other Vista versions that will obviously be installed on business and personal laptops? It just seems to lessen their stance on security by making it subordinate to profitability.

Overall, I like the attention on added security. I think that over time, with additional service packs and updates, Vista will surpass XP's popularity -- particularly as newer and faster hardware will put its performance on par with XP.

Topic(s):   Feature Articles  |  Privacy & Security
Posted by Jeff Beard