Windows Hacks: Vista Comes Into View

Our hands-on, in-depth preview of XP's successor, Windows Vista.

Scott Spanbauer

Safer Windows

Right out of the chute, Vista is more secure than its predecessor. If you install the initial version of Windows XP on an Internet-connected PC, the Blaster worm will bring your whole computer down in a matter of minutes. Microsoft started to take security more seriously in XP Service Packs 1 and 2, enabling the Windows Firewall and automatic updates by default.

Vista gets tougher on Internet-based attacks by including an antispyware tool, and by enhancing Internet Explorer's default security. The new Spyware Protection section in the Windows Security Center reports whether Windows Defender, Vista's antispyware utility (formerly known as Microsoft AntiSpyware), is running. The new General Security section tracks whether the security settings in IE have been lowered to unsafe levels, opening the door to browser-borne attacks. Vista's version of IE won't even let you see the Web until you raise the Internet Zone's security back to 'Medium-High', a setting essentially the same as Windows XP Service Pack 2's 'Medium' setting.

Despite these improvements, Vista fails to close one gaping security hole, at least for ordinary computer users. Windows has long needed a firewall that blocks unauthorized traffic--both incoming and outgoing--to prevent viruses, spyware, worms, and other malware from delivering your private data to servers or from spreading themselves to other computers. Like the one in Windows XP, Vista's firewall does an excellent job of blocking the Blaster worm and other incoming attacks. When you install an application that accepts incoming connections (such as a browser or an instant messenger), the firewall asks you to allow or block the connections. But don't mistake such requests for outgoing-connection security.

Vista's firewall can control whether individual programs initiate outgoing connections, but this feature isn't intended for mere mortals. (Microsoft claims that only IT departments will have reason to use this setting.) By delving deep into the Local Security Policy Settings in Control Panel's Administrative Tools, I was able to block outgoing traffic and create exceptions for individual programs. But these settings are too obscure for most people. If Vista's firewall remains as is, you'll simply need to install a third-party bidirectional firewall such as ZoneLabs' free ZoneAlarm, which is what we recommend for Windows XP users today.
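The outbound lockdown described above (block outgoing traffic by default, then add exceptions for individual programs) can also be scripted. This is an added example, not part of the original article; it assumes the `netsh advfirewall` context that ships with released versions of Windows Vista and later, an elevated PowerShell prompt, and illustrative rule names, backup path and program list.

```powershell
# Added example: default-deny outbound policy with per-program exceptions.
# Rule names, the backup path and the program list are illustrative values.

# 1. Export the current policy first so the change can be rolled back
#    with: netsh advfirewall import <file>
$backup = "$env:USERPROFILE\firewall-before-$(Get-Date -Format yyyyMMdd-HHmmss).wfw"
netsh advfirewall export $backup
if ($LASTEXITCODE -ne 0) { throw "Policy export failed; nothing was changed." }

# 2. Allow the plumbing every allowed program depends on (DNS lookups, DHCP
#    lease renewal) before the default is switched to block.
netsh advfirewall firewall add rule name=Out-DNS dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name=Out-DHCP dir=out action=allow protocol=UDP localport=68 remoteport=67

# 3. Per-program exceptions. Anything not listed here loses outbound access.
$allowed = @{
    'Out-IE'      = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    'Out-Firefox' = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
}
foreach ($name in $allowed.Keys) {
    $path = $allowed[$name]
    if (-not (Test-Path $path)) {
        Write-Warning "Skipping $name, program not found: $path"
        continue
    }
    netsh advfirewall firewall add rule "name=$name" dir=out action=allow "program=$path" enable=yes
}

# 4. Switch every profile to block unsolicited inbound AND unmatched outbound.
#    Quoted so PowerShell does not split the value at the comma.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 5. Log dropped connections so blocked programs show up in the firewall log
#    instead of failing silently.
netsh advfirewall set allprofiles logging droppedconnections enable

# 6. Confirm the effective policy for each profile.
netsh advfirewall show allprofiles firewallpolicy
```

Windows Update and other system services are blocked too until they get their own allow rules, so review the dropped-connection log after the first day of use.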

Lockdown, Vista Style

You can also reduce the threat from malicious software by restricting access to key system settings and hardware. Linux, Mac OS X, Unix, and similar operating systems discourage the use of high-privilege accounts for day-to-day computing. That way, when a bad program does get loose, the damage it can do is minimized. When tasks requiring an administrator account's privileges pop up, you simply run that program as the administrator by entering a password.

Windows has offered lower-privilege accounts for quite a while, but they are painful to use, since performing tasks that require higher privileges (such as installing programs or changing security settings) means logging out and then logging back in to an administrator account.

Vista's limited-rights accounts are easier to tolerate: Standard user accounts (which XP calls Limited accounts) and any rogue software running under them are still blocked from many sensitive tasks. But now, Windows pops up a dialog box that allows you to enter an administrator password for the task (see FIGURE 1). Unfortunately, in Beta 2, when you are logged in under an administrator account, a similar dialog box pops up asking you to confirm every high-privilege task.

Windows XP's log-in security and disk encryption make life difficult for casual snoops, but determined data thieves can still decode the contents of a stolen laptop or hard disk, if they have sufficient time and the right tools. Vista's Secure Startup feature moves the drive encryption key off the disk itself and onto a motherboard-mounted Trusted Platform Module chip, a USB drive, or good old paper.

You can still encrypt volumes and folders as in Windows XP Professional, but Vista's Secure Startup walks you through the process of encrypting the entire drive and saving a 48-bit key to a file on another PC or on a USB drive, or of printing the key on paper (see FIGURE 2). Afterward, no one can boot Vista on the PC without first accessing the TPM chip (impossible when the disk drive is separated from the system), inserting the USB device, or entering the 48-digit key by hand. Write down or save the key in a file--my USB drive failed to provide the key when I tried to boot a freshly encrypted Vista volume. According to Microsoft, Secure Startup will be included only in the OS's Enterprise Edition, limiting the feature to corporate Windows users.

Keeping Kids Safe

Previous versions of Internet Explorer have parental controls for filtering out adult content, but Vista expands on them by giving administrators (presumably reasonable adults) control over what non-administrator accounts (presumably children in need of protection) can view on the computer, whether it's in a browser, an instant message window, or a game.

Vista's Web controls block content by topic--drugs, alcohol, firearms, and hate speech, for example--and they also filter browser-based e-mail and chat. You can thwart or allow games according to Entertainment Software Rating Board categories, including games that are already installed on the PC (see FIGURE 3). Even better, for parents who aren't always around to monitor their kids' computer usage, Parental Controls let you specify times when the account can't be used. If you've always wished you could magically disable your child's computer every night at bedtime, now you can. Vista even monitors account activity and reports what the little darlings have been up to, such as the sites they've visited and the time they've spent using various programs.

Unfortunately, in the current beta version, Vista's Web filtering didn't prevent me from viewing adult content in Internet Explorer or Firefox, nor did the reports note my furtive online explorations--or any of my other activity, for that matter.
