Anilrgowda

Vista has its strong points but hackers are looking for flaws

In last week's column about Windows users becoming increasingly disenchanted with Microsoft because of security issues, I suggested that the improvements in Windows Vista may have come too late and may not be enough.

Will users who are frustrated with viruses and other malware be willing to trust Microsoft one more time with a significant investment in another version of Windows? It's a case of Microsoft saying, "Trust us, really, we got it right this time. Honest."

As I wrote last week, even the best protections can't protect users who are intent on shooting themselves in the CPU. With that in mind, let's take a look at Vista's user-level security features and see just how secure they really are:

In Windows XP, accounts are set up with administrator privileges by default. Administrators can do anything to the system, while limited user accounts are, well, really limited. They are so reined in, in fact, as to be frustrating and thus are not often used.

There are ways to fine-tune this via administrative tools, but they aren't obvious to most home users — and even if they are discovered, they are hopelessly complex.

In Vista, the limited account has been renamed to "standard account," and it can do a lot more. But anything that changes the operating system in a way that affects other users requires administrator approval. More on how that happens later.

This is a better design, because it makes lower-permissions accounts more desirable and less frustrating. However, if you set up only one account when you install Vista for the first time on a PC, it's the administrator by default — which is the same scheme Windows XP used. That means the sole user of a PC has immediate access to the very guts of the operating system.

Microsoft recommends that users set up a standard account for everyday uses, but how many people will actually do that? Very few, I'd wager. Most folks who upgrade to Vista will stick with the configuration they're used to.

The User Account Control or UAC is one of the most controversial features in Vista, requiring a confirmation to perform certain system tasks. Users see it as a darkening of the screen, followed by a popup that requires a confirmation of the action.

If you're logged into an administrator account, the UAC dialog requires a simple click to clear it. But if you're logged into a standard account, you must enter an administrator password before the action can continue.

The UAC process is new to Windows, but not to personal computing. Both the Mac OS and Linux require a similar confirmation when system-level changes are made. I've been using Vista in beta, release-candidate and finished forms for almost six months — and using it as my primary OS since RC2 — and while the UAC irritated the heck out of me at first, I've gotten used to it.

Still, I predict many people will turn it off completely, which is ridiculously easy to do (Click the Start button, type MSCONFIG in the search box, click OK to clear the UAC dialog — ah, geeky irony! — click the Tools tab, then check the "Disable UAC" box).

Of course, Windows users already have popups that warn about the harmfulness of certain actions — downloading a file from the Web and running it gets you two or three dialog boxes, depending on your configuration — but that hasn't stopped them from happily clicking OK, lured by everything from free iPods to silly emoticons to access to gambling and porn sites. The UAC will only protect against certain types of stupidity, but not all.

If you've downloaded Internet Explorer 7 for Windows XP, you already know that it's quite different from IE6. I think it's a lot better, and its security features are part of the reason.

In Vista, its security is even tighter. It now runs with the lowest set of permissions.

For the most part, this is a good thing, although it is going to create some frustration on the part of users who are used to friendlier — but less safe — behavior in IE. For example, you cannot run a mix of trusted and standard Internet sites in the same browser window via tabs. If you have, say, chron.com in a window, and type in a site that begins with https — indicating your connection to the site will be securely encrypted — that site will open in a new window. You can only run other https sites in the tabs in that window.

Windows Vista does not come with built-in antivirus protection, but it does have an excellent antispyware program in Windows Defender, which is also available as a free download for Windows XP SP2 users. Microsoft sells a security suite called Windows Live OneCare, which includes an antivirus program, an enhanced version of the Windows Firewall, a file-backup program and a background defragmenter.

Windows Defender can protect users who blithely click past warnings. It works quite well, and it has caught things that made it through defenses on my Windows Vista box.

For example, I followed a link on a mainstream site that took me to a site that specializes in candid photos of celebrities in, um, various states of undress. The site was rife with popup ads, some of which got through both Internet Explorer 7's and Google Toolbar's popup blockers. When I tried to click on the X in one popup's window to close it, I missed my target and wound up clicking on the full-window image. That, in turn, caused part of a known spyware package to be saved to my Temporary Internet Files folder. Another couple of windows popped up, urging me to "run a scan for viruses," which undoubtedly would have installed the file and saddled me with spyware.

But Windows Defender spotted it, flagged me to the danger and quarantined it. I was impressed.

I've recommended Windows Defender since its original release as Microsoft Antispyware, and I continue to like it. I'm glad it's built-in to Vista.

There are other features worth noting, including an improved firewall that now monitors both outbound and inbound connections — although the outbound feature is turned off by default and requires mucking around in the Administrative Tools to turn it on. The firewall also has different rules for different types of networks, which is very handy for those using notebook computers at both public and private locations.

Perhaps the most powerful tools for families are the parental controls, which go beyond just restricting Web content. For example, Vista lets you create schedules for computer use, so Betsy can't stay up 'til 2 a.m. playing World of Warcrack on a school night.

Will Vista's architecture be more secure than past versions of Windows? Microsoft insists it is, but judging from reports that there already is a hot market among hackers for code that takes advantage of apparently unpatched flaws in Vista, that remains to be seen.