Security and safety features new to Windows Vista


There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.


Beginning in early 2002 with Microsoft's announcement of its Trustworthy Computing initiative, a great deal of work has gone into making Windows Vista a more secure operating system than its predecessors. Internally, Microsoft adopted a "Security Development Lifecycle" [1] with the underlying ethos of "Secure by design, secure by default, secure in deployment". New code for Windows Vista was developed with the SDL methodology, and all existing code was reviewed and refactored to improve security.

Some specific areas where Windows Vista introduces new security and safety mechanisms include User Account Control, parental controls, Network Access Protection, a built-in anti-malware tool, and new digital content protection mechanisms.

User Account Control

User Account Control is a new infrastructure that requires user consent before allowing any action that requires administrative privileges. With this feature, all users, including users with administrative privileges, run in a standard user mode by default, since most applications do not require higher privileges. When some action is attempted that needs administrative privileges, such as installing new software or changing system or security settings, Windows will prompt the user whether to allow the action or not. If the user chooses to allow, the process initiating the action is elevated to a higher privilege context to continue. While standard users need to enter a username and password of an administrative account to get a process elevated (Over-the-shoulder Credentials), an administrator can choose to be prompted just for consent or ask for credentials. If the user doesn't click Yes, after 30 seconds the prompt is denied.

UAC asks for credentials in a Secure Desktop mode, where the entire screen is faded out and temporarily disabled, to present only the elevation UI. This is to prevent spoofing of the UI or the mouse by the application requesting elevation. If the application requesting elevation does not have focus before the switch to Secure Desktop occurs, then its taskbar icon blinks, and when focussed, the elevation UI is presented (however, it is not possible to prevent a malicious application from silently obtaining the focus).

Since the Secure Desktop allows only highest privilege System applications to run, no user mode application can present its dialog boxes on that desktop, so any prompt for elevation consent can be safely assumed to be genuine. Additionally, this can also help protect against shatter attacks, which intercept Windows inter-process messages to run malicious code or spoof the user interface, by preventing unauthorized processes from sending messages to high privilege processes. Any process that wants to send a message to a high privilege process must get itself elevated to the higher privilege context, via UAC.

Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM). [2] UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user's profile. For example, if an application attempts to write to "C:\program files\appname\settings.ini" and the user doesn't have permission to write to that directory, the write is redirected to "C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\".

Encryption

BitLocker, formerly known as "Secure Startup", offers full disk encryption for the system volume. Using the command-line utility, it is possible to encrypt additional volumes. BitLocker utilizes a USB key or a Trusted Platform Module (TPM) conforming to version 1.2 of the TCG specifications to store its encryption key. It ensures that the computer running Windows Vista starts in a known-good state, and it also protects data from unauthorized access. [3] Data on the volume is encrypted with a Full Volume Encryption Key (FVEK), which is in turn encrypted with a Volume Master Key (VMK) and stored on the disk itself.

Windows Vista is the first Microsoft Windows operating system to offer native support for the TPM 1.2 by providing a set of APIs, commands, classes, and services for the use and management of the TPM. [4] [5] A new system service, referred to as TPM Base Services, enables the access to and sharing of TPM resources for developers who wish to build applications with support for the device. [6]

Encrypting File System (EFS) in Windows Vista can be used to encrypt the system page file and the per-user Offline Files cache. EFS is also more tightly integrated with enterprise Public Key Infrastructure (PKI), and supports using PKI-based key recovery, data recovery through EFS recovery certificates, or a combination of the two. There are also new Group Policies to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, enforce encryption of the user's Documents folder, and prohibit self-signed certificates. The EFS encryption key cache can be cleared when a user locks his workstation or after a certain time limit.

The EFS rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files that will use the newly chosen certificate. Certificate Manager also allows users to export their EFS recovery certificates and private keys. Users are reminded to back up their EFS keys upon first use through a balloon notification. The rekeying wizard can also be used to migrate users in existing installations from software certificates to smart cards. The wizard can also be used by an administrator or users themselves in recovery situations. This method is more efficient than decrypting and reencrypting files.

Windows Firewall

Windows Vista significantly improves the firewall [7] to address a number of concerns around the flexibility of Windows Firewall in a corporate environment:

Windows Defender

Windows Vista includes Windows Defender, Microsoft's anti-spyware utility. According to Microsoft, it was renamed from 'Microsoft AntiSpyware' because it not only features scanning of the system for spyware, similar to other free products on the market, but also includes Real Time Security agents that monitor several common areas of Windows for changes which may be caused by spyware. These areas include Internet Explorer configuration and downloads, auto-start applications, system configuration settings, and add-ons to Windows such as Windows Shell extensions.

Windows Defender also includes the ability to remove ActiveX applications that are installed and block startup programs. It also incorporates the SpyNet network, which allows users to communicate with Microsoft, send what they consider is spyware, and check which applications are acceptable.

Device Installation Control

Windows Vista allows administrators to enforce hardware restrictions via Group Policy to prevent users from installing devices, to restrict device installation to a predefined white list, or to restrict access to removable media and classes of devices. [8] [9]

Parental Controls

Parental Controls of Windows Vista displaying features to restrict a Danielle standard user account

Windows Vista includes a range of parental controls for administrators to monitor and restrict computer activity of standard user accounts that are not part of a domain; User Account Control enforces administrative restrictions. Features include: Windows Vista Web Filter—implemented as a Winsock LSP filter to function across all Web browsers—which prohibits access to websites based on categories of content or specific addresses (with an option to block all file downloads); Time Limits, which prevents standard users from logging in during a date or time specified by an administrator (and which locks restricted accounts that are already logged in during such times); Game Restrictions, which allows administrators to block games based on names, contents, or ratings defined by a video game content rating system such as the Entertainment Software Rating Board (ESRB), with content restrictions taking precedence over rating restrictions (e.g., Everyone 10+ (E10+) games may be permitted to run in general, but E10+ games with mild language will still be blocked if mild language itself is blocked); Application Restrictions, which uses application whitelists for specific applications; and Activity Reports, which monitors and records activities of restricted standard user accounts.

Windows Parental Controls includes an extensible set of options, with application programming interfaces (APIs) for developers to replace bundled features with their own.

Exploit protection functionality

Windows Vista uses Address Space Layout Randomization (ASLR) to load system files at random addresses in memory. [10] By default, all system files are loaded randomly at any of 256 possible locations. Other executables have to specifically set a bit in the header of the Portable Executable (PE) file, which is the file format for Windows executables, to use ASLR. For such executables, the locations of the stack and heap are also chosen randomly. By loading system files at random addresses, it becomes harder for malicious code to know where privileged system functions are located, making it unlikely that they can be used predictably. This helps prevent most remote code execution attacks by defeating return-to-libc buffer overflow attacks.

The Portable Executable format has been updated to support embedding of exception handler address in the header. Whenever an exception is thrown, the address of the handler is verified with the one stored in the executable header. If they match, the exception is handled, otherwise it indicates that the run-time stack has been compromised, and hence the process is terminated.

Function pointers are obfuscated by XOR-ing them with a random number, so that the actual address pointed to is hard to retrieve. Manually changing a pointer is equally hard, because the obfuscation key used for the pointer would be very difficult to recover. Thus, it is made hard for any unauthorized user of the function pointer to actually use it. Metadata for heap blocks is also XOR-ed with random numbers. In addition, checksums for heap blocks are maintained, which are used to detect unauthorized changes and heap corruption. Whenever heap corruption is detected, the application is killed to prevent successful completion of the exploit.

Windows Vista binaries include intrinsic support for detection of stack overflows. When a stack overflow is detected in a Windows Vista binary, the process is killed so that it cannot be used to carry on the exploit. Windows Vista binaries also place buffers higher in memory and non-buffer data, such as pointers and supplied parameters, in lower memory areas. So to exploit such a binary, a buffer underrun is needed to reach those locations. However, buffer underruns are much less common than buffer overruns.

Application isolation

Windows Vista introduces Mandatory Integrity Control to set integrity levels for processes. A low integrity process cannot access the resources of a higher integrity process. This feature is used to enforce application isolation: applications at the medium integrity level, such as all applications running in the standard user context, cannot hook into system-level processes that run at the high integrity level, such as administrator-mode applications, but can hook into lower integrity processes such as Windows Internet Explorer 7 or 8. A lower privilege process cannot validate a window handle belonging to a higher privilege process, cannot SendMessage or PostMessage to higher privilege application windows, cannot use thread hooks to attach to a higher privilege process, cannot use Journal hooks to monitor a higher privilege process, and cannot perform DLL injection into a higher privilege process.

Data Execution Prevention

Windows Vista offers full support for the NX (No-Execute) feature of modern processors. [11] DEP was introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. This feature, present as NX (EVP) in AMD's AMD64 processors and as XD (EDB) in Intel's processors, can flag certain parts of memory as containing data instead of executable code, which prevents overflow errors from resulting in arbitrary code execution.

If the processor supports the NX-bit, Windows Vista automatically enforces hardware-based Data Execution Prevention on all processes to mark some memory pages as non-executable data segments (like the heap and stack), and subsequently any data is prevented from being interpreted and executed as code. This prevents exploit code from being injected as data and then executed.

If DEP is enabled for all applications, users gain additional resistance against zero-day exploits. But not all applications are DEP-compliant and some will generate DEP exceptions. Therefore, DEP is not enforced for all applications by default in 32-bit versions of Windows and is only turned on for critical system components. However, Windows Vista introduces additional NX policy controls that allow software developers to enable NX hardware protection for their code, independent of system-wide compatibility enforcement settings. Developers can mark their applications as NX-compliant when built, which allows protection to be enforced when that application is installed and runs. This enables a higher percentage of NX-protected code in the software ecosystem on 32-bit platforms, where the default system compatibility policy for NX is configured to protect only operating system components. For x86-64 applications, backward compatibility is not an issue and therefore DEP is enforced by default for all 64-bit programs. Also, only processor-enforced DEP is used in x86-64 versions of Windows Vista for greater security.
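The ASLR and DEP opt-ins described above are both bits in the DllCharacteristics field of the PE optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT, per the Microsoft PE/COFF specification). The following added example, which is not code from the original page or from Microsoft, is an audit helper that reads those bits from an image so an administrator can see which binaries have opted in; the sample images it inspects are constructed in the block, and the helper and constant names are the author's choice.

```python
"""Inspect a PE image for the Vista-era ASLR and DEP opt-in bits (added example)."""
import struct

# Bits of the optional header's DllCharacteristics field (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image declares itself DEP/NX compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image uses no structured exception handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# Subsystem sits at offset 68 and DllCharacteristics at 70 in both PE32 and PE32+
# optional headers, because PE32+ drops BaseOfData but widens ImageBase to 8 bytes.
DLLCHARACTERISTICS_OFFSET = 70


def pe_dll_characteristics(image: bytes) -> tuple:
    """Return (optional header magic, DllCharacteristics), validating each header on the way."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)      # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # 20-byte COFF file header
    (size_of_optional_header,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    if size_of_optional_header < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return magic, flags


def mitigation_report(image: bytes) -> dict:
    """Summarise which loader-enforced mitigations the image has opted in to."""
    magic, flags = pe_dll_characteristics(image)
    return {
        "x64": magic == PE32PLUS_MAGIC,
        "aslr_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep_opt_in": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(flags & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def make_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample image: DOS header, COFF header and optional header only, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> right after the DOS header
    machine = 0x8664 if pe32plus else 0x14C                   # AMD64 or i386
    size_opt = 240 if pe32plus else 224                       # standard optional header sizes
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x0002)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "legacy 32-bit, no opt-ins": make_sample_pe(0x0000),
        "32-bit, ASLR+DEP opt-in": make_sample_pe(0x0140),
        "64-bit, DEP only": make_sample_pe(0x0100, pe32plus=True),
    }
    for label, img in samples.items():
        print(f"{label}: {mitigation_report(img)}")
```

On a real system the same function can be pointed at the bytes of any .exe or .dll; a 32-bit image with dep_opt_in False is one that Vista's default OptIn policy will leave unprotected unless it is a system component.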

Digital rights management

New digital rights management and content-protection features have been introduced in Windows Vista to help digital content providers and corporations protect their data from being copied.

The inclusion of new digital rights management features has been a source of criticism of Windows Vista.

Windows Service Hardening

Windows Service Hardening compartmentalizes services so that if one service is compromised, it cannot easily attack other services on the system. It prevents Windows services from performing operations on file systems, the registry or networks [14] that they are not supposed to, thereby reducing the overall attack surface of the system and preventing malware from gaining entry by exploiting system services. Services are now assigned a per-service security identifier (SID), which allows access to the service's resources to be controlled according to that identifier. A per-service SID may be assigned during service installation via the ChangeServiceConfig2 API or by using the SC.EXE command with the sidtype verb. Services can also use access control lists (ACLs) to prevent external access to resources private to the service.
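The per-service SID mentioned above is derived deterministically from the service name: it is S-1-5-80 followed by the SHA-1 hash of the upper-cased service name in UTF-16LE, read as five little-endian 32-bit sub-authorities (this is the documented derivation, not something the page states). The following added example, which is not code from the page or from Microsoft, computes that SID offline and checks a constructed ACL for write grants to anything other than the service's own SID; the ACL format and helper names are the author's own.

```python
"""Derive Windows per-service SIDs (NT SERVICE\\<name>) and audit a resource ACL (added example)."""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"   # NT authority, SECURITY_SERVICE_ID_BASE_RID (80)


def service_sid(service_name: str) -> str:
    """Return the per-service SID for a service name, as 'sc showsid' would print it."""
    # The name is upper-cased and UTF-16LE encoded before hashing, so lookups are case-insensitive.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)       # 20-byte digest -> five DWORDs
    return SERVICE_SID_PREFIX + "".join(f"-{s}" for s in sub_authorities)


def is_service_sid(sid: str) -> bool:
    """True when the string has the shape of a per-service SID (S-1-5-80 plus five sub-authorities)."""
    parts = sid.split("-")
    if len(parts) != 9 or parts[:4] != ["S", "1", "5", "80"]:
        return False
    return all(p.isdigit() and int(p) < 2 ** 32 for p in parts[4:])


def unexpected_writers(acl: list, service_name: str) -> list:
    """Return SIDs in a constructed ACL that hold write access without being the service's own SID.

    `acl` is a list of (sid, access) tuples, a simplified stand-in for a DACL; `access` is a set of
    right names such as {"read", "write"}. A service-private resource should grant write only to
    the service SID (plus SYSTEM, which Windows itself needs, so it is tolerated here).
    """
    own = service_sid(service_name)
    tolerated = {own, "S-1-5-18"}                        # the service itself and LocalSystem
    return [sid for sid, access in acl if "write" in access and sid not in tolerated]


if __name__ == "__main__":
    # Constructed sample ACL for a file that only the hypothetical service "SampleSvc" should write.
    sample_acl = [
        ("S-1-5-18", {"read", "write"}),                  # LocalSystem
        (service_sid("SampleSvc"), {"read", "write"}),    # the service's own per-service SID
        ("S-1-5-32-545", {"read", "write"}),              # BUILTIN\Users: too broad for a private file
    ]
    print("SampleSvc ->", service_sid("SampleSvc"))
    print("unexpected writers:", unexpected_writers(sample_acl, "SampleSvc"))
```

On a real host, the SID printed for a service name matches the output of `sc showsid <name>`, and the same string appears in the DACLs Windows writes for service-private resources.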

Services in Windows Vista also run in a less privileged account such as Local Service or Network Service, instead of the System account. Previous versions of Windows ran system services in the same login session as the locally logged-in user (Session 0). In Windows Vista, Session 0 is now reserved for these services, and all interactive logins are done in other sessions. [15] This is intended to help mitigate a class of exploits of the Windows message-passing system, known as Shatter attacks. The process hosting a service has only the privileges specified in the RequiredPrivileges registry value under HKLM\System\CurrentControlSet\Services.

Services also need explicit write permissions to write to resources, on a per-service basis. By using a write-restricted access token, only those resources which have to be modified by a service are given write access, so trying to modify any other resource fails. Services will also have pre-configured firewall policy, which gives it only as much privilege as is needed for it to function properly. Independent software vendors can also use Windows Service Hardening to harden their own services. Windows Vista also hardens the named pipes used by RPC servers to prevent other processes from being able to hijack them.

Authentication and logon

Graphical Identification and Authentication (GINA), used for secure authentication and interactive logon, has been replaced by Credential Providers. Combined with supporting hardware, Credential Providers can extend the operating system to enable users to log on through biometric devices (fingerprint, retinal, or voice recognition), passwords, PINs and smart card certificates, or any custom authentication package and schema third-party developers wish to create. Smart card authentication is flexible, as certificate requirements are relaxed. Enterprises may develop, deploy, and optionally enforce custom authentication mechanisms for all domain users. Credential Providers may be designed to support single sign-on (SSO), authenticating users to a secure network access point (leveraging RADIUS and other technologies) as well as machine logon. Credential Providers are also designed to support application-specific credential gathering, and may be used for authentication to network resources, joining machines to a domain, or to provide administrator consent for User Account Control. Authentication is also supported using IPv6 or Web services. A new Security Support Provider, CredSSP, is available through the Security Support Provider Interface; it enables an application to delegate the user's credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP). CredSSP is also used by Terminal Services to provide single sign-on.

Windows Vista can authenticate user accounts using Smart Cards or a combination of passwords and Smart Cards (Two-factor authentication). Windows Vista can also use smart cards to store EFS keys. This makes sure that encrypted files are accessible only as long as the smart card is physically available. If smart cards are used for logon, EFS operates in a single sign-on mode, where it uses the logon smart card for file encryption without further prompting for the PIN.

Fast User Switching, which was limited to workgroup computers on Windows XP, can now also be enabled for computers joined to a domain, starting with Windows Vista. Windows Vista also includes authentication support for the Read-Only Domain Controllers introduced in Windows Server 2008.

Cryptography

Windows Vista features an update to the crypto API known as Cryptography API: Next Generation (CNG). The CNG API is a user mode and kernel mode API that includes support for elliptic curve cryptography (ECC) and a number of newer algorithms that are part of the National Security Agency (NSA) Suite B. It is extensible, featuring support for plugging in custom cryptographic APIs into the CNG runtime. It also integrates with the smart card subsystem by including a Base CSP module which implements all the standard backend cryptographic functions that developers and smart card manufacturers need, so that they do not have to write complex CSPs. The Microsoft certificate authority can issue ECC certificates and the certificate client can enroll and validate ECC and SHA-2 based certificates.

Revocation improvements include native support for the Online Certificate Status Protocol (OCSP) providing real-time certificate validity checking, CRL prefetching and CAPI2 Diagnostics. Certificate enrollment is wizard-based, allows users to input data during enrollment and provides clear information on failed enrollments and expired certificates. CertEnroll, a new COM-based enrollment API replaces the XEnroll library for flexible programmability. Credential roaming capabilities replicate Active Directory key pairs, certificates and credentials stored in Stored user names and passwords within the network.

Metadata removal

The Remove Properties and Personal Information feature allows users to remove metadata from files before sharing them, to protect their privacy. It supports a small number of file formats and the removal of a limited number of properties. However, it is possible for software developers to write extensions for this feature so that it supports additional file formats and properties. It has been criticized for its very limited support of file formats and metadata elements and for having a misleading user interface. [16]

Network Access Protection

Windows Vista introduces Network Access Protection (NAP), which ensures that computers connecting to or communicating with a network conform to a required level of system health as set by the administrator of a network. Depending on the policy set by the administrator, the computers which do not meet the requirements will either be warned and granted access, allowed access to limited network resources, or denied access completely. NAP can also optionally provide software updates to a non-compliant computer to upgrade itself to the level as required to access the network, using a Remediation Server. A conforming client is given a Health Certificate, which it then uses to access protected resources on the network.

A Network Policy Server, running Windows Server 2008 acts as health policy server and clients need to use Windows XP SP3 or later. A VPN server, RADIUS server or DHCP server can also act as the health policy server.

x86-64-specific features

Other features and changes

A number of specific security and reliability changes have been made:


References

  1. Steve Lipner, Michael Howard (March 2005). "The Trustworthy Computing Security Development Lifecycle". Microsoft Developer Network. Retrieved 2006-02-15.
  2. Charles (2007-03-05). "UAC - What. How. Why" (video). Retrieved 2007-03-23.
  3. "Windows Vista Beta 2 BitLocker Drive Encryption Step-by-Step Guide". Microsoft TechNet. 2005. Retrieved 2006-04-13.
  4. "Windows Trusted Platform Module Management Step-by-Step Guide". TechNet. Microsoft. Retrieved 18 November 2014.
  5. "Win32_Tpm class". MSDN. Microsoft. Retrieved 18 November 2014.
  6. "TPM Base Services". MSDN. Microsoft. Retrieved 18 November 2014.
  7. The January 2006 issue of The Cable Guy covers the new features and interfaces in Windows Firewall in greater detail.
  8. "Step-By-Step Guide to Controlling Device Installation Using Group Policy". MSDN. Microsoft. 11 May 2010.
  9. "Managing Hardware Restrictions via Group Policy". TechNet Magazine. Microsoft. 8 September 2016.
  10. Howard, Michael (May 26, 2006). "Address Space Layout Randomization in Windows Vista". MSDN. Microsoft. Archived from the original on May 29, 2006. Retrieved March 20, 2023.
  11. "Security advancements in Windows Vista". Archived from the original on 2007-04-11. Retrieved 2007-04-10.
  12. "Output Content Protection and Windows Vista". WHDC. Microsoft. April 27, 2005. Archived from the original on 6 August 2005. Retrieved 2006-04-30.
  13. Protected Processes in Windows Vista
  14. "Windows Vista Security and Data Protection Improvements – Windows Service Hardening". TechNet. Microsoft. June 1, 2005. Retrieved 2006-05-21.
  15. Impact of Session 0 Isolation on Services and Drivers in Windows Vista covers Windows Vista's session isolation changes.
  16. Remove Properties and Personal Information: A Misleading Feature!
  17. AuthIP in Windows Vista
  18. The Cable Guy: Wireless Single Sign-On
  19. EAPHost in Windows
  20. Field, Scott (August 11, 2006). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. MSDN Blogs. Retrieved August 12, 2006.
  21. "Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista". WHDC. Microsoft. May 19, 2006. Archived from the original on April 12, 2006. Retrieved May 19, 2006.
  22. Windows LSA Secrets
  23. An update is available that enables the support of Enhanced Storage devices in Windows Vista and in Windows Server 2008
  24. Kerberos Enhancements in Windows Vista: MSDN
  25. TLS/SSL Cryptographic Enhancements in Windows Vista
  26. Using Software Restriction Policies to Protect Against Unauthorized Software
  27. Windows Vista Management features
  28. CNET.com (2007). "Windows Vista Ultimate Review". Retrieved 2007-01-31.
  29. "SPAP Deprecation (PStore)". Archived from the original on 2008-04-21. Retrieved 2007-04-17.