The two types of saved Internet Explorer passwords

I already mentioned in my post about the Windows Vault that some saved Internet Explorer passwords can be managed with the Credential Manager. These are HTTP authentication passwords, that is, passwords that are used to authenticate against a Web server (Internet Information Server, Apache, etc.). Passwords that are used to log on to a Web site with an HTML form (through a content management system) are not stored in the Windows Vault.

You can make out the difference between these two authentication forms easily. HTTP authentication always prompts a separate dialog window in Internet Explorer where you have to enter the credentials. HTML authentication is usually integrated within the Web page. This also makes clear why these passwords are not stored in the Window Vault.

Internet Explorer uses its auto-complete feature to manage passwords that you have to enter in HTML forms. The advantage is that you can use different accounts for a specific Web site. You just have to start typing the user name, and Internet Explorer will fill out the form fields for the user name and the password automatically.

Manually disable Internet Explorer saved passwords

As mentioned in my last posts, storing passwords always poses a risk, especially if you use functions integrated in Windows. If your organization values security above all, then you should consider disabling Internet Explorer saved passwords.

Users can turn off this feature themselves if they don’t want to be bothered by the AutoComplete feature. In Internet Explorer 8, you will find the AutoComplete settings in the Content Tab under Tools | Internet Options.

Disable Internet Explored saved passwords with Group Policy

If you don’t trust your users in these matters, you might want to disable Internet Explorer saved passwords network-wide with Group Policy. The name of the GPO settings is “Turn on the auto-complete feature for user names and passwords on forms.” You can find it under User Configuration | Administrative Templates | Windows Components | Internet Explorer. You have to disable this setting if you want to disallow Internet Explorer saved passwords.

If you just don’t want new passwords to be saved and allow users to be able to still use old credentials, you can enable this GPO setting and leave the “Prompt me to save passwords” option unchecked.

Notice that you can’t pre-configure these settings with the Group Policy Preferences because the Content tab is missing here. These security relevant settings should be enforced with policies.

Delete saved Internet Explorer passwords

Notice that disabling saved Internet Explorer passwords won’t delete the passwords. If you change the GPO setting to “not configured” again, then users will be able to use their old stored passwords. Users can delete saved Internet Explorer passwords at the General tab in Internet Options by deleting the corresponding Browsing History.

Saved Internet Explorer passwords storage location

If you don’t want to rely on your users, then you can delete all saved Internet Explorer passwords with a script. Windows stores the Internet Explorer password in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms.

Recover saved Internet Explorer passwords

Of course, the Internet Explorer passwords are encrypted in the Registry. However, it is not a big deal to recover these passwords with third-party tools. This can be useful if a user forgot the password and can’t log on after you disabled Internet Explorer saved passwords. A good free tool to recover saved Internet Explorer passwords is IE Passview. Of course, you can’t recover the passwords with this tool if you already deleted the stored passwords in the Registry.

• Microsoft Desktop Optimization Pack (MDOP): Diagnostic and Recovery Toolset (DaRT) (7)
• Raffle: JiJi Password and Account Expiration Notification Tool (3)
• Raffle: JiJi Account Lockout Tool – Resolve account lockout issues (2)
• FREE: NetWrix Privileged Account Manager – Password Manager (0)
• FREE: Lepide User Management – Remote password reset tool (4)

GFI WebMonitor Freeware

• FREE: Veeam ONE Free Edition – Real-time Hyper-V and VMware monitoring (0)
• FREE: FrameFlow – Web-based Windows monitoring (1)
• Raffle: PA Server Monitor – Easy Windows server monitoring (0)
• Poll: Are you currently using a monitoring solution? (12)
• SCOM 2012 review – Part 8: Dashboards (0)

Darren Canavor, a Microsoft program manager wrote almost three years ago about Vista:

In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type for new accounts created after initial setup.

Is this really true? I seriously doubt that.

First of all, the first account that is created when Vista is installed is a member of the administrators group. Most home users who bought computers with Vista pre-installed use this account. Therefore, the majority of all Windows users still have administrator privileges more or less in the same sense as with Windows 95 or MS DOS.

You might object that Vista’s UAC makes sure that administrators run with limited privileges by default. Whenever a Vista administrator launches an application it runs only with standard user privileges (medium integrity level). This is true and certainly a good thing. However, this doesn’t change the fact that most end users still work with administrator privileges on their Windows machine. All they have to do is to confirm a UAC prompt and everything is just like in the good old Windows 95 days.

There are new reports that the infection rate of Windows Vista is much lower than that of Windows XP. This might partly be attributed to UAC. However, the interesting questions is whether the UAC prompts helped to prevent infections? I believe that the UAC was never really designed to prevent infections with warning dialogs because most users are trained to confirm all kinds of popups anyway.

It is no secret that Microsoft’s main reason of introducing UAC was to force developers to program applications that only require standard user rights. No software vendor can afford to annoy customers with constant prompts. Now that the UAC is established we will see far less UAC prompts than after Vista’s release.

Moreover, the fact that Windows 7 by default will only issue a UAC dialog whenever a program tries to make changes to the system, but not if the user changes Windows settings, will further reduce the number of UAC prompts. So everything is perfect now? No more nagging UAC and still a secure Windows? I don’t think so. In my opinion, the silent elevation security hole in Windows 7 shows that the whole UAC concept is flawed.

The real problem is that most home users and also many end users in corporate environments are still administrators on their machines. This hasn’t changed with the introduction of UAC. It is the main reason why the number of Windows computers that are part of a botnet is increasing steadily. The guys behind these botnets are a lot smarter than those script kiddies who just use virus kits to create the next killer worm. These infected machines most likely don’t appear in Microsoft’s statistics because the botnet creators don’t just want attention like the script kiddies. Thus, they do everything not to be detected, in particular they don’t damage computers like old-fashioned computer viruses. I seriously doubt that UAC or similar technologies is an effective remedy against the rising threat of rootkits and botnets.

What has to be changed is that end users need to not be allowed to make system changes. Thanks to the Internet, this is possible. In the pre-Internet era, people went to computer shops and bought software in colorful cardboard boxes to install it at home on their computers. This is not necessary anymore. In fact, I don’t understand why software still has to be installed at all. The only reason why end users require administrator privileges on their machines is because they have to install software.

This is an outdated desktop model. In my view, Microsoft shouldn’t focus on gimmicks like the superbar, UAC modifications and XPMode. Instead, as the biggest software company, they should lead us into a new era where users only use computers but no longer have to administer them. Computer administration is the job of system administrators, but not of end users. New technologies such as application virtualization and rich internet applications made this possible. Microsoft only has to fully embrace these new technologies instead of fiddling around with an outdated desktop model. But please don’t get me wrong. I am not saying that the future belongs to web apps. I am still a fat PC.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• Thoughts about User Account Control’s (UAC) primary design goal (4)
• Windows 7 RC UAC security vulnerability: Auto elevation (5)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)

But, this is not the topic of this post. It is about the “word of caution” at the beginning of the article. Sekhy, the author of the article, warns his readers not to “tamper around” with the Administrator account. Ever since Microsoft decided to disable the built-in Administrator account in Windows Vista, there is a myth about the magical powers of the “true administrator account” circulating on the net. Hence, those people who don’t really know about these true powers should not dare to use the supersecret administrator account.

There are myriads of articles on the web that explain how to enable the built-in Administrator account in Windows Vista. Usually they tell you the “command line trick” (net user administrator /active: yes) which makes the whole thing look like even more of a secret, that is, knowledge only real hackers have. (You probably know this other myth that “true administrators” work on the command prompt.) Usually these articles don’t tell you that the built-in Administrator account can also just be enabled through the Local Users and Groups snap-in or simply Computer Management, just like the Guest account which is also disabled by default. What I find interesting is that I wasn’t able to find one article that also tells you what these magical, super secret, true administrator powers are.

Well, there are indeed a few differences between members of the administrators group and the built-in administrator account. Let’s see how powerful they really are:

The built-in Administrator account and UAC (User Account Control)

Approval mode for the local Administrator account is disabled by default. There is a special Group Policy setting where this behavior can be changed: “Admin Approval Mode for the Built-in Administrator account”. Running Vista in Admin Approval Mode is nothing other than running Vista with UAC enabled. Hence, this simply means that UAC is disabled by default for the built-in Administrator account.

Of course you can change these setting also for all other administrator accounts by disabling UAC through the User accounts applet in the Control Panel or by disabling the policy “Run all administrators in Admin Approval Mode“. Note that this doesn’t just disable the UAC prompts like if you set the policy “Behavior of the elevation prompt for administrators in Admin Approval Mode” to “Elevate without prompting”. It disables UAC altogether, which basically means that every program an administrator launches will be elevated automatically. You can test this if you save a file with notepad in the Windows folder. If UAC is enabled you can’t do that if you didn’t elevate notepad before.

Thus the main difference between the built-in Administrator account and all other admins is that every program will run with elevated privileges. Since these default settings can be changed for the built-in admin account and the other administrator accounts there are no super secret powers involved here.

The local Administrator account and the “run as administrator” function

Another myth is that every time you launch a program with admin privileges it runs under the built-in Administrator account. I suppose Windows’ “run as administrator” function is the origin of this myth. The fact that you can use this function even if the local Administrator account is disabled should make it clear that there is no such connection between the two. You also can’t launch a program under the local Administrator account using the runas command line tool if this account is disabled. Perhaps the term “run as administrator” is a bit misleading. What this function really does is to run programs with elevated privileges or more precisely at the high integrity level, which can be done by every account that is a member of the Administrators group.

Modifying the built-in Administrator account

Another difference to other accounts is that the local Administrator account can’t be deleted. Moreover, you can’t remove this account from the built-in Administrators group. However, as noted above, it can be disabled which is the case by default. It is also possible to rename the local Administrator account.

Legacy applications and the built-Administrator account

There are some legacy applications that can only be installed or run using the built-in Administrator account. I haven’t encountered such an application for a while. As far as I know, this behavior has nothing to do with special capabilities of the local Administrator account; it is just a matter of bad programming. If you rename the built-in Administrator account and create a new one called “Administrator” these programs will just use this new account.

Basically the super powers of the Administrator account boil down to the differences with regard to the default UAC settings. As far as I know, there is nothing that can be done with the built-in Administrator account which can’t be done with a member account of the administrators group. Please, tell me if I am wrong.

By the way, Vista really has this super powerful account, just that it is not the built-in Administrator. It is the TrustedInstaller service (Windows Module Installer service), which can modify everything on a Vista machine, in particular system files. However, that is the topic of another story.

In one of my next posts, I will address a related myth, the myth about the standard user in Windows Vista.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• Thoughts about User Account Control’s (UAC) primary design goal (4)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• Windows 7 RC UAC security vulnerability: Auto elevation (5)

So what is behind all this? The source of this new Vista bashing campaign is Simon Clausen, CEO of PC Tools, a security vendor. This is how InformationWeek cites him:

Ironically, the new operating system has been hailed by Microsoft as the most secure version of Windows to date. However, recent research conducted with statistics from over 1.4 million computers within the ThreatFire community has shown that Windows Vista is more susceptible to malware than the eight year old Windows 2000 operating system, and only 37% more secure than Windows XP.

If you are an IT pro, you probably already smell a rat. If a security vendor claims that a new Windows version is not really as secure as Microsoft wants us to us believe, then something fishy might be going on. But if this were the only thing one could say about this case, I wouldn’t have started writing this blog post.

What I find interesting is how many news sites pounced on this story without even taking the time to read the data provided by PC Tools. Everyone who knows a little about computers should be taken aback if such “evidence” is provided:

Vista let 639 threats per thousand computers through, compared with 586 for Windows 2000, 478 for Windows 2003, and 1,021 for Windows XP.

Later the author makes it even more clear what this data implies:

Given an infection rate of 639 per 1,000 PCs, almost 64% of Vista users should have compromised machines.

64% of all Vista machines are infected??? I am pretty sure that mine is clean which means that it is quite likely that yours is running some malware while you read those lines. Well, I read quite a few articles on different news sites about this topic and none of them really questioned this data. A Techworld article made it even worse by mixing up infections with vulnerabilities which probably comes from the fact that a Microsoft spokesman was not able to keep these terms apart.

I am not sure if it even makes sense to try explaining this implausible data. But it could be that these numbers are not at all about infections, but about the alarms ThreatFire triggered. Since this software uses heuristics instead of signatures, most of those alarms are probably false positives. If that is the case, then you could as well measure the number of UAC prompts to gather data about the threats your computer is exposed to. Agreed, Vista’s UAC uses very crude heuristics to determine possible threats, but according to Clausen’s data, ThreatFire seems not to be that smarter.

The fact that Windows 2000 triggered fewer alarms than Vista is easily explained. Typical Windows 2000 users just launch their Word 6.0 every day and their browser once a week. The last time they installed software was when their grandchild came to see them and insisted on trying a new fabulous game which probably didn’t work on this outdated machine, anyway. Thus, the ThreatFire heuristics had fewer chances to trigger false alarms.

It didn’t surprise me either that Windows XP came off only third in this questionable contest. XP lacks so many features that their users are busy all day downloading and installing all those tools and features that Vista already has. Okay, that was a joke. I just thought some XP bashing would be nice, too. I leave it to you to find a better explanation.

So this is how rumors come into being. I am pretty sure that many readers of these articles really believe now that Vista is more vulnerable to malware than Windows 2000. I think, this is a classic example how easy it is to convince people of something they really want to believe. And that’s why the Vista bashing industry is so successful.

• Saved Internet Explorer passwords (1)
• Well-known Windows basher Randall C. Kennedy unmasked – Don’t always take “objective” reports as real (13)
• How 4sysops readers like Windows Vista and Windows 7 (8)
• Seven reasons why IT Pros who skipped Vista should regret it now (21)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)

His article addresses eight fields: Security, Manageability, Reliability, Usability, Performance, Hardware compatibility, Microsoft software compatibility, Third-party software compatibility, Developer tools support, and Future-proofing. Today, I will only cover the security aspect. In future posts I will blog about the other fields. Not all of them deserve a single post though.

I will always summarize Kennedy’s main arguments in italics before my reply. However, I encourage you to read the original article. Please, let me know if you believe that I missed something or if you think that I didn’t get the main point of his argument.

UAC is annoying and doesn’t really improve security in a corporate environment because there are ways to circumvent UAC, and domain users usually don’t have admin privileges, anyway.

I agree that UAC prompts are annoying and I explained in detail why I believe that these prompts might even decrease security a while back. However, UAC improves security even if you turn off the prompts. The fact that UAC can be circumvented under certain conditions is no argument against UAC. This is true for every security mechanism. When it comes to security, the only interesting question is if a certain feature raises the bar for certain attacks and this certainly applies to UAC.

I covered some of the benefits of UAC in another article, so I won’t repeat them here in detail. The main benefits are a lower risk for so-called shatter attacks, virtualization techniques for legacy apps requiring admin privileges, and the ability to give temporary admin rights to standard users.

It might also be true that in most corporate environments, distinguishing standard users from administrators is already common practice since the times of the good old Windows NT. But the main point about UAC is that developers programming for the consumer market are forced now to make this distinction which will improve the overall security of the whole Internet. We will all benefit from this development. It is correct to criticize the way UAC was implemented, but Microsoft definitely made a step into the right direction.

The other security-related features such as the updated firewall or Address Space Layout Randomization, are nice, but not compelling because we have other security measures like hardware firewalls and third-party software that take care of security.

I must admit that I am not sure if I really understand this argument because it seems to be quite far-fetched for me. You don’t have to be a security expert to know that the essence of any security strategy is to have as many lines of defense as possible. Every new security features is welcome as long as its costs for productivity aren’t too high.

But when it comes to Vista’s improved security it is not UAC or the other new security features that are most important, but the fact that Vista is Microsoft’s first operating system where security was a primary concern. This means that developers were urged to always have security in mind with every line of code they write. The fact that there were far less security-related updates for Vista than for XP proves this point.

This does not only reduce the costs for patch management, it also shows that Vista is simply much more secure than XP. Microsoft has been slapped by journalists all over the years for their lax attitude towards security. There is no doubt about it that this criticism was justified. For the first time they really valued security over other features only to hear now that we have third-party security software anyway.

What is your view? Does Vista improve security or not? Is XP secure enough? What are your favorite security-related Vista features? In my next post I will address manageability. Stay tuned!

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)
• Is Vista less secure than Windows 2000? How the Vista bashing industry works (4)

(The website is in German but has a translation link at the top.)

This is a great tool allowing users with standard rights to run programs with local admin privileges. It is based on SuDown and integrated in the Windows shell. Just right click on the icon of the program you want to run as admin and the context menu will give you the option to “Start as Administrator”. The current stable version doesn’t support global groups, so it won’t work on computers in a Windows domain. There is a beta that the developer put out on 02/24/2008 that is very stable and it works with global groups, too.

See about the new features of the latest release in the comments below.

SuRun

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (2)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

Here are the numbers:

I am not referring to the fact that Windows had 4 extremely critical flaws and Mac OS X had none in this category. In my opinion such statistics do not say much about security. There were similar statistics about Internet Explorer 6 some time ago. Every week or so, a new serious vulnerability was found. People usually inferred that using IE6 is highly insecure. However, the number of vulnerabilities and their severity are only a couple of the many factors when it comes to security.

If you want to know something about security, you have to calculate the probability of a security breach. Of course, this probability gets higher if there are more vulnerabilities. However, far more important is how many bad guys are out there who are capable and willing to writing an exploit. Another important factor is how many hackers and script kiddies can get their hands on the exploit. And the most important factor is the number of machines where this exploit will actually work. Think of a worm that spreads from one computer to another. The more food this worm finds, the bigger it will get and so will its threat.

Thus there is no doubt that Windows is still less secure than Mac OS X. However, there is one thing that this statistics really shows. Microsoft is doing a much better job than Apple regarding security recently. And if you want to know which company is more evil, then you might want to look at this post.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)
• Is Vista less secure than Windows 2000? How the Vista bashing industry works (4)

I never liked this misuse of the term hacker. This idea of ethical hackers originally came from hackers who enjoyed cracking other people’s computer systems, but didn’t want to be treated as criminals. Companies hired them to improve the security of their systems. They still liked to be called hackers, because being a hacker is just cool, whereas being a penetration tester or security expert is uncool.

My problem with the term white hat hacker is that it plays down the fact that most hackers are or were criminals. Many script kiddies take famous hackers as an example, because being a hacker is really so cool. I wonder just how long will it take until the first terrorist says that he is just a white hat terrorist.

Anyway, I am curious to know what Microsoft’s penetration testers have to tell us. I am sure they know of many security holes in Microsoft products. But will they really blog about this? I guess not. Let’s hope it will not be just about promoting Forefront products. I have subscribed to their blog.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)
• Is Vista less secure than Windows 2000? How the Vista bashing industry works (4)

Well, if you have read my blog for a while, you would know that I belong to the other 86%. These UAC pop-ups are often breaking my concentration still. However, I promised myself to keep the default UAC settings for at least a year on our desktops to give it a fair chance. If UAC will prevent the execution of just one malicious program, we will keep the default configuration. Otherwise, we will probably disable the UAC prompts.

The fact that only 50% of IT managers want to adopt Vista because of its security features perfectly reflects my own assessment. There is no doubt that Vista’s security has improved. However, I am not sure if this is enough reason to upgrade our XP machines. Service Pack 2 for XP has greatly improved security, too. Thus, I do not feel any pressure or desire to move to Vista just for security reasons.

It is interesting to note that only 22% of the IT managers in this study think that an upgrade to Vista is worth it because of its improved functionality. I suppose this is due to the fact that they are not working with Vista on their own desktops. As I said before, it takes quite sometime until you find your personal must-have-features. It is really difficult to judge Vista by just reading reviews or by checking feature lists. So if you have to decide if Vista should be deployed in your organization, I recommend using it yourself for some time.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• Thoughts about User Account Control’s (UAC) primary design goal (4)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• Windows 7 RC UAC security vulnerability: Auto elevation (5)

Of course, such studies where companies compare themselves with competitors are always a suspect. There are so many ways to manipulate objective data in statistics just to get the results you want. (I am currently writing my annual report, so I know what I am talking about.) But the results of this vulnerability report are quite impressive, anyway.

In the first 90 days after its release, Vista had 5 vulns which is not much if you compare it to Windows XP which had 17 in its first 90 days. It is also interesting to compare this data with the vulns of other operating systems during the same period. MAC OS X 10.4 had 20, Ubuntu 71, for example.

There is a hearty discussion going on his blog. One commentator remarked that these results are not so convincing since the installed base of Vista is too small. This also was my first thought. Jeff Jones replied that the install base of Red Hat Enterprise Linux 4 Workstation is much lower than Vista’s and RHEL4WS had more than 180 vulns in this period.

Joe Wilcox from Microsoft Watch also has some convincing arguments. He accuses Jeff Jones of having fallen into the “counting trap“. Joe Wilcox refers to the data from the Department of Homeland Security National Vulnerability Database. According to them there were another 11 vulns in the past three weeks. And this data is more telling because of Vista’s limited availability before March. He adds that one also should include alerts mentioning IE since it is part of the operating system. And there were about two dozen of them, some related to third party ActiveX controls.

The question now is it is reasonable to consider third party software? Well, most Linux distributions mostly consist of “third party software”. Does it make sense at all to compare vulnerabilities? Joe Wilcox correctly concludes that “alerts are not a measure of security”.

I’d like to add that the number of vulns is only one factor (and a minor one at that) when it comes to security. Many other factors have to be taken into account, too (how often is an OS targeted by the bad guys, malware in the wild, know-how of its users, etc.)

However, I think that Joe Wilcox is wrong when he asserts that Vista didn’t improve in respect to security. It is obvious that Microsoft invested a lot of money in Vista’s security. Thus, it would be a big surprise if all this money was just spent for nothing. Besides, there is no doubt about it that Vista has many new security features. If you argue that Vista didn’t improve, then you have to explain why all these new security features are useless.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)
• It seems the big Linux projects in Vienna and Munich are about to fail (6)

Sometime ago, I published an article about a performance comparison between 64-bit and 32-bit editions of Windows. This post got quite a few hits, recently. Meanwhile, it has rank 8 of all posts here on 4sysops (see right sidebar). Obviously, many seem to be undecided which Vista edition they would like to use. In this post, I summarized the pros and cons of Vista x64 and Vista x86.

Vista x64 Pros

Security: Kernel Patch Protection (PatchGuard) is probably the most interesting security-related feature of Vista x64. It prevents unauthorized software from modifying the kernel. This reduces the risk that malware, especially rootkits, infects your system.

Reliability: In Vista x64 only signed drivers can be installed (Mandatory Kernel Module and Driver Signing). This means that kernel mode software requires a digital signature from Microsoft. Buggy drivers can make a system very unstable. But what’s the use of a reliable OS , in the face of a third party driver crashing your PC once a day? I had this experience with Vista x86, already.

Performance: A computer with a 64-bit CPU is supposed to be more powerful than one with a 32-bit processor. Of course, you need a 64-bit OS to utilize its 64-bit capabilities. The problem is, not only that the OS, but also the applications must support 64 bit to improve performance. Since 32-bit is still predominant in the Windows area, Vista x64 won’t speed up your system in most cases. Here are some benchmark tests comparing Vista x64 and Vista x86: [1] [2] [3].

Memory: The 32 bit editions of Vista only support 4 GB RAM. With Vista x64, you can use up to 128 GB , if your hardware supports it. However, there are differences between the different editions of Vista x64. Check out this comparison table for more information. Note that many applications have limitations with respect to the amount of RAM they can use. Hence, you usually only need more than 4 GB RAM, if you are using many apps with high memory consumption, simultaneously. If you are working with VMware Workstation, you might be interested to know that version 6.0 supports Vista x64, and that’s up to 8 GB RAM.

Vista x64 Cons

Hardware compatibility: This certainly is the number one caveat in using a 64-bit Vista edition. 32-bit drivers don’t work. Therefore, hardware manufacturers have to produce new ones for every piece of hardware. The fact that drivers have to be signed can also be a disadvantage since it is more time-consuming for hardware vendors to deliver new drivers. Thus, before you can move to Vista x64, you have to check if your hardware is supported. Don’t forget your peripheral devices like printers and scanners.

Software compatibility: Most 32-bit software should be running on Vista x64. However, 16-bit programs are not supported, anymore. Note that some 32 apps still use 16-bit installers. Even though the program itself might work under Vista x64, you might not be able to install it. Another problem is that Vista x64 doesn’t support registry and folder virtualization. Some legacy apps need to write in security sensitive areas like C:\Windows or C:\Programs and Files. Vista x86 can present a virtual version of these folders to apps for compatibility reasons. Essentially, this means that some 32-bit apps might not work properly if you run them with standard user rights in Vista x64. There are workarounds, though. By the way, even 64-bit apps that were developed for the 64-bit version of Windows XP might have problems under Vista x64 if they have conflicts with Vista standards.

Price: You can only upgrade the Windows XP x64 edition to Vista x64, but not from the 32 bit version of Windows XP. So moving to Vista x64 might cost you more if you have already Windows XP licenses with an upgrade option.

Deployment: Vista images are hardware independent, which probably is the most important new feature from a system administrator’s point of view. However, this doesn’t apply to 32 and 64 bit images, i.e. you’ll need different images for Vista x86 and Vista x64. If you can’t move entirely to the 64 bit edition, then this might double your workload.

Problem diagnosis: Even though, all your hardware and software supports Vista x64, you’ll always ask yourself if a certain problem is 64-bit-related. After all, Vista x64 is a different OS than Vista x86. The same applies to applications which were specifically developed for the 64-bit editions. Thus, solving a problem might often be more time-consuming.

Conclusion: In my view, for the overall majority Vista x86 is the better choice. Even Microsoft writes that “the 64-bit editions are not for everyone.” Only if you have very high security demands or work in fields like engineering (CAD/CAM) or digital content creation, then Vista x64 might be an option for you. I suppose that 64-bit will only play a major role when Vienna, the next Windows version, comes out. There are even rumors that Windows Vienna will only support 64-bit. So perhaps it makes sense to wait a few more years before jumping into the 64-bit bandwagon.

Did I miss a point? Please, let me know!

• Saved Internet Explorer passwords (1)
• Office 2010 32-bit vs. 64-bit – Part 2: Advantages and disadvantages of Office 2010 64-bit (2)
• Office 2010 – 64-bit vs. 32-bit – Part 1: Installation (6)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• Windows 7 x64 vs. Windows x86 – Reliability, security, and licensing (4)

The argument against the use of personal firewalls is that malware can disable the personal firewall or leverage another program to access the internet. Malware often uses the Internet Explorer to phone home since it is usually allowed to access the internet.

In my view, both arguments are wrong with regards to standard users in the case of Vista’s desktop firewall. The first argument can easily be refuted. If users don’t have administrator privileges on their desktops (which I strongly recommend), then the malware will simply not have enough rights to disable Windows Firewall or to change its setting.

However, if you logged on as admin, it is indeed possible for malware to change the settings. The strange thing is that in my test this could be done without getting User Account Control (UAC) involved. I configured the Windows Firewall with the Local Security Policy tool (just enter the name on the Program Search Prompt). When I start this tool, I didn’t get an UAC prompt. I tried the same on another machine which belongs to a Windows domain and there I got an UAC pop-up.

Anyway, if you logged on as an Administrator and the malware is smart enough to change the firewall settings before connecting to the internet, then it could indeed be possible that Windows Firewall is useless in this case.

To investigate the second argument, which assumes that malware always can use another program to access the internet, I installed the IE Tab add-on for Firefox. This plug-in allows you to use Internet Explorer to load web pages within Firefox.

First, I changed the policy for outbound filtering for the Windows Firewall. You can do this by right clicking on “Windows Firewall” in the Local Security Policy tool (or Group Policy Editor) There, you can set outbound filtering to “block” for the different profiles (domain, private, public). Then, I added an outbound rule allowing IE to access the internet.

I was able to load web pages when I started IE, but internet access was blocked when I started IE within Firefox. This doesn’t prove that IE can’t be leveraged by malware to access the internet, but it shows, at least, that it wont be easy.

Next, I wanted to know if it is possible to trick Windows Firewall by exchanging exe files. In my test, I allowed Firefox to access the internet, then exchanged firefox.exe with putty.exe. I was indeed able to establish an internet connection with putty afterwards. Well, this is really disappointing. Most personal firewalls use hash codes to identify applications. Windows Firewall only uses file name and path.

Now, you might argue, what is the use of outbound filtering if it can be outsmarted so easily. The point is, standard users are not allowed to make any changes with the Program Files folder. So if a user starts a malware program, it won’t be able to use this trick. I, therefore, conclude that outbound filtering with Windows Firewalls makes sense for standard users, but not for administrators.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• How to configure TMG for SSL Client Certificate Authentication (0)
• Using TMG, one-time passwords and Kerberos Constrained Delegation (2)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• How to use Kerberos Constrained Delegation with Forefront TMG (0)

Paul’s article gives an introduction to the following topics: Address Space Layout Randomizer, User Account Control, Windows Security Center, Windows Defender, Windows Firewall, Internet Explorer 7 Protected Mode, Phishing Filter, Windows Update, Parental Controls, Windows BitLocker Drive Encryption, and USB Device Lockdown.

Even if it seems that some of these features might not be relevant for computers in a company network, you should have a look at them. For example, the Webfilter of Parental Controls might not only be useful for preventing children’s access to certain Web sites.

For me, it was interesting to read that User Account Control (UAC) is used by other security tools and components in Vista. For example the Protected Mode feature of Internet Explorer 7 relies on UAC. That’s why Protected Mode isn’t available for the Windows XP version of IE7.

I, still, doubt that UAC improves security for system administrators. Security is not only a technical issue, but mostly a psychological problem. In theory, it might seem obvious that warning messages popping up whenever critical system components are involved could help prevent malware execution. In praxis, system administrators will get used to confirming UAC messages. This will blindfold them for really important security messages. This way UAC could even decrease security in the long run.

Most interesting for me is Paul’s conclusion about Vista’s new security features:

Windows Vista is dramatically more secure than is Windows XP. But over time, we’ll need to see how Vista withstands the real-world electronic attacks that will no doubt hound this OS. A year from now, we’ll be able to step back and evaluate how Vista performed in the wild. For now, Microsoft can at least take some comfort in the fact that Vista is, perhaps, the most secure OS it’s ever created. There’s just no doubt about that.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)
• Is Vista less secure than Windows 2000? How the Vista bashing industry works (4)

This is certainly true, but then he commented:

I expect that soon after Vista ships, we’ll see a slew of security patches. Even out the door, it will be safer than XP. And over time, I expect it to be much more secure, although it may be a painful process to get there.

I think, this view is wrong. There is no such painful process which will finally lead to a much more secure Windows Vista.

First of all, I think that Microsoft will update Vista with new features more often than with Windows XP. The transition from XP to Vista was simply too long. These new features will certainly contain new security holes, which will be patched again, and so on.

Secondly, the fact that some clever hackers cracked an OS doesn’t say so much about its security. The only thing that counts when it comes to security is the probability of someone or some malware intruding my system. If there is only one hacker out there who knows how to crack my system, then the change of this probability can hardly be measured. I elaborated on this argument some days ago already.

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)
• Is Vista less secure than Windows 2000? How the Vista bashing industry works (4)

You probably have read already about the more prominent security enhancements of Windows Vista, like User Account Control, Network Access Protection or Windows Defender. This paper gives a good overview of them, plus it covers less known improvements like EFS enhancements or Integrated Rights Management Clients.

There is one sentence that surprised me a bit:

Although passwords are still supported, the primary focus for strong authentication in Windows Vista is smart cards.

So, you still can use passwords with Windows Vista, interesting isn’t? Seriously, I think it is good news that Microsoft focuses more on smart cards now. I don’t like passwords because I often need three attempts to enter the correct password before the first cup of coffee in the morning.

Via Michael Howard’s Web Log

Related: Is Windows Vista’s firewall crippled?

This is the table of contents of the paper:

• Introduction

• Engineering for a Secure Platform

• Security Development Lifecycle

• Windows Service Hardening

• Mitigating Buffer Overruns With Hardware Protection

• 64-Bit Security Enhancements: Kernel Patch Protection and Mandatory Driver Signing

• Secure Access

• User Account Control

• New Logon Architecture

• Easier Smart Card Deployments

• Network Access Protection

• Protection Against Malware and Intrusions

• Windows Security Center

• Windows Defender

• Windows Firewall

• Malicious Software Removal Tool

• Security Advances in Internet Explorer 7

• Protections Against Malware

• Personal Data Safeguards

• Data Protection

• BitLocker Drive Encryption

• Integrated Rights Management Services Client

• Encrypting File System Enhancements

• USB Device Control

• Conclusion

• Saved Internet Explorer passwords (1)
• FREE: GFI WebMonitor – Web filtering for ISA Server (3)
• The myth about the standard user in Windows Vista and Windows 7 (10)
• The myths about so-called hidden built-in administrator account in Windows Vista and Windows 7 (3)
• Is Vista less secure than Windows 2000? How the Vista bashing industry works (4)

Michael Kleef, for example, thinks that other security measures should be used to prevent malware from infecting the computer in the first place. He listed several new technologies of Windows Vista, like User Access Protection, Windows Defender and Sandbox of IE7, that should do the job.

I think, this is not a good argument. The more lines of defences you have, the better it is. If the malware manages to get around one defence line, there is still the next in line which stops the malicious program from causing more damage. So, enumerating other features of software to explain away a security weakness is not convincing.

A second argument, which was also put forward by Mitch Tulloch, is that outbound filtering is not important anyway since clever malware can simply use another open port like port 80 to connect to other computers in the network.

There is a big difference between personal firewalls and gateway firewalls. Good personal firewalls don’t just filter ports; they also allow you to specify which desktop applications can connect to the internet. This is very important in corporate networks. If a user starts an application which is infected by a virus or other malware from his USB stick, for example, it can’t infect other computers in the network even if it uses port 80 since the personal firewall will block this application. I wonder, if the firewall of Windows Visa has this feature?

In my view it only makes sense for the home edition of Windows Vista to disable outbound filtering by default. Usually, the configuration is too complicated and time consuming that most users would just turn off the firewall, anyway. This way usability does improve security since security software that is too complicated to handle will simply not be used. So the overall security of the internet wouldn’t be improved.

However, in a corporate environment outbound filtering is very useful even if there is gateway firewall. As network administrators can do the configuration, usability is not an issue here.

• How to configure TMG for SSL Client Certificate Authentication (0)
• Using TMG, one-time passwords and Kerberos Constrained Delegation (2)
• How to use Kerberos Constrained Delegation with Forefront TMG (0)
• Secure your Exchange 2010 Server with Forefront TMG – Part 2 (0)
• Secure your Exchange 2010 Server with Forefront TMG – Part 1 (0)