Want CNET to notify you of price drops and the latest stories?

Allchin: Buy Vista for the security

Windows chief Jim Allchin says stronger defenses are a key selling point for Microsoft's new OS.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
6 min read
If new features won't get you to upgrade to Vista, security enhancements should, Windows chief Jim Allchin has urged.

Microsoft has already touted the bells and whistles it is putting into Windows Vista, the operating system successor to XP that's due out by the end of the year. There will be flashy new graphics, a spiffed-up user interface and advanced search features. Other changes include improved touch-screen support and a Windows sidebar that can display all kinds of information such as upcoming appointments, just-in e-mail messages and a clock.

But if none of that strikes your fancy, Vista will still be worth getting, thanks to its better defenses against phishing attacks, spyware and other malicious code, Allchin said.

"Safety and security is the overriding feature that most people will want to have Windows Vista for," the co-president of Microsoft's platform, products and services division said in an interview with CNET News.com. "Even if they are not into home entertainment or in any of the specialty areas, they are just going to feel safer and more secure by using it."

"Safety and security is the overriding feature that most people will want to have Windows Vista for."
--Jim Allchin, group vice president, Microsoft

That said, Allchin maintained there are plenty of new things to try out in Vista, pointing to a chart filled with added features. In particular, he demonstrated a collaboration tool that uses a "People Near Me" feature, which searches over a Wi-Fi connection for other Vista users nearby and then sets up a peer-to-peer network with them. The tool is meant mostly to enable laptop users to share applications and files, among other things.

During the meeting, Microsoft also showed off new parental controls in Vista. These not only limit which Web sites can be visited, but log activity and restrict when and for how long children can be online.

All of these features shipped in the latest preview version of Vista, which Microsoft released in December. "There are literally thousands of features in this product," Allchin said.

But one of the features Microsoft wanted to include was a bit too much for some of its beta testers, the software maker found. It is reversing its plan to add virtual folders that contain all the files that match specific criteria, such as "created by Michelle" or "images," no matter where they are on the PC. Originally, Microsoft wanted virtual folders to replace standard views, which show the physical location of files on a hard disk drive, but it has backpedaled on that decision.

In the next preliminary Vista release, due in the next couple of months, virtual folders will be in the background. "The default view will be the physical storage space, and then you can create virtual folders on top of it," Allchin said. That should make it easier for people to migrate from Windows XP, he added.

The software maker had already scaled back on planned features for Vista, leaving some out so it could meet a ship date in 2006 for the update.

On the security front, Allchin said that Vista should be a significant leap forward, just as Service Pack 2 was a big improvement on the original Windows XP.

A standard Windows XP computer can get hacked the moment it is connected to the Internet, Allchin said. Service Pack 2 significantly increased security, in large part thanks to automatic security updates and a firewall that is enabled by default. Vista will go much further in protecting consumers, he said.

"If we ever find something trying to open a port that the developer said it should not be opening, it is immediately shut down."

Microsoft is following updated development practices to prevent security bugs and is using new approaches to analyze source code, Allchin said. Additionally, the innards of the operating system are being designed to ward off attacks. "We have put features into the product to double-check itself," he said.

As an example of double-checking, Allchin said Microsoft has marked the OS services to know what network ports they should open and what OS functions they should call. Then, another part of the OS verifies the process. "If we ever find something trying to open a port that the developer said it should not be opening, it is immediately shut down," he said.

Additionally, Vista aims to offer improved security by letting people run their PC with fewer privileges, which control how a particular person can interact with the software. In Windows XP most users have "administrator" privileges, which could be abused by malicious software to install itself on a computer. In Windows Vista, the default will likely be "protected administrator," a new privilege level that Microsoft is introducing with Vista, Allchin said.

If the system is set to protected administrator, people will have to change it to full administrator level to perform certain tasks, such as installing an application. The operating system will warn the person when full privileges are needed.

In the upcoming Vista preview, any action that requires full privileges will be displayed with a shield around it, Allchin said.

Vista will also offer a "standard user" mode, which has the fewest privileges. The standard user mode has been improved from Windows XP--people won't have to call IT to change their PC clock, for instance--but it won't allow a user to install applications, for example. Businesses will probably have software users run in this least-privileged mode, Allchin said.

Another security change at the operating system level involves Internet Explorer. In Vista, IE 7 will run in protected mode by default, Allchin said. This mode will prevent silent installs of malicious code by stopping the Web browser from writing data anywhere except in a temporary files folder without first seeking permission. "We sandboxed all of IE," he said.

On systems with 64-bit processors, Vista will require digital signatures to run kernel-mode software such as device drivers, Allchin said. This is an attempt to block unwanted software such as rootkits from nestling deep into the PC.

Microsoft also has updated the security software in Windows Vista to help fend off threats. The firewall has been updated and now looks at incoming as well as outgoing traffic--in XP SP 2 only incoming traffic was watched. Also, Microsoft has made its anti-spyware tool, Windows Defender, part of the operating system.

"The first step is protection from doing things inadvertently or warning you about the level of impact it could have," Allchin said. "Then, if you let something in, Defender is there to (warn you) and you can undo it. If the thing gets in and has really done some awful things, using the equivalent of System Restore in Windows XP you can back up time and undo it," he said. Microsoft doesn't yet have a new name for System Restore, he said.

Click here to Play

Microsoft Vista coming your way
Microsoft's Jim Allchin speaks about Vista.

Click here to Play

A vista of Vista
CNET News.com's Ina Fried asks Microsoft's Jim Allchin questions from readers.

Click here to Play

Does Vista mean business?
CNET News.com gets a look at Vista's office functions.

Other security features in Vista include BitLocker Drive Encryption to protect data on computers when lost or stolen. The encryption feature is designed to work with a chip called the Trusted Platform Module, which offers protected storage of encryption keys, passwords and digital certificates. BitLocker is the one remnant of Microsoft's grand hardware-based security plan originally envisioned for Vista.

For businesses, Vista will offer tighter control over removable storage devices by letting administrators centrally block the installation of, for example, USB (universal serial bus) flash drives and external hard drives. This feature is designed to help prevent intellectual property or sensitive data from being compromised or stolen.

IDC analyst Al Gillen said that Microsoft has taken much-needed steps with the operating system, such as the USB-blocking abilities.

"Those kinds of things are incremental improvements that really were pretty important," Gillen said.

But, like any software, Vista isn't hack-proof. In fact, Microsoft has already had to issue a security update for the operating system. The patch fixed the same vulnerability related to the processing of Windows Meta File (WMF) images found in earlier versions of the operating system. "That torqued me," Allchin said.

Microsoft was in the process of checking the parsing of all kinds of files and hadn't made it down to WMF yet, according to Allchin. "We would have caught it. It was on the list; we didn't get to it" in time, he said.

"At no time am I saying this system is unbreakable," he added. "Security is going to be an issue for the industry in all pieces of software, not just the OS."