Security Minded - from Kai the Security Guy

Some thoughts on security (and other stuff) from a Microsoft security professional

It's Official: Windows Vista SP1 (Beta) News

(Info taken directly from the Windows Vista Team Site. I've saved you a click.)

Introducing Windows Vista Service Pack 1

In addition to regular Windows Vista updates, application compatibility improvements, and device driver improvements, Windows Vista Service Pack 1 (SP1) is another way Microsoft will deliver improvements to the Windows Vista customer experience.

SP1 Whitepaper Intro

The goal of Windows Vista SP1 is to address key feedback Microsoft has received from its customers without regressing application compatibility. Windows Vista SP1 will deliver improvements and enhancements to existing features that significantly impact customers, but it does not deliver substantial new operating system features. For example, the service pack improves the performance of the desktop shell, but it does not provide a new search user interface or a new version of Windows® Media Center.

The updates in Windows Vista SP1 fall into three categories, which the following sections describe in detail:

  • Quality improvements, including all previously released updates, which address reliability, security, and performance.
  • Improvements to the administration experience, including BitLocker™ Drive Encryption (BDE).
  • Support for emerging hardware and standards, such as the Extensible Firmware Interface (EFI) and the Extended File Allocation Table (exFAT) file system.

Quality Improvements

Quality improvements have the broadest impact on all customers. They are the foundation of Windows Vista SP1 and are about improving the overall Windows Vista experience.

First, Windows Vista SP1 will include all previously released updates for Windows Vista. It also will include security, reliability, and performance improvements. These improvements target some of the issues Microsoft has identified as the most common causes of operating system crashes and hangs, giving customers a more reliable experience. These updates also improve performance in key scenarios, for example, when copying files or shutting down the computer.

The following sections describe many of the security, reliability, and performance improvements that will be in Windows Vista SP1.

Security

Security improvements that will be in Windows Vista SP1 include:

  • Provides security software vendors a more secure way to communicate with Windows Security Center.
  • Includes application programming interfaces (APIs) by which third-party security and malicious software detection applications can work with kernel patch protection on x64 versions of Windows Vista. These APIs help ISVs develop software that extends the functionality of the Windows kernel on x64 computers without disabling or weakening the protection offered by kernel patch protection.
  • Improves the security of running RemoteApp programs and desktops by allowing Remote Desktop Protocol (RDP) files to be signed. Customers can differentiate user experiences based on publisher identity.
  • Adds an Elliptic Curve Cryptography (ECC) pseudo-random number generator (PRNG) to the list of available PRNGs in Windows Vista.
  • Enhances BitLocker Drive Encryption (BDE) to offer an additional multifactor authentication method that combines a key protected by the Trusted Platform Module (TPM) with a Startup key stored on a USB storage device and a user-generated personal identification number (PIN).

Reliability

Windows Vista SP1 will include improvements that target some of the most common causes of crashes and hangs, giving users a more consistent experience. Many of these improvements will specifically address issues identified from the Windows Error Reporting tool. The following list describes some of the reliability improvements that Windows Vista SP1 will include:

  • Improved reliability and compatibility of Windows Vista when used with newer graphics cards in several specific scenarios and configurations.
  • Improved reliability when working with external displays on a laptop.
  • Improved Windows Vista reliability in networking configuration scenarios.
  • Improved reliability of systems that were upgraded from Windows XP to Windows Vista.
  • Increased compatibility with many printer drivers.
  • Increased reliability and performance of Windows Vista when entering sleep and resuming from sleep.

Performance

The following list describes some of the performance improvements that Windows Vista SP1 will include:

  • Improves the speed of copying and extracting files.
  • Improves the time to become active from Hibernate and Resume modes.
  • Improves the performance of domain-joined PCs when operating off the domain; in the current release version of Windows Vista, users would experience long delays when opening the File dialog box.
  • Improves performance of Windows® Internet Explorer® 7 in Windows Vista, reducing CPU utilization and speeding JavaScript parsing.
  • Improves battery life by reducing CPU utilization by not redrawing the screen as frequently, on certain computers.
  • Improves the logon experience by removing the occasional 10-second delay between pressing CTRL-ALT-DEL and the password prompt displaying.
  • Addresses an issue in the current version of Windows Vista that makes browsing network file shares consume significant bandwidth and not perform as fast as expected.

Administration Experience

Many of the changes in Windows Vista SP1 will improve the deployment, management, and support experience for Windows Vista customers. The following list describes some of these enhancements:

  • BitLocker Drive Encryption encrypts extra local volumes. For example, instead of encrypting only drive C, customers can also encrypt drive D, E, and so on.
  • Addresses problems with printing to local printers from a Windows® Terminal Services session.
  • The Network Diagnostics tool will help customers solve the most common file sharing problems, in addition to the basic problems that it already diagnoses.
  • Administrators can control the volumes on which to run Disk Defragmenter.

In addition to these changes, Windows Vista SP1 will change the tools that customers use to manage Group Policy. Administrators requested features in Group Policy that simplify policy management. To do this, the service pack will uninstall the Group Policy Management Console (GPMC) and GPEdit.msc will edit local Group Policy by default. In the SP1 timeframe, administrators can download an out-of-band release that will give them the ability to add comments to Group Policy Objects (GPOs) or individual settings and search for specific settings.[1]

Emerging Hardware and Standards

The technology industry is fast-paced and constantly changing. Throughout the life cycle of any version of the Windows operating system, the industry creates new hardware innovations and defines new standards. Windows Vista SP1 will include support for some of these new hardware innovations and standards, because Microsoft expects them to become increasingly important in the near future. The following list describes some of the enhancements of Windows Vista SP1 that will support these emerging innovations and standards:

  • In the future, flash memory storage and consumer devices will use the exFAT file system. Windows Vista SP1 adds support for this file system to Windows Vista.
  • The service pack will include support for Secure Digital (SD) Advanced Direct Memory Access (DMA), which will be on compliant SD host controllers soon, to improve transfer performance and decrease CPU utilization.
  • x64 PCs can boot using the EFI. Windows Vista currently supports network boot by using Windows Deployment Services for x86, a PC's basic input/output system (BIOS) for x64 PCs, and EFI for IA-64 PCs. Windows Vista SP1 will add support for network boot by using x64 EFI.
  • The service pack will add support for Direct3D 10.1, adding application programming interfaces (APIs) and features that enable 3-D applications, so game developers can better take advantage of a new generation of Direct3D graphics hardware.
  • The Secure Socket Tunneling Protocol (SSTP) is a remote access tunneling protocol that will be part of the Routing and Remote Access Service (RRAS) platform. This protocol helps provide full-network virtual private network (VPN) remote access connections without challenges that other protocols face when traversing NATs, Web proxies, and firewalls. Windows Vista SP1 will include support for SSTP.

Evaluating Windows Vista Service Pack 1

In key areas, Windows Vista SP1 will compare favorably to earlier Windows service packs. Windows® 2000 Service Pack 4 (SP4) and Windows XP SP1 both made limited changes to the user interface and had limited impacts to application compatibility. Both service packs were small in download size. Windows XP SP2 was an exceptional case, as noted in the next paragraph. It significantly impacted the user interface and application compatibility, and was large in download size. While Windows Vista SP1 is still in beta, Microsoft's intention is that it will make limited changes to the user interface, have limited impact to application compatibility, and the Windows Update and WSUS download size will be small.

The purpose of Windows Vista SP1 is different from the purpose of Windows XP Service Pack 2 (SP2). Windows XP SP2 was a special update -- Microsoft recognized that it was in a unique position to address new and emerging security threats, and the service pack was the best answer. To address these threats, Microsoft incorporated significant, well-considered changes into the service pack, which had a significant impact on application compatibility. For example, the service pack enabled Windows Firewall by default, causing some applications to fail until the customer configured the exceptions in the firewall. However, Microsoft determined that the security benefit far outweighed any challenges the changes caused to end users and administrators. (Likewise, moving from Windows XP SP2 to Windows Vista introduced new, well-considered changes, such as User Account Control, which impacted compatibility).

Although Windows Vista SP1 does compare favorably to earlier service packs, specific benefits have certain costs:

Benefits

  • The standalone service pack will include all languages. It can update all PCs running Windows Vista, regardless of language[2].
  • Componentization brings benefits such as the ability to uninstall updates in any order more reliably.
  • SP1 will improve the performance, reliability, and other areas of Windows Vista.
  • Windows Vista contains a significant amount of files shared with Windows Server 2008 and therefore benefits from the continual improvements made during the Windows Server 2008 development cycle.[3]

Tradeoffs

  • The standalone package will be large (1 GB for x86).
  • Installing the service pack will require a large amount of free disk space (7 GB for x86 and 12 GB for x64). However, most of this space will be reclaimed after installation.
  • SP1 will change a significant number of files; customers cannot apply SP1 to offline Windows Vista images.

Deploying Windows Vista Service Pack 1

Windows Vista SP1 will support a number of deployment scenarios and methods, which the upcoming Windows Vista Service Pack 1 Deployment Guide will describe in detail. This section provides an overview of the delivery methods that Windows Vista SP1 will support.

Windows Vista SP1 will support the following delivery methods:

  • Express. Requires an Internet connection but minimizes the size of the download by sending only the changes needed for a specific computer (approximately 50 MB for x86-based operating systems).
  • Stand-alone. Recommended for computers with limited Internet connectivity and for applying the service pack to multiple computers. The download size is larger than the express package, but customers can apply a single package to any Windows Vista version and language combination (within a platform). Distribution tools like System Center Configuration Manager 2007 use stand-alone packages to deploy Windows Vista SP1.
  • Slipstream. The slipstream version of Windows Vista SP1 is media that already contains the service pack, which companies can use to deploy the operating system to new computers or to upgrade existing computers. Availability will be limited. Microsoft will update Windows Vista retail media with Windows Vista SP1 slipstream media in the future. Slipstream media will also be available to Volume Licensing customers.

For express and stand-alone deployment methods, Microsoft recommends the following:

  • Laptops must be plugged in to an AC power source.
  • A minimum of 7 GB free disk space on the system partition for x86-based operating systems and a minimum of 12 GB free disk space for x64-based operating systems.
  • The stand-alone deployment method requires administrative credentials.
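The three recommendations above are the kind of thing an administrator checks in a script before pushing the stand-alone package to a fleet. The following pre-flight check is an added example written for this post; it is not part of the whitepaper and is not a Microsoft-supplied tool. It takes the 7 GB (x86) and 12 GB (x64) thresholds from the text above, and otherwise relies only on standard WMI classes (Win32_OperatingSystem, Win32_LogicalDisk, Win32_Battery) and the .NET WindowsPrincipal check. The interpretation of Win32_Battery.BatteryStatus = 1 as "discharging, not on AC" follows the documented WMI value table; desktops with no battery instance are treated as mains-powered.

```powershell
# Pre-flight check before applying the Windows Vista SP1 stand-alone package.
# Added example for this post, not code from the SP1 whitepaper or from Microsoft.
# Disk-space thresholds (7 GB x86, 12 GB x64) come from the deployment guidance above.
# Run from an elevated PowerShell prompt on the machine to be updated.

$failures = @()

# 1. Target must be Windows Vista (NT 6.0) without SP1 already applied.
$os = Get-WmiObject -Class Win32_OperatingSystem
if (-not $os.Version.StartsWith("6.0.")) {
    $failures += "Not Windows Vista (reported version $($os.Version))."
} elseif ($os.ServicePackMajorVersion -ge 1) {
    $failures += "Service Pack $($os.ServicePackMajorVersion) is already installed."
}

# 2. The SP1 package is platform specific, so pick the threshold by architecture.
#    PROCESSOR_ARCHITEW6432 is set when a 32-bit shell runs on a 64-bit OS.
$arch = $env:PROCESSOR_ARCHITEW6432
if (-not $arch) { $arch = $env:PROCESSOR_ARCHITECTURE }
$platform = if ($arch -eq "AMD64") { "x64" } else { "x86" }
$requiredGB = if ($platform -eq "x64") { 12 } else { 7 }

# 3. Free space on the system partition (where the installer stages files).
$sysDrive = $env:SystemDrive
$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
if ($freeGB -lt $requiredGB) {
    $failures += "$sysDrive has $freeGB GB free; SP1 on $platform needs at least $requiredGB GB."
}

# 4. Laptops must be on AC power. A desktop returns no Win32_Battery instance.
#    BatteryStatus 1 ("Other") means the battery is currently discharging.
$batteries = @(Get-WmiObject -Class Win32_Battery)
foreach ($b in $batteries) {
    if ($b.BatteryStatus -eq 1) {
        $failures += "Running on battery (BatteryStatus=1); connect AC power first."
    }
}

# 5. The stand-alone installer needs administrative credentials; check the
#    current token actually holds the Administrators role (i.e. is elevated).
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    $failures += "Current token is not elevated; start PowerShell as an administrator."
}

if ($failures.Count -eq 0) {
    Write-Host "Pre-flight OK: $platform, $freeGB GB free on $sysDrive, AC power, elevated."
} else {
    Write-Host "Pre-flight FAILED:"
    $failures | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

The script exits non-zero on any failure so it can gate a distribution job (for example as a pre-step in a System Center Configuration Manager task sequence) rather than letting the installer fail part-way through on a machine with too little disk or a dying battery. Note that the administrator check looks at the active token, so under User Account Control it fails for a member of Administrators who launched a non-elevated shell, which is the condition that actually matters for the installer.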

Summary

Customers can take advantage of all that Windows Vista has to offer by evaluating and deploying the operating system now. They do not need to wait for Windows Vista SP1. Windows Vista enables higher levels of productivity and mobility than earlier versions of Windows, and it helps lower the cost of ownership.

Customers currently evaluating and deploying Windows Vista should continue their evaluation, pilot programs, and deployment on the currently available version of Windows Vista. Microsoft provides the tools and guidance customers need to deploy Windows Vista today and will provide additional guidance, tools, and support for moving to Windows Vista SP1 when Microsoft releases it.

Customers just starting to evaluate Windows Vista should plan a pilot program based on the original release and then move to a pilot or deployment when Windows Vista SP1 becomes available. Pilot programs are an effective way to introduce the operating system into the production environment. Pilot testing is best performed on PCs that present a high business value or a simple upgrade path.

Customers waiting for Windows Vista SP1 should start their compatibility testing on the currently available release of Windows Vista now, and then begin their evaluation and pilot programs on the release candidate of Windows Vista SP1 when it is released. Windows Vista includes architectural changes relative to Windows XP that improve security and reliability. These changes can cause some applications which work on Windows XP not to work on Windows Vista. However, these architectural changes are also part of Windows Vista SP1. For this reason, testing applications on Windows Vista today will be a very good proxy for compatibility with Windows Vista SP1.

See the whitepaper How to Start a Windows Vista Pilot Deployment today to get started moving to Windows Vista so that your organization can begin taking advantage of the benefits that Windows Vista provides.


[1] Beta testers will find that after installing Windows Vista SP1, they no longer have access to GPMC, and that the new, enhanced version of GPMC has not yet been released. In this case, administrators can continue to edit Group Policy by opening a remote desktop session directly to the server or to a PC running the release to manufacturing (RTM) version of Windows Vista.

[2] The Windows Vista Service Pack 1 package is platform specific. Each platform (x86 or x64) requires a separate package.

[3] Windows Vista and Windows Server 2008 have been built from the same fundamental source code base since the beginning. Many of the core files are identical between the two products, although each product has unique features, specific individual files and functional behaviors that are appropriate for the intended customer uses for the specific product. For example, Windows Media Center only appears in Windows Vista, while Active Directory or Windows Clustering only appear in Windows Server 2008. Examples of common files shared between the two operating systems are the kernel and core OS files, the networking stack, and file sharing. In the past year since the Windows Vista public release, the common files in Windows Vista and Windows Server 2008 have been continually improved based on customer beta feedback, customer deployments, and Microsoft internal testing.

Comments
  • I'm feeling lazy today... Actually, that's far from the truth. I have completed the construction of my

  • I prefer the phrase "repurposing content". No need to make extra clicks. Mice don't last forever.

  • Good afternoon all of my Vista Security gurus! A huge thank you to Keith Combs and Shawn Travers for
