Robert Robinson said:
Microsoft deserves credit for making an effort to improve security, but
they do have a dismal past record in this regard. Security problems have
already been identified in Vista and, as yet, there is no evidence that
Vista will really be more secure than other Microsoft operating system.
The Vista betas had innumerable "security reminders". The programmers did
recognize this to be a problem and they did progressively reduce the
number of reminders. Interestingly, this annoyance is almost non-existent
in Longhorn possibly because Microsoft recognizes that professional users
aren't going to tolerate it.
UAC is one of the best new features of Vista. Now I can reasonably run my
PC in a non-administrative role without having to log off and then log on as
Administrator to do tasks that do require administrative access. Vista with
UAC is the first version of Windows that I have felt safe to let my kids and
grandkids use the same PC as I use.
A related issue is that in Vista assigning Administrator privileges does
not result in functionality that is equivalent to being the real
Administrator. Longhorn initial setup is with a real Administrator and,
although it may still be a problem, assigning Administrative privileges to
a user has worked properly based on limited testing. The ideal would be
the UNIX approach of being able to elevate a user to a real "super user"
(su) without having to logout/login.
Why do you need to be the "real administrator" on your desktop PC once it is
installed and running?
The Vista/Longhorn firewall does appear to be able to block specified,
unwanted incoming traffic, but, as far as I know, it doesn't notify about
or block outgoing traffic. ZoneAlarm, which is currently incompatible with
Vista/Longhorn, does provide control of incoming and outgoing traffic in
addition to screening for viruses and spyware. It is very instructive to
see how often application programs want to "call home".
I agree with you here. The firewall should default to blocking all Internet
traffic except port 80 requests by Internet Explorer. It needs to allow at
least that so that basic users don't get in the habit of always clicking
Allow to every popup that appears.
I use the Windows Live OneCare firewall. This firewall does block traffic
both ways but it decides by itself that it recognizes some programs and
simply allows them Internet access. There is no option to turn that off and
make it ask for every new program. The Live OneCare firewall has the
ability to block a request one time which is good. I find it odd that it
doesn't have the ability to allow access one time. So, if I want Windows
Media Player to access the Internet to find information on a specific CD, I
have to click Allow, get the information, and then quickly go into the
firewall settings and remove Windows Media Player's access to the Internet.
It's funny that I never get any notifications from the Live OneCare firewall
about things like TimeServer or other phone-home activities in Vista.
That's why I am thinking of installing a Linux based firewall/proxy server.
I want one that doesn't know a thing about Windows and what Windows wants to
get to the Internet for.
Microsoft is a major offender in this regard. If one doesn't believe this,
all you have to do is to run ZoneAlarm on XP/Windows 2003 Server. This kind
of spyware may be beneficial in the sense that it facilitates checking for
program updates and transmitting helpful messages like the news that pops
up every time that VisualStudio is executed. Nevertheless, any program that
"calls home" on its own is a potential security risk.
Phoning home, in and of itself, is only a security risk if I am in a James
Bond world and I am in the enemy's lair and trying to get secrets off their
computer in order to save the world. Then, I boot up the super-secret PC
triggering alarms on the firewall and the ultra-rich billionaire (insert
your own choice of billionaire here) with world domination goals suddenly
sees on his 1000 inch plasma display in the control center that I am in his
office. Now I am caught because of the phone-home feature in Windows. Of
course, this billionaire uses ZoneAlarm and not the built-in Windows Vista
firewall.
Vista, Microsoft application programs and those of an increasing number of
other software vendors now include this form of spyware in their programs.
An unfortunate Vista/Longhorn firewall problem is that remote access
cannot be used unless the firewall is turned on. This is a very reasonable
precaution except that it could prevent one from using an alternative
software firewall; for example, ZoneAlarm.
I agree again. Why limit that one service if the user doesn't use
Microsoft's choice of firewall when other services don't have the same
limitation? It seems sort of token in nature. And having to administer one
firewall is burden enough for most users; requiring them to administer two
would result in even more users turning the firewall off.
Finally, Microsoft has made a real mess of many of the user interfaces.
They tend to be overly complex, non-intuitive, and generally user
unfriendly. Windows Explorer is one of the worst examples. Longhorn does
have a menu choice called "Computer". With a little effort, it is possible
to create a desktop icon for "Computer". You can then access a display
that is similar to the old Widows Explorer.
Out with the old; in with the new. There are a lot of UI features that I
either don't like or that I am not yet comfortable with in it but that list
gets shorter and shorter the more I use Vista. In the end, there will be UI
choices that the Vista product team made that I will always think were
mistakes but, overall, it is a good operating system and has a good UI -
Windows Media Player 11 excepted.
Dale