Datasheet
Vista service hardening provides security in the following key areas:
Least privilege service permission: In previous Windows OSes, services
ran largely under the local system account — which is, essentially, the
most powerful account on your computer — even if they did not require
such privilege. Vista allows services to run with the least privilege that
they might require, such as Local Service or Network Service. Additional
restrictions can be placed on a service to limit the areas of the Registry
or file system that a particular system has the ability to write to.
Service isolation: This allows a service to be separated (isolated) from
other services or applications. Such isolation helps reduce the attack
surface.
Firewall policy integration: Vista allows firewall policies to now be
applied to services. Because network-facing services are often the target
of exploits, this feature can go a long way in limiting the attack surface of
your system.
Vista provides a very comprehensive security approach to service hardening.
With the exception of a few additional steps that can be taken to secure the
Registry with regard to least-privilege permissions, Vista handles service
hardening and requires no interaction by the end user.
For more on service hardening, see Chapter 7.
Internet Explorer 7
Although Internet Explorer 7 (IE7) is part of the Vista OS, it can be installed
as a separate application independently from Vista. Microsoft has put a great
deal of effort into making Internet browsing more secure and changes in IE7
certainly reflect that.
Internet Explorer 7 provides the following security features:
Protected Mode: This defense-in-depth security feature restricts where
files can be downloaded and executed, or the ability to invoke other pro-
grams without the user’s consent.
ActiveX protection: ActiveX are small, Microsoft application compo-
nents that provide functions to the end user via their Web browser.
Internet Explorer 7 provides security mechanisms that reduce potential
risks of ActiveX exploits, such as ActiveX Opt-In and the ability to con-
trol ActiveX for a particular zone or site. Chapter 13 covers ActiveX
security in more detail.
Cross-domain scripting protection: Cross-domain scripting attacks have
presented a significant security threat in previous versions of Internet
Explorer and Windows OSes. Internet Explorer 7 forces scripts to run in
15
Chapter 1: Getting Up to Speed on Vista Security
05_118054 ch01.qxp 10/11/07 9:38 AM Page 15