
Security and safety features new to Windows Vista

From Wikipedia, the free encyclopedia

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Beginning in early 2002 with Microsoft's announcement of its Trustworthy Computing initiative, a great deal of work has gone into making Windows Vista a more secure operating system than its predecessors. Internally, Microsoft adopted a "Security Development Lifecycle"[1] with the underlying ethos of "Secure by design, secure by default, secure in deployment". New code for Windows Vista was developed with the SDL methodology, and all existing code was reviewed and refactored to improve security.

Some specific areas where Windows Vista introduces new security and safety mechanisms include User Account Control, parental controls, Network Access Protection, a built-in anti-malware tool, and new digital content protection mechanisms.

User Account Control


User Account Control is a new infrastructure that requires user consent before allowing any action that requires administrative privileges. With this feature, all users, including members of the Administrators group, run as a standard user by default, since most applications do not require higher privileges. When an action is attempted that needs administrative privileges, such as installing new software or changing system or security settings, Windows prompts the user whether to allow the action or not. If the user consents, the program performing the action is started in an elevated context with the full administrator token. While standard users must enter the username and password of an administrative account to get a process elevated (over-the-shoulder credentials), an administrator can choose to be prompted merely for consent or for credentials. If the user does not click Yes, after 30 seconds the prompt is denied.

UAC asks for consent or credentials on a Secure Desktop, where the entire screen is dimmed and temporarily disabled to present only the elevation UI. This prevents the application requesting elevation from spoofing the UI or the mouse. If the application requesting elevation does not have focus before the switch to the Secure Desktop occurs, its taskbar icon blinks, and the elevation UI is presented once it is focused (it is, however, not possible to prevent a malicious application from silently obtaining the focus).

Since only processes running as SYSTEM can present windows on the Secure Desktop, no user-mode application can draw its dialog boxes there, so an elevation prompt shown on it can safely be assumed to be genuine. This also helps protect against shatter attacks, which intercept Windows inter-process messages to run malicious code or spoof the user interface, by preventing unauthorized processes from sending messages to high-privilege processes. Any process that wants to send a message to a high-privilege process must first be elevated to the higher privilege context through UAC.

Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM).[2] UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user's profile. For example, if an application attempts to write to "C:\Program Files\appname\settings.ini" and the user does not have permission to write to that directory, the write is redirected to "C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\". Virtualization is a compatibility measure, not a security control: it applies only to 32-bit interactive applications that carry no requestedExecutionLevel manifest and are not running elevated, so a manifested or 64-bit application simply receives an access-denied error, and data written to the VirtualStore is visible only to that user and not to other accounts or to the real application directory.

Encryption


BitLocker, formerly known as "Secure Startup", offers full disk encryption for the system volume; using the command-line script (manage-bde.wsf), additional volumes can be encrypted as well. Data on the volume is encrypted with a Full Volume Encryption Key (FVEK). The FVEK is itself encrypted with a Volume Master Key (VMK), and the encrypted FVEK is stored on the volume. The VMK is protected by a Trusted Platform Module (TPM) conforming to version 1.2 of the TCG specifications, by a startup key on a USB device, or by a combination of the TPM with a PIN or a USB key. With a TPM, the VMK is sealed to the measurements of the boot components, so it is released only when the computer running Windows Vista starts in a known-good state; this both protects data from unauthorized access and detects tampering with the boot path.[3] Because the recovery password can unlock the VMK without the TPM, it must be stored as carefully as the data it protects.

Windows Vista is the first Microsoft Windows operating system to offer native support for the TPM 1.2 by providing a set of APIs, commands, classes, and services for the use and management of the TPM.[4][5] A new system service, referred to as TPM Base Services, enables the access to and sharing of TPM resources for developers who wish to build applications with support for the device.[6]

Encrypting File System (EFS) in Windows Vista can be used to encrypt the system page file and the per-user Offline Files cache. EFS is also more tightly integrated with enterprise Public Key Infrastructure (PKI), and supports using PKI-based key recovery, data recovery through EFS recovery certificates, or a combination of the two. There are also new Group Policies to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, enforce encryption of the user's Documents folder, and prohibit self-signed certificates. The EFS encryption key cache can be cleared when a user locks the workstation or after a certain time limit.

The EFS rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files that will use the newly chosen certificate. Certificate Manager also allows users to export their EFS recovery certificates and private keys. Users are reminded to back up their EFS keys upon first use through a balloon notification. The rekeying wizard can also be used to migrate users in existing installations from software certificates to smart cards. The wizard can also be used by an administrator or by users themselves in recovery situations. This method is more efficient than decrypting and re-encrypting files.

Windows Firewall


Windows Vista significantly improves the firewall[7] to address a number of concerns around the flexibility of Windows Firewall in a corporate environment:

  • IPv6 connection filtering.
  • Outbound packet filtering, reflecting increasing concerns about spyware and viruses that attempt to "phone home". The default outbound action is still to allow traffic; outbound filtering takes effect only for rules an administrator creates (or for services restricted by Windows Service Hardening), so a default installation does not block a program's outbound connections.
  • With the advanced packet filter, rules can also be specified for source and destination IP addresses and port ranges.
  • Rules can be configured for services by service name, chosen from a list, without needing to specify the full path of the executable.
  • IPsec is fully integrated, allowing connections to be allowed or denied based on security certificates, Kerberos authentication, etc. Encryption can also be required for any kind of connection. A connection security rule can be created using a wizard that handles the complex configuration of IPsec policies on the machine. Windows Firewall can allow traffic based on whether it is secured by IPsec.
  • A new management console snap-in named Windows Firewall with Advanced Security, which provides access to many advanced options, including IPsec configuration, and enables remote administration.
  • Ability to have separate firewall profiles for when computers are domain-joined or connected to a private or public network. Support for the creation of rules for enforcing server and domain isolation policies.

Windows Defender


Windows Vista includes Windows Defender, Microsoft's anti-spyware utility. According to Microsoft, it was renamed from "Microsoft AntiSpyware" because it not only scans the system for spyware, similar to other free products on the market, but also includes Real Time Security agents that monitor several common areas of Windows for changes which may be caused by spyware. These areas include Internet Explorer configuration and downloads, auto-start applications, system configuration settings, and add-ons to Windows such as Windows Shell extensions.

Windows Defender also includes the ability to remove installed ActiveX applications and to block startup programs. It also incorporates the SpyNet network, which allows users to communicate with Microsoft, submit what they consider to be spyware, and check which applications are considered acceptable.

Device Installation Control


Windows Vista allows administrators to enforce hardware restrictions via Group Policy to prevent users from installing devices, to restrict device installation to a predefined whitelist of device IDs or setup classes, or to restrict access to removable media and classes of devices.[8][9]

Parental Controls

Figure: Parental Controls of Windows Vista, showing the features available to restrict a standard user account ("Danielle").

Windows Vista includes a range of parental controls for administrators to monitor and restrict the computer activity of standard user accounts that are not part of a domain; User Account Control enforces the administrative restrictions. Features include:

  • Windows Vista Web Filter, implemented as a Winsock LSP filter so that it functions across all Web browsers, which prohibits access to websites based on categories of content or specific addresses (with an option to block all file downloads).
  • Time Limits, which prevents standard users from logging in during a date or time specified by an administrator (and which locks restricted accounts that are already logged in during such times).
  • Game Restrictions, which allows administrators to block games based on names, contents, or ratings defined by a video game content rating system such as the Entertainment Software Rating Board (ESRB), with content restrictions taking precedence over rating restrictions (e.g., Everyone 10+ (E10+) games may be permitted to run in general, but E10+ games with mild language will still be blocked if mild language itself is blocked).
  • Application Restrictions, which uses application whitelists to limit which programs the account may run.
  • Activity Reports, which monitors and records the activities of restricted standard user accounts.

Windows Parental Controls includes an extensible set of options, with application programming interfaces (APIs) for developers to replace bundled features with their own.

Exploit protection functionality


Windows Vista uses Address Space Layout Randomization (ASLR) to load system files at random addresses in memory.[10] By default, all system binaries are loaded at one of 256 possible base addresses (8 bits of entropy); because system DLLs are shared across processes, their randomized base is chosen once per boot. Other executables and DLLs opt in by setting the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in the header of the Portable Executable (PE) file, the file format for Windows executables (the /DYNAMICBASE linker option); for such images, the locations of the stack and heap are randomized as well. Because the addresses of privileged system functions are no longer fixed, an exploit cannot hard-code them, which raises the cost of return-to-libc style attacks on buffer overflows. ASLR is only as strong as the weakest module in a process: a single DLL loaded without the flag gives an attacker a fixed address, and an information leak that reveals a module's base defeats the randomization for that module.

The Portable Executable format has been updated to carry a table of the image's registered exception handlers in its load configuration directory (the /SAFESEH linker option). When an exception is dispatched on 32-bit Windows, the handler address found in the on-stack exception registration record is checked against that table; a handler that is not registered indicates that the run-time stack has been compromised, and the process is terminated rather than allowed to jump to the attacker-chosen address. This closes the classic technique of overwriting a structured exception handler record with a stack buffer overflow. The check applies only to images that carry the table, so a module built without /SAFESEH still accepts any handler address, which is why exploit writers look for such modules in a target process.

Function pointers are obfuscated by XOR-ing them with a per-process random value (the EncodePointer and DecodePointer APIs), so the stored value does not reveal the real address, and an attacker who overwrites the stored value cannot make it decode to a chosen target without knowing the key. Heap block metadata is likewise XOR-ed with a random value, and each heap block header carries a checksum that is verified before the metadata is trusted. When heap corruption is detected, the process is terminated rather than allowed to continue, so overwritten metadata cannot be turned into the arbitrary write that classic heap exploits relied on.
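The following is an added illustration, written for this article and not taken from Windows, of the two ideas in the paragraph above: a function pointer kept in memory only in XOR-encoded form, and a heap block header whose metadata is XOR-encoded and covered by a checksum that catches an overflow from the neighbouring block. The cookie values, the header layout and all names are assumptions for the demo; the real Windows heap derives its cookies from system randomness and uses a different header layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Per-process secrets. Windows seeds these from system randomness at
 * start-up; fixed demo values are used here so results are reproducible. */
static const uintptr_t POINTER_COOKIE = (uintptr_t)0x5A3C96F0E1D2B4A7ULL;
static const uint32_t  HEAP_COOKIE    = 0x9E3779B9u;

/* ---- Pointer obfuscation, in the spirit of EncodePointer/DecodePointer ---- */

typedef int (*handler_fn)(int);

uintptr_t encode_ptr(uintptr_t p) { return p ^ POINTER_COOKIE; }
uintptr_t decode_ptr(uintptr_t p) { return p ^ POINTER_COOKIE; }

int double_it(int x) { return 2 * x; }

/* A long-lived callback slot of the kind an exploit overwrites (a C runtime
 * handler table, for instance). Only the encoded value is stored, so an
 * attacker who knows where double_it lives still cannot write a word that
 * decodes to a chosen target without also knowing POINTER_COOKIE. */
static uintptr_t g_callback_slot;

void register_handler(handler_fn f) { g_callback_slot = encode_ptr((uintptr_t)f); }

int invoke_handler(int arg) {
    handler_fn f = (handler_fn)decode_ptr(g_callback_slot);
    return f(arg);
}

/* Register double_it and call it through the encoded slot. */
int handler_roundtrip(int arg) { register_handler(double_it); return invoke_handler(arg); }

/* 1 if the raw slot contents equal the real target address (they never should). */
int slot_leaks_target(void) { register_handler(double_it); return g_callback_slot == (uintptr_t)double_it; }

/* ---- Heap block header with encoded metadata and a checksum ---- */

typedef struct {
    uint32_t size_enc;   /* user size  XOR HEAP_COOKIE */
    uint32_t flags_enc;  /* flag bits  XOR HEAP_COOKIE */
    uint8_t  checksum;   /* XOR of every byte of the two fields above */
} block_hdr;

static uint8_t hdr_checksum(const block_hdr *h) {
    const uint8_t *b = (const uint8_t *)h;
    uint8_t c = 0;
    for (size_t i = 0; i < offsetof(block_hdr, checksum); i++) c ^= b[i];
    return c;
}

void block_init(block_hdr *h, uint32_t size, uint32_t flags) {
    h->size_enc  = size  ^ HEAP_COOKIE;
    h->flags_enc = flags ^ HEAP_COOKIE;
    h->checksum  = hdr_checksum(h);
}

/* The allocator calls this before trusting size/flags. Vista's heap terminates
 * the process when the check fails instead of carrying on with attacker-chosen
 * metadata (the classic unlink-style write primitive). */
int block_validate(const block_hdr *h) { return hdr_checksum(h) == h->checksum; }
uint32_t block_size(const block_hdr *h) { return h->size_enc ^ HEAP_COOKIE; }

/* Simulates an overrun from the previous chunk spilling 0x41 bytes into the
 * header. Returns 1 when the tamper is caught. */
int corruption_is_detected(void) {
    block_hdr h;
    block_init(&h, 64, 1);
    if (!block_validate(&h) || block_size(&h) != 64) return 0;  /* fresh header must pass */
    memset(&h, 0x41, 3);                                         /* clobber 3 bytes of size_enc */
    return !block_validate(&h);
}

int main(void) {
    printf("handler(21) = %d, slot leaks target: %d\n", handler_roundtrip(21), slot_leaks_target());
    printf("heap header corruption detected: %d\n", corruption_is_detected());
    return 0;
}
```

A one-byte XOR checksum is deliberately cheap; it catches the linear overruns that corrupt a header but not a change crafted to cancel out, which is why the encoding with a secret cookie matters as much as the checksum.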

Windows Vista binaries are compiled with buffer security checks (the /GS compiler option): a random security cookie is placed between local buffers and the saved return address, and it is verified before the function returns. If the cookie has changed, a stack buffer overrun has occurred, and the process is terminated so that the exploit cannot continue. The compiler also reorders locals so that buffers sit higher in memory than non-buffer locals such as pointers and copies of the function's parameters; a classic overrun, which writes upward, therefore hits the cookie before it can reach them, and only a buffer underrun, which is far less common, can corrupt those locations. The check happens only at function return, so an overwrite that is consumed before the function returns (such as an on-stack exception handler record on x86) has to be caught by other means, which is one reason SafeSEH exists.
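The added example below, which is not compiler output or Microsoft code, models a /GS-protected frame as an explicit byte array so the overrun stays well-defined C: the non-buffer local sits lowest, then the buffer, then the cookie, then the saved return address. A copy with no bounds check is run with benign and with attacker-shaped input, and the cookie check in the "epilogue" decides whether the function would be allowed to return. The cookie value, frame offsets and payload are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { BUF_SIZE = 16, PTR = sizeof(uintptr_t) };

/* Frame layout as /GS arranges it: non-buffer locals lowest, then the
 * character buffer, then the security cookie, then the saved return
 * address. A linear overrun of buf must cross cookie before reaching ret. */
enum { OFF_FNPTR = 0, OFF_BUF = PTR, OFF_COOKIE = OFF_BUF + BUF_SIZE,
       OFF_RET = OFF_COOKIE + PTR, FRAME_BYTES = OFF_RET + PTR };

/* Vista's CRT derives the cookie from system time, process/thread ids and the
 * performance counter at start-up; a fixed value keeps the demo reproducible. */
static const uintptr_t SECURITY_COOKIE = (uintptr_t)0xA1B2C3D4E5F60718ULL;
static const uintptr_t ORIGINAL_FNPTR  = 0x1000;    /* demo value */
static const uintptr_t ORIGINAL_RET    = 0x401000;  /* demo value */

typedef enum { RET_OK = 0, RET_GS_FAILURE = 1 } outcome;

typedef struct { outcome result; uintptr_t fnptr; uintptr_t ret; } frame_report;

static void put(unsigned char *frame, size_t off, uintptr_t v) { memcpy(frame + off, &v, PTR); }
static uintptr_t get(const unsigned char *frame, size_t off) {
    uintptr_t v; memcpy(&v, frame + off, PTR); return v;
}

/* Prologue: plant the cookie. Body: the bug, a copy with no bounds check
 * (clamped to the frame only so the demo itself stays memory-safe).
 * Epilogue: the __security_check_cookie step before the return address is used. */
frame_report vulnerable_copy(const char *input, size_t len) {
    unsigned char frame[FRAME_BYTES];
    frame_report r;
    put(frame, OFF_FNPTR, ORIGINAL_FNPTR);
    put(frame, OFF_COOKIE, SECURITY_COOKIE);
    put(frame, OFF_RET, ORIGINAL_RET);
    if (len > FRAME_BYTES - OFF_BUF) len = FRAME_BYTES - OFF_BUF;
    memcpy(frame + OFF_BUF, input, len);              /* the overflow happens here */
    r.fnptr  = get(frame, OFF_FNPTR);
    r.ret    = get(frame, OFF_RET);
    r.result = (get(frame, OFF_COOKIE) == SECURITY_COOKIE) ? RET_OK : RET_GS_FAILURE;
    return r;
}

/* Constructed attacker input: fill the buffer, then run over the cookie and
 * the return address with recognisable bytes. */
size_t attack_payload_len(void) { return BUF_SIZE + 2 * PTR; }
const char *attack_payload(void) {
    static char p[BUF_SIZE + 2 * PTR];
    memset(p, 'A', BUF_SIZE);
    memset(p + BUF_SIZE, 'B', PTR);          /* lands on the cookie */
    memset(p + BUF_SIZE + PTR, 'C', PTR);    /* lands on the return address */
    return p;
}

int main(void) {
    frame_report ok  = vulnerable_copy("hello", 5);
    frame_report bad = vulnerable_copy(attack_payload(), attack_payload_len());
    printf("benign: gs_failure=%d ret=%#lx fnptr=%#lx\n", ok.result,
           (unsigned long)ok.ret, (unsigned long)ok.fnptr);
    printf("attack: gs_failure=%d ret=%#lx fnptr=%#lx\n", bad.result,
           (unsigned long)bad.ret, (unsigned long)bad.fnptr);
    return 0;
}
```

Note that the pointer local below the buffer survives the attack untouched, which is the point of the reordering, and that a payload only one byte longer than the buffer already trips the check even though the return address is intact.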

Application isolation


Windows Vista introduces Mandatory Integrity Control (MIC), which assigns an integrity level (low, medium, high or system) to every process and to securable objects. Before the ordinary discretionary ACL is consulted, a process at a lower integrity level is denied write access to an object labelled with a higher level (the default no-write-up policy); for process objects, reading is blocked as well, so a standard-user process cannot read the memory of an elevated one. Objects with no explicit label are treated as medium. This enforces application isolation: applications in the standard user context run at medium integrity and cannot hook into or modify administrator-mode processes, which run at high integrity, but can act on lower-integrity processes such as Protected Mode Internet Explorer 7 or 8, which run at low integrity. The window-message side of this, User Interface Privilege Isolation (UIPI), means a lower-privilege process cannot validate a window handle belonging to a higher-privilege process, cannot SendMessage or PostMessage to its windows, cannot attach thread hooks to it, cannot monitor it with journal hooks, and cannot inject a DLL into it. For files and registry keys MIC is a write barrier rather than a read barrier: a low-integrity process can still read medium-integrity files the user can read, which is why Protected Mode IE confines writes rather than reads.
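The following is an added model, not the Windows kernel's code, of the integrity check described above. The integrity-level RIDs and the label policy bits are the real Windows constants; the rule applied is the one Vista uses, namely that a caller below the object's label loses the rights named by the label's policy before the DACL is checked. The three sample objects, their labels, and the choice of a no-read-up policy on the process object are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Integrity level RIDs, as in the S-1-16-<rid> label SIDs. */
enum { IL_UNTRUSTED = 0x0000, IL_LOW = 0x1000, IL_MEDIUM = 0x2000,
       IL_HIGH = 0x3000, IL_SYSTEM = 0x4000 };

/* Mandatory label policy bits (SYSTEM_MANDATORY_LABEL_NO_*). */
enum { NO_WRITE_UP = 0x1, NO_READ_UP = 0x2, NO_EXECUTE_UP = 0x4 };

/* Simplified generic access rights requested by the caller. */
enum { ACCESS_READ = 0x1, ACCESS_WRITE = 0x2, ACCESS_EXECUTE = 0x4 };

typedef struct {
    const char *name;
    uint32_t    label;   /* integrity level from the object's mandatory label ACE
                            (an object with no label is treated as IL_MEDIUM) */
    uint32_t    policy;  /* which access directions the label blocks for lower callers */
} object;

/* Sample objects, constructed for this demo. Files carry the default
 * no-write-up policy; the process label additionally blocks reads (assumed
 * here so that a standard-user process cannot read an elevated one). */
const object USER_DOCUMENT = { "C:\\Users\\alice\\Documents\\notes.txt", IL_MEDIUM, NO_WRITE_UP };
const object LOW_CACHE     = { "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
                               IL_LOW, NO_WRITE_UP };
const object ADMIN_PROCESS = { "elevated cmd.exe (process object)", IL_HIGH, NO_WRITE_UP | NO_READ_UP };

/* Returns the subset of `requested` that survives the integrity check; the
 * ordinary DACL check (not modelled here) then runs on that subset. */
uint32_t mandatory_filter(uint32_t caller_il, const object *o, uint32_t requested) {
    if (caller_il >= o->label) return requested;      /* equal or higher: no mandatory restriction */
    uint32_t denied = 0;
    if (o->policy & NO_WRITE_UP)   denied |= ACCESS_WRITE;
    if (o->policy & NO_READ_UP)    denied |= ACCESS_READ;
    if (o->policy & NO_EXECUTE_UP) denied |= ACCESS_EXECUTE;
    return requested & ~denied;
}

/* 1 if every requested right passes the integrity check, 0 if any is stripped. */
int access_allowed(uint32_t caller_il, const object *o, uint32_t requested) {
    return mandatory_filter(caller_il, o, requested) == requested;
}

const char *il_name(uint32_t il) {
    switch (il) {
    case IL_UNTRUSTED: return "untrusted";
    case IL_LOW:       return "low";
    case IL_MEDIUM:    return "medium";
    case IL_HIGH:      return "high";
    case IL_SYSTEM:    return "system";
    default:           return "?";
    }
}

int main(void) {
    const object  *objs[]    = { &USER_DOCUMENT, &LOW_CACHE, &ADMIN_PROCESS };
    const uint32_t callers[] = { IL_LOW, IL_MEDIUM, IL_HIGH };
    for (size_t c = 0; c < 3; c++)
        for (size_t o = 0; o < 3; o++)
            printf("%-6s -> %-40.40s read=%d write=%d\n", il_name(callers[c]), objs[o]->name,
                   access_allowed(callers[c], objs[o], ACCESS_READ),
                   access_allowed(callers[c], objs[o], ACCESS_WRITE));
    return 0;
}
```

The matrix it prints is the practical summary: low-integrity IE can read the user's document but not write it, a medium standard-user process can neither read nor write the elevated process, and a high-integrity process is unrestricted by MIC (the DACL still applies to it).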

Data Execution Prevention


Windows Vista offers full support for the NX (No-Execute) feature of modern processors.[11] DEP was introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. This feature, marketed as NX (Enhanced Virus Protection, EVP) in AMD's AMD64 processors and as XD (Execute Disable Bit, EDB) in Intel's processors, can flag parts of memory as containing data rather than executable code, so that an overflow which lands attacker-supplied bytes in a data page cannot run them as code.

If the processor supports the NX bit, Windows Vista enforces hardware-based Data Execution Prevention on the processes covered by the DEP policy, marking pages that hold data (such as the heap and stack) as non-executable; any attempt to fetch instructions from those pages raises an access violation. This prevents exploit code from being injected as data and then executed.

If DEP is enabled for all applications, users gain additional resistance against zero-day exploits. But not all applications are DEP-compliant, and some will generate DEP exceptions. Therefore, DEP is not enforced for all applications by default in 32-bit versions of Windows; the default policy (OptIn) turns it on only for critical system components and for applications that opt in. Windows Vista introduces additional NX policy controls that let software developers enable NX protection for their code independently of the system-wide compatibility setting: an application built with the /NXCOMPAT linker option carries the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag in its PE header, and the loader enforces DEP on it when it runs. This raises the proportion of NX-protected code on 32-bit platforms, where the default system policy protects only operating system components. For x86-64 applications, backward compatibility is not an issue, so DEP is enforced by default for all 64-bit programs, and only processor-enforced DEP is used in x86-64 versions of Windows Vista. DEP stops injected code from running but not code reuse: an attacker who controls the return address can still chain existing executable code, which is why DEP is intended to be combined with ASLR.
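Both the ASLR paragraph above and the DEP discussion come down to two bits in the PE optional header, so the following added example (written for this article, not a Microsoft tool) reads them: it parses the DOS stub, the PE signature, the COFF header and enough of the optional header to reach DllCharacteristics, then reports whether an image opts into ASLR and DEP and whether Vista's default policy would enforce DEP on it. The flag values and header offsets are the documented PE format; the two sample headers are constructed in memory for the demo and are not runnable executables, and the policy function encodes only the default OptIn behaviour described in the text, not an administrator-changed setting.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040  /* /DYNAMICBASE: ASLR opt-in */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100  /* /NXCOMPAT: DEP opt-in */
#define IMAGE_DLLCHARACTERISTICS_NO_SEH       0x0400  /* image uses no SEH handlers */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664

typedef struct { int valid; int pe32plus; uint16_t machine; uint16_t dllchars; } pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* DllCharacteristics sits at offset 70 of the optional header in both PE32 and
 * PE32+, so one reader serves 32- and 64-bit images. Every offset is checked
 * against the buffer length before it is dereferenced: a parser of untrusted
 * files must not itself be the overflow. */
pe_info pe_inspect(const uint8_t *img, size_t len) {
    pe_info r = {0, 0, 0, 0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return r;  /* sig + COFF + optional hdr up to DllCharacteristics */
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return r;
    r.machine = rd16(nt + 4);
    if (rd16(nt + 20) < 72) return r;                                /* SizeOfOptionalHeader too small */
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);
    if (magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) return r;
    r.pe32plus = (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC);
    r.dllchars = rd16(opt + 70);
    r.valid = 1;
    return r;
}

int pe_opts_into_aslr(pe_info i) { return i.valid && (i.dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0; }
int pe_opts_into_dep(pe_info i)  { return i.valid && (i.dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0; }

/* Vista's default policy: DEP is always on for 64-bit images; on 32-bit the
 * default OptIn policy enforces it only for an EXE that sets NX_COMPAT. */
int dep_enforced_by_default(pe_info i) { return i.valid && (i.pe32plus || pe_opts_into_dep(i)); }

/* Constructed minimal header: just the fields read above, zero elsewhere. */
size_t build_sample_header(uint8_t *out, size_t cap, int pe32plus, uint16_t dllchars) {
    const uint32_t e_lfanew = 0x40;
    const size_t need = e_lfanew + 24 + 72;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3C, e_lfanew);
    uint8_t *nt = out + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, pe32plus ? IMAGE_FILE_MACHINE_AMD64 : IMAGE_FILE_MACHINE_I386);
    wr16(nt + 20, pe32plus ? 0xF0 : 0xE0);                 /* SizeOfOptionalHeader */
    wr16(nt + 24, pe32plus ? IMAGE_NT_OPTIONAL_HDR64_MAGIC : IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    wr16(nt + 24 + 70, dllchars);
    return need;
}

/* Build a sample and inspect it in one call. */
pe_info inspect_sample(int pe32plus, uint16_t dllchars) {
    uint8_t buf[256];
    size_t n = build_sample_header(buf, sizeof buf, pe32plus, dllchars);
    return pe_inspect(buf, n);
}

/* A file cut off before the optional header must be rejected, not read past. */
int truncated_header_is_rejected(void) {
    uint8_t buf[256];
    size_t n = build_sample_header(buf, sizeof buf, 1, 0x0140);
    return n > 0 && pe_inspect(buf, 0x50).valid == 0;
}

static void report(const char *what, pe_info i) {
    printf("%-12s %s DllCharacteristics=0x%04x ASLR=%d DEP(opt-in)=%d DEP(default policy)=%d\n",
           what, i.pe32plus ? "PE32+" : "PE32 ", i.dllchars,
           pe_opts_into_aslr(i), pe_opts_into_dep(i), dep_enforced_by_default(i));
}

int main(void) {
    report("x64 hardened", inspect_sample(1, 0x0140));   /* DYNAMIC_BASE | NX_COMPAT */
    report("x86 legacy",   inspect_sample(0, 0x0000));
    printf("truncated header rejected: %d\n", truncated_header_is_rejected());
    return 0;
}
```

On a real system the same bits are what `dumpbin /headers` prints as "Dynamic base" and "NX compatible"; running a check like this over every DLL a process loads is the quickest way to find the unrandomized module that an exploit will use as its fixed address.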

Digital rights management


New digital rights management and content-protection features have been introduced in Windows Vista to help digital content providers and corporations protect their data from being copied.

  • PUMA: Protected User Mode Audio (PUMA) is the new User Mode Audio (UMA) audio stack. Its aim is to provide an environment for audio playback that restricts the copying of copyrighted audio, and restricts the enabled audio outputs to those allowed by the publisher of the protected content.[12]
  • Protected Video Path - Output Protection Management (PVP-OPM) is a technology that prevents copying of protected digital video streams, or their display on video devices that lack equivalent copy protection (typically HDCP). Microsoft claims that without these restrictions the content industry might prevent PCs from playing copyrighted content by refusing to issue license keys for the encryption used by HD DVD, Blu-ray Disc, or other copy-protected systems.[12]
  • Protected Video Path - User-Accessible Bus (PVP-UAB) is similar to PVP-OPM, except that it applies encryption to protected content as it crosses the PCI Express bus.
  • Rights Management Services (RMS) support, a technology that allows corporations to apply DRM-like restrictions to corporate documents, email, and intranets to protect them from being copied, printed, or even opened by people not authorized to do so.
  • Windows Vista introduces the Protected Process,[13] which differs from an ordinary process in that other processes, even those running with administrator privileges, cannot manipulate its state, read or write its memory, or inject threads into it. A Protected Process has enhanced access to the DRM functions of Windows Vista. In Windows Vista, only binaries signed for the Protected Video Path can run as Protected Processes.

The inclusion of new digital rights management features has been a source of criticism of Windows Vista.

Windows Service Hardening


Windows Service Hardening compartmentalizes services so that a compromised service cannot easily be used to attack other services or the rest of the system. It limits the operations a service may perform on the file system, registry and network[14] to those it is expected to need, reducing the overall attack surface and the value of exploiting a system service to malware. Each service can be assigned its own Security Identifier (SID), so ACLs on files, registry keys and other objects can grant or deny access to that specific service rather than to the shared account it runs under. A per-service SID is assigned at installation time via the ChangeServiceConfig2 API (with SERVICE_CONFIG_SERVICE_SID_INFO) or with the SC.EXE sidtype command, and a service can then place ACLs on the resources private to it so that other services sharing the same account cannot reach them.

Services in Windows Vista also run under less privileged accounts such as Local Service or Network Service instead of the System account where possible. Previous versions of Windows ran system services in the same session as the first interactively logged-on user (Session 0). In Windows Vista, Session 0 is reserved for services, and all interactive logons take place in other sessions.[15] This is intended to help mitigate a class of exploits of the Windows message-passing system known as shatter attacks, since a service's windows no longer share a desktop with the user's applications. The process hosting a service is granted only the privileges listed in the RequiredPrivileges registry value under HKLM\System\CurrentControlSet\Services\<service name>; any other privilege of the account is stripped from the service's token when it starts.

Services also need explicit write permissions, on a per-service basis, to write to resources. Using a write-restricted access token, write access is granted only when the object's ACL grants it to the service's own SID (or to another SID in the token's restricted list), so an attempt to modify any other resource fails even if the account the service runs under would normally be allowed. Services can also ship with a pre-configured firewall policy keyed to the service SID, which gives a service only as much network access as it needs to function. Independent software vendors can apply Windows Service Hardening to their own services. Windows Vista also hardens the named pipes used by RPC servers to prevent other processes from hijacking (squatting on) them.

Authentication and logon


Graphical Identification and Authentication (GINA), used for secure authentication and interactive logon, has been replaced by Credential Providers. Combined with supporting hardware, Credential Providers can extend the operating system to let users log on through biometric devices (fingerprint, retinal, or voice recognition), passwords, PINs and smart card certificates, or any custom authentication package and schema that third-party developers wish to create. Smart card authentication is more flexible because the certificate requirements are relaxed. Enterprises may develop, deploy, and optionally enforce custom authentication mechanisms for all domain users. Credential Providers may be designed to support single sign-on (SSO), authenticating users to a secure network access point (leveraging RADIUS and other technologies) as well as machine logon. Credential Providers are also designed to support application-specific credential gathering, and may be used for authentication to network resources, joining machines to a domain, or to provide administrator consent for User Account Control. Authentication is also supported over IPv6 and through Web services. A new Security Support Provider (SSP), CredSSP, is available through the Security Support Provider Interface (SSPI); it lets an application delegate the user's credentials from the client (through the client-side SSP) to the target server (through the server-side SSP). CredSSP is also used by Terminal Services to provide single sign-on. Because delegation hands the target server the user's actual credentials rather than a ticket, the servers permitted to receive them should be constrained with the Credentials Delegation Group Policy settings (such as "Allow delegating default credentials") rather than left open.

Windows Vista can authenticate user accounts using smart cards or a combination of passwords and smart cards (two-factor authentication). Windows Vista can also use smart cards to store EFS keys. This ensures that encrypted files are accessible only as long as the smart card is physically available. If smart cards are used for logon, EFS operates in a single sign-on mode, where it uses the logon smart card for file encryption without further prompting for the PIN.

Fast User Switching, which was limited to workgroup computers on Windows XP, can now also be enabled for computers joined to a domain, starting with Windows Vista. Windows Vista also includes authentication support for the Read-Only Domain Controllers introduced in Windows Server 2008.

Cryptography


Windows Vista features an update to the crypto API known as Cryptography API: Next Generation (CNG). The CNG API is a user mode and kernel mode API that includes support for elliptic curve cryptography (ECC) and a number of newer algorithms that are part of the National Security Agency (NSA) Suite B. It is extensible, featuring support for plugging custom cryptographic providers into the CNG runtime. It also integrates with the smart card subsystem by including a Base CSP module which implements all the standard backend cryptographic functions that developers and smart card manufacturers need, so that they do not have to write complex CSPs. The Microsoft certificate authority can issue ECC certificates, and the certificate client can enroll and validate ECC and SHA-2 based certificates.

Revocation improvements include native support for the Online Certificate Status Protocol (OCSP), providing real-time certificate validity checking, CRL prefetching and CAPI2 Diagnostics. Certificate enrollment is wizard-based, allows users to input data during enrollment and provides clear information on failed enrollments and expired certificates. CertEnroll, a new COM-based enrollment API, replaces the XEnroll library for flexible programmability. Credential roaming capabilities replicate Active Directory key pairs, certificates and credentials stored in Stored User Names and Passwords within the network.

Network Access Protection


Windows Vista introduces Network Access Protection (NAP), which ensures that computers connecting to or communicating with a network conform to a required level of system health as set by the administrator of the network. Depending on the policy set by the administrator, computers which do not meet the requirements will either be warned and granted access, allowed access to limited network resources, or denied access completely. NAP can also optionally provide software updates to a non-compliant computer, using a Remediation Server, so that it can bring itself up to the level required to access the network. A conforming client is given a Health Certificate, which it then uses to access protected resources on the network. The statement of health is produced by the client's own NAP agent, so NAP is a compliance and hygiene control rather than a defence against a deliberately hostile machine.

A Network Policy Server running Windows Server 2008 acts as the health policy server, and clients need to use Windows XP SP3 or later. A VPN server, RADIUS server or DHCP server can also act as the health policy server.

Networking

  • The interfaces for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information have been replaced with a new framework known as the Windows Filtering Platform (WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is integrated in the stack, and makes it easier for developers to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic.
  • In order to provide better security when transferring data over a network, Windows Vista enhances the cryptographic algorithms used to protect data. Support for 256-bit and 384-bit Elliptic Curve Diffie–Hellman (ECDH) key agreement, as well as for 128-bit, 192-bit and 256-bit Advanced Encryption Standard (AES), is included in the network stack itself and in the Kerberos protocol and GSS messages. Direct support for SSL and TLS connections in the new Winsock API allows socket applications to control the security of their traffic over a network directly (such as providing security policy and requirements for traffic, or querying security settings) rather than having to add extra code to support a secure connection. Computers running Windows Vista can be part of logically isolated networks within an Active Directory domain. Only the computers which are in the same logical network partition will be able to access the resources in the domain; even though other systems may be physically on the same network, unless they are in the same logical partition they will not be able to access partitioned resources. A system may be part of multiple network partitions. The Schannel SSP includes new cipher suites that support Elliptic Curve Cryptography, so ECC cipher suites can be negotiated as part of the standard TLS handshake. The Schannel interface is pluggable, so advanced combinations of cipher suites can substitute a higher level of functionality.
  • IPsec is now fully integrated with Windows Firewall and offers simplified configuration and improved authentication. IPsec supports IPv6, including support for Internet Key Exchange (IKE), AuthIP and data encryption, client-to-DC protection, integration with Network Access Protection and Network Diagnostics Framework support. To increase the security and deployability of IPsec VPNs, Windows Vista includes AuthIP, which extends the IKE cryptographic protocol to add features like authentication with multiple credentials, alternate method negotiation and asymmetric authentication.[16]
  • Security for wireless networks is improved with better support for newer wireless standards like 802.11i (WPA2). EAP Transport Layer Security (EAP-TLS) is the default authentication mode. Connections are made at the most secure connection level supported by the wireless access point. WPA2 can be used even in ad hoc mode. Windows Vista enhances security when joining a domain over a wireless network. It can use Single Sign On to use the same credentials to join a wireless network as well as the domain housed within the network.[17] In this case, the same RADIUS server is used for both PEAP authentication for joining the network and MS-CHAP v2 authentication to log into the domain. A bootstrap wireless profile can also be created on the wireless client, which first authenticates the computer to the wireless network and joins the network. At this stage, the machine still does not have any access to the domain resources. The machine then runs a script, stored either on the system or on a USB thumb drive, which authenticates it to the domain. Authentication can be done either with a username and password combination or with certificates from a Public Key Infrastructure (PKI) vendor such as VeriSign.
  • Windows Vista also includes an Extensible Authentication Protocol Host (EAPHost) framework that provides extensibility for authentication methods for commonly used protected network access technologies such as 802.1X and PPP.[18] It allows networking vendors to develop and easily install new authentication methods known as EAP methods.
  • Windows Vista supports the use of PEAP with PPTP. The authentication mechanisms supported are PEAPv0/EAP-MSCHAPv2 (passwords) and PEAP-TLS (smart cards and certificates).
  • Windows Vista Service Pack 1 includes the Secure Socket Tunneling Protocol, a new Microsoft proprietary VPN protocol which provides a mechanism to transport Point-to-Point Protocol (PPP) traffic (including IPv6 traffic) through an SSL channel over HTTPS (TCP port 443), so that it passes through firewalls and proxies that block PPTP and L2TP.

x86-64-specific features

  • 64-bit versions of Windows Vista enforce hardware-based Data Execution Prevention (DEP), with no fallback software emulation. This ensures that the less effective software-enforced DEP (which is only safe exception handling and unrelated to the NX bit) is not used. DEP is enforced by default for all 64-bit applications and services on x86-64 versions, and for those 32-bit applications that opt in. In contrast, in 32-bit versions, software-enforced DEP is an available option and by default is enabled only for essential system components.
  • An upgraded Kernel Patch Protection, also referred to as PatchGuard, detects modification of the kernel, or of data structures used by the kernel such as the system service table and the interrupt descriptor table, by third-party software, including kernel-mode drivers; if a modification is detected, the system is halted with a bug check. This mitigates a common tactic used by rootkits to hide themselves from user-mode applications.[19] PatchGuard was first introduced in the x64 edition of Windows Server 2003 Service Pack 1, and was included in Windows XP Professional x64 Edition. It is a periodic check rather than a hardware-enforced boundary, so code that is already running in kernel mode can attempt to disable it, which is why it is paired with the driver signing requirement below.
  • Kernel-mode drivers on 64-bit versions of Windows Vista must be digitally signed; even administrators cannot install unsigned kernel-mode drivers.[20] A boot-time option (the "Disable Driver Signature Enforcement" entry in the F8 Advanced Boot Options menu) is available to disable this check for a single session of Windows. 64-bit user-mode drivers are not required to be digitally signed.
  • Code Integrity verifies the signatures of signed system binaries: before a binary is loaded, its hash is computed and matched against the signed hash in the system catalogs (or in an embedded signature) to ensure it has not been modified. The Windows Vista boot loader checks the integrity of the kernel, the Hardware Abstraction Layer (HAL), and the boot-start drivers. Beyond the kernel memory space, Code Integrity verifies binaries loaded into a protected process and the system-installed dynamic libraries that implement core cryptographic functions.

Other features and changes


A number of specific security and reliability changes have been made:

  • Stronger encryption is used for storing LSA secrets (cached domain records, passwords, EFS encryption keys, local security policy, auditing, etc.).[21]
  • Support for the IEEE 1667 authentication standard for USB flash drives, added by a hotfix for Windows Vista Service Pack 2.[22]
  • The Kerberos SSP has been updated to support AES encryption.[23] The SChannel SSP also has stronger AES encryption and ECC support.[24]
  • Software Restriction Policies, introduced in Windows XP, have been improved in Windows Vista.[25] The Basic user security level is exposed by default instead of being hidden. The default hash rule algorithm has been upgraded from MD5 to the stronger SHA256. Certificate rules can now be enabled through the Enforcement Property dialog box from within the Software Restriction Policies snap-in extension.
  • To prevent accidental deletion of Windows, Vista does not allow formatting the boot partition while it is active: right-clicking the C: drive and choosing "Format", or typing "Format C:" (without quotes) at the Command Prompt, yields a message saying that formatting this volume is not allowed. To format the main hard drive (the drive containing Windows), the user must boot the computer from a Windows installation disc or choose the menu item "Repair Your Computer" from the Advanced System Recovery Options by pressing F8 when turning on the computer.
  • Additional EFS settings allow configuring when encryption policies are updated, whether files moved to encrypted folders are encrypted, whether Offline Files cache files are encrypted, and whether encrypted items can be indexed by Windows Search.
  • The Stored User Names and Passwords (Credentials Manager) feature includes a new wizard to back up user names and passwords to a file and restore them on systems running Windows Vista or later operating systems.
  • A new policy setting in Group Policy enables the display of the date and time of the last successful interactive logon, and the number of failed logon attempts since the last successful logon with the same user name. This enables a user to determine whether the account was used without his or her knowledge. The policy can be enabled for local users as well as for computers joined to a functional-level domain.
  • Windows Resource Protection prevents potentially damaging system configuration changes[26] by preventing changes to system files and settings by any process other than Windows Installer. Changes to the registry by unauthorized software are also blocked.
  • Protected-Mode Internet Explorer: Internet Explorer 7 and later introduce several security changes such as a phishing filter, ActiveX opt-in, URL handling protection, and protection against cross-domain scripting attacks and status-bar spoofing. They run as a low-integrity process on Windows Vista, can write only to the Temporary Internet Files folder, and cannot gain write access to files and registry keys in a user's profile, protecting the user from malicious content and security vulnerabilities, even in ActiveX controls. Internet Explorer 7 and later also use the more secure Data Protection API (DPAPI) to store credentials such as passwords instead of the less secure Protected Storage (PStore).
  • Network Location Awareness integration with the Windows Firewall. All newly connected networks default to "Public Location", which locks down listening ports and services. If a network is marked as trusted, Windows remembers that setting for future connections to that network.
  • User-Mode Driver Framework prevents drivers from directly accessing the kernel; they access it instead through a dedicated API. This new feature is important because a majority of system crashes can be traced to improperly installed third-party device drivers.[27]
  • Windows Security Center has been upgraded to detect and report the presence of anti-malware software, as well as to monitor and restore several Internet Explorer security settings and User Account Control. For anti-virus software that integrates with the Security Center, it presents the solution to fix any problems in its own user interface. Some Windows API calls have also been added to let applications retrieve the aggregate health status from the Windows Security Center and receive notifications when the health status changes.
  • Protected Storage (PStore) has been deprecated and therefore made read-only in Windows Vista. Microsoft recommends using DPAPI to add new PStore data items or manage existing ones.[28] Internet Explorer 7 and later also use DPAPI instead of PStore to store their credentials.
  • The built-in administrator account is disabled by default on a clean installation of Windows Vista. It also cannot be accessed from safe mode as long as there is at least one additional local administrator account.
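
The "last successful logon and failed attempts since" display from the Group Policy item above, as an added example that is not Microsoft's code: it computes, from constructed audit lines in an invented format (not Windows event-log records), what a user would see at their most recent successful logon, and adds a simple defender's threshold check on the failure count. Only the counting rule is taken from the page; everything else is an assumption of this example.

```python
import re
from collections import namedtuple
from datetime import datetime

# Added example (not Microsoft's code): a model of the "last successful
# logon / failed attempts since" information, computed from constructed
# audit lines rather than from the Windows event log.

LogonEvent = namedtuple("LogonEvent", "when user success")

# Constructed sample log; the line format is invented for this example.
SAMPLE_LOG = """\
2023-05-01T08:02:11Z LOGON alice SUCCESS
2023-05-01T12:40:05Z LOGON alice FAILURE
2023-05-01T12:40:30Z LOGON alice FAILURE
2023-05-02T09:00:00Z LOGON alice SUCCESS
2023-05-02T17:15:00Z LOGON alice FAILURE
2023-05-02T17:15:20Z LOGON alice FAILURE
2023-05-02T17:15:40Z LOGON alice FAILURE
2023-05-03T08:10:00Z LOGON alice SUCCESS
2023-05-03T08:11:00Z LOGON bob FAILURE
2023-05-03T08:11:30Z LOGON bob FAILURE
2023-05-03T08:12:00Z LOGON carol FAILURE
2023-05-03T08:12:30Z LOGON carol SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) LOGON (\S+) (SUCCESS|FAILURE)$")


def parse_events(text):
    """Parse the constructed log into LogonEvent records, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(LogonEvent(when, m.group(2), m.group(3) == "SUCCESS"))
    return sorted(events, key=lambda e: e.when)


def logon_summary(events, user):
    """What the user sees at their most recent successful logon: the time of
    the previous successful logon and the number of failed attempts with this
    user name between that logon and the current one. None if the user has
    never logged on successfully."""
    mine = [e for e in events if e.user == user]
    successes = [e for e in mine if e.success]
    if not successes:
        return None
    current = successes[-1]
    previous = successes[-2] if len(successes) > 1 else None
    since = previous.when if previous else datetime.min
    failed = sum(1 for e in mine
                 if not e.success and since < e.when < current.when)
    return {
        "previous_success": previous.when.isoformat() if previous else None,
        "failed_since": failed,
    }


def suspicious(summary, threshold=3):
    """Defender's check: flag when failures since the last logon reach the threshold."""
    return summary is not None and summary["failed_since"] >= threshold


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for u in ("alice", "bob", "carol"):
        s = logon_summary(evts, u)
        print(u, s, "SUSPICIOUS" if suspicious(s) else "")
```

The count is bounded by the previous successful logon on purpose: failures older than that were already shown to the user at that earlier logon, so repeating them would hide a fresh burst of guesses behind old noise.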
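
The reason a low-integrity Protected-Mode browser can write to the Temporary Internet Files folder but not to the rest of the user's profile or registry hive is the integrity level "no write up" rule. The following is an added example, not Windows code: a simplified model of that rule in which integrity labels are a dict of constructed paths and registry keys for a hypothetical user, unlabelled objects default to Medium (an assumption of the model), and discretionary ACL checks are left out. Real labels live in the object's security descriptor and are enforced by the kernel.

```python
from enum import IntEnum

# Added example (not Microsoft's code): a simplified model of the Windows
# integrity-level "no write up" rule that Protected Mode relies on.
# Labels, paths and the policy check are constructed for illustration.


class Integrity(IntEnum):
    UNTRUSTED = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SYSTEM = 4


# Assumption of this model: objects without an explicit label are Medium,
# the level of an ordinary user's own files and keys.
DEFAULT_OBJECT_LEVEL = Integrity.MEDIUM

# Constructed labels for a hypothetical user profile "alice".
SAMPLE_LABELS = {
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low": Integrity.LOW,
    r"C:\Users\alice\Documents\notes.txt": Integrity.MEDIUM,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": Integrity.MEDIUM,
}


def object_level(obj, labels=SAMPLE_LABELS):
    """Label of an object, falling back to the default for unlabelled ones."""
    return labels.get(obj, DEFAULT_OBJECT_LEVEL)


def write_allowed(subject, obj, labels=SAMPLE_LABELS):
    """No-write-up: a subject may modify an object only at or below its own level.
    (The discretionary ACL would still be checked afterwards; omitted here.)"""
    return subject >= object_level(obj, labels)


def attempt_writes(subject, objs, labels=SAMPLE_LABELS):
    """Evaluate a list of write attempts; returns {object: allowed}."""
    return {o: write_allowed(subject, o, labels) for o in objs}


if __name__ == "__main__":
    targets = list(SAMPLE_LABELS) + [r"C:\Users\alice\Desktop\unlabelled.txt"]
    for level in (Integrity.LOW, Integrity.MEDIUM):
        print(f"--- process at {level.name} ---")
        for obj, ok in attempt_writes(level, targets).items():
            print(("ALLOW " if ok else "DENY  ") + obj)
```

The model makes the containment property visible: a Low process, even one running code that has been exploited, can only persist its output into objects explicitly labelled Low, and a startup registry key or a document in the profile stays out of reach because it sits at Medium.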

References

  1. Steve Lipner, Michael Howard (March 2005). "The Trustworthy Computing Security Development Lifecycle". Microsoft Developer Network. Retrieved 2006-02-15.
  2. Charles (2007-03-05). "UAC - What. How. Why" (video). Retrieved 2007-03-23.
  3. "Windows Vista Beta 2 BitLocker Drive Encryption Step-by-Step Guide". Microsoft TechNet. 2005. Retrieved 2006-04-13.
  4. "Windows Trusted Platform Module Management Step-by-Step Guide". TechNet. Microsoft. Retrieved 18 November 2014.
  5. "Win32_Tpm class". MSDN. Microsoft. Retrieved 18 November 2014.
  6. "TPM Base Services". MSDN. Microsoft. Retrieved 18 November 2014.
  7. The January 2006 issue of The Cable Guy covers the new features and interfaces in Windows Firewall in greater detail.
  8. "Step-By-Step Guide to Controlling Device Installation Using Group Policy". MSDN. Microsoft. 11 May 2010.
  9. "Managing Hardware Restrictions via Group Policy". TechNet Magazine. Microsoft. 8 September 2016.
  10. Howard, Michael (May 26, 2006). "Address Space Layout Randomization in Windows Vista". MSDN. Microsoft. Archived from the original on May 29, 2006. Retrieved March 20, 2023.
  11. "Security advancements in Windows Vista". Archived from the original on 2007-04-11. Retrieved 2007-04-10.
  12. "Output Content Protection and Windows Vista". WHDC. Microsoft. April 27, 2005. Archived from the original on 6 August 2005. Retrieved 2006-04-30.
  13. Protected Processes in Windows Vista
  14. "Windows Vista Security and Data Protection Improvements – Windows Service Hardening". TechNet. Microsoft. June 1, 2005. Retrieved 2006-05-21.
  15. Impact of Session 0 Isolation on Services and Drivers in Windows Vista covers Windows Vista's session isolation changes.
  16. AuthIP in Windows Vista
  17. The Cable Guy: Wireless Single Sign-On
  18. EAPHost in Windows
  19. Field, Scott (August 11, 2006). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. MSDN Blogs. Retrieved August 12, 2006.
  20. "Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista". WHDC. Microsoft. May 19, 2006. Archived from the original on April 12, 2006. Retrieved May 19, 2006.
  21. Windows LSA Secrets
  22. An update is available that enables the support of Enhanced Storage devices in Windows Vista and in Windows Server 2008
  23. Kerberos Enhancements in Windows Vista: MSDN
  24. TLS/SSL Cryptographic Enhancements in Windows Vista
  25. Using Software Restriction Policies to Protect Against Unauthorized Software
  26. Windows Vista Management features
  27. CNET (2007). "Windows Vista Ultimate Review". Retrieved 2007-01-31.
  28. "SPAP Deprecation (PStore)". Archived from the original on 2008-04-21. Retrieved 2007-04-17.