A secure Windows Vista?

There are quite a few "live" installations Linux that can run directly
from a CD or DVD, it seems Microsoft could "do no wrong" by creating an
unalterable, dare I say "secure" version of Windows Vista that could
run without a hard drive.

Even if such a 'creature' could be created to use a minimal amount of
hard drive space, it seems this would prevent viruses from infecting
*.exe and other types of files. In one fell swoop dozens or hundreds
of potential system exploits could be denied before having a chance to
be tested.

This would be in line with Mr. Gates' earlier statements regarding
security being a number one priority at Microsoft.

The early days of computing slow (2x, 4x, 8x) drives and smaller memory
architectures made such a machine impossibly slow to load and run, but
in these days of ultra-fast read ahead caching, front side busing and
dual-channel what-cha-ma-jiggys, a "hard disk-less" workstation seems
viable.

Imagine the tens of thousands of dollars a corporation could save by
performing operating system upgrades by simply swapping out CDs!

~ Dennis C.
11 year support veteran
22 year computer user

How are you going to process automatic updates or service packs? What about
drivers from third parties? Storing configuration settings? Unless you are
planning to burn a new DVD every tuesday, for each workstation in your
company, until the end of time.

But I suppose it would be possible, although unrealistic for all but the
smallest of businesses.

I think Windows continues to get closer and closer of forcing read-only
access to system files with every release. Now that the file system is
required to be NTFS on the system partition, and combined with the new user
account protection, and with the requirement of signed drivers on x64, it is
much, much harder to modify system files or load malicious drivers.

Granted, you can still give a malicious program permission to wipe out your
system ... but at least now you can't blame Windows

- JB

Vista FAQ
http://www.jimmah.com/vista/

"Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
news:B0400A9D-BF3D-4826-9F8E-3A3C05371BE9@microsoft.com...

Quote:

>
> Granted, you can still give a malicious program permission to wipe out
> your system ... but at least now you can't blame Windows
>
> - JB
>
> Vista FAQ
> http://www.jimmah.com/vista/

And yet they will. It is human propensity to not accept self-stupidity for
a dire consequence.

Do you remember when Audi was faced with the "Unintended-acceleration"
issue? The real cause was the pedals were a little close together and
people were hammering the throttle instead of the brake. Do you think you
could tell a parent who had just run over and killed their own child that
they were not able to tell the throttle from the brake? No, you blame
anyone else you can. Human nature at its finest.

Microsoft will be blamed for keyboards not being milk-proof as sure as you
and I breathe, and this will never cease.

But just because something in unalterable doesn't mean it's secure. There's
a million ways to breach security without altering any files at all. Putting
the OS on a read-only drive wouldn't accomplish much of anything in terms of
security. There's still RAM, where all the dirty work happens, and there
still has to be writeable disk storage, where you can store all kinds of
other nasties.

Loading common executables at random locations, as Vista does, certainly
hides many of the vulnerabilities of having those memory locations be widely
known and predictable. Coupling that with hardware DEP in 64-bit processes
certainly helps a lot. And there are plenty of other things Vista has along
those lines that never existed in earlier versions of Windows.

There's no such thing as a 100% secure computer or network. Never will be,
never has been. Even the highest-level top secret government installations
in the world know better than that. That's why they have to run intrusion
detection systems and everything else to secure they're security. Running
Windows Vista from a CD or DVD would do virtually nothing to make their
systems more secure, nor ours.




"Dennis the Nerf Herder" <Dennis the Nerf Herder@discussions.microsoft.com>
wrote in message news:FBE31E08-7B73-469D-AD59-DFEB0D2C942F@microsoft.com...

Quote:

> There are quite a few "live" installations Linux that can run directly
> from a CD or DVD, it seems Microsoft could "do no wrong" by creating an
> unalterable, dare I say "secure" version of Windows Vista that could
> run without a hard drive.
>
> Even if such a 'creature' could be created to use a minimal amount of
> hard drive space, it seems this would prevent viruses from infecting
> *.exe and other types of files. In one fell swoop dozens or hundreds
> of potential system exploits could be denied before having a chance to
> be tested.
>
> This would be in line with Mr. Gates' earlier statements regarding
> security being a number one priority at Microsoft.
>
> The early days of computing slow (2x, 4x, 8x) drives and smaller memory
> architectures made such a machine impossibly slow to load and run, but
> in these days of ultra-fast read ahead caching, front side busing and
> dual-channel what-cha-ma-jiggys, a "hard disk-less" workstation seems
> viable.
>
> Imagine the tens of thousands of dollars a corporation could save by
> performing operating system upgrades by simply swapping out CDs!
>
> ~ Dennis C.
> 11 year support veteran
> 22 year computer user
>

Agreed. Wait (not that long) for malware in the form of hypervisors and
other virtualization technologies that are memory-resident only and leave no
footprint when the system isn't running. We'll see this in the wild in the
next year.

"Alan Simpson" <alan@coolnerds.com> wrote in message
news:8C89A4F5-9632-4FCC-813B-8E76E86F43BE@microsoft.com...

Quote:

> But just because something in unalterable doesn't mean it's secure.
> There's a million ways to breach security without altering any files at
> all. Putting the OS on a read-only drive wouldn't accomplish much of
> anything in terms of security. There's still RAM, where all the dirty work
> happens, and there still has to be writeable disk storage, where you can
> store all kinds of other nasties.
>
> Loading common executables at random locations, as Vista does, certainly
> hides many of the vulnerabilities of having those memory locations be
> widely known and predictable. Coupling that with hardware DEP in 64-bit
> processes certainly helps a lot. And there are plenty of other things
> Vista has along those lines that never existed in earlier versions of
> Windows.
>
> There's no such thing as a 100% secure computer or network. Never will be,
> never has been. Even the highest-level top secret government installations
> in the world know better than that. That's why they have to run intrusion
> detection systems and everything else to secure they're security. Running
> Windows Vista from a CD or DVD would do virtually nothing to make their
> systems more secure, nor ours.

"Jimmy Brush" wrote:

Quote:

> How are you going to process automatic updates or service packs? What about
> drivers from third parties? Storing configuration settings? Unless you are
> planning to burn a new DVD every tuesday, for each workstation in your
> company, until the end of time.

Jimmy, I think that many basic drivers are submitted to Microsoft ahead of
being released with the O.S. or before they are made available to registered
product owners, companies or the public. So Microsoft can evaluate the
dependencies of these drivers (or co-dependencies) and roll-up the driver
into the next Service Pack update.

Is Microsoft talking about doing away with Service Packs in Vista? Sorry if
this question has been asked and answered already. I am a very new forum
member.

Many organizations are already downloading SPs and deploying them across
their enterprises in automated fashions, so it seems to me that physical
disks which could be traded would make tracking deployed copies easier.
Nobody gets a OS disk until they turn in an OS disk, and lost disks require
the end-user to fill out a form.

Someone else replied the OS isn't the only place to hide a virus, and I
understand that, but it seems to be the first place virii tend to get
"injected".

CD/DVD burning technology seems to have caught up with the speed people are
working at these days, and an OS on a disk means not having to physically
take the computer away from the user for 1, 2 or 3 hours to perform updates.
I know this is still happening at some companies because as a temporary
employee I have seen it. Perhaps those companies are doing things the hard
way, but that is what I have seen and it also seems to be inconvenient and
labor intensive (eg. expensive).

> Jimmy, I think that many basic drivers are submitted to Microsoft ahead of

Quote:

> being released with the O.S. or before they are made available to
> registered
> product owners, companies or the public.

Correct, for alot of hardware, Windows ships with a collection of drivers in
the box to support said hardware. However, there will always be legacy
hardware and BRAND new hardware that needs installed. Plus, driver updates
from third parties.

Quote:

> Is Microsoft talking about doing away with Service Packs in Vista? Sorry
> if
> this question has been asked and answered already. I am a very new forum
> member.

No, MS will continue to make service packs.

Quote:

> Many organizations are already downloading SPs and deploying them across
> their enterprises in automated fashions, so it seems to me that physical
> disks which could be traded would make tracking deployed copies easier.
> Nobody gets a OS disk until they turn in an OS disk, and lost disks
> require
> the end-user to fill out a form.

Why go through all the trouble of physical disks when administrators can
click a button from their workstation and upgrade all the computers in their
enterprise simultaniously?

Quote:

> Someone else replied the OS isn't the only place to hide a virus, and I
> understand that, but it seems to be the first place virii tend to get
> "injected".

Enforcing read-only system files would stop this type of attack, where
system files are infected. However, there are many, many more methods of
attack, and stopping this one without addressing the others will simply
cause the malware authors to take advantage of the other flaws.

Quote:

> CD/DVD burning technology seems to have caught up with the speed people
> are
> working at these days, and an OS on a disk means not having to physically
> take the computer away from the user for 1, 2 or 3 hours to perform
> updates.
> I know this is still happening at some companies because as a temporary
> employee I have seen it. Perhaps those companies are doing things the
> hard
> way, but that is what I have seen and it also seems to be inconvenient and
> labor intensive (eg. expensive).

Updates are generally done at night or when the least amount of users are
affected ... what kind of shop were these people running?? In any case, even
if you changed system DVD's while the user was running, they would not get
the benefit of the updates until the computer restarted.

The same thing happens when an update is done when a user is on a computer
but chooses not to restart the computer to make the changes take effect.

As for labor intensive, updates are generally tested on a single computer
and then pushed down to all the computer automatically.

In conclusion, enforcing read-only system files is a great idea and
definately a part of securing a system. However, doing this by using DVD
media as the system drive is not the best solution, IMHO.

- It is labor intensive (someone will always be testing and burning new
images)
- Slow. Sure, DVD-ROM's have high throughput these days, but latency is a
BIG ISSUE here. Think of how long it takes a DVD to spin up, and how long it
takes to go from one part of the DVD to another. Optical media is optimized
for sequential reading, and running an OS from a DVD doesn't fit into this
category. Unless you are planning on having the entire DVD loaded into
memory at the same time?

- JB

Vista FAQ
http://www.jimmah.com/vista/