Vista RTM observations

Windows Vista was released to manufacturing on 8 November. Volume licensing release is expected at the end of this month; consumer release is in January 2007. The structural improvements are substantial; the deployment trajectory will be visible across the next several years.

This is a longer post because the structural significance is larger than any single product release.

What is in Vista

Three architectural changes that matter most from a security perspective.

User Account Control (UAC). Vista introduces the strongest user-privilege separation Windows has ever shipped. Specific operations that previously required administrator rights now produce UAC prompts; specific user-level operations that should not require administrator rights now run without escalation. The cumulative architectural shift is substantial.

The trade-off is real. UAC produces user-experience friction that some users find annoying; specific applications that were written assuming administrator rights now produce prompts. The cumulative cost is bounded; the security benefit is meaningful.

Address Space Layout Randomisation (ASLR). Vista randomises the memory layout of running processes. Specific exploitation techniques that depend on predictable memory addresses are disrupted; the cumulative attack surface for buffer-overflow exploitation shrinks substantially.

ASLR is not new (OpenBSD, Linux PaX/grsecurity have had ASLR for years), but Vista is the first mainstream Windows release with comprehensive ASLR coverage. The specific deployment matters.

Mandatory Integrity Control. Vista implements integrity levels — specific processes run at specific integrity levels; specific resources are protected at specific integrity levels; processes cannot modify resources at higher integrity levels than their own. Combined with UAC and Internet Explorer's protected mode, the integrity-control mechanism produces meaningful structural compartmentalisation.

The cumulative architectural shift is the largest single security improvement in any Windows release I have observed.

What else is in Vista

Various smaller changes that collectively matter:

Improved kernel patch protection (PatchGuard). Specific kernel modifications by third-party software (rootkits, malware, but also some legitimate security tools) are restricted. The trade-off is real — specific legitimate tools have been disrupted — but the cumulative security benefit is meaningful.

Improved networking-stack security. Specific TCP/IP stack hardening; better default behaviours; specific architectural improvements. The cumulative network-attack surface is reduced.

Better default firewall. Vista's firewall filters both inbound and outbound traffic; specific rules are configurable through Group Policy; the cumulative defensive posture is improved.

Improved automatic-update infrastructure. Patch deployment is more reliable; specific update categories are clearer; the cumulative patching discipline is supported.

Internet Explorer 7's protected mode. IE 7 on Vista runs at low integrity level; specific compromise of IE has bounded impact on the host.

BitLocker drive encryption. Specific Vista versions include full-disk encryption. The cumulative protection for stolen or lost devices is meaningful.

The cumulative effect is the largest single change in Windows security architecture across multiple releases.

What is not in Vista

Some specific limitations worth being explicit about.

Significant application-compatibility friction. Specific older applications that worked fine under XP do not work under Vista. The cumulative migration cost across enterprise application portfolios is substantial.

Specific performance overhead. Vista is more resource-intensive than XP; specific older hardware does not run Vista well. The cumulative hardware-refresh cost across enterprise estates is meaningful.

The trustworthy-execution chain is still bounded. Specific hypervisor-level rootkits operate beneath Vista's mechanisms; specific hardware-level compromise techniques are not addressed. The cumulative protection is bounded by the lowest-level trust assumption.

Specific user-experience friction. UAC prompts annoy specific users; specific defaults are more conservative than some users prefer. The cumulative friction is real; specific organisations will configure away from the defaults.

These are predictable limitations rather than failures. The cumulative trajectory is still positive.

What this means for operators

For organisations running Windows infrastructure:

Deployment planning matters substantially. Vista is a much larger change than XP SP2; specific application-compatibility testing is critical; specific staged rollout is necessary. The deployment timeline for most organisations will be 12-24 months.

Hardware refresh is often necessary. Specific older machines do not run Vista; specific replacement is required. The cumulative refresh cost is non-trivial.

Application portfolio review is necessary. Specific applications need updating or replacing; specific vendor compatibility statements need reviewing; specific custom applications may need modification.

User communication and training matter. The user-experience changes are substantial; specific communication ahead of deployment reduces support load.

The XP long-tail will be substantial. Specific organisations will defer Vista deployment; specific applications will remain XP-only for years; the cumulative XP deployment will continue producing security exposure for years.

For organisations considering Vista timing:

Wait for SP1 if possible. Major Windows releases typically have substantial issues at initial release; SP1 (likely mid-to-late 2007) will produce more deployable software. The trade-off is bounded; deployment in early-to-mid 2008 is structurally rational for most enterprise estates.

Specific early-adopter benefits. Specific organisations with strong testing capability and high security requirements may benefit from earlier deployment. The decision is per-organisation; the structural pattern is to wait.

What this means structurally

Three observations.

The Trustworthy Computing trajectory continues to deliver. Vista is the most substantive single product release in the trajectory since the memo from 2002. The cumulative cultural and architectural shift at Microsoft has produced operationally significant improvements.

The cumulative platform-security improvement is structural. Specific exploitation techniques that worked against XP do not work against Vista; specific subsequent exploitation development must address Vista's architectural improvements. The cumulative defensive trajectory matters more than any single feature.

The Windows XP long-tail problem will continue. Specific organisations will run XP for years; specific applications will require XP for years; specific cumulative security exposure will continue. The structural problem is bounded but persistent.

The net trajectory is positive. Vista's architectural improvements will produce measurable improvement in the broader Windows security landscape over the next several years.

What I am paying attention to

Three things over the next 12 months.

Specific Vista vulnerabilities and how Microsoft handles them. Specific issues will emerge; the cumulative response cadence will be informative.

Cumulative deployment rate across enterprise and consumer estates. Specific deployment metrics will be visible; the trajectory will inform structural assessments.

Specific impact on the broader threat landscape. Specific worm propagation, specific exploitation patterns, specific malware effectiveness — all will be affected by Vista deployment over time.

What I am doing

For my own infrastructure: Vista on the test machine; production hosts will follow the standard cadence (deploy after SP1; deploy after specific application compatibility is verified; deploy in phases).

For Gala Coral: Vista deployment planning is in progress for 2007. Specific application-compatibility testing has started; specific user communication is being prepared.

For client work where I have advisory roles: standard advice — plan deployment, test compatibility, communicate with users, wait for SP1 if possible. The general patterns are consistent across organisations.

More as the trajectory develops.
