[Leaplist] Microsoft NT 6.0 (Vista) technical realities --
WAS: ignorance-based FUD
Carter Manucy
carter at carter.cc
Thu Dec 28 19:23:04 EST 2006
Bryan Smith wrote:
> Facts:
>
> 1. In all NT 5 releases (5.0=2000, 5.1=XP/2003), hardware driver signing
> is an option; its enforcement is just optional.
>
> 2. In all NT 5 releases, software signing is an option; its
> enforcement is rather pathetic (.inst is "click through", .exe is "manual
> right-click").
>
> 3. In all forthcoming NT 6 releases (Vista, "Longhorn Server", etc.), #1 and #2
> will become required defaults with fewer options to disable and better
> enforcement.
>
> 4. To obtain a key for signing, you have to pay for a signing key
> with a select CA, and also deal with Microsoft.
I'd like a little further clarification on #3. From what I understand,
there will be no way to disable the Kernel Patch Protection (KPP) in
64-bit Vista for driver signing. From what I understand, Microsoft only
did this in the 64-bit version because they wanted to 'start fresh' with
this KPP and keep the kernel clean (vs. how it'd been violated six ways to
Sunday in previous versions). So the 64-bit version is becoming "the
line" that future versions of Windows will build off of, and perhaps some
day take it even further to lock it down completely.
Obviously KPP will have some workarounds (there are already known hacks to
kill it), but it will stop the main channel vendors from hooking the
kernel with their software/drivers, thereby possibly de-stabilizing the OS
- at the same time giving Microsoft the flexibility to change the kernel
without notice (which they haven't been able to do in ... forever?).
But again, I don't believe all of this added functionality is available in
the 32-bit version of Vista. From what I understand, all you really have
in Vista (32-bit) over XP is some fancy new GUI, everything re-arranged on
the desktop, and malware protection built in. Whoopee! And oh yeah,
BitLocker.
-Carter