Tactical Advice

Securing the Sidebar

Understanding and addressing security issues with one of Vista's new features.
This story appears in the September 2007 issue of BizTech Magazine.

One of the whiz-bang features of Windows Vista is the Sidebar. It is a vertical bar on the side of the display that can contain a variety of tools and applets. You can configure it to only show on the actual Windows Desktop or to always be displayed alongside the applications you are running. You can include a clock, your local weather, a notepad, your RSS feeds, photos, a calendar and more. There are currently more than 1,300 Sidebar Gadgets available on the Windows Live Gallery. Only about six Sidebar Gadgets fit on one screen, but the Vista Sidebar lets you flip through multiple pages if you exceed the original Sidebar real estate.

The Sidebar Gadgets are just little HTML- or XML-enabled applets. Part of the nature of applets such as these is that they are developed by a variety of organizations and individuals. Some are well-written and professionally done; others are rudimentary and rough around the edges.

Sidebar Security Issues

Earlier this year Microsoft addressed issues with Vista Sidebar Gadgets, which could have been exploited to execute remote code on vulnerable systems. Security Bulletin MS07-048 (www.microsoft.com/technet/security/bulletin/MS07-048.mspx), and the patch associated with it, were aimed at correcting the flaw to protect Vista users. Microsoft has also published guidelines, titled Inspect Your Gadget (msdn2.microsoft.com/en-us/library/bb498012.aspx), to help developers create Gadgets securely.

Because it’s active code, all Sidebar Gadgets represent a potential security hole. Without knowing more about the individuals or organizations developing them, you need to take steps to ensure you are protected.

The first step to ensuring you use Sidebar Gadgets that are stable and secure is to review the user feedback. Gadgets on the Windows Live Gadget Gallery can be rated from one to five stars. Gadgets that are unstable will be ranked low by users. Reviewing the ranking of a Gadget and the number of times it was downloaded can help you find the ones that are user-tested and approved. One more word of advice: Look at how many users have ranked a Gadget. It may have five stars, but if it only has one review that gave it five stars, it is not as credible as a Gadget with four stars that has been reviewed and ranked by hundreds of users.

Vista Security Measures

With Windows Vista, Microsoft implemented a variety of new security controls. These controls also apply to Sidebar Gadgets and will help protect the user and the operating system from potential malicious activity. Again, Gadgets are just mini HTML- or XML-enabled applications, so Vista treats them like any other code installed from the Internet.

The actual Sidebar code, Sidebar.exe, runs in the context of the logged-in user. It has Medium integrity and no virtualization, and DEP (data execution prevention) is enabled. Sidebar Gadgets receive the same security scrutiny as other applications. They are protected by DEP, locked down by parental controls and scanned by Windows Defender.

Even during the initial installation of a Sidebar Gadget, Microsoft does its part to make sure the user is well aware of the risks. With UAC (User Account Control), the user receives at least three and possibly as many as five (if the Sidebar Gadget code is unsigned) warning messages before the installation is complete.

Here are some examples of warning messages

Managing Sidebar Gadget Security

Understanding the potential issues with Vista Sidebar Gadget security and taking the time to read Vista’s warning messages may work well for individuals, but organizations may wish to exert some control over how users can download and install Vista Sidebar Gadgets. Thankfully, there are four GPO (Group Policy Object) settings that can be used to lock down the Vista Sidebar.

  1. Turn off Windows Sidebar: Using this GPO setting, an administrator can disable the Sidebar altogether for users, preventing them from using Sidebar Gadgets at all.
  2. Disable unpacking and installation of gadgets that are not digitally signed. Software that is digitally signed provides some validity as to its source and the integrity of the code. With this GPO setting, an administrator can ensure that users do not install Sidebar Gadgets that are not digitally signed. Enabling this policy will not, however, disable or remove any Sidebar Gadgets that have already been downloaded and installed. Sidebar Gadgets without digital signatures that users have previously installed will continue to function.
  3. Turn off user-installed Windows Sidebar Gadgets. Administrators can allow Sidebar Gadgets but restrict access so users can only use designated acceptable Sidebar Gadgets. With this GPO setting, Gadgets found in the users’ personal directory will not be displayed in the Gadget Gallery and will be disabled. Administrators can designate acceptable Sidebar Gadgets by placing them into the Shared Gadgets folder, which can only be modified by members of the Administrator group.
  4. Override the More Gadgets link. The Gadget Gallery shows the available Sidebar Gadgets but also has a link to Get More Gadgets Online, which connects the user with a Microsoft Web site where hundreds of Sidebar Gadgets from a variety of sources can be reviewed and downloaded. With this setting, an administrator can override the link and redirect users to an internal site where approved Sidebar Gadgets are available, or to a static Web screen letting users know that downloading and installing unapproved Sidebar Gadgets is against security policy.

The bottom line is that Vista Sidebar Gadgets may, in fact, be insecure, and Sidebar Gadget vulnerabilities could potentially be exploited to hijack or compromise a Windows Vista system. However, it is not the Vista Sidebar itself that is insecure. Sidebar Gadgets are just applications and are no more or less secure than other applications. Organizations need to assess the stability and security of Sidebar Gadgets just as they would other applications deployed to the desktop. Using these GPO settings, administrators can manage if and how Sidebar Gadgets are employed and exert some control to enforce security policy and protect the desktops on the network.

Tony Bradley, a Microsoft MVP (Most Valuable Professional) in Windows Security, is a computer security consultant with BT INS in Houston, Texas, and author of Essential Computer Security.
Sign up for our e-newsletter

Security

Three Ways to Integrate Fire... |
Follow these tips to align the devices with log management and incident tracking systems.
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...