Security Improvements

• Windows Vista SP1 includes all previously released Security Bulletin fixes which affect Windows Vista.
   
• SP1 includes Secure Development Lifecycle process updates, where Microsoft identifies the root cause of each security bulletin and improves our internal tools to eliminate code patterns that could lead to future vulnerabilities.
   
• Data Execution Protection (DEP) is a memory-protection feature available beginning with Windows XP and Server 2003. SP1 improves security with a new set of Win32 APIs to allow programmatic control over a process's DEP policy. This will provide application developers with finer control on a process's DEP settings for security, testability, compatibility, and reliability.
   
• Improves the trustworthiness of data presented in Windows Security Center (WSC) by ensuring that only authenticated security applications can communicate with WSC.
   
• Improves security on wired networks by enabling single sign on (SSO) for authenticated wired networks. The single sign on experience presents the user with a single point of credential entry rather than being double prompted for local and network logon.
   
• The cryptographic random number generation is improved to gather seed entropy from more sources, including a Trusted Platform Module (TPM) when available, and replaces the general purpose pseudo-random number generator (PRNG) with an AES-256 counter mode PRNG for both user and kernel mode.
   
• Improves security in smart card scenarios:
  • Introduction of a new PIN channel to securely collect smart card PINs via a PC. This new capability mitigates a number of attacks that today would require using an external PIN reader to prevent.
  • Enables smart cards that use biometric authentication instead of a PIN.
     
• Improves security over Teredo interface by blocking unsolicited traffic by default. This has already been addressed in a Security Update for Windows Vista (KB935807).
   
• Improves BitLocker Drive Encryption by offering an additional multi-factor authentication method that combines a key protected by the TPM (Trusted Platform Module) with a Startup Key stored on a USB storage device and a user-generated Personal Identification Number (PIN).
   
• Enhanced the BitLocker encryption support to volumes other than bootable volumes in Windows Vista (for Enterprise and Ultimate SKUs).
   
• Enables a standard user to invoke the CompletePC Backup application, provided that user can supply administrator credentials. Previously, only administrators could launch the application.
   
• The Remote Desktop client in Windows Vista SP1 provides user interface improvements for user and server authentication. The RDP client streamlines the multiple steps end users must follow to providing their credentials to Windows Server 2003 (or earlier) Terminal Servers, and simplifies the management of previously saved credentials.