Windows Vista security settings

Microsoft's release of Windows Vista is here, and network administrators need to begin considering deployment details. A major area of interest is the improved security features in Vista. Microsoft recently released the Windows Vista Security Guide, which provides network administrators with the information they need to begin developing security strategies for Vista deployments. There has been much discussion lately about the benefits of embedding traditionally standalone security functionality directly into the operating system. Microsoft clearly is a believer in transforming Windows into a security platform, and the initial release of Vista is a step in that direction.

The recently released Windows Vista Security Guide provides much-needed detail regarding suggested security settings for devices running Vista. It also calls out the limitations of each security feature and emphasizes the need for additional security products where appropriate. (This is especially significant given recent statements by Microsoft's co-president, Jim Allchin, who suggested that it would be safe to run Vista with no additional third-party AV products.) Perhaps most important for network administrators, Microsoft also released an accompanying script for simplifying the setting of appropriate security configurations.

Microsoft's new Windows operating system has been five years in the making. Part of the reason the project took so long was that expectations for security have changed considerably since the last full update to Windows. Microsoft has done a significant amount of work in both hardening Vista and incorporating traditionally standalone threat-protection capabilities directly into the operating system. The result is a product that by all early accounts is head and shoulders above its predecessors with regard to security. To its credit, the new Vista security guide makes clear the often-painful tradeoffs between security and functionality.

Microsoft has released a scripting tool that allows network administrators to automatically create the group policy objects needed to apply the appropriate security policy to each end user and device. This is a significant enhancement from Windows XP, which required the use of cumbersome security templates to set security configurations. Templates will still be required for standalone computers, but networked computers that are joined to a domain using Active Directory will be able to use the scripting tool once an organizational unit (OU) structure has been created. (OUs are containers that hold objects -- e.g., users, devices -- their attributes, and rules in Active Directory.)

As has been well documented, the anti-malware support in Vista is extensive. It should be noted that Windows Defender (anti-spyware) and Windows Firewall (host-based, incoming, and outgoing traffic filtering) are configured to be turned on by default, while Malicious Software Removal Tool, which is designed primarily for consumers, runs more like an application and needs to be activated by the end user. Microsoft recommends the use of a "full antivirus solution" in addition to these tools.

Vista will also include the Windows Security Center, which will run (by default) in the background and constantly check and report on the security status of the device. Checks will include firewall, automatic updates, malware protection, IE settings, and user account control settings. Microsoft has significantly enhanced its ability to control user privileges. For example, Vista does not natively support the old Power Users group. Standard users will now be allowed to perform many of the mundane tasks that previous versions of Windows required admin rights to accomplish.

Vista includes several important data-protection features. These are BitLocker Drive Encryption, Encrypting File System, Rights Management Services, and device control. BitLocker encrypts the entire Windows volume to prevent unauthorized users from cracking Windows files or systems protections, and it supports the Trusted Computing Group's Trusted Platform Module for additional protection of user data. The Encrypting File System, which encrypts files and folders, now supports the storage of user keys and recovery keys on smart cards, as well as broader support of user certificates and keys. Rights Management Services provides on-the-fly encryption of sensitive emails, documents and Web content based on corporate policy. The device control feature allows Vista to restrict the use of hardware such as removable storage devices.

Microsoft missed the opportunity to broaden the security discussion a bit by including a discussion of Vista support for both Network Access Protection (NAP) and CardSpace, formerly known as InfoCard. Both these topics would have been useful and appropriate for this document. A still contentious aspect of the upcoming release of Vista from a security point of view is Microsoft's refusal to open up the Vista kernel to third-party security providers. The Windows Vista Security Guide makes it clear that end users should continue to employ anti-malware products even though Vista delivers much-improved security compared with previous versions of Windows. Microsoft is not, however, offering third-party security providers the same level of access to its core code as it did with previous versions of Windows.

About the author: Andrew Braunberg's main responsibility as a senior analyst in the Information Security module at Current Analysis is tracking the identity management and security management market segments. Before joining Current Analysis, Andrew was a journalist covering information technology in the defense and telecommunications sectors. He holds an M.A. in science, technology and public policy from George Washington University, and a B.S. in engineering physics from Rensselaer Polytechnic Institute.