Windows Vista Security Guide
Welcome to the WindowsVistaSecurity Guide. This guide provides instructions and recommendations to help strengthen the security of desktop and laptop computers running Windows Vista in a domain with the Active Directory directory service.
In addition to the solutions that the Windows Vista Security Guide prescribes, the guide includes tools, step-by-step procedures, recommendations, and processes that significantly streamline the deployment process. Not only does the guide provide you with effective security setting guidance, it also provides a reproducible method that you can use to apply the guidance to both test and production environments.
The key tool that the Windows Vista Security Guide provides for you is the GPOAccelerator.wsf script. The tool enables you to run a script that automatically creates all the Group Policy objects (GPOs) you need to apply this security guidance. The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.
Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:
Consultants and system engineers develop best practices for the implementation of Windows Vista, Windows XP Professional, Windows Server 2003, and Windows 2000 in a variety of environments. If you are evaluating Windows Vista for your environment, the Windows Vista Hardware Assessment solution accelerator can help organizations determine the readiness of their computers to run the Windows Vista operating system. This tool quickly inventories computers, identifies the supported Windows Vista experience, and recommends specific hardware and device driver upgrades as appropriate.
Microsoft has published guides for both Windows XP with Service Pack 1 (SP1) and Windows XP with SP2. This guide references significant security enhancements in Windows Vista. The guide was developed and tested with computers running Windows Vista joined to a domain that uses Active Directory, as well as with stand-alone computers.
Note All references to Windows XP in this guide refer to Windows XP with SP2 unless otherwise stated.
On This Page
Whatever your environment, you are strongly advised to take security matters seriously. Many organizations underestimate the value of information technology (IT). If an attack on the servers in your environment is severe enough, it could significantly damage the entire organization. For example, if malware infects the client computers on your network, your organization could lose proprietary data, and experience significant overhead costs to return them to a secure state. An attack that makes your Web site unavailable also could result in a major loss of revenue or customer confidence.
Conducting a security vulnerability, risk, and exposure analysis informs you of the tradeoffs between security and functionality that all computer systems are subject to in a networked environment. This guide documents the major security-related countermeasures that are available in Windows Vista, the vulnerabilities that the countermeasures help address, and the potential negative consequences (if there are any) related to implementing each countermeasure.
This guide builds on the Windows XP Security Guide, which provides specific recommendations about how to harden computers running Windows XP with SP2. TheWindows Vista Security Guide provides recommendations to harden computers that use specific security baselines for the following two environments:
The organization of the guide enables you to easily access the information that you require. The guide and its associated tools help you to:
Although this guide is designed for enterprise customers, much of the guidance is appropriate for organizations of any size. To obtain the most value from this material, you will need to read the entire guide. However, it is possible to read individual portions of the guide to achieve specific aims. The "Chapter Summary" section in this overview briefly introduces the information in the guide. For further information about the security topics and settings that related to Windows XP, see Windows XP Security Guide and the companion guide, Threats and Countermeasures.
Who Should Read This Guide
The Windows Vista Security Guide is primarily for IT generalists, security specialists, network architects, and other IT professionals and consultants who plan application or infrastructure development and deployments of Windows Vista for both desktop and laptop client computers in an enterprise environment. The guide is not intended for home users. This guide is for individuals whose job roles include the following:
Note Users who want to apply the prescriptive guidance in this guide must, at a minimum, read and complete the steps to establish the EC environment in Chapter 1, "Implementing the Security Baseline."
Skills and Readiness
The following knowledge and skills are required for the intended audience of this guide, who develop, deploy, and secure client computers running Windows Vista in enterprise organizations:
The primary purposes of the guide are to enable you to:
The guide is designed to enable you to use only the relevant parts of it to meet the security requirements of your organization. However, readers will gain the most benefit by reading the entire guide.
This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.
Client computers in the EC environment can run either Windows XP or Windows Vista. However, the computers that manage these clients computers on the network must run Windows Server 2003 R2 or Windows Server 2003 with SP1. Client computers in the SSLF environment can only run Windows Vista.
The guide only includes the security settings available in the operating system that it recommends. For a thorough discussion of all the security settings in Windows Vista, refer to the companion guide, Threats and Countermeasures.
The Windows Vista Security Guide consists of five chapters, and an appendix that you can use to reference setting descriptions, considerations, and values. The Windows Vista Security Guide Settings.xls file that accompanies this guide provides another resource that you can use to compare the setting values. The following figure shows the guide structure to help inform you how to optimally implement and deploy the prescriptive guidance.
The overview states the purpose and scope of the guide, defines the guide audience, and indicates the organization of the guide to assist you in locating the information relevant to you. It also describes the tools and templates that accompany the guide, and the user prerequisites for the guidance. Brief descriptions follow for each chapter and the appendix in the guide.
Chapter 1: Implementing the Security Baseline
This chapter identifies the benefits to an organization of creating and deploying a security baseline. The chapter includes instructions and processes to implement the EC baseline settings and security guidance.
To accomplish this, the chapter includes instructions that explain how to use the GPOAccelerator.wsf script in combination with the GPMC to create, test, and deploy organizational units (OUs) and GPOs to establish this environment. The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.
Chapter 2: Defend Against Malware
This chapter provides recommendations to take advantage of new security features and enhanced existing ones in Windows Vista to help protect client computers and corporate assets against malware, which includes viruses, worms, and Trojan horses. It includes information about how to most effectively use the following technologies in the operating system:
In addition, the chapter includes the following information about Internet Explorer 7 security technologies:
Chapter 3: Protect Sensitive Data
This chapter provides recommendations and best practice information about how to help protect data using encryption and access control technologies in Windows Vista. These technologies are especially relevant to mobile computing environments in which the potential of a device running Windows Vista to be lost or stolen is relatively higher.
The content in the chapter includes information about how to most effectively use the following technologies in Windows Vista:
Chapter 4: Application Compatibility
This chapter provides recommendations on how to use new and enhanced security features and settings in Windows Vista without compromising the functionality of existing applications in your environment. The content in this chapter:
Chapter 5: Specialized Security – Limited Functionality
This chapter includes an explanation of the SSLF environment and the broad differences between it and the EC environment. The chapter provides instructions and processes to implement the SSLF baseline settings and security guidance. The chapter includes instructions that explain how to use a script to leverage the GPMC to create, test, and deploy OUs and GPOs to establish this environment.
The guidance in this chapter enables you to establish the SSLF environment, which is distinct from the EC environment described in Chapter 1, "Implementing the Security Baseline." The guidance in this chapter is for high security environments only and is not a supplement to the guidance in Chapter 1.
Appendix A: Security Group Policy Settings
The appendix includes descriptions and tables that detail the prescribed settings in the EC and SSLF security baselines for the guide. The appendix describes each setting and the reason for its configuration or value. The appendix also indicates setting differences between Windows Vista and Windows XP.
Guidance and Tools
This solution accelerator includes several files, such as the Windows Vista Security Guide.doc, Appendix A of the Windows Vista Security Guide.doc, the Windows Vista Security Guide Settings.xls, and the GPOAccelerator tool to help you easily implement the guidance. After downloading the Windows Vista Security Guide solution accelerator from the Microsoft Download Center, use the Microsoft Windows Installer (.msi) file to install these resources on your computer in a location of your choice.
Note When you start the Windows Vista Security Guide installation, the GPOAccelerator tool is selected by default to install with the other guidance that accompanies this tool. To use this tool requires administrative privileges. The default location for the solution accelerator installation is your Documents folder. The installation places a shortcut to the guide that opens the Windows Vista Security Guide folder.
You can use the Group Policy Management Console (GPMC) to apply the tools and templates for either of the security baselines defined in the guide. The "Implementing the Security Baseline" and "Specialized Security – Limited Functionality" chapters describe the procedures you can use to accomplish these tasks.
This guide uses the following style conventions.
Table 1.1 Style Conventions
The following links provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide:
Support and Feedback
The Solution Accelerators – Security and Compliance (SASC) team would appreciate your thoughts about this and other solution accelerators.
Please contribute comments to the Discussions in Security newsgroup on the Windows Vista Help and Support Web site.
Or e-mail your feedback to: firstname.lastname@example.org.
We look forward to hearing from you.
The Solution Accelerators – Security and Compliance (SASC) team would like to acknowledge and thank the team that produced the Windows Vista Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.
Authors and Experts
Richard Harrison, Content Master Ltd
David Coombes, Content Master Ltd
Jim Captainino, Content Master Ltd
Richard Hicks, QinetiQ
Vikrant Minhas, Infosys Technologies Ltd
Sumit Parikh, Infosys Technologies Ltd
Dharani Mohanam, Infosys Technologies Ltd
Swapna Jagannathan, Infosys Technologies Ltd
Prashant Japkar, Infosys Technologies Ltd
John Cobb, Wadeware LLC
Jennifer Kerns, Wadeware LLC
Steve Wacker, Wadeware LLC
Audrey Centola, Volt Information Sciences
Neil Bufton, Content Master Ltd
Kevin Leo, Excell Data Corporation
Contributors and Reviewers
Charles Denny, Ross Carter,
Derick Campbell, Chase Carpenter
Karl Grunwald, Mike Smith-Lonergan
Don Armstrong, Bob Drake
Eric Fitzgerald, Emily Hill
George Roussos, David Abzarian
Darren Canavor, Nils Dussart
Peter Waxman, Russ Humphries
Sarah Wahlert, Tariq Sharif
Ned Pyle, Bomani Siwatu
Kiyoshi Watanabe, Eric Lawrence
David Abzarian, Chas Jeffries
Vijay Bharadwaj, Marc Silbey
Sean Lyndersay, Chris Corio
Matt Clapham, Tom Daemen
Sanjay Pandit, Jeff Williams
Alex Heaton, Mike Chan
Bill Sisk, Jason Joyce
Mehul Mediwala, Infosys Technologies Ltd
In This Article