Windows Vista Security Guide
Welcome to the Windows Vista Security Guide. This guide provides instructions and recommendations to help strengthen the security of desktop and laptop computers running Windows Vista in a domain with the Active Directory directory service.
In addition to the solutions that the Windows Vista Security Guide prescribes, the guide includes tools, step-by-step procedures, recommendations, and processes that significantly streamline the deployment process. Not only does the guide provide you with effective security setting guidance, it also provides a reproducible method that you can use to apply the guidance to both test and production environments.
The key tool that the Windows Vista Security Guide provides for you is the GPOAccelerator.wsf script. The tool enables you to run a script that automatically creates all the Group Policy objects (GPOs) you need to apply this security guidance. The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.
Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:
- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.
Consultants and system engineers develop best practices for the implementation of Windows Vista, Windows XP Professional, Windows Server 2003, and Windows 2000 in a variety of environments. If you are evaluating Windows Vista for your environment, the Windows Vista Hardware Assessment solution accelerator can help organizations determine the readiness of their computers to run the Windows Vista operating system. This tool quickly inventories computers, identifies the supported Windows Vista experience, and recommends specific hardware and device driver upgrades as appropriate.
Microsoft has published guides for both Windows XP with Service Pack 1 (SP1) and Windows XP with SP2. This guide references significant security enhancements in Windows Vista. The guide was developed and tested with computers running Windows Vista joined to a domain that uses Active Directory, as well as with stand-alone computers.
Note All references to Windows XP in this guide refer to Windows XP with SP2 unless otherwise stated.
On This Page
Whatever your environment, you are strongly advised to take security matters seriously. Many organizations underestimate the value of information technology (IT). If an attack on the servers in your environment is severe enough, it could significantly damage the entire organization. For example, if malware infects the client computers on your network, your organization could lose proprietary data, and experience significant overhead costs to return them to a secure state. An attack that makes your Web site unavailable also could result in a major loss of revenue or customer confidence.
Conducting a security vulnerability, risk, and exposure analysis informs you of the tradeoffs between security and functionality that all computer systems are subject to in a networked environment. This guide documents the major security-related countermeasures that are available in Windows Vista, the vulnerabilities that the countermeasures help address, and the potential negative consequences (if there are any) related to implementing each countermeasure.
This guide builds on the Windows XP Security Guide, which provides specific recommendations about how to harden computers running Windows XP with SP2. TheWindows Vista Security Guide provides recommendations to harden computers that use specific security baselines for the following two environments:
- Enterprise Client (EC). Client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003. The client computers in this environment include a mixture: some run Windows Vista whereas others run Windows XP. For instructions about how to test and deploy the EC environment, see Chapter 1, "Implementing the Security Baseline." And for information about the baseline security settings that this environment uses, see Appendix A, "Security Group Policy Settings."
Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The client computers in this environment run only Windows Vista. For instructions about how to test and deploy the SSLF environment, see Chapter 5, "Specialized Security – Limited Functionality." And for information about the SSLF settings that this environment uses, see Appendix A, "Security Group Policy Settings."
The SSLF security settings are not intended for the majority of enterprise organizations. The configuration for these settings has been developed for organizations where security is more important than functionality.
The organization of the guide enables you to easily access the information that you require. The guide and its associated tools help you to:
- Deploy and enable either of the security baselines in your network environment.
- Identify and use Windows Vista security features for common security scenarios.
- Identify the purpose of each individual setting in either security baseline and understand their significance.
Although this guide is designed for enterprise customers, much of the guidance is appropriate for organizations of any size. To obtain the most value from this material, you will need to read the entire guide. However, it is possible to read individual portions of the guide to achieve specific aims. The "Chapter Summary" section in this overview briefly introduces the information in the guide. For further information about the security topics and settings that related to Windows XP, see Windows XP Security Guide and the companion guide, Threats and Countermeasures.
Who Should Read This Guide
The Windows Vista Security Guide is primarily for IT generalists, security specialists, network architects, and other IT professionals and consultants who plan application or infrastructure development and deployments of Windows Vista for both desktop and laptop client computers in an enterprise environment. The guide is not intended for home users. This guide is for individuals whose job roles include the following:
- IT generalist. Users in this role handle security at every level in organizations ranging in size from 50 to 500 client computers. IT generalists focus on securing the computers that they manage quickly and simply.
- Security specialist. Users in this role focus on how to provide security across computing platforms within an organization. Security specialists require a reliable reference guide that addresses the security needs of every level of the organization that also offers proven methods to implement security countermeasures. Security specialists identify security features and settings and then provide recommendations on how their customers can most effectively use them in high risk environments.
- IT operations, help desk, and deployment staff. Users in IT operations focus on integrating security and controlling change in the deployment process, whereas deployment staff focuses on administering security updates quickly. Staff in these roles also troubleshoot security issues related to applications that involve how to install, configure, and improve the usability and manageability of software. They monitor these types of issues to define measurable security improvements and a minimum of impact on critical business applications.
- Network architect and planner. Users in these roles drive the network architecture efforts for computers in their organization.
- Consultant. Users in this role work in organizations ranging in size from 50 to 5,000 or more client computers. IT consultants are aware of many kinds of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.
- Business analyst and business decision maker (BDM). Users in these roles have critical business objectives and requirements that need IT desktop or laptop support.
Note Users who want to apply the prescriptive guidance in this guide must, at a minimum, read and complete the steps to establish the EC environment in Chapter 1, "Implementing the Security Baseline."
Skills and Readiness
The following knowledge and skills are required for the intended audience of this guide, who develop, deploy, and secure client computers running Windows Vista in enterprise organizations:
- MCSE on Windows Server 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.
- In-depth knowledge of the organization’s domain and Active Directory environments.
- Experience with the Group Policy Management Console (GPMC).
- Experience in the administration of Group Policy using the GPMC, which provides a single solution for managing all Group Policy–related tasks.
- Experience using management tools including Microsoft Management Console (MMC), Gpupdate, and Gpresult.
- Experience deploying applications and client computers in enterprise environments.
The primary purposes of the guide are to enable you to:
- Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
- Understand the reasoning for the security setting recommendations in the baseline configurations that are included in the guide, and their implications.
- Identify and consider common security scenarios, and how to use specific security features in Windows Vista to help you manage them in your environment.
The guide is designed to enable you to use only the relevant parts of it to meet the security requirements of your organization. However, readers will gain the most benefit by reading the entire guide.
This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.
Client computers in the EC environment can run either Windows XP or Windows Vista. However, the computers that manage these clients computers on the network must run Windows Server 2003 R2 or Windows Server 2003 with SP1. Client computers in the SSLF environment can only run Windows Vista.
The guide only includes the security settings available in the operating system that it recommends. For a thorough discussion of all the security settings in Windows Vista, refer to the companion guide, Threats and Countermeasures.
The Windows Vista Security Guide consists of five chapters, and an appendix that you can use to reference setting descriptions, considerations, and values. The Windows Vista Security Guide Settings.xls file that accompanies this guide provides another resource that you can use to compare the setting values. The following figure shows the guide structure to help inform you how to optimally implement and deploy the prescriptive guidance.
The overview states the purpose and scope of the guide, defines the guide audience, and indicates the organization of the guide to assist you in locating the information relevant to you. It also describes the tools and templates that accompany the guide, and the user prerequisites for the guidance. Brief descriptions follow for each chapter and the appendix in the guide.
Chapter 1: Implementing the Security Baseline
This chapter identifies the benefits to an organization of creating and deploying a security baseline. The chapter includes instructions and processes to implement the EC baseline settings and security guidance.
To accomplish this, the chapter includes instructions that explain how to use the GPOAccelerator.wsf script in combination with the GPMC to create, test, and deploy organizational units (OUs) and GPOs to establish this environment. The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.
Chapter 2: Defend Against Malware
This chapter provides recommendations to take advantage of new security features and enhanced existing ones in Windows Vista to help protect client computers and corporate assets against malware, which includes viruses, worms, and Trojan horses. It includes information about how to most effectively use the following technologies in the operating system:
- User Account Control (UAC)
- Windows Defender
- Windows Firewall
- Windows Security Center
- Malicious Software Removal Tool
- Software Restriction Policies
In addition, the chapter includes the following information about Internet Explorer 7 security technologies:
- Internet Explorer Protected Mode
- ActiveX Opt-in
- Cross-domain scripting attack protection
- Security Status Bar
- Phishing Filter
- Additional security features
Chapter 3: Protect Sensitive Data
This chapter provides recommendations and best practice information about how to help protect data using encryption and access control technologies in Windows Vista. These technologies are especially relevant to mobile computing environments in which the potential of a device running Windows Vista to be lost or stolen is relatively higher.
The content in the chapter includes information about how to most effectively use the following technologies in Windows Vista:
- BitLocker™ Drive Encryption
- Encrypting File System (EFS)
- Rights Management Services (RMS)
- Device control
Chapter 4: Application Compatibility
This chapter provides recommendations on how to use new and enhanced security features and settings in Windows Vista without compromising the functionality of existing applications in your environment. The content in this chapter:
- Outlines potential application compatibility issues.
- Provides two simple procedures you can use to test application compatibility with Windows Vista.
- Includes potential mitigation strategies, configurations, and instructions.
- Recommends other resources you can use to further determine application compatibility with Windows Vista.
Chapter 5: Specialized Security – Limited Functionality
This chapter includes an explanation of the SSLF environment and the broad differences between it and the EC environment. The chapter provides instructions and processes to implement the SSLF baseline settings and security guidance. The chapter includes instructions that explain how to use a script to leverage the GPMC to create, test, and deploy OUs and GPOs to establish this environment.
The guidance in this chapter enables you to establish the SSLF environment, which is distinct from the EC environment described in Chapter 1, "Implementing the Security Baseline." The guidance in this chapter is for high security environments only and is not a supplement to the guidance in Chapter 1.
Appendix A: Security Group Policy Settings
The appendix includes descriptions and tables that detail the prescribed settings in the EC and SSLF security baselines for the guide. The appendix describes each setting and the reason for its configuration or value. The appendix also indicates setting differences between Windows Vista and Windows XP.
Guidance and Tools
This solution accelerator includes several files, such as the Windows Vista Security Guide.doc, Appendix A of the Windows Vista Security Guide.doc, the Windows Vista Security Guide Settings.xls, and the GPOAccelerator tool to help you easily implement the guidance. After downloading the Windows Vista Security Guide solution accelerator from the Microsoft Download Center, use the Microsoft Windows Installer (.msi) file to install these resources on your computer in a location of your choice.
Note When you start the Windows Vista Security Guide installation, the GPOAccelerator tool is selected by default to install with the other guidance that accompanies this tool. To use this tool requires administrative privileges. The default location for the solution accelerator installation is your Documents folder. The installation places a shortcut to the guide that opens the Windows Vista Security Guide folder.
You can use the Group Policy Management Console (GPMC) to apply the tools and templates for either of the security baselines defined in the guide. The "Implementing the Security Baseline" and "Specialized Security – Limited Functionality" chapters describe the procedures you can use to accomplish these tasks.
This guide uses the following style conventions.
Table 1.1 Style Conventions
Signifies characters typed exactly as shown, including commands, switches and file names. User interface elements also appear in bold.
Titles of books and other substantial publications appear initalic.
Placeholders set in italic and angle brackets <filename> represent variables.
Defines code and script samples.
Alerts the reader to supplementary information.
An important note provides information that is essential to the completion of a task.
Alerts the reader to essential supplementary information that should not be ignored.
This symbol denotes specific Group Policy setting modifications or recommendations.
This symbol denotes Group Policy settings that are new to Windows Vista.
The following links provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide:
- Microsoft Windows Security Resource Kit on the Microsoft Learning Web site.
- Microsoft Windows Server 2003 Resource Kit: Special Promotional Edition on the Microsoft Learning Web site.
- The Security Guidance page on Microsoft TechNet®.
- Threats and Countermeasures on TechNet.
- Windows Server 2003 Security Guide on TechNet.
- Windows Vista Readiness Assessment on Microsoft.com.
- Windows XP Professional Resource Kit on TechNet.
- Windows XP Security Guide on TechNet.
Support and Feedback
The Solution Accelerators – Security and Compliance (SASC) team would appreciate your thoughts about this and other solution accelerators.
Please contribute comments to the Discussions in Security newsgroup on the Windows Vista Help and Support Web site.
Or e-mail your feedback to: firstname.lastname@example.org.
We look forward to hearing from you.
The Solution Accelerators – Security and Compliance (SASC) team would like to acknowledge and thank the team that produced the Windows Vista Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.
Authors and Experts
Richard Harrison, Content Master Ltd
David Coombes, Content Master Ltd
Jim Captainino, Content Master Ltd
Richard Hicks, QinetiQ
Vikrant Minhas, Infosys Technologies Ltd
Sumit Parikh, Infosys Technologies Ltd
Dharani Mohanam, Infosys Technologies Ltd
Swapna Jagannathan, Infosys Technologies Ltd
Prashant Japkar, Infosys Technologies Ltd
John Cobb, Wadeware LLC
Jennifer Kerns, Wadeware LLC
Steve Wacker, Wadeware LLC
Audrey Centola, Volt Information Sciences
Neil Bufton, Content Master Ltd
Kevin Leo, Excell Data Corporation
Contributors and Reviewers
Charles Denny, Ross Carter,
Derick Campbell, Chase Carpenter
Karl Grunwald, Mike Smith-Lonergan
Don Armstrong, Bob Drake
Eric Fitzgerald, Emily Hill
George Roussos, David Abzarian
Darren Canavor, Nils Dussart
Peter Waxman, Russ Humphries
Sarah Wahlert, Tariq Sharif
Ned Pyle, Bomani Siwatu
Kiyoshi Watanabe, Eric Lawrence
David Abzarian, Chas Jeffries
Vijay Bharadwaj, Marc Silbey
Sean Lyndersay, Chris Corio
Matt Clapham, Tom Daemen
Sanjay Pandit, Jeff Williams
Alex Heaton, Mike Chan
Bill Sisk, Jason Joyce
Mehul Mediwala, Infosys Technologies Ltd
At the request of Microsoft, the National Security Agency Information Assurance Directorate participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.
The United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.