
Windows Vista® Security Guide
Security Compliance Management Toolkit

Version 3.0

Published: November 2006 | Updated: February 2009 microsoft.com/vsg

Copyright © 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server, Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

Solution Accelerators

microsoft.com/technet/SolutionAccelerators

Contents

Overview ... 1
  Executive Summary ... 1
  Who Should Read This Guide ... 3
    Skills and Readiness ... 4
    Guide Purpose ... 4
    Guide Scope ... 4
  Chapter Summaries ... 5
    More Information ... 6
    Feedback ... 7
    Acknowledgements ... 7
      Development Team ... 7
      Contributors and Reviewers ... 8
Chapter 1: Implementing the Security Baseline ... 9
  Enterprise Client Environment ... 10
  Specialized Security – Limited Functionality Environment ... 10
    Specialized Security ... 11
    Limited Functionality ... 11
      Restricted Services and Data Access ... 11
      Restricted Network Access ... 12
      Strong Network Protection ... 12
    Security Design ... 12
      OU Design for Security Policies ... 12
      GPO Design for Security Policies ... 14
    Domain Policy Settings ... 17
      Password Policy Settings ... 17
      Account Lockout Policy Settings ... 18
    Computer Policy Settings ... 18
      Audit Policy Settings ... 18
      User Rights Assignment Settings ... 28
      Security Options Settings ... 28
      Potential Issues with SMB Signing Policies ... 29
      Event Log Security Settings ... 30
      Windows Firewall with Advanced Security Settings ... 30
      Computer Configuration\Administrative Templates ... 31
      Network Connections ... 32
      Windows Update ... 32
  More Information ... 34
Chapter 2: Defend Against Malware ... 35
  Windows Vista Defense Technologies ... 36
    User Account Control ... 36
      Risk Assessment ... 37
      Risk Mitigation ... 37
      Mitigation Considerations ... 37
      Mitigation Process ... 38
      Microsoft SpyNet Community ... 41
      Risk Assessment ... 41
      Risk Mitigation ... 42
      Mitigation Considerations ... 42
      Mitigation Process ... 42
    Windows Firewall ... 44
      Risk Assessment ... 44
      Risk Mitigation ... 45
      Mitigation Considerations ... 45
    Windows Security Center ... 46
    Malicious Software Removal Tool ... 48
      Risk Assessment ... 48
      Risk Mitigation ... 48
      Mitigation Process ... 49
    Software Restriction Policies ... 49
  Internet Explorer 7 Defense Technologies ... 50
    Internet Explorer Protected Mode ... 50
    ActiveX Opt-in ... 51
    Cross-Domain Scripting Attack Protection ... 52
    Security Status Bar ... 52
    Phishing Filter ... 52
    Additional Security Features ... 53
      Add-on Management ... 54
      Binary Behavior Security Restriction ... 54
      Consistent MIME Handling ... 55
      Information Bar ... 55
      Local Machine Zone Lockdown Security ... 56
      MIME Sniffing Safety Feature ... 56
      MK Protocol Security Restriction ... 57
      Network Protocol Lockdown ... 58
      Object Caching Protection ... 59
      Protection From Zone Elevation ... 60
      Restrict ActiveX Install ... 60
      Restrict File Download ... 61
      RSS Restrictions ... 61
      Scripted Windows Security Restrictions ... 62
  More Information ... 63
Chapter 3: Protect Sensitive Data ... 65
  BitLocker Drive Encryption ... 66
    Risk Assessment ... 66
    Risk Mitigation ... 67
    Mitigation Considerations ... 67
    Mitigation Process ... 68
      Using Group Policy to Mitigate Risk for BitLocker ... 69
  Encrypting File System ... 71
    Risk Assessment ... 71
    Risk Mitigation ... 72
    Mitigation Considerations ... 72
    Mitigation Process ... 73
      Specific Mitigation Steps for EFS ... 73
  Rights Management Services ... 75
    Risk Assessment ... 76
    Risk Mitigation ... 76
    Mitigation Considerations ... 76
    Mitigation Process ... 77
    Managing RMS Using Group Policy ... 77
  Device Control ... 77
    Risk Assessment ... 78
    Risk Mitigation ... 78
    Mitigation Considerations ... 78
    Mitigation Process ... 79
      Using Group Policy to Control Device Installation ... 79
      Using Group Policy to Control Device Usage ... 81
      Using Group Policy to Control AutoPlay and AutoRun ... 83
  More Information ... 83
Chapter 4: Using Older Applications with Windows Vista ... 85
  Thirty-Minute Compatibility Check ... 85
  Known Application Compatibility Issues ... 87
    Security Enhancements ... 87
    Operating System Changes and Innovations ... 88
  Tools and Resources ... 88
    Program Compatibility Assistant ... 88
    Program Compatibility Wizard ... 89
    Microsoft Application Compatibility Toolkit ... 89
      Temporary Remedies ... 90
  More Information ... 90

Solution Accelerators

microsoft.com/technet/SolutionAccelerators

Overview
Welcome to the Windows Vista Security Guide. This guide provides instructions and recommendations to help strengthen the security of desktop and laptop computers running Windows Vista® Service Pack 1 (SP1) in a domain with Active Directory®. In addition to the solutions that the Windows Vista Security Guide prescribes, the guide includes tools, step-by-step procedures, recommendations, and processes that significantly streamline the deployment process. Not only does the guide provide you with effective security setting guidance, it also provides a reproducible method that you can use to apply the guidance to both test and production environments.

The key tool to use in combination with the Windows Vista Security Guide is the GPOAccelerator.wsf script. This tool enables you to run a script that automatically creates all the Group Policy objects (GPOs) you need to apply this security guidance.

Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:
• Proven. Based on field experience.
• Authoritative. Offers the best advice available.
• Accurate. Technically validated and tested.
• Actionable. Provides the steps to success.
• Relevant. Addresses real-world security concerns.

Consultants and system engineers develop best practices for the implementation of Windows Vista SP1, Windows® XP Professional Service Pack 3 (SP3), Windows Server® 2003 SP2, and Windows 2000 in a variety of environments. If you are evaluating Windows Vista SP1 for your environment, the Microsoft Assessment and Planning Toolkit can help mid-market sized organizations determine the readiness of their computers to run Windows Vista SP1. You can use the toolkit to quickly conduct computer inventories, identify supported Windows Vista SP1 scenarios, and obtain specific hardware upgrade recommendations. Microsoft has published a guide for Windows XP SP3. This guide references significant security enhancements in Windows Vista SP1. The Windows Vista Security Guide was developed and tested with computers running Windows Vista joined to a domain that uses Active Directory, as well as with stand-alone computers.
Note All references to Windows XP in this guide refer to Windows XP Professional SP3 unless otherwise stated.

Executive Summary
Whatever your environment, you are strongly advised to take security matters seriously. Many organizations underestimate the value of information technology (IT). If an attack on the servers in your environment is severe enough, it could significantly damage the entire organization. For example, if malware infects the client computers on your network, your organization could lose proprietary data, and experience significant overhead costs to return them to a secure state. An attack that makes your Web site unavailable also could result in a major loss of revenue or customer confidence. Conducting a security vulnerability, risk, and exposure analysis informs you of the tradeoffs between security and functionality that all computer systems are subject to in a networked environment.

This guide documents the major security-related countermeasures that are available in Windows Vista SP1, the vulnerabilities these countermeasures help address, and the potential negative consequences (if there are any) related to implementing each countermeasure. This guide builds on the Windows XP Security Guide, which provides specific recommendations about how to harden computers running Windows XP Professional Service Pack 3 (SP3).

The Windows Vista Security Guide provides recommendations to harden computers that use specific security baselines for the following two environments:
• Enterprise Client (EC). Client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003. The client computers in this environment include a mixture: some run Windows Vista SP1 whereas others run Windows XP Professional SP3. For instructions about how to test and deploy the EC environment, see the "Enterprise Client Environment" section in Chapter 1, "Implementing the Security Baseline." You also can access the Microsoft Excel® workbook Windows Vista Security Baseline Settings for more information about the baseline security settings that this environment uses.
• Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The client computers in this environment run only Windows Vista SP1. For instructions about how to test and deploy the SSLF environment, see the "Specialized Security – Limited Functionality Environment" section in Chapter 1, "Implementing the Security Baseline." The Excel workbook Windows Vista Security Baseline Settings also includes more information about the baseline security settings for this environment.
Warning The SSLF security settings are not intended for the majority of enterprise organizations. The configuration for these settings has been developed for organizations where security is more important than functionality.
The organization of the guide enables you to easily access the information that you require. The guide and its associated tools help you to:
• Deploy and enable either of the security baselines in your network environment.
• Identify and use Windows Vista SP1 security features for common security scenarios.
• Identify the purpose of each individual setting in either security baseline and understand their significance.

In order to create, test, and deploy the security settings for either the EC environment or the SSLF environment, you must first run the Windows® Installer (.msi) file for the GPOAccelerator tool that accompanies the download for this toolkit. You can then use this tool to automatically create all the GPOs for the security settings this guide recommends. For instructions about how to use the tool to accomplish these tasks, see the companion document How to Use the GPOAccelerator.

Although this guide is designed for enterprise customers, much of the guidance is appropriate for organizations of any size. To obtain the most value from this material, you will need to read the entire guide. However, it is possible to read individual portions of the guide to achieve specific aims. The "Chapter Summaries" section in this overview briefly introduces the information in the guide. For further information about the security topics and settings related to Windows XP, see the Windows XP Security Guide and the companion guide, Threats and Countermeasures.

After deploying the appropriate security settings across your enterprise, you can verify that the settings are in effect on each computer using the Security Compliance Management Toolkit. The toolkit includes Configuration Packs that match the recommendations in this guide for the EC and SSLF environments. The toolkit can be used with the Desired Configuration Management (DCM) feature in Configuration Manager 2007 SP1 to efficiently monitor compliance. In addition, you can quickly and easily run reports to demonstrate how your organization is meeting important compliance regulations. For further information about the toolkit, see Security Compliance Management Toolkit on TechNet.

Who Should Read This Guide
The Windows Vista Security Guide is primarily for IT generalists, security specialists, network architects, and other IT professionals and consultants who plan application or infrastructure development and deployments of Windows Vista SP1 for both desktop and laptop client computers in an enterprise environment. The guide is not intended for home users. This guide is for individuals whose job roles include the following:
• IT generalist. Users in this role handle security at every level in organizations ranging in size from 50 to 500 client computers. IT generalists focus on securing the computers that they manage quickly and simply.
• Security specialist. Users in this role focus on how to provide security across computing platforms within an organization. Security specialists require a reliable reference guide that addresses the security needs of every level of the organization that also offers proven methods to implement security countermeasures. Security specialists identify security features and settings and then provide recommendations on how their customers can most effectively use them in high risk environments.
• IT operations, help desk, and deployment staff. Users in IT operations focus on integrating security and controlling change in the deployment process, whereas deployment staff focuses on administering security updates quickly. Staff in these roles also troubleshoot security issues related to applications that involve how to install, configure, and improve the usability and manageability of software. They monitor these types of issues to define measurable security improvements and a minimum of impact on critical business applications.
• Network architect and planner. Users in these roles drive the network architecture efforts for computers in their organization.
• Consultant. Users in this role work in organizations ranging in size from 50 to 5,000 or more client computers. IT consultants are aware of many kinds of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.
• Business analyst and business decision maker (BDM). Users in these roles have critical business objectives and requirements that need IT desktop or laptop support.

Note Users who want to apply the prescriptive guidance in this guide must, at a minimum, read and complete the steps to establish the EC environment in Chapter 1, "Implementing the Security Baseline."


Skills and Readiness
The following knowledge and skills are required for the intended audience of this guide, who develop, deploy, and secure client computers running Windows Vista SP1 in enterprise organizations:
• MCSE on Windows Server 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.
• In-depth knowledge of the organization’s domain and Active Directory environments.
• Experience with the Group Policy Management Console (GPMC).
• Experience in the administration of Group Policy using the GPMC, which provides a single solution for managing all Group Policy–related tasks.
• Experience using management tools including Microsoft Management Console (MMC), Gpupdate, and Gpresult.
• Experience deploying applications and client computers in enterprise environments.

Guide Purpose
The primary purposes of the guide are to enable you to:
• Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
• Understand the reasoning for the security setting recommendations in the baseline configurations that are included in the guide, and their implications.
• Identify and consider common security scenarios, and how to use specific security features in Windows Vista SP1 to help you manage them in your environment.

The guide is designed to let you use only its relevant parts to meet the security requirements of your organization. However, readers will gain the most benefit by reading the entire guide.

Guide Scope
This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista SP1. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations. Client computers in the EC environment can run either Windows XP Professional SP3 or Windows Vista SP1. However, the computers that manage these client computers on the network must be able to run Windows Server 2008, Windows Server 2003 R2, or Windows Server 2003 SP2. Client computers in the SSLF environment can only run Windows Vista SP1.


Chapter Summaries
The Windows Vista Security Guide consists of four chapters. Each chapter builds on the end-to-end solution process that is required to implement and secure Windows Vista SP1 client computers in your environment. A summary of each chapter follows.

Overview
The overview states the purpose and scope of the guide, defines the guide audience, and indicates the organization of the guide to assist you in locating the information relevant to you. It also describes the tools and templates that accompany the guide, and the user prerequisites for the guidance. Brief descriptions follow for each chapter in the guide.

Chapter 1: Implementing the Security Baseline
This chapter identifies the benefits to an organization of creating and deploying a security baseline. The chapter includes high-level security design recommendations that you can follow in preparation to implement either the EC baseline settings or the SSLF baseline settings. The chapter explains important security considerations for both the EC environment and the SSLF environment, and describes the broad differences between these environments. The easiest way to deploy the security settings this guide recommends is to use the GPOAccelerator. You can also use the GPOAccelerator to test and deploy the recommended settings. Run the .msi file for the GPOAccelerator tool that accompanies the download for this toolkit. For instructions about how to use the tool to accomplish these tasks, see How to Use the GPOAccelerator.
Caution The guidance in this chapter positions your organization to establish the SSLF environment, which is distinct from the EC environment. The SSLF guidance is for high security environments only. It is not a supplement to the guidance on the EC environment. Security settings prescribed for the SSLF environment limit key functionality across the environment. For this reason, the SSLF security baseline is not intended for most organizations. Be prepared to extensively test the SSLF security baseline before implementing it in a production environment.

Chapter 2: Defend Against Malware
This chapter provides recommendations to take advantage of new security features and enhanced existing ones in Windows Vista SP1 to help protect client computers and corporate assets against malware, which includes viruses, worms, and Trojan horses. It includes information about how to most effectively use the following technologies in the operating system:
• User Account Control (UAC)
• Windows Defender
• Windows Firewall
• Windows Security Center
• Malicious Software Removal Tool
• Software Restriction Policies


In addition, the chapter includes the following information about Internet Explorer 7 security technologies:
• Internet Explorer Protected Mode
• ActiveX Opt-in
• Cross-domain scripting attack protection
• Security Status Bar
• Phishing Filter
• Additional security features

Chapter 3: Protect Sensitive Data
This chapter provides recommendations and best practice information about how to help protect data using encryption and access control technologies in Windows Vista SP1. These technologies are especially relevant to mobile computing environments in which the potential of a device running Windows Vista SP1 to be lost or stolen is relatively higher. The content in the chapter includes information about how to most effectively use the following technologies in Windows Vista SP1:
• BitLocker™ Drive Encryption
• Encrypting File System (EFS)
• Rights Management Services (RMS)
• Device control

Chapter 4: Using Older Applications with Windows Vista
This chapter includes simple procedures that you can use to test the level of compatibility of your applications with Windows Vista SP1. The chapter also discusses some of the more common causes of application compatibility issues, and provides pointers to available resources that can help you to address them.

More Information
The following resources provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide on Microsoft.com:
• Infrastructure Planning and Design.
• Microsoft Assessment and Planning Toolkit.
• Microsoft Deployment.
• Microsoft Windows Security Resource Kit.
• Microsoft Windows Server 2003 Resource Kit.
• Security Guidance.
• Solution Accelerators.
• Threats and Countermeasures.
• Windows Server 2008 Security Guide.
• Windows Server 2003 Security Guide.
• Windows XP TechCenter.
• Windows XP Security Guide.

Feedback
The Solution Accelerators – Security and Compliance (SA–SC) team would appreciate your thoughts about this and other solution accelerators. Please send your comments by e-mail to secwish@microsoft.com.

We look forward to hearing from you.

Acknowledgements
The Solution Accelerators – Security and Compliance (SA–SC) team would like to acknowledge and thank the team that produced the Windows Vista Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Development Team
Authors and Experts
David Coombes, Content Master Ltd
Haikun Zhang, Minesage Co Ltd
Hui Zeng, Minesage Co Ltd
Jim Captainino, Content Master Ltd
José Maldonado, Microsoft
Kurt Dillard, kurtdillard.com
Michael Tan, Microsoft
Mike Danseglio, Microsoft
Mike Smith-Lonergan, Microsoft
Richard Harrison, Content Master Ltd
Richard Hicks, QinetiQ
ZhiQiang Yuan, Minesage Co Ltd

Product Managers
Alain Meeus, Microsoft
Jim Stuart, Microsoft
Kevin Leo, Excell Data Corporation
Shruti Kala, Microsoft
Tony Bailey, Microsoft

Program Managers
Audrey Centola, Volt Information Sciences
Kelly Hengesteg, Microsoft
Neil Bufton, Content Master Ltd
Vlad Pigin, Microsoft

Release Managers
Gareth Jones, Microsoft
Karina Larson, Microsoft

Editors
Jennifer Kerns, Wadeware LLC
John Cobb, Wadeware LLC
Steve Wacker, Wadeware LLC

Test Manager
Sumit Parikh, Microsoft

Testers
Ankit Agarwal, Infosys Technologies Ltd
Dhanashri Dorle, Infosys Technologies Ltd
Dharani Mohanam, Infosys Technologies Ltd
Gaurav Bora, Microsoft
Prashant Japkar, Infosys Technologies Ltd
Raxit Gajjar, Infosys Technologies Ltd
Swapna Jagannathan, Infosys Technologies Ltd
Vikrant Minhas, Infosys Technologies Ltd

Contributors and Reviewers
Charles Denny, Ross Carter, Derick Campbell, Chase Carpenter, Karl Grunwald, Don Armstrong, Bob Drake, Eric Fitzgerald, Emily Hill, George Roussos, David Abzarian, Darren Canavor, Nils Dussart, Peter Waxman, Russ Humphries, Sarah Wahlert, Tariq Sharif, Ned Pyle, Bomani Siwatu, Kiyoshi Watanabe, Eric Lawrence, David Abzarian, Chas Jeffries, Vijay Bharadwaj, Marc Silbey, Sean Lyndersay, Chris Corio, Matt Clapham, Tom Daemen, Sanjay Pandit, Jeff Williams, Alex Heaton, Mike Chan, Bill Sisk, Jason Joyce, Mehul Mediwala, Infosys Technologies Ltd
Note The United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.
Note At the request of Microsoft, the National Security Agency Information Assurance Directorate participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.


Chapter 1: Implementing the Security Baseline
Windows Vista® Service Pack 1 (SP1) is the most secure client operating system that Microsoft has produced to date. However, you may need to make specific configuration changes to meet the network requirements of your environment. The purpose of this chapter is to demonstrate how relatively easy it is to configure security settings to harden client computers running the default operating system that are joined to a domain using Active Directory® directory service. This chapter provides a simple set of procedures to implement prescribed security settings to enhance the default security of the operating system.

The streamlined procedures in this chapter offer a fast and efficient means for you to harden the Windows Vista SP1–based client computers in your environment. You can now harden the default operating system using only Group Policy objects (GPOs). Previous guidance from Microsoft required importing Security Template .inf files and extensive manual modification of the Administrative Templates portion of several GPOs. Working with these files and templates is no longer necessary. However, the Security Template .inf files still accompany this guide so that you can use them to harden stand-alone client computers. All of the recommended Group Policy settings are documented in the Microsoft Excel® workbook Windows Vista Security Baseline Settings.

To deploy this guidance, you need to:
• Create an organizational unit (OU) structure for your environment.
• Use the GPOAccelerator to create the GPOs for your environment.
• Use the Group Policy Management Console (GPMC) to link and manage the GPOs.

Warning It is essential to thoroughly test your OU and GPO designs before deploying them in a production environment. The "Implementing the Security Policies" section in this chapter provides procedural details you can use to create and deploy the OU structure and security GPOs during both the test and production phases of the implementation.

The baseline GPOs that accompany this guide provide a combination of tested settings that enhance security for client computers running Windows Vista SP1 in the following two distinct environments:
• Enterprise Client (EC)
• Specialized Security – Limited Functionality (SSLF)


Enterprise Client Environment
The Enterprise Client (EC) environment referred to in this chapter consists of an Active Directory® domain whose domain controllers run Windows Server® 2008, Windows Server 2003 R2, or Windows Server 2003 SP2 or later, and whose client computers run either Windows Vista SP1 or Windows XP Professional SP3. The client computers are managed in this environment through Group Policy, which is applied to sites, domains, and OUs. Group Policy provides a centralized infrastructure within Active Directory that enables directory-based change and configuration management of user and computer settings, including security and user data.

Specialized Security – Limited Functionality Environment
The Specialized Security – Limited Functionality (SSLF) baseline in this guide addresses the demand to help create highly secure environments for computers running Windows Vista SP1. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. The Enterprise Client (EC) security baseline helps provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations.
Warning The SSLF security settings are not intended for the majority of enterprise organizations. The configuration for these settings has been developed for organizations where security is more important than functionality.

If you decide to test and deploy the SSLF configuration settings to the client computers in your environment, the IT resources in your organization may experience an increase in help desk calls related to the limited functionality that the settings impose. Although the configuration for this environment provides a higher level of security for data and the network, it also prevents some services from running that your organization may require. Examples of this include Terminal Services, which allows multiple users to connect interactively to desktops and applications on remote computers, and the Fax Service, which enables users to send and receive faxes over the network using their computers. It is important to note that the SSLF baseline is not an addition to the EC baseline: the SSLF baseline provides a distinctly different level of security. For this reason, do not attempt to apply the SSLF baseline and the EC baseline to the same computers running Windows Vista SP1. Rather, for the purposes of this guide, it is imperative to first identify the level of security that your environment requires, and then decide to apply either the EC baseline or the SSLF baseline. To compare the setting differences between the EC baseline and SSLF baseline, see the Microsoft Excel® workbook Windows Vista Security Baseline Settings.
Important If you are considering whether to use the SSLF baseline for your environment, be prepared to exhaustively test the computers in your environment after you apply the SSLF security settings to ensure that they do not prohibit required functionality for the computers in your environment.


Specialized Security
Organizations that use computers and networks, especially if they connect to external resources such as the Internet, must address security issues in system and network design, and how they configure and deploy their computers. Capabilities that include process automation, remote management, remote access, availability 24 hours a day, worldwide access, and software device independence enable businesses to become more streamlined and productive in a competitive marketplace. However, these capabilities also expose the computers of these organizations to potential compromise. In general, administrators take reasonable care to prevent unauthorized access to data, service disruption, and computer misuse. Some specialist organizations, such as those in the military, state and local government, and finance are required to protect some or all of the services, systems, and data that they use with a specialized security level. The SSLF baseline is designed to provide this level of security for these organizations. To preview the SSLF settings, see the Excel workbook Windows Vista Security Baseline Settings.

Limited Functionality
The specialized security that the SSLF baseline implements may reduce functionality in your environment. This is because it limits users to only the specific functions that they require to complete necessary tasks. Access is limited to approved applications, services, and infrastructure environments. There is a reduction in configuration functionality because the baseline disables many property pages with which users may be familiar. The following sections in this chapter describe the areas of higher security and limited functionality that the SSLF baseline enforces:
• Restricted services and data access
• Restricted network access
• Strong network protection

Restricted Services and Data Access
Specific settings in the SSLF baseline can prevent valid users from accessing services and data if they forget or misspell passwords. In addition, these settings may lead to an increase in help desk calls. However, the security benefits that the settings provide help make it harder for malicious users to attack computers running Windows Vista SP1 in this environment. Setting options in the SSLF baseline that could potentially prevent users from accessing services and data include those that:
• Disable administrator accounts.
• Enforce stronger password requirements.
• Require a stricter account lockout policy.
• Require a stricter policy for the following User Rights Assignment settings: Log on as a service and Log on as a batch job.

Note Setting details for both the EC and the SSLF baselines are available in the Windows Vista Security Guide Settings.xls file that also accompanies this guide to provide you with another resource to compare setting values.


Restricted Network Access
Network reliability and system connectivity are paramount for successful business. Microsoft operating systems provide advanced networking capabilities that help to connect systems, maintain connectivity, and repair broken connections. Although this capability is beneficial to maintaining network connectivity, attackers can use it to disrupt or compromise the computers on your network. Administrators generally welcome features that help to support network communications. However, in special cases, the primary concern is the security of data and services. In such specialized environments, some loss of connectivity is tolerated to help ensure data protection. Setting options in the SSLF baseline that increase network security but could potentially prevent users from network access include those that:
• Limit access to client systems across the network.
• Hide systems from browse lists.
• Control Windows Firewall exceptions.
• Implement connection security, such as packet signing.

Strong Network Protection
A common strategy to attack network services is to use a denial of service (DoS) attack. Such an attack prevents connectivity to data or services or over-extends system resources and degrades performance. The SSLF baseline protects access to system objects and the assignment of resources to help guard against this type of attack. Setting options in the SSLF baseline that help to prevent DoS attacks include those that:
• Control process memory quota assignments.
• Control object creation.
• Control the ability to debug programs.
• Control process profiling.

All of these security considerations contribute to the possibility that the security settings in the SSLF baseline may prevent applications in your environment from running or users from accessing services and data as expected. For these reasons, it is important to extensively test the SSLF baseline after you implement it and before you deploy it in a production environment.

Security Design
The security design that this chapter recommends forms the starting point for the scenarios in this guide, as well as mitigation suggestions for the scenarios. The remaining sections in this chapter provide design details about the core security structure:
• OU Design for Security Policies
• GPO Design for Security Policies

OU Design for Security Policies
The security design this chapter recommends uses OUs. An OU is a container within a domain that uses Active Directory. An OU may contain users, groups, computers, and other OUs. If an OU contains other OUs, it is a parent OU. An OU within a parent OU is a child OU.

You can link a GPO to an OU, which then applies the GPO's settings to the users and computers that are contained in that OU and its child OUs. To facilitate administration, you can delegate administrative authority to each OU. OUs provide an easy way to group users and computers and an effective way to segment administrative boundaries. Microsoft recommends that organizations assign users and computers to separate OUs, because some settings only apply to users and other settings only apply to computers.

You can delegate control over a group or an individual OU by using the Delegation of Control Wizard in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. See the "More Information" section at the end of this chapter for links to documentation about how to delegate authority.

One of the primary goals of an OU design for any environment is to provide a foundation for a seamless Group Policy implementation that applies to all client computers in Active Directory. This ensures that the client computers meet the security standards of your organization. The OU design must also provide an adequate structure to accommodate security settings for specific types of users in an organization. For example, developers may require access to their computers that average users do not. Also, laptop users may have different security requirements than desktop users. The following figure illustrates a simple OU structure that is sufficient for the Group Policy discussion in this chapter. The OU structure may differ from the requirements for your organization's environment.

Figure 1.1 Example OU structure for computers running Windows Vista


Department OU
Because security requirements often vary within an organization, it may make sense to create department OUs in your environment. You can then use a GPO linked to each department OU to apply security settings to the computers and users in that department.

Windows Vista Users OU
This OU contains the user accounts for the EC environment. The settings that you apply to this OU are described in detail in the Windows Vista Security Baseline Settings workbook.

Windows Vista Computers OU
This OU contains child OUs for each type of client computer running Windows Vista SP1 in the EC environment. This guide focuses on security guidance for desktop and laptop computers. For this reason, the engineers for this guide created the following computer OUs:
• Desktop OU. This OU contains desktop computers that constantly remain connected to the network. The settings that are applied to this OU are described in detail in the Windows Vista Security Baseline Settings workbook.
• Laptop OU. This OU contains laptop computers for mobile users that are not always connected to the network. The Windows Vista Security Baseline Settings workbook also provides details about the settings that apply to this OU.



GPO Design for Security Policies
A GPO is a collection of Group Policy settings that are essentially the files created by the Group Policy snap-in. The settings are stored at the domain level and affect users and computers contained in sites, domains, and OUs. You can use GPOs to ensure that specific policy settings, user rights, and computer behavior apply to all client computers or users in an OU. Using Group Policy instead of a manual configuration process makes it simple to manage and update changes for many computers and users. Manual configuration is not only inefficient, because it requires a technician to visit each client computer, but it is also potentially ineffective. This is primarily because if the policy settings in domain-based GPOs are different than those applied locally, the domain-based GPO policy settings will overwrite the locally applied policy settings.

Figure 1.2 GPO order of precedence

The previous figure shows the order of precedence in which GPOs are applied to a computer that is a member of the Child OU, from the lowest order (1) to the highest order (5). Group Policy is applied first from the local security policy of each client computer running Windows Vista SP1. After the local security policy is applied, GPOs are next applied at the site level, and then at the domain level. For Windows Vista SP1–based client computers that are nested in several OU layers, GPOs are applied in order from the parent OU level in the hierarchy to the lowest child OU level. The final GPO is applied from the OU that contains the client computer. This order of GPO processing for Group Policy—local security policy, site, domain, parent OU, and child OU—is significant because GPOs that are applied later in the process will overwrite those applied earlier. User GPOs are applied in the same manner.

The following considerations apply when you design Group Policy:
• An administrator must set the order in which multiple GPOs linked to the same OU are applied; otherwise, Group Policy applies them by default in the order in which they were linked to the OU. If the same setting is configured in multiple policies, the policy that is highest on the policy list for the container takes precedence.
• You may configure a GPO with the Enforced option. If you select this option, other GPOs cannot override the settings that are configured in this GPO.
Note In Windows 2000, the Enforced option is referred to as the No Override option.
• You may configure an Active Directory site, domain, or OU with the Block policy inheritance option. This option blocks GPO settings from GPOs that are higher in the Active Directory hierarchy unless they have the Enforced option selected. In other words, the Enforced option has precedence over the Block policy inheritance option.
• Group Policy settings apply to users and computers, and are based on where the user or computer object is located in Active Directory. In some cases, user objects may need policy applied to them based on the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply user Group Policy settings based on which computer the user is logged on to. The "Loopback Processing of Group Policy" article provides more information about this option.



Recommended GPOs
To implement the OU design described above requires a minimum of four GPOs to provide the following Group Policy settings:
• Policy settings for the domain.
• Policy settings for the Windows Vista Users OU.
• Policy settings for the Desktop OU.
• Policy settings for the Laptop OU.

The following figure expands on the preliminary OU structure to show the linkage between these GPOs and the OU design.


Figure 1.3 Example OU structure and GPO links for computers running Windows Vista SP1

In the example in Figure 1.3, laptop computers are members of the Laptop OU. The first policy that is applied is the local security policy on the laptop computers. Because there is only one site in this example, no GPO is applied at the site level, which leaves the Domain GPO as the next policy that is applied. Finally, the Laptop GPO is applied.
Note The Desktop Policy is not applied to any laptops because it is not linked to any OUs in the hierarchy that contains the Laptop OU.

As a precedence example, consider a scenario in which the policy setting Allow log on through Terminal Services is configured in GPOs linked to the following OUs, granting the right to the following groups:
• Windows Vista Computers OU: Administrators group
• Laptop OU: Remote Desktop Users and Administrators groups

In this example, a user whose account is in the Remote Desktop Users group can log on to a laptop through Terminal Services because the Laptop OU is a child of the Windows Vista Computers OU and the child policy takes precedence. If you enable the Enforced option (No Override in Windows 2000) on the GPO link for the Windows Vista Computers OU, only users with accounts in the Administrators group can log on to the laptop computer through Terminal Services. This is because the Enforced option prevents the child OU policy from overwriting the policy applied earlier in the process.
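The following PowerShell script is an added example and is not one of the scripts that accompany this guide or the GPOAccelerator tool. It builds the link structure for the Laptop OU scenario above, toggles the Enforced option on the parent OU's link, and then checks the result both in Active Directory and on a laptop. It assumes the GroupPolicy module (shipped with Windows Server 2008 R2 and its Remote Server Administration Tools, which is later tooling than this guide describes), a fictitious contoso.com domain with the OU names from Figure 1.1, and GPO names chosen for the example. The user right itself is still configured inside the GPOs as the text describes; the script only shows link order, enforcement, and verification.

```powershell
# Added example; not one of the guide's scripts. Requires the GroupPolicy module
# (Windows Server 2008 R2 / RSAT) and domain administrator rights.
Import-Module GroupPolicy

# Assumed names: contoso.com, the OUs from Figure 1.1, and a GPO linked to the
# Windows Vista Computers OU for the precedence scenario in the text.
$domainDN    = 'DC=contoso,DC=com'
$computersOU = "OU=Windows Vista Computers,$domainDN"
$laptopOU    = "OU=Laptop,$computersOU"
$parentGpo   = 'VSG Computers Policy'   # grants the right to Administrators only
$laptopGpo   = 'VSG Laptop Policy'      # grants it to Remote Desktop Users as well

# Create the GPOs if they do not exist yet and link each one where the design places it.
foreach ($pair in @(@($parentGpo, $computersOU), @($laptopGpo, $laptopOU))) {
    $name, $target = $pair
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name | Out-Null
    }
    $linked = (Get-GPInheritance -Target $target).GpoLinks |
        Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) {
        # -Order 1 puts the link first in the container's own link list, which is the
        # link that wins when two GPOs on the same container configure the same setting.
        New-GPLink -Name $name -Target $target -LinkEnabled Yes -Order 1 | Out-Null
    }
}

# Scenario 1: nothing enforced. The Laptop GPO is applied last and wins, so members of
# Remote Desktop Users can log on to laptops through Terminal Services.
Set-GPLink -Name $parentGpo -Target $computersOU -Enforced No | Out-Null

# Scenario 2: the parent link is Enforced ("No Override" in Windows 2000 terminology).
# The child GPO can no longer overwrite the setting; only Administrators keep the right.
Set-GPLink -Name $parentGpo -Target $computersOU -Enforced Yes | Out-Null

# Check the resulting precedence for the Laptop OU. The list corresponds to the Group
# Policy Inheritance tab in GPMC; an Enforced parent link is listed ahead of the child's own link.
Get-GPInheritance -Target $laptopOU |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize

# On a laptop in the OU, after the policy has refreshed, read back the effective right.
# "Allow log on through Terminal Services" is stored as SeRemoteInteractiveLogonRight;
# *S-1-5-32-544 is Administrators and *S-1-5-32-555 is Remote Desktop Users.
gpupdate /target:computer /force | Out-Null
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^SeRemoteInteractiveLogonRight'
Remove-Item $inf
```

Run the first part on a computer that has the GroupPolicy module and run the last block on a laptop in the Laptop OU; with the parent link Enforced, the exported line should list only *S-1-5-32-544, and with it not enforced both SIDs should appear.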


Domain Policy Settings
A relatively small number of security settings are applied to the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, the following setting groups appear in the Windows Settings sub-node:
• Password Policy Settings
• Account Lockout Policy Settings

This section provides an overview of these two categories of settings. For information about which specific settings are recommended for each role, review the Microsoft Excel® workbook Windows Vista Security Baseline Settings that accompanies this guide. For detailed information about how each setting functions, what threats each addresses, and the potential consequences of using each setting, read the companion guide, Threats and Countermeasures.

Password Policy Settings
Complex passwords that you change regularly help reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime of passwords. You configure password policy settings only by Group Policy at the domain level. You can configure the password policy settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

How to Make Users Change Passwords Only When Required
In addition to these password policies, centralized control over all users is a requirement for some organizations. This section describes how to prevent users from changing their passwords except when they are required to do so.

Centralized control of user passwords is a cornerstone of a well-crafted Windows Vista security scheme. You can use Group Policy to set minimum and maximum password ages. However, allowing users to change passwords frequently can enable them to circumvent the Enforce password history setting for your environment, and requirements for passwords that are too long may lead to help desk calls from users who forget their passwords.

Users can change their passwords at any time between the minimum and maximum password age settings. However, the SSLF environment security design requires that users change their passwords only when prompted by the operating system after their passwords have reached the maximum age of 90 days. To achieve this level of control, administrators can disable the Change Password button in the Windows Security dialog box that appears when you press CTRL+ALT+DEL. You can implement this configuration for an entire domain through Group Policy (the Remove Change Password setting under User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options), or edit the registry to implement it for one or more specific users. For more information about this configuration, see "How To: Prevent Users from Changing a Password Except When Required in Windows Server 2003": Microsoft Knowledge Base article 324744. If you have a Windows 2000–based domain, see "How To: Prevent Users from Changing a Password Except When Required in Windows 2000": Knowledge Base article 309799.


Account Lockout Policy Settings
The account lockout policy is an Active Directory® directory service security feature that locks a user account after a specified number of failed logon attempts occur within a specified period. Domain controllers track the failed attempts; the number of allowed attempts, the period, and the duration of the lock are the values that you configure for the account lockout settings. These policy settings help prevent attackers from guessing user passwords, and they decrease the likelihood of successful attacks on your network environment. However, an enabled account lockout policy will probably result in more support issues for network users, and an attacker who knows valid user names can deliberately trigger the lockout to deny those users access. Before you enable the following settings, ensure that your organization wants to accept this additional management overhead. For many organizations, an improved and less-costly solution is to automatically scan the Security event logs of the domain controllers and generate administrative alerts when it appears that someone is attempting to guess passwords for user accounts.

You can configure the account lockout policy settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
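The following PowerShell script is an added example, not part of this guide, of the alternative just described: it reads the Security logs of the domain controllers for failed credential validations and raises an alert when one account receives many failures (password guessing) or one source tries many accounts (password spraying, which stays below a per-account lockout threshold). It assumes PowerShell 2.0 for Get-WinEvent, Windows Server 2008 domain controllers for the event IDs, remote event log access to the domain controllers, and domain controller names, threshold, and time window chosen for the example.

```powershell
# Added example; not part of the Windows Vista Security Guide. Detects password
# guessing against domain accounts from the domain controllers' Security logs.
# Assumptions: PowerShell 2.0, Windows Server 2008 domain controllers, and the
# domain controller names, threshold and window below (example values).
param(
    [string[]]$DomainControllers = @('dc1.contoso.com', 'dc2.contoso.com'),
    [int]$Threshold     = 10,    # failures per account, or accounts per source, in the window
    [int]$WindowMinutes = 15
)

# Events a wrong password leaves on a Windows Server 2008 domain controller. Windows
# Server 2003 domain controllers log 675, 680, 529 and 644 instead, with the same meaning.
#   4771  Kerberos pre-authentication failed (Status 0x18 is a bad password)
#   4776  NTLM credential validation; a failure has a Status other than 0x0
#   4625  Failed logon to the domain controller itself
#   4740  Account locked out
$filter = @{
    LogName   = 'Security'
    Id        = 4771, 4776, 4625, 4740
    StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
}

# Pull one named field out of the event's EventData section.
function Get-EventField($event, $name) {
    $xml = [xml]$event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$failures = @()
foreach ($dc in $DomainControllers) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $user = Get-EventField $e 'TargetUserName'
        if ($e.Id -eq 4740) {
            # TargetDomainName of a 4740 event holds the computer the attempts came from.
            Write-Warning ("{0}: account {1} locked out, attempts from {2}" -f $dc, $user, (Get-EventField $e 'TargetDomainName'))
            continue
        }
        if ($e.Id -eq 4776) {
            if ((Get-EventField $e 'Status') -eq '0x0') { continue }   # successful validation
            $source = Get-EventField $e 'Workstation'
        } else {
            $source = Get-EventField $e 'IpAddress'
        }
        $failures += New-Object PSObject -Property @{
            DC = $dc; User = $user; Source = $source; Time = $e.TimeCreated
        }
    }
}

# Guessing against one account: many failures for the same user name.
foreach ($g in ($failures | Group-Object User | Where-Object { $_.Count -ge $Threshold })) {
    $sources = @($g.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', '
    Write-Warning ("{0} failed logons for {1} in {2} min from {3}" -f $g.Count, $g.Name, $WindowMinutes, $sources)
}

# Password spraying: one source trying a few passwords against many accounts, each
# below the lockout threshold.
foreach ($g in ($failures | Group-Object Source)) {
    $accounts = @($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique)
    if ($accounts.Count -ge $Threshold) {
        Write-Warning ("{0} tried {1} different accounts in {2} min" -f $g.Name, $accounts.Count, $WindowMinutes)
    }
}
```

Schedule the script to run every few minutes with a window slightly longer than the interval, and replace the Write-Warning calls with whatever raises alerts in your environment (for example Send-MailMessage). Reading a remote Security log requires the Remote Event Log Management firewall exception and Event Log Readers membership on the domain controllers.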

Computer Policy Settings
The security settings in this section apply to desktop and laptop computers in the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, these settings appear in the Windows Settings and Administrative Templates sub-nodes. This section provides an overview of the different categories of settings. For information about which specific settings are recommended for each role, review the Microsoft Excel® workbook Windows Vista Security Baseline Settings that accompanies this guide. For detailed information about how each setting functions, what threats each addresses, and the potential consequences of using each setting, read the companion guide, Threats and Countermeasures.

Audit Policy Settings
An audit policy determines the security events to report to administrators so that there is a record of user or system activity in specified event categories. The administrator can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment. However, before you implement an Audit policy you must investigate which event categories to audit in your environment. The audit settings you choose within the event categories define your Audit policy. When you define audit settings for specific event categories, an administrator can create an Audit policy that will meet the security needs of your organization. If you do not configure audit settings, it will be difficult or impossible to determine what took place during a security incident. However, if you configure audit settings so that too many authorized activities generate events, the Security event log will fill up with too much data. The information in the following sections will help you decide what to monitor to facilitate the collection of relevant audit data for your organization.


Windows Vista includes the same nine audit policy categories present in previous versions of Windows, which are:
• System
• Logon/Logoff
• Object Access
• Privilege Use
• Detailed Tracking
• Policy Change
• Account Management
• DS Access
• Account Logon

However, Windows Vista allows audit policy to be managed in a more precise way by including fifty audit policy subcategories. Although not all subcategories apply to Windows Vista–based computers, many of them can be configured to record specific events that provide valuable information. In the past, configuring any of the nine audit categories was easily accomplished using Group Policy. Although the same is possible with Windows Vista, the new audit subcategories cannot be configured individually using the Group Policy Object Editor because the subcategories are not exposed in the Group Policy Object Editor. If you configure any of the audit categories in Windows Vista using the settings present in the Group Policy Object Editor, all subcategories will also be configured. This will most likely cause excessive audit logging that will quickly fill up your event logs. The recommended approach is to configure only the necessary audit subcategories. Configuring each subcategory requires using a command-line tool included in Windows Vista called AuditPol.exe. Having to use a command-line tool makes it very difficult to implement the prescribed audit policy across many computers. However, Microsoft has developed a solution for configuring audit subcategories using Group Policy. This solution is automatically implemented by the GPOAccelerator tool. When you run the GPOAccelerator, it automatically copies the following files to the NETLOGON share of one of your domain controllers. For the EC environment:       EC-VSGAuditPolicy.cmd EC-VSGApplyAuditPolicy.cmd EC-VSGAuditPolicy.txt

For the SSLF environment: SSLF-VSGAuditPolicy.cmd SSLF-VSGApplyAuditPolicy.cmd SSLF-VSGAuditPolicy.txt

These files will then automatically replicate to the NETLOGON share of domain controllers in your Active Directory domain. The computer-specific GPOs created by the GPOAccelerator tool include a computer startup script that runs these files to configure the prescribed audit policy settings. The first time these files run on a computer, a scheduled task named VSGAudit is created. This task will run every hour to help ensure the audit policy settings are up to date.

Solution Accelerators microsoft.com/technet/SolutionAccelerators


Windows Vista Security Guide

For more information on the solution for configuring the new audit policy settings in Windows Vista in a Windows Server 2003–based domain, see "How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain": Knowledge Base article 921469.

The tables in the following sections summarize the audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide. You should review these recommendations and adjust them as appropriate for your organization. Information about how to modify the audit policy settings configured by GPOs included with the GPOAccelerator tool is provided at the end of this section. However, be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated will make it difficult to find other types of entries in the Security event log. Such a configuration could also have a significant impact on performance.

The following sections provide a brief description of each Audit policy category. The table in each section lists the recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide.

Note Descriptions of each of the audit policy subcategories are not provided in this guide. The companion guide, Threats and Countermeasures, includes detailed descriptions of each of the 50 audit policy subcategories.

System
The System audit category allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system. In Windows Vista, the System audit category contains the subcategories represented in the following table.

Table 1.1 System Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ Security System Extension | No Auditing | Success and Failure | Success and Failure
§ System Integrity | Success and Failure | Success and Failure | Success and Failure
§ IPsec Driver | No Auditing | Success and Failure | Success and Failure
§ Other System Events | Success and Failure | No Auditing | No Auditing
§ Security State Change | Success | Success and Failure | Success and Failure

§ - Denotes Group Policy settings that are new in Windows Vista.

Logon/Logoff
This audit category generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. In Windows Vista, the Logon/Logoff events audit category contains the subcategories represented in the following table.

Table 1.2 Logon/Logoff Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ Logon | Success | Success | Success and Failure
§ Logoff | Success | Success | Success
§ Account Lockout (Note: No events map to this subcategory.) | Success | No Auditing | No Auditing
§ IPsec Main Mode | No Auditing | No Auditing | No Auditing
§ IPsec Quick Mode | No Auditing | No Auditing | No Auditing
§ IPsec Extended Mode | No Auditing | No Auditing | No Auditing
§ Special Logon | Success | Success | Success
§ Other Logon/Logoff Events | No Auditing | No Auditing | No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Object Access
By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), effectively enabling auditing to take place. A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces of information:
- The security principal (user, computer, or group) to be audited.
- The specific access type to be audited, called an access mask.
- A flag to indicate whether to audit failed access events, successful access events, or both.

If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user fails in an attempt to access an object with a specified SACL. Organizations should define only the actions they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.

The Object Access events audit category contains the subcategories represented in the following table.

Table 1.3 Object Access Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ File System | No Auditing | No Auditing | Failure
§ Registry | No Auditing | No Auditing | Failure
§ Kernel Object | No Auditing | No Auditing | No Auditing
§ SAM | No Auditing | No Auditing | No Auditing
§ Certification Services | No Auditing | No Auditing | No Auditing
§ Application Generated | No Auditing | No Auditing | No Auditing
§ Handle Manipulation | No Auditing | No Auditing | No Auditing
§ File Share | No Auditing | No Auditing | No Auditing
§ Filtering Platform Packet Drop | No Auditing | No Auditing | No Auditing
§ Filtering Platform Connection | No Auditing | No Auditing | No Auditing
§ Other Object Access Events | No Auditing | No Auditing | No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

The following procedures describe how to configure audit rules on a file or folder and how to test each audit rule for each object in the specified file or folder.
Note You must use Auditpol.exe to configure the File System subcategory to audit Success and Failure events for the following steps to log events in the Security event log.

To define an audit rule for a file or folder
1. Use Windows Explorer to locate the file or folder and then click it.
2. On the File menu, click Properties.
3. Click the Security tab, and then click the Advanced button.
4. Click the Auditing tab.
5. If prompted for administrative credentials, click Continue, type your username and password, and press ENTER.
6. Click the Add button to make the Select User, Computer, or Group dialog box display.
7. Click the Object Types button, and then in the Object Types dialog box, select the object types you want to find.
   Note The User, Group, and Built-in security principal object types are selected by default.
8. Click the Locations button, and then in the Location dialog box, select either your domain or local computer.
9. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and then click OK to make the Auditing Entry dialog box display.
10. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.
   Note Remember that each access may generate multiple events in the event log and cause it to grow rapidly.
11. In the Auditing Entry dialog box, next to List Folder / Read Data, select Successful and Failed, and then click OK. The audit entries you have enabled display under the Auditing tab of the Advanced Security Setting dialog box.
12. Click OK to close the Properties dialog box.

To test an audit rule for the file or folder
1. Open the file or folder.
2. Close the file or folder.
3. Start the Event Viewer. Several Object Access events with Event ID 4663 will appear in the Security event log.
4. Double-click the events as needed to view their details.
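The same audit rule and the same test, as an added PowerShell example that is not part of the guide and not one of the GPOAccelerator scripts. It performs steps 6 to 11 of the dialog procedure through the .NET access-control classes, then reads back the Event ID 4663 entries the test procedure describes. It assumes an elevated prompt, PowerShell 2.0 (for Get-WinEvent), and a constructed folder path; the File System subcategory is enabled first, as the Note above requires.

```powershell
# Added example (not from the guide): create the audit rule from the procedure
# above with PowerShell instead of the Explorer dialogs, then list the 4663
# events it produces. Run from an elevated prompt; $folder is a constructed
# sample path and PowerShell 2.0 (Get-WinEvent) is assumed.

$folder = 'C:\AuditTest'    # constructed sample folder; any folder you own will do
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# 1. The File System subcategory must be enabled or no 4663 events are written,
#    whatever the SACL says (this is the Note above the procedure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit ACE for Authenticated Users: List Folder / Read Data, both
#    Successful and Failed, inherited by subfolders and files (steps 6 to 11).
#    Reading and writing only the Audit section keeps the DACL untouched.
$sections = [System.Security.AccessControl.AccessControlSections]::Audit
$sacl = [System.IO.Directory]::GetAccessControl($folder, $sections)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$sacl.AddAuditRule($rule)
[System.IO.Directory]::SetAccessControl($folder, $sacl)

# 3. Show what the Auditing tab would now display for this folder.
[System.IO.Directory]::GetAccessControl($folder, $sections).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Generate an access (the "open" in the test procedure) and list the
#    resulting Object Access events that mention this folder.
$since = Get-Date
Get-ChildItem -Path $folder | Out-Null
Start-Sleep -Seconds 2    # give the Security log a moment to flush
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Because the rule is inherited by files and subfolders, every file opened beneath the folder also produces events; keep the test folder small, as the Note in step 10 warns, and remove the rule again when the test is finished.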

Privilege Use
The Privilege Use audit category determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records. The Privilege Use events audit category contains the subcategories represented in the following table.

Table 1.4 Privilege Use Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ Sensitive Privilege Use | No Auditing | No Auditing | Success and Failure
§ Non Sensitive Privilege Use | No Auditing | No Auditing | No Auditing
§ Other Privilege Use Events (Note: No events map to this subcategory.) | No Auditing | No Auditing | No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Detailed Tracking
The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

The Detailed Tracking events audit category contains the subcategories represented in the following table.

Table 1.5 Detailed Tracking Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPO | VSG SSLF Computer GPO
§ Process Termination | No Auditing | No Auditing | No Auditing
§ DPAPI Activity | No Auditing | No Auditing | No Auditing
§ RPC Events | No Auditing | No Auditing | No Auditing
§ Process Creation | No Auditing | Success | Success

§ - Denotes Group Policy settings that are new in Windows Vista.

Policy Change
The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, by adding the Debug programs privilege or the Back up files and directories privilege. The Policy Change events audit category contains the subcategories represented in the following table.

Table 1.6 Policy Change Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ Audit Policy Change | Success | Success and Failure | Success and Failure
§ Authentication Policy Change | Success | Success | Success
§ Authorization Policy Change | No Auditing | No Auditing | No Auditing
§ MPSSVC Rule-Level Policy Change | No Auditing | No Auditing | No Auditing
§ Filtering Platform Policy Change | No Auditing | No Auditing | No Auditing
§ Other Policy Change Events | No Auditing | No Auditing | No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Account Management
The Account Management audit category helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

The Account Management events audit category contains the subcategories represented in the following table.

Table 1.7 Account Management System Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ User Account Management | Success | Success | Success and Failure
§ Computer Account Management | No Auditing | Success | Success and Failure
§ Security Group Management | Success | Success | Success and Failure
§ Distribution Group Management | No Auditing | No Auditing | No Auditing
§ Application Group Management | No Auditing | No Auditing | No Auditing
§ Other Account Management Events | No Auditing | Success | Success and Failure

§ - Denotes Group Policy settings that are new in Windows Vista.

DS Access
The DS Access audit category applies only to domain controllers. For this reason, the DS Access audit category and all related subcategories are configured to No Auditing for both environments discussed in this guide. The DS Access events audit category contains the subcategories represented in the following table.

Table 1.8 DS Access Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ Directory Service Changes | No Auditing | No Auditing | No Auditing
§ Directory Service Replication | No Auditing | No Auditing | No Auditing
§ Detailed Directory Service Replication | No Auditing | No Auditing | No Auditing
§ Directory Service Access | No Auditing | No Auditing | No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Account Logon
The Account Logon audit category generates events for credential validation. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. The Account Logon events audit category contains the subcategories represented in the following table.

Table 1.9 Account Logon Audit Policy Subcategory Recommendations

Subcategory | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
§ Credential Validation | No Auditing | Success | Success and Failure
§§ Kerberos Authentication Service | No Auditing | No Auditing | No Auditing
§§ Kerberos Service Ticket Operations | No Auditing | No Auditing | No Auditing
§ Other Account Logon Events (Note: No events map to this subcategory.) | No Auditing | No Auditing | No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.
§§ - Denotes Group Policy settings that are new in Windows Vista Service Pack 1.

Modifying Audit Policy Settings
To modify the audit policy subcategories and settings configured by the GPOs included with the GPOAccelerator tool requires you to use Auditpol.exe to modify the configuration of one computer in your environment, and then generate a file that contains the audit policy settings for your environment. The computer GPOs included with this guide can then apply the modified audit policy to the computers in your environment.

To modify your audit policy configuration
1. Log on as a domain administrator to a computer running Windows Vista that is joined to the domain using Active Directory in which you will create the GPOs.
2. On the desktop, click the Windows Vista Start button, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
3. Clear the current audit policy settings. To do this, type the following line at the command prompt, and then press ENTER:
   auditpol /clear
4. Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want. For example, type the following lines at the command prompt. Press ENTER after each line.
   auditpol /set /subcategory:"user account management" /success:enable /failure:enable
   auditpol /set /subcategory:"logon" /success:enable /failure:enable
   auditpol /set /subcategory:"IPSEC Main Mode" /failure:enable
   Note To see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER:
   auditpol /list /subcategory:*
   Type the following line at the command prompt, and then press ENTER:
   auditpol /backup /file:EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt)
5. Copy the new EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt) file to the NETLOGON share of one of the domain controllers in your environment, and overwrite the existing version. The computer GPOs included with the GPOAccelerator tool will use the new EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt) file to modify and configure the audit policy settings on your computers.
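Steps 3 and 4 of the procedure, as an added PowerShell example that is not one of the guide's own scripts. Beyond the manual steps, it reads each setting back with auditpol /get /r and refuses to write the backup file if anything did not apply, so the file copied to NETLOGON cannot silently carry a setting that the reference computer rejected. The three settings are the sample lines from step 4 and the output file name is the one step 4 uses; an elevated prompt, an English Windows installation (the CSV column names auditpol prints are localized), and the column name "Inclusion Setting" in auditpol's /r output are assumptions.

```powershell
# Added example (not one of the guide's own scripts): apply audit subcategory
# settings with Auditpol.exe from a script, verify what the system reports back,
# and only then write the backup file that the procedure above copies to NETLOGON.
# Run from an elevated prompt on the reference computer. The settings are the
# sample lines from step 4; English Windows and the "Inclusion Setting" column
# name of "auditpol /get /r" are assumed.

# Desired subcategory settings, expressed in the same words Auditpol reports.
$desired = @{
    'User Account Management' = 'Success and Failure'
    'Logon'                   = 'Success and Failure'
    'IPsec Main Mode'         = 'Failure'
}

function Set-AuditSubcategory {
    param([string]$Name, [string]$Setting)
    # Translate "Success and Failure" / "Success" / "Failure" / "No Auditing"
    # into the /success and /failure switches Auditpol expects.
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$Name" /success:$success /failure:$failure | Out-Null
}

function Get-AuditSubcategory {
    param([string]$Name)
    # /r makes Auditpol emit CSV; blank lines are dropped before parsing.
    $rows = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ -match '\S' }
    ($rows | ConvertFrom-Csv).'Inclusion Setting'
}

# Step 3 of the procedure: start from a clean policy (/y suppresses the prompt).
auditpol /clear /y | Out-Null

# Step 4: apply each setting, then read it back and report any mismatch.
$drift = 0
foreach ($name in $desired.Keys) {
    Set-AuditSubcategory -Name $name -Setting $desired[$name]
    $actual = Get-AuditSubcategory -Name $name
    if ($actual -ne $desired[$name]) {
        Write-Warning ("{0}: expected '{1}', system reports '{2}'" -f $name, $desired[$name], $actual)
        $drift++
    } else {
        Write-Host ("{0,-26} {1}" -f $name, $actual)
    }
}

# Write the policy file the GPOAccelerator computer GPOs consume (EC shown;
# use SSLF-AuditPolicy.txt for the SSLF environment).
if ($drift -eq 0) {
    auditpol /backup /file:EC-AuditPolicy.txt
} else {
    Write-Warning "$drift setting(s) did not apply; backup file not written."
}
```

To carry more of the tables in this section into the file, extend $desired with further subcategory names exactly as auditpol /list /subcategory:* prints them; the read-back check then covers every entry before the file is produced.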

Removing the Audit Policy Configuration
As previously discussed, the solution implemented by the GPOs included with the GPOAccelerator tool for configuring the audit policy subcategories creates the VSGAudit scheduled task on all computers in your environment. If you have removed the GPOs included with the GPOAccelerator tool from your environment, you might want to delete the VSGAudit scheduled task. The VSGAudit scheduled task should not affect the performance of computers running Windows Vista even if the GPOAccelerator tool has been removed from your environment.

To delete the VSGAudit scheduled task from computers across your environment
1. Depending on your environment, delete the following three files from the NETLOGON share of one of the domain controllers in your environment:
   For the EC environment:
   - EC-VSGAuditPolicy.cmd
   - EC-VSGApplyAuditPolicy.cmd
   - EC-VSGAuditPolicy.txt
   For the SSLF environment:
   - SSLF-VSGAuditPolicy.cmd
   - SSLF-VSGApplyAuditPolicy.cmd
   - SSLF-VSGAuditPolicy.txt

2. Create an empty text file, name it DeleteVSGAudit.txt, and copy it to the NETLOGON share of one of the domain controllers in your environment. The text file will automatically replicate to all domain controllers in your environment. The VSGAudit scheduled task checks for the DeleteVSGAudit.txt file every time it runs, and when it finds the file, the VSGAudit scheduled task deletes itself. Since the VSGAudit scheduled task is configured to run every hour, it should not take long before the task is deleted from all computers across your environment.

Audit Policies for Computers Running Windows XP in the EC Environment
The GPOs included with the GPOAccelerator tool include settings that configure the audit categories present in previous versions of Windows. If you use the script and the GPOs included with the GPOAccelerator tool, these settings will not apply to computers running Windows Vista. The GPOs intended for use in the EC environment have been designed to work with Windows XP–based computers. Settings for audit categories are included in these GPOs so that computers running Windows XP Professional SP3 in your environment receive the recommended audit policy settings for Windows XP–based computers.

You can configure the Audit policy settings in Windows Vista at the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

The following table summarizes the Audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide.

Table 1.10 Audit Policy Setting Recommendations

Setting | Windows Vista default | VSG EC Computer GPOs | VSG SSLF Computer GPOs
Audit account logon events | No Auditing | Success | Not Defined
Audit account management | No Auditing | Success | Not Defined
Audit directory service access | No Auditing | Not Defined | Not Defined
Audit logon events | No Auditing | Success | Not Defined
Audit object access | No Auditing | No Auditing | Not Defined
Audit policy change | No Auditing | Success | Not Defined
Audit privilege use | No Auditing | No Auditing | Not Defined
Audit process tracking | No Auditing | No Auditing | Not Defined
Audit system events | No Auditing | Success | Not Defined

Note Because GPOs for the EC environment are designed to work with computers running Windows XP Professional SP3, the recommended audit policy settings are included in these GPOs. However, because the SSLF GPOs are only designed to work with computers running Windows Vista, audit policy settings are not included in the SSLF GPOs.

User Rights Assignment Settings
In conjunction with many of the privileged groups in Windows Vista, a number of user rights can be assigned to certain users or groups that typical users do not have. To set the value of a user right to No one, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting. You can configure the user rights assignment settings in Windows Vista at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Security Options Settings
The security option settings that are applied through Group Policy on computers that run Windows Vista in your environment are used to enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. These settings are also used to configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works.

You can configure the security option settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Not all of the settings that are included in this section exist on all types of systems. Therefore, the settings that comprise the Security Options portion of Group Policy that are defined in this section may need to be manually modified on systems in which these settings are present to make them fully operable. Alternatively, the Group Policy templates can be edited individually to include the appropriate setting options so that the prescribed settings will take full effect.

MSS Settings
There are settings that include registry value entries that do not display by default through the Security Configuration Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance. The GPOAccelerator tool discussed earlier in this chapter modifies the SCE so that it properly displays the MSS settings.

User Account Control
User Account Control (UAC) reduces the exposure and attack surface of the operating system by requiring that all users run in standard user mode, even if they have logged on with administrative credentials. This limitation helps minimize the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected the computer. When a user attempts to perform an administrative task, the operating system must raise their security level to allow the task to take place. The UAC settings in GPOs configure how the operating system responds to a request to heighten security privileges.

Potential Issues with SMB Signing Policies
When SMB signing policies are enabled and a Server Message Block (SMB) version 1 client establishes a non-guest session or a non-anonymous session with a server, the client enables security signatures for the server. Later sessions then inherit the security signature sequence that is already established. To improve security, Windows Server 2008 and Windows Vista SP1 prevent server authenticated connections from being maliciously downgraded to a guest session or to an anonymous session. However, this improved security does not work as intended when the domain controller is running Windows Server 2003 and the client computers are running Windows Vista SP1 or Windows Server 2008.

Specifically, this applies if the policies in the following locations are enabled on a domain controller that is running Windows Server 2003 in a domain:
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)

The following policies are enabled on a member computer that is running Windows Vista SP1 or Windows Server 2008 in the same domain:
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

To download a hotfix to resolve this issue, and learn more about this topic, see "Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled": Microsoft Knowledge Base article 950876.

Event Log Security Settings
The event log records events on the system, and the Security log records audit events. The event log container of Group Policy is used to define attributes that are related to the Application, Security, and System event logs, such as maximum log size, access rights for each log, and retention settings and methods. You can configure the event log settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Event Log

Windows Firewall with Advanced Security Settings
The firewall included with Windows Vista allows for more precise control of its configuration. You can configure the Windows Firewall with Advanced Security settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings \Windows Firewall with Advanced Security To control these settings, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Windows Firewall Properties link. In the Windows Firewall with Advanced Security dialog box, you can specify settings for the Domain, Private, and Public profiles. For each profile, you can specify general settings in the State section and then, in the Settings section, you can click the Customize button to specify customized settings. This section includes an overview of each of the profiles that you can configure in the Windows Firewall with Advanced Security dialog box.

Domain Profile
This profile applies when a computer is connected to a network and authenticates to a domain controller in the domain to which the computer belongs. The recommended Windows Firewall with Advanced Security configuration for the EC environment includes firewall rules that allow for Remote Desktop, and Remote Assistance communications to occur. Furthermore, local administrators of computers in the EC environment can configure local firewall rules to permit additional communications to a computer. In the SSLF environment, all inbound communications are blocked by default and local firewall rules are ignored by computers. Additions or modifications to firewall rules must be configured using the Group Policy Object Editor.
Important The prescribed firewall settings for the SSLF environment greatly limit inbound connections to your computers. You should extensively test this firewall configuration in your environment to ensure all applications work as expected.

To see which rules are defined for the Domain Profile, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Inbound Rules link.


Private Profile
This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. The recommended Windows Firewall with Advanced Security configuration for the EC environment includes firewall rules that allow for Remote Desktop communications to occur. Furthermore, local administrators of computers in the EC environment can configure local firewall rules to permit additional communications to a computer. In the SSLF environment, all inbound communications are blocked by default and local firewall rules are ignored by computers. Additions or modifications to firewall rules must be configured using the Group Policy Object Editor. To see which rules are defined for the Private Profile, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Inbound Rules link.

Public Profile
This profile is the default network location type when the computer is not connected to a domain. Public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as within an IT environment. In both the EC and SSLF environments, all inbound communications are blocked by default and no firewall rules exist that allow for additional communications to a computer. Furthermore, local firewall rules are ignored by computers in both environments described in this guide. Additions or modifications to firewall rules that apply to the Public Profile must be configured using the Group Policy Object Editor.
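A quick check of the three profiles described above, as an added PowerShell example that is not part of the guide. It reads the effective profile state with netsh and flags any profile that is off or whose default inbound action is not block, which is what both environments expect for the Public profile and what the SSLF environment expects for all three. It assumes an elevated prompt and the English "Label Value" layout of netsh advfirewall show allprofiles on Windows Vista; the labels are localized on other language versions.

```powershell
# Added example (not from the guide): read the effective state of the Domain,
# Private, and Public profiles with netsh and flag any profile that is off or
# does not block inbound connections by default. Run from an elevated prompt.
# Parsing assumes the English "Label   Value" layout of "netsh advfirewall show
# allprofiles" on Windows Vista; labels differ on localized installations.

function Get-FirewallProfileState {
    $profiles = @{}
    $current  = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $Matches[1]
            $profiles[$current] = @{}
        }
        elseif ($current -and $line -match '^(State|Firewall Policy|LocalFirewallRules)\s+(.+?)\s*$') {
            $profiles[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $profiles
}

$state = Get-FirewallProfileState
foreach ($name in 'Domain', 'Private', 'Public') {
    $p = $state[$name]
    if (-not $p) { Write-Warning "$name profile not found in netsh output"; continue }

    # Expected for every profile in this guide: firewall on, inbound blocked by
    # default (rules then open only what the GPO permits).
    $ok = ($p['State'] -eq 'ON') -and ($p['Firewall Policy'] -like 'BlockInbound*')
    $verdict = if ($ok) { 'OK' } else { 'CHECK' }

    # LocalFirewallRules shows whether locally defined rules are honoured; the
    # SSLF profiles in this guide expect them to be ignored (GPO rules only).
    $local = $p['LocalFirewallRules']
    '{0,-8} {1,-6} State={2} Policy={3} LocalFirewallRules={4}' -f $name, $verdict, $p['State'], $p['Firewall Policy'], $local
}
```

Run it on a computer after the GPOs have applied (gpupdate /force first); a CHECK line for the Domain or Private profile in the EC environment means a local administrator or another GPO has changed the default action and the inbound rules should be reviewed as the sections above describe.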

Computer Configuration\Administrative Templates
The following setting groups for the computer policy contain settings that this guide prescribes. The settings appear in the Computer Configuration\Administrative Templates subnode of the Group Policy Object Editor.
- Network Connections
- System
  - Logon
  - Group Policy
  - Remote Assistance
  - Remote Procedure Call
  - Internet Communication Management\Internet Communication Settings
- Windows Components
  - Autoplay Policies
  - Credential User Interface
  - Internet Explorer
  - NetMeeting
  - Terminal Services
  - Windows Messenger
  - Windows Update

Network Connections
There are no specific security-related configurations in the Network container of Group Policy. However, there are a number of very important settings in the Network Connections\Windows Firewall container. Microsoft recommends configuring the Windows Firewall using the Windows Firewall with Advanced Security settings available in the Group Policy Object Editor. However, the recommended settings for Windows Firewall with Advanced Security will change the state of several settings in this area of Group Policy. Furthermore, several of the recommended settings help maintain compatibility with computers running Windows XP in the EC environment described in this guide. In Windows XP, Windows Firewall settings are configured in two profiles: Domain Profile and Standard Profile. Whenever a domain environment is detected, the Domain Profile is used, and whenever a domain environment is not available, the Standard Profile is used.

When a Windows Firewall setting is Recommended in the Windows Vista Security Baseline Settings workbook that accompanies this guide, the specific value to use will vary for different organizations. Because each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall, it is not feasible for this guide to define a list that will be broadly useful. When you need to determine which applications or ports might need exceptions, it may be helpful to enable Windows Firewall logging, Windows Firewall auditing, and network tracing. For more information, see the "Configuring a Computer for Windows Firewall Troubleshooting" article.

Typically, the Domain Profile is configured to be less restrictive than the Standard Profile because a domain environment often provides additional layers of protection. The policy setting names are identical in both profiles.

Network Connections\Windows Firewall\Domain Profile
The settings in this section configure the Windows Firewall Domain Profile. You can configure these settings in the following location within the Group Policy Object Editor:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

Network Connections\Windows Firewall\Standard Profile
The settings in this section configure the Windows Firewall Standard Profile. This profile is often more restrictive than the Domain Profile, which assumes a domain environment provides some basic level of security. The Standard Profile is expected to be used when a computer is on an untrusted network, such as a hotel network or a public wireless access point. Such environments pose unknown threats and require additional security precautions.
Note The Standard Profile only applies to computers running Windows XP. The following recommendations apply only to the EC environment described in this guide to maintain compatibility with Windows XP.
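The Domain, Private and Public profile behaviour described above (inbound blocked by default, local rules honoured or ignored depending on profile and environment) is written by Group Policy to per-profile registry keys under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall. The following PowerShell script is an added example, not code from the guide or from Microsoft, that reads those documented policy values on a client and reports where they differ from what the guide describes. The registry value names (EnableFirewall, DefaultInboundAction, AllowLocalPolicyMerge) are the firewall's policy values; the per-profile expectations and the EC/SSLF switch are this example's own reading of the text (local rules ignored for the Public profile in both environments, and for the Private profile as well in SSLF), so adjust them to your baseline.

```powershell
# Added example: audit Windows Firewall with Advanced Security profile policy as
# written to the registry by Group Policy. Not part of the Windows Vista Security
# Guide. Absent values mean "not configured by policy" (the local setting applies).

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Expected policy values per profile, as this example reads the guide:
#   EnableFirewall 1 = on, DefaultInboundAction 1 = block, AllowLocalPolicyMerge 0 = ignore local rules
$expected = @{
    'DomainProfile'  = @{ EnableFirewall = 1 }
    'PrivateProfile' = @{ EnableFirewall = 1; DefaultInboundAction = 1 }
    'PublicProfile'  = @{ EnableFirewall = 1; DefaultInboundAction = 1; AllowLocalPolicyMerge = 0 }
}

function Get-FirewallPolicyValue {
    param([string]$Profile, [string]$Name)
    $key = Join-Path $policyRoot $Profile
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }      # value absent: no policy for this setting
    return $item.$Name
}

function Test-FirewallProfilePolicy {
    param([string]$Environment = 'EC')        # 'EC' or 'SSLF', the guide's two environments
    $findings = @()
    foreach ($profile in $expected.Keys) {
        $wanted = $expected[$profile].Clone()
        # SSLF: the guide says local rules are ignored for the Private profile too
        if ($Environment -eq 'SSLF' -and $profile -eq 'PrivateProfile') {
            $wanted['AllowLocalPolicyMerge'] = 0
        }
        foreach ($name in $wanted.Keys) {
            $actual = Get-FirewallPolicyValue -Profile $profile -Name $name
            if ($actual -ne $wanted[$name]) {
                $shown = if ($actual -eq $null) { 'not configured' } else { $actual }
                $findings += ('{0}\{1}: expected {2}, found {3}' -f $profile, $name, $wanted[$name], $shown)
            }
        }
    }
    return $findings                           # empty when every checked value matches
}

# Usage: run in an elevated PowerShell prompt on the client after a gpupdate
Test-FirewallProfilePolicy -Environment 'SSLF' | ForEach-Object { Write-Output "MISMATCH: $_" }
```

Because the script reads the policy registry keys rather than the live firewall state, it tells you whether the GPO reached the computer; `netsh advfirewall show allprofiles` shows the resulting effective state if the two disagree.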

Windows Update
Administrators use Windows Update settings to manage how updates and hotfixes are applied on Windows Vista–based workstations. Updates are available from Windows Update. Alternatively, you can set up an intranet Web site to distribute updates and hotfixes in a similar manner with additional administrative control. Windows Server Update Services (WSUS) is an infrastructure service that builds on the success of the Microsoft Windows Update and Software Update Services (SUS) technologies. WSUS manages and distributes critical Windows updates that resolve known security vulnerabilities and other stability issues with Windows operating systems.

WSUS eliminates manual update steps with a dynamic notification system for critical updates that are available to Windows–based client computers through your intranet server. No Internet access is required from client computers to use this service. This technology also provides a simple and automatic way to distribute updates to your Windows–based workstations and servers. Windows Server Update Services also offers the following features:
• Administrator control over content synchronization within your intranet. This synchronization service is a server-side component that retrieves the latest critical updates from Windows Update. As new updates are added to Windows Update, the server running WSUS automatically downloads and stores them, based on an administrator-defined schedule.
• An intranet-hosted Windows Update server. This easy-to-use server acts as the virtual Windows Update server for client computers. It contains a synchronization service and administrative tools for managing updates. It services requests for approved updates from client computers that are connected to it through the HTTP protocol. This server can also host critical updates that are downloaded from the synchronization service and refer client computers to those updates.
• Administrator control over updates. The administrator can test and approve updates from the public Windows Update site before deployment on their organization’s intranet. Deployment takes place on a schedule that the administrator creates. If multiple servers are running WSUS, the administrator controls which computers access particular servers that run the service. Administrators can enable this level of control with Group Policy in an Active Directory environment or through registry keys.
• Automatic updates on computers (workstations or servers). Automatic Updates is a Windows feature that can be set up to automatically check for updates that are published on Windows Update. WSUS uses this Windows feature to publish administrator-approved updates on an intranet.
Note If you choose to distribute updates through another method, such as Microsoft Systems Management Server, this guide recommends that you disable the Configure Automatic Updates setting.

There are several Windows Update settings. A minimum of three settings is required to make Windows Update work: Configure Automatic Updates, No auto-restart for scheduled Automatic Updates installations, and Reschedule Automatic Updates scheduled installations. A fourth setting is optional and depends on the requirements of your organization: Specify intranet Microsoft update service location. You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:
Computer Configuration\Administrative Templates\Windows Components\Windows Update
Configuration of Windows Update is essential to the security of your environment because it helps ensure that the client computers in your environment receive security updates from Microsoft soon after they are available.
Note Windows Update depends on several services, including the Remote Registry service and the Background Intelligent Transfer Service (BITS).
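The three required settings and the optional intranet location named above are stored by Group Policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The PowerShell script below is an added example, not code from the guide or from Microsoft, that reads those documented policy values on a client and reports whether the minimum set is in place and, when an intranet server is used, whether both the update and the status-reporting URLs are set. The registry value names are the Windows Update policy values; the pass/fail rules are this example's interpretation of the guide's minimum set.

```powershell
# Added example: verify the Windows Update policy a client received.
# Not part of the Windows Vista Security Guide. Absent values mean the
# corresponding policy is "Not configured".

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-WuPolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-WindowsUpdatePolicy {
    $result = @{}

    # "Configure Automatic Updates": NoAutoUpdate 0 = enabled; AUOptions 2..5 selects the mode
    $noAutoUpdate = Get-WuPolicyValue $auKey 'NoAutoUpdate'
    $auOptions    = Get-WuPolicyValue $auKey 'AUOptions'
    $result['ConfigureAutomaticUpdates'] =
        ($noAutoUpdate -eq 0 -and $auOptions -ne $null -and $auOptions -ge 2 -and $auOptions -le 5)

    # "No auto-restart for scheduled Automatic Updates installations": 1 = enabled
    $result['NoAutoRestart'] = ((Get-WuPolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers') -eq 1)

    # "Reschedule Automatic Updates scheduled installations": enabled flag plus wait time in minutes (1-60)
    $rescheduleOn = Get-WuPolicyValue $auKey 'RescheduleWaitTimeEnabled'
    $wait         = Get-WuPolicyValue $auKey 'RescheduleWaitTime'
    $result['RescheduleInstallations'] = ($rescheduleOn -eq 1 -and $wait -ne $null -and $wait -ge 1 -and $wait -le 60)

    # "Specify intranet Microsoft update service location" (optional):
    # UseWUServer 1 plus WUServer (update source) and WUStatusServer (reporting target) URLs
    $useWu  = Get-WuPolicyValue $auKey 'UseWUServer'
    $server = Get-WuPolicyValue $wuKey 'WUServer'
    $status = Get-WuPolicyValue $wuKey 'WUStatusServer'
    if ($useWu -eq 1) {
        $result['IntranetServer']    = ($server -match '^https?://' -and $status -match '^https?://')
        $result['IntranetServerUrl'] = $server
    } else {
        $result['IntranetServer']    = $false    # clients contact Windows Update directly
        $result['IntranetServerUrl'] = $null
    }

    $result['RequiredSettingsComplete'] =
        ($result['ConfigureAutomaticUpdates'] -and $result['NoAutoRestart'] -and $result['RescheduleInstallations'])
    return $result
}

# Usage: run on a domain-joined client after gpupdate; inspect the hashtable
$r = Test-WindowsUpdatePolicy
if ($r['RequiredSettingsComplete']) {
    Write-Output 'Windows Update: all three required settings are configured'
} else {
    Write-Output 'Windows Update: one or more required settings are missing'
}
$r.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

If you distribute updates through another product and have disabled Configure Automatic Updates as the note above recommends, NoAutoUpdate will be 1 and the script reports the required set as incomplete, which is the intended state in that case.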


More Information
The following resources provide additional information about Windows Vista SP1 security-related topics on Microsoft.com:
• Administering Group Policy with the GPMC.
• "Configuring a Computer for Windows Firewall Troubleshooting" on Microsoft TechNet.
• Enterprise Management with the Group Policy Management Console.
• "How To Prevent Users from Changing a Password Except When Required in Windows Server 2003": Knowledge Base article 324744.
• "HOW TO: Prevent Users from Changing a Password Except When Required in Windows 2000": Knowledge Base article 309799.
• "How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain": Knowledge Base article 921469.
• IIS and Built-in Accounts (IIS 6.0) on TechNet.
• Microsoft Update on Microsoft.com.
• Migrating GPOs Across Domains with GPMC.
• Security Advancements in Windows Vista, a white paper also available online as a video.
• Security guidance configuration support, Microsoft Knowledge Base article 885409, which includes detailed information about the potential impact some settings may have on previous Windows versions.
• Step-by-Step Guide to Understanding the Group Policy Feature Set.
• Step-by-Step Guide to Using the Delegation of Control Wizard.
• Summary of New or Expanded Group Policy Settings.
• "The Package Installer (Formerly Called Update.exe) for Microsoft Windows Operating Systems and Windows Components" on TechNet.
• Threats and Countermeasures, Chapter 5, "Security Options."
• Windows Firewall on TechNet.
• Windows Server Update Services Product Overview on Microsoft.com.
• Windows Vista Help and Support.


Chapter 2: Defend Against Malware
Malicious software, or malware, is any program or file that is harmful to a computer user. Examples of malware include computer viruses, worms, Trojan horse programs, and spyware that gathers information about a computer user without permission. Windows Vista® Service Pack 1 (SP1) includes several new technologies that you can use to help enhance protection against malware for computers running Windows Vista SP1 in your environment. You can use these features and services in addition to the settings included in the Group Policy objects (GPOs) described in the previous chapter, some of which also help provide protection against malware.

In Windows Vista SP1, Microsoft® Internet Explorer® 7 also includes several enhancements that help protect against malware. Technologies that help prevent the installation of unwanted software, and technologies that help guard against unauthorized transmission of personal data, greatly increase browser security and privacy protection.

This chapter provides overviews of these technologies, and recommendations on how to configure them when applicable. You can implement these recommendations in the appropriate GPOs described in Chapter 1, "Implementing the Security Baseline." However, it is important to note that many of the settings for these technologies require information specific to your environment. For this reason, most of the recommended values for these additional settings are not included in the GPOs described in the previous chapter. All of these technologies are by default configured to provide enhanced protection for computers running Windows Vista SP1 in the Enterprise Client (EC) environment. However, there are some new Group Policy settings that you can use to help customize the behavior and functionality of these technologies to provide even better protection against malware for your environment.

This chapter covers the following new and enhanced security technologies in Windows Vista SP1 and Internet Explorer 7:
• Windows Vista SP1 defense technologies
• Internet Explorer 7 defense technologies

Note For each of these areas in the chapter, specific Group Policy settings are highlighted to document the default configuration for a new installation of Windows Vista SP1. Specific setting modifications or recommendations are denoted with the ‡ symbol. For more details on these setting values, see the Windows Vista Security Baseline Settings workbook.


Windows Vista Defense Technologies
Windows Vista SP1 includes several new and enhanced technologies that provide enhanced defense against malware. These technologies include:
• User Account Control (UAC)
• Windows Defender
• Windows Firewall
• Windows Security Center
• Malicious Software Removal Tool
• Software Restriction Policies

In addition to these protection technologies, it is important to understand that logging on with a standard user account is still a highly recommended security practice. Even with all these protection technologies in place, if you do not control who can gain administrative-level access to your computers, you are exposing them to risk.

User Account Control
Windows Vista SP1 includes User Account Control (UAC) to provide a method of separating standard user privileges and tasks from those that require administrator access. UAC increases security by improving the user experience while running as a standard user account. Users can now perform more tasks and enjoy higher application compatibility without the need to be logged on with administrative-level privileges. This helps reduce the effect of malware, the installation of unauthorized software, and unapproved system changes.
Note In previous versions of the Microsoft Windows® operating system, the Power Users group was designed to enable members of this group to perform system tasks, such as installing applications without full administrator permissions. UAC does not use the Power Users group, and the permissions granted to it in Windows Vista SP1 have been removed. However, the Power Users group is still available for backward compatibility with other versions of the operating system. To use the Power Users group in Windows Vista SP1, you must apply a new Security Template to change the default permissions on system folders and the registry to grant members of the Power Users group permissions equivalent to those for this group in Windows XP.

In Windows Vista SP1, standard users can now perform many tasks that previously required administrator access but did not adversely affect security. Examples of tasks that standard users can now perform include modifying time zone settings, connecting to a secure wireless network, and installing approved devices and Microsoft ActiveX® controls.

Furthermore, the Administrator Approval Mode feature in the UAC technology also helps protect computers running Windows Vista SP1 from some types of malware. By default, administrators can run most programs and tasks with standard user privileges. When users need to perform administrative tasks, such as installing new software or modifying certain system settings, they are first prompted for consent before they can complete such tasks. However, this mode does not provide the same level of protection as a standard user account, and it does not guarantee that malicious software already on the client computer cannot tamper with the elevated software. It also does not guarantee that the elevated software itself will not attempt malicious actions after it is elevated.

To take advantage of this technology, you can configure new Group Policy settings in Windows Vista SP1 to control how UAC behaves. The Group Policy settings described in the previous chapter are configured to enforce prescribed behavior for UAC. However, Microsoft recommends reviewing the prescriptions for these settings, which are described in the Microsoft Excel® workbook Windows Vista Security Baseline Settings, to ensure that they are optimally configured to meet the needs of your environment.

Risk Assessment
Users who have administrative privileges log on with their administrative capabilities enabled. This could allow administrative tasks to occur accidentally or maliciously without the knowledge of the individual. For example:
• A user unknowingly downloads and installs malware from a malicious or infected Web site.
• A user is tricked into opening an e-mail attachment that contains malware, which runs and possibly installs itself on the computer.
• A removable drive is inserted into the computer and AutoPlay then attempts to run the malicious software automatically.
• A user installs unsupported applications that can affect the computer's performance or reliability.

Risk Mitigation
The recommended mitigation approach is to ensure that all users log on using a standard user account for everyday tasks. Users should only elevate to an administrator level account for tasks that require that level of access. Also ensure that UAC is enabled to prompt the user when an attempt is made to perform a task that requires administrative privileges.

Mitigation Considerations
UAC can help mitigate the risks described in the previous "Risk Assessment" section. However, it is important to consider the following:
• If you have in-house application developers, Microsoft recommends requesting that they download and review the "Windows Vista Application Development Requirements for User Account Control Compatibility" article. This document describes how to design and develop UAC–compliant applications for Windows Vista SP1.
• UAC can introduce problems in applications that are not compliant with UAC. For this reason it is important to test applications with UAC before you deploy them. For more information about application compatibility testing, see the Desktop Deployment Web site on Microsoft TechNet.
• The administrative credential and privilege escalation requests of UAC increase the number of steps required to complete many common administrative tasks. You should evaluate the effect of the increased steps on your administrative staff. If the additional UAC prompts significantly affect these users, you can configure the UAC policy setting "Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting." However, changing this policy may increase the security risk in your environment, and the Windows Security Center will report it.
• A user who has administrative privileges can disable Administrator Approval Mode, disable UAC from prompting for credentials to install applications, and change the elevation prompt behavior. For this reason, it is important to control the number of users who have access to administrative privileges on the computers in your organization.
• Microsoft recommends assigning two accounts for administrative staff. For everyday tasks, staff should use a standard-level account. When specific administrative tasks are required, staff should log on with the administrative-level account, perform the tasks, and then log off to return to the standard user account.
• The Group Policy settings for this guide disable a standard user’s ability to elevate privileges. This is the recommended approach because it enforces that administrative tasks can only be performed by accounts that have specifically been set up at the administrative level.
• If an application is incorrectly identified as an administrative or user application (for example, with an "administrator" or "standard" token), Windows Vista SP1 might start the application under the wrong security context.

Mitigation Process
Start the mitigation process by investigating the full capabilities of UAC. For more information, see Understanding and Configuring User Account Control in Windows Vista and Getting Started with User Account Control on Windows Vista.

To use this mitigation process
1. Identify the number of users who are able to carry out administrative tasks.
2. Identify how often administrative tasks are required.
3. Determine if administrators should be able to perform administrative tasks by simply agreeing to the UAC prompt, or if they should be required to enter specific credentials to perform administrative tasks.
4. Determine if standard users should have the ability to elevate privileges to perform administrative tasks. The policy settings applied as part of this guide specifically block the ability for standard users to elevate their privileges.
5. Identify how application installations should be handled.
6. Configure the UAC Group Policy settings to suit your requirements.

Using Group Policy to Mitigate Risk for UAC
You can configure the UAC settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The following table provides security setting information specific to this technology in Windows Vista SP1.


Table 2.1 UAC Control Settings

Policy object: Admin Approval Mode for the Built-in Administrator account
Description: This security setting determines the behavior of Administrator Approval Mode for the Built-in Administrator account.
Windows Vista default: Disabled ‡

Policy object: Behavior of the elevation prompt for administrators in Admin Approval Mode
Description: This security setting determines the behavior of the elevate privileges prompt for administrators.
Windows Vista default: Prompt for consent ‡

Policy object: Behavior of the elevation prompt for standard users
Description: This security setting determines the behavior of the elevation prompt for standard users.
Windows Vista default: Prompt for credentials ‡

Policy object: Detect application installations and prompt for elevation
Description: This security setting determines the behavior of application installation detection for the entire system. Changes to this setting require you to restart the computer before they take effect.
Windows Vista default: Enabled

Policy object: Only elevate executables that are signed and validated
Description: This security setting enforces PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the administrator application allowed list using certificates in the local computer's Trusted Publisher Store.
Windows Vista default: Disabled

Policy object: Only elevate UIAccess applications that are installed in secure locations
Description: This security setting enforces the requirement that applications that request execution with a UIAccess integrity level must reside in a secure location on the file system.
Windows Vista default: Enabled

Policy object: Run all administrators in Admin Approval Mode
Description: This security setting determines the behavior of all UAC policies for the entire system.
Windows Vista default: Enabled

Policy object: Switch to the secure desktop when prompting for elevation
Description: This security setting determines whether the elevation request will display a prompt on the interactive user's desktop or the Secure Desktop.
Windows Vista default: Enabled

Policy object: Virtualize file and registry write failures to per-user locations
Description: This security setting enables the redirection of legacy application write failures to defined locations in both the registry and file system.
Windows Vista default: Enabled

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.


You can configure the UAC Credentials user interface (UI) in the following location in the Group Policy Object Editor:
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
The following table provides security setting information specific to this technology in Windows Vista SP1.

Table 2.2 Credential User Interface Settings

Policy object: Enumerate administrator accounts on elevation
Description: By default, not all administrator accounts display when attempting to elevate a running application. If you enable this policy setting, all local administrator accounts on the computer display so the user can choose one and enter the correct password. If you disable this policy setting, users are always required to type in a user name and password to elevate their privileges.
Windows Vista default: Not configured ‡

Policy object: Require trusted path for credential entry
Description: If you enable this setting, Windows Vista SP1 requires the user to enter credentials using a trusted path to help prevent a Trojan horse program or other types of malicious code from stealing the user’s Windows credentials. This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled.
Windows Vista default: Not configured ‡

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

You can configure the ActiveX Installer Service in the following location in the Group Policy Object Editor:
Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service
The following table provides security setting information specific to the ActiveX Installer Service in Windows Vista SP1.

Table 2.3 ActiveX Installer Service

Policy object: Approved Installation Sites for ActiveX Controls
Description: This setting enables an administrator to allow a standard user account to install ActiveX controls from a list of approved ActiveX installation sites.
Windows Vista default: Not configured

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor.
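Tables 2.1 and 2.2 above list the UAC and Credential User Interface policies together with their Windows Vista defaults, and the "Mitigation Considerations" section warns that an administrator can silently weaken them (elevate without prompting, or turn Admin Approval Mode off). The PowerShell script below is an added example, not code from the guide or from Microsoft, that reads the effective values of those policies from the registry locations the Security Options and Credential User Interface policies write to, decodes them with the Windows Vista value encoding (Windows 7 added further values), compares them with the table defaults, and flags those two weakenings. The policy-name-to-registry-value mapping is the standard one but is this example's own list; the "Require trusted path for credential entry" policy is left out.

```powershell
# Added example: report the UAC policies of Tables 2.1 and 2.2 as currently set on
# this computer. Not part of the Windows Vista Security Guide. Run elevated.

$systemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$credUiKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'

# Policy name from the tables, the registry value that stores it, and the
# Windows Vista default listed in the tables (numeric form; $null = Not configured).
$uacSettings = @(
    @{ Policy = 'Admin Approval Mode for the Built-in Administrator account';            Key = $systemKey; Name = 'FilterAdministratorToken';    Default = 0 },
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'; Key = $systemKey; Name = 'ConsentPromptBehaviorAdmin'; Default = 2 },
    @{ Policy = 'Behavior of the elevation prompt for standard users';                   Key = $systemKey; Name = 'ConsentPromptBehaviorUser';  Default = 1 },
    @{ Policy = 'Detect application installations and prompt for elevation';             Key = $systemKey; Name = 'EnableInstallerDetection';   Default = 1 },
    @{ Policy = 'Only elevate executables that are signed and validated';                Key = $systemKey; Name = 'ValidateAdminCodeSignatures'; Default = 0 },
    @{ Policy = 'Only elevate UIAccess applications that are installed in secure locations'; Key = $systemKey; Name = 'EnableSecureUIAPaths';   Default = 1 },
    @{ Policy = 'Run all administrators in Admin Approval Mode';                         Key = $systemKey; Name = 'EnableLUA';                  Default = 1 },
    @{ Policy = 'Switch to the secure desktop when prompting for elevation';             Key = $systemKey; Name = 'PromptOnSecureDesktop';      Default = 1 },
    @{ Policy = 'Virtualize file and registry write failures to per-user locations';     Key = $systemKey; Name = 'EnableVirtualization';       Default = 1 },
    @{ Policy = 'Enumerate administrator accounts on elevation';                         Key = $credUiKey; Name = 'EnumerateAdministrators';    Default = $null }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }      # value absent: "Not configured"
    return [int]$item.$Name
}

# Translate a raw value into the wording the tables use (Windows Vista encoding)
function ConvertTo-UacMeaning {
    param([string]$Name, $Value)
    if ($Value -eq $null) { return 'Not configured' }
    switch ($Name) {
        'ConsentPromptBehaviorAdmin' {
            switch ($Value) { 0 { 'Elevate without prompting' } 1 { 'Prompt for credentials' } 2 { 'Prompt for consent' } default { "Unknown ($Value)" } }
        }
        'ConsentPromptBehaviorUser' {
            switch ($Value) { 0 { 'Automatically deny elevation requests' } 1 { 'Prompt for credentials' } default { "Unknown ($Value)" } }
        }
        default {
            if ($Value -eq 1) { 'Enabled' } elseif ($Value -eq 0) { 'Disabled' } else { "Unknown ($Value)" }
        }
    }
}

function Get-UacReport {
    $report = @()
    foreach ($s in $uacSettings) {
        $value   = Get-PolicyValue -Key $s.Key -Name $s.Name
        $warning = ''
        # The two weakenings the guide's Mitigation Considerations call out
        if ($s.Name -eq 'ConsentPromptBehaviorAdmin' -and $value -eq 0) { $warning = 'Administrators elevate silently' }
        if ($s.Name -eq 'EnableLUA' -and $value -eq 0) { $warning = 'Admin Approval Mode is off for all accounts' }
        $report += New-Object PSObject -Property @{
            Policy    = $s.Policy
            Value     = $value
            Meaning   = (ConvertTo-UacMeaning -Name $s.Name -Value $value)
            IsDefault = ($value -eq $s.Default)
            Warning   = $warning
        }
    }
    return $report
}

# Usage: rows where IsDefault is False are the ones a GPO (or a local admin) changed;
# the guide marks the settings it prescribes differently from the default with ‡.
Get-UacReport | Format-Table Policy, Meaning, IsDefault, Warning -AutoSize
```

Reading these values through the policy keys shows what UAC is actually enforcing on the computer, which is also how a help-desk check can confirm that a standard user's elevation prompt is "Automatically deny elevation requests", the behaviour the guide's GPOs prescribe.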


Windows Defender
Windows Defender is a program included in Windows Vista SP1 that is also available as a download for Windows XP Professional SP3. It helps protect computers against popups, slow performance, and security threats caused by spyware and other unwanted software. Windows Defender monitors, in real time, important checkpoints of the Windows Vista SP1 operating system that this unwanted software targets, such as the Startup folder and the autorun entries in the registry. Windows Defender also helps detect and remove unwanted applications, such as adware, keyloggers, and spyware. When a program tries to modify a protected area in Windows Vista SP1, Windows Defender prompts the user to either allow or reject the change in an effort to guard against spyware installation. This monitoring enhances the reliability of computers running Windows Vista SP1, and helps provide additional user privacy protection.

Windows Defender is enabled by default in Windows Vista SP1, and although the technology provides you with enhanced protection against spyware, you can also use it with other third-party protection products. To offer the best protection against malicious software, Microsoft strongly recommends that customers also deploy a full antivirus solution in conjunction with Windows Defender.

You can configure new Group Policy settings in Windows Vista SP1 to control how Windows Defender behaves. The Group Policy settings described in the previous chapter do not contain any settings that modify the default behavior of Windows Defender because the values for these settings are likely to be specific to the requirements of your environment.

Microsoft SpyNet Community
Microsoft SpyNet® is an online community dedicated to helping a computer user choose how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections. When Windows Defender detects software or changes by software not yet classified for risks, you can see how other members are responding to the alert. In turn, actions you take help other community members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. For example, the technology can include the location of detected items on your computer if harmful software has been removed. In these cases, Windows Defender will automatically collect and send the information to the community.

Risk Assessment
Spyware presents a number of serious risks to an organization that need to be mitigated to ensure that data and computers are not compromised. The most common identifiable risks that spyware creates for organizations include:
• Sensitive business data that could be exposed to unauthorized users.
• Employee personal information that could be exposed to unauthorized users.
• Computer compromise by an unauthorized attacker.
• Lost productivity because of spyware that affects computer performance and stability.
• Support cost increases because of spyware infections.
• A potential blackmail risk to your organization if an infection exposes sensitive data.

Risk Mitigation
Windows Defender is designed to mitigate risks related to spyware. Regular updates for the technology are provided automatically via Windows Update, or you can instead use Microsoft Windows Server Update Services (WSUS). In addition to the spyware protection that Windows Defender offers, Microsoft also strongly recommends installing an antivirus package that is capable of extending your spyware protection to detect viruses, Trojan horse programs, and worms. For example, products such as Microsoft Forefront™ Client Security provide unified malware defense for business desktops, laptops, and server operating systems.

Mitigation Considerations
Windows Defender is enabled by default in Windows Vista SP1. The technology is designed to be as unobtrusive as possible to users under normal operational conditions. However, organizations should consider the following recommendations as part of deploying Windows Vista SP1:
• Test the interoperability of any third-party real-time spyware or antivirus scanners that you may want to use in your organization.
• Design a system to manage signature definition update deployments if your organization manages a large number of computers.
• Train users in some of the common tricks that spyware programs employ to socially engineer a user into running a malicious program.
• Adjust the scheduled scan time to suit the needs of your business. The default is 2:00 A.M. daily. If the computer is not able to perform the scan at this time, the user is later notified and asked to run a scan. If the scan does not occur within the next two days, it will occur approximately 10 minutes after the computer is next started. This scan is run as a low-priority process so it will have as small an effect on the client as possible. Thanks to the performance improvements in input/output (I/O) handling in Windows Vista SP1, this low-priority scan has a much lower effect on the user than it did in Windows XP.
• Windows Defender is not designed as an enterprise-class antispyware application. It does not provide a business-class centralized reporting, monitoring, or control mechanism. If additional reporting or control is required, you will need to investigate additional products such as Microsoft Forefront Client Security.
• Determine a policy for your organization to report possible spyware to the Microsoft SpyNet online community.

Mitigation Process
Because Windows Defender is a default part of the operating system, no additional steps are required to activate Windows Defender. However, there are a few additional steps that Microsoft recommends considering to ensure that your organization stays protected.

To use this mitigation process
1. Investigate antispyware capabilities of Windows Vista SP1 and Windows Defender.
2. Investigate the Group Policy settings for Windows Defender.
3. Evaluate additional antivirus protection for your organization.
4. Plan the optimal update process for the computers in the organization. It is possible that mobile computers will need a different update configuration than desktop computers.
5. Provide user training to enable them to identify suspicious computer activity.
6. Provide training to support staff to use Windows Defender tools to help in resolving support calls.

Using Group Policy to Mitigate Risk for Windows Defender
You can review and configure the available Windows Defender settings in the following location in the Group Policy Object Editor:
Computer Configuration\Administrative Templates\Windows Components\Windows Defender

Table 2.4 Windows Defender Control Settings

Policy object: Turn on definition updates through both WSUS and Windows Update
Description: This setting allows you to configure Windows Defender to check and install definition updates from Windows Update when a locally managed WSUS server is not available.
Windows Vista default: Not configured

Policy object: Check for New Signatures Before Scheduled Scans
Description: If you enable this setting, the scheduled scan checks for new signatures before it scans the computer. If this setting is set to Disabled or Not configured, the scheduled scan starts without downloading new signatures.
Windows Vista default: Not configured

Policy object: Turn off Windows Defender
Description: (not preserved in the extracted text)

Policy object: Turn off Real-Time Protection
Description: Keeping this setting at its default value enables Windows Defender Real-Time Protection.
Windows Vista default: Not configured

Policy object: Prompts for Unknown Detection
Description: This setting determines if Windows Defender will prompt users to allow or block unknown activity.
Windows Vista default: Not configured

Policy object: Enable Logging Known Good Detection
Description: This setting enables logging detection data during Real-time Protection when Windows Defender detects known good files. Logging detections provides you with detailed information about the programs that run on the computers you monitor.
Windows Vista default: Not configured

Policy object: Enable Logging Unknown Detection
Description: This setting enables logging detections during Real-time Protection when Windows Defender detects unknown files. Logging detections provides you with detailed information about the programs that run on the computers you monitor.
Windows Vista default: Not configured

Policy object: Download Entire Signature Set
Description: This setting enables a download of the full signature set, rather than only the signatures that have been updated since the last signature download. Downloading the full signature set can help troubleshoot problems with signature installations, but because the file is large, it can take longer to download.
Windows Vista default: Not configured

Policy object: Configure Microsoft SpyNet Reporting
Description: This setting adjusts membership in the Microsoft SpyNet online community.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Windows Firewall
A personal firewall is a critical line of defense against many kinds of malware. Like the firewall functionality in Windows XP Professional Service Pack 3 (SP3), the firewall in Windows Vista SP1 is turned on by default to help protect the user's computer as soon as the operating system is operational. Windows Firewall in Windows Vista SP1 includes both inbound and outbound filtering to help protect users by restricting operating system resources that behave unexpectedly. The firewall is also integrated with Windows Vista network awareness so that specialized rules can be applied depending on the location of the client computer. For example, if a laptop computer is located on an organization's network, firewall rules can be defined by the administrator of the domain network environment that will match the security requirements of that network. However, when a user attempts to connect the same laptop to the Internet via a public network, such as a free wireless hotspot, a different set of firewall rules can be automatically used to help ensure the computer is protected from an attack. In addition, for the first time in a Windows operating system, Windows Vista SP1 integrates firewall management with Internet Protocol security (IPsec). In Windows Vista SP1, a single console, known as the Windows Firewall with Advanced Security console, integrates IPsec and firewall management. The console centralizes inbound and outbound traffic filtering, and IPsec server and domain isolation settings in the user interface to simplify configuration and reduce policy conflicts.

Risk Assessment
A network connection is a vital requirement in modern business. However, this connection has also become a major target for attackers. The threats associated with connectivity need to be mitigated to ensure that data or computers are not compromised. The most commonly identifiable threats to an organization from network-based attacks include:

• A computer that is compromised by an unauthorized attacker who could then gain administrative level access to that computer.
• Network scanner applications that an attacker can use to remotely determine open network ports to launch an attack.
• Sensitive business data that could be exposed to unauthorized users if a Trojan horse program can open an unauthorized network connection from a client computer to an attacker.
• Mobile computers that may be exposed to network attacks while outside the organization's network firewall.
• Computers on an internal network that could be exposed to a network attack from a compromised computer that connects directly to the internal network.
• A potential blackmail risk to your organization if an attacker successfully compromises internal computers.

Risk Mitigation
The firewall in Windows Vista SP1 provides protection to the client computer out of the box. The firewall blocks most unsolicited inbound traffic until a change is made either by an administrator or by Group Policy. Windows Firewall also includes outbound network traffic filtering, and out of the box this rule is set to "Allow" for all outgoing network traffic. You can use Group Policy settings to configure these rules in the Windows Vista firewall to ensure that client security settings remain constant.

Mitigation Considerations
There are a few issues that you should consider if you are planning to use the firewall in Windows Vista SP1:

• Test the interoperability of applications that are required on your organization's computers. Each application should have a record of its network port requirements to help ensure that only the required ports are opened through the Windows Firewall.
• The Windows XP firewall supports a Domain and a Standard profile. The Domain profile is active when the client is connected to a network that contains the domain controllers for the domain in which its computer account resides. This allows you to create rules that are specific to the requirements of the organization's internal network. The Windows Vista firewall includes a Private and a Public profile to provide a finer level of control to protect a client computer when a user operates it outside of the organization's network defenses.
• Evaluate the logging capabilities of the Windows Firewall to determine its ability to integrate into your existing enterprise reporting or monitoring solutions.
• By default, Windows Firewall blocks remote control or remote management of Windows Vista SP1–based computers. Microsoft has created a number of rules specifically for such remote tasks in the Windows Firewall. If you want your organization's computers to support these remote tasks, you will need to enable the required rules for each profile in which the task will be required. For example, you may choose to enable the Remote Desktop rule for the Domain profile to allow your help desk to support users on the organization's network, but leave it disabled for the Public and Private profiles to reduce the attack surface of your computers when they are away from your network.

Mitigating Risk Using Windows Firewall with Advanced Security
Windows Vista SP1 includes new Group Policy settings and management UI that assist you with configuring the new functionality available in the Windows Vista firewall. The advanced security settings for Windows Vista SP1 do not apply on a client computer running Windows XP Professional SP3.


Microsoft recommends that you closely review these new capabilities to determine if they can assist you to better secure your environment. If you plan to modify the default behavior of the Windows Vista firewall, Microsoft recommends using the Windows Firewall with Advanced Security Group Policy settings to manage client computers running Windows Vista SP1. You can review and configure the new Group Policy settings and management snap-in available for Windows Firewall in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security

Windows Firewall with Advanced Security supports the following environment profiles:

• Domain Profile. This profile applies when a computer is connected to a network and authenticates to a domain controller in the domain to which the computer belongs.
• Public Profile. This profile is the default network location type when the computer is not connected to a domain. Public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as within an IT environment.
• Private Profile. This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to Public. Microsoft recommends only doing this for a trusted network.

It is important to understand that only one profile is active at a time. If the computer has multiple interfaces and they are connected to multiple network locations, the evaluation of which profile applies is as follows:

1. If all network interfaces evaluate to a domain network location, apply the domain profile.
2. If all network interfaces evaluate to a private network location, apply the private profile.
3. If a network interface evaluates to a public network location, apply the public profile.

Microsoft recommends enabling Windows Firewall with Advanced Security for all three profiles. In addition to the advanced firewall rules, Windows Firewall also supports connection security rules. Connection security involves authenticating two computers before they begin communications, and securing information sent between the two computers. Windows Firewall with Advanced Security incorporates IPsec technology to support key exchange, authentication, data integrity, and optionally, data encryption. For more information, see the IPsec Web page on Microsoft TechNet. The Windows Vista Security Baseline Settings workbook describes all of the prescribed Windows Firewall with Advanced Security settings, and indicates which settings require environment-specific information.
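The profile evaluation order above, together with the Remote Desktop example from Mitigation Considerations, modelled in Python as an added example (not Microsoft's code): active_profile picks the single active profile from the network locations of the connected interfaces, and decide applies the rules enabled for that profile on top of the guide's defaults of blocked unsolicited inbound and allowed outbound traffic. The rule set is constructed, and the handling of a domain/private mix with no public interface (which the guide's three steps do not cover) is an assumption.

```python
"""Model of how Windows Firewall with Advanced Security on Windows Vista picks
the single active profile and then evaluates a connection against the rules
enabled for that profile.  Added example, not Microsoft's code: the profile
evaluation order is the one described in the guide, the rule set is constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

DOMAIN, PRIVATE, PUBLIC = "domain", "private", "public"


def active_profile(interface_locations: List[str]) -> str:
    """Only one profile is active at a time.  Evaluation order from the guide:
    1. all interfaces on a domain network location  -> Domain profile
    2. all interfaces on a private network location -> Private profile
    3. any interface on a public network location   -> Public profile
    The guide does not state what happens for a domain/private mix with no
    public interface; this model assumes the more restrictive Private profile."""
    locations = set(interface_locations)
    if not locations:
        raise ValueError("at least one connected interface is required")
    if locations == {DOMAIN}:
        return DOMAIN
    if locations == {PRIVATE}:
        return PRIVATE
    if PUBLIC in locations:
        return PUBLIC
    return PRIVATE          # assumption, see docstring


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "in" or "out"
    protocol: str                   # "TCP" or "UDP"
    port: Optional[int]             # local port, None = any port
    action: str                     # "allow" or "block"
    profiles: FrozenSet[str]        # profiles in which the rule is enabled

    def matches(self, profile: str, direction: str, protocol: str, port: int) -> bool:
        return (profile in self.profiles and self.direction == direction
                and self.protocol == protocol
                and (self.port is None or self.port == port))


# Constructed rule set following the guide's own example: Remote Desktop is
# enabled only for the Domain profile, so the help desk can reach users on the
# organization's network while the rule stays off on Public and Private.
RULES = [
    Rule("Remote Desktop (TCP-In)", "in", "TCP", 3389, "allow", frozenset({DOMAIN})),
    Rule("Core Networking - DNS (UDP-Out)", "out", "UDP", 53, "allow",
         frozenset({DOMAIN, PRIVATE, PUBLIC})),
]


def decide(profile: str, direction: str, protocol: str, port: int,
           rules: Iterable[Rule] = RULES) -> str:
    """Return "allow" or "block" for one connection.  Defaults follow the guide:
    unsolicited inbound traffic is blocked, outbound traffic is allowed.  A
    matching block rule wins over a matching allow rule (standard Windows
    Firewall with Advanced Security precedence, not spelled out in the guide)."""
    matched = [r for r in rules if r.matches(profile, direction, protocol, port)]
    if any(r.action == "block" for r in matched):
        return "block"
    if any(r.action == "allow" for r in matched):
        return "allow"
    return "block" if direction == "in" else "allow"


def main() -> None:
    for nics in ([DOMAIN], [DOMAIN, PRIVATE], [DOMAIN, PUBLIC]):
        profile = active_profile(nics)
        verdict = decide(profile, "in", "TCP", 3389)
        print(f"interfaces={nics} -> profile={profile}, inbound RDP={verdict}")


if __name__ == "__main__":
    main()
```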

Windows Security Center
The Windows Security Center (WSC) feature runs as a background process on client computers running Windows Vista SP1 and Windows XP Professional SP3. In Windows Vista this feature constantly checks and displays the status of four important security categories:

• Firewall
• Automatic Updates
• Malware protection
• Other security settings

The WSC process also serves as a starting point to access other security-related areas of the computer and provides a single point of reference for you to find security-related support and resources. For example, the WSC provides a link to help users without antivirus software to view offers from vendors that provide antivirus solutions that are compatible with WSC. Microsoft has improved WSC in Windows Vista SP1 by including a new category called "Other security settings." This category displays the status of Internet Explorer security settings and User Account Control. Another new category in Windows Vista is "Malware protection," which includes monitoring for antivirus and antispyware software. In addition to the default protection that Windows Vista provides, WSC can monitor multiple vendor security solutions for Windows Firewall, as well as antivirus and antispyware software running on the same client computer, and indicate which solutions are enabled and up to date. For client computers running Windows Vista SP1, WSC provides direct links to vendors that you can use to remediate problems should they arise on the computer. For example, if a third-party antivirus or antispyware solution is turned off or out-of-date, WSC provides a button that you can click to launch a vendor solution on the computer to correct the problem. In addition, WSC provides links to the vendor Web site that the user can use to activate or renew a subscription or obtain updates. Knowing when security software is turned off or out-of-date, and the ability to easily download updates, can mean the difference between staying protected as much as possible or becoming vulnerable to malware. WSC runs by default on computers running Windows Vista SP1. The Group Policy settings described in the previous chapter do not contain any settings that modify the default behavior of WSC.
However, it is possible for administrators to use Group Policy to ensure that the WSC client UI remains either disabled or enabled for computers that are Domain members. You can review and configure the Group Policy setting available for WSC in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Security Center

The Securitycenter.admx template file contains the XML setting information for this policy setting. The following table describes this setting.

Table 2.5 Windows Security Center Setting

Policy object: Turn on Security Center (Domain PCs only)
Description: This setting specifies whether the Security Center is turned on or off on users' computers that are joined to a domain that uses Active Directory. If this setting is left in the default of Not configured, the Security Center is turned off for computers that are domain members.
Windows Vista default: Not configured

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor.


Malicious Software Removal Tool
The Microsoft Windows Malicious Software Removal Tool is designed to help remove malware from infected computers. Every month, Microsoft releases a new version of the tool through Microsoft Update, Windows Update, WSUS, and the Microsoft Download Center. Because the Malicious Software Removal Tool is not a fully featured antivirus product, Microsoft strongly recommends that users run antivirus software that will continually detect and remove viruses. When you run the tool, it scans your computer in the background and produces a report if it detects any infections. This tool does not install into the operating system it is scanning. This tool does not have any Group Policy settings in Windows Vista SP1.

Risk Assessment
Microsoft recommends that all computers run a real-time antivirus scanner in addition to the protection services provided as part of Windows Vista SP1. However, even with these protection measures installed, there are two risks that can still apply to an organization:

• If the installed real-time antivirus scanner does not detect a specific instance of malware.
• If the malware manages to disable the installed real-time antivirus scanner.

For these situations, the Malicious Software Removal Tool does provide an additional layer of security to help detect and remove common malicious software.

Risk Mitigation
To mitigate these risks, Microsoft recommends configuring your client computers to run Automatic Updates so that the Malicious Software Removal Tool will download and run when it is released. If you are considering using this tool in your environment, the following list highlights some considerations that will help ensure a successful deployment:

• The Malicious Software Removal Tool is approximately 4 MB in size, which can affect an organization's Internet connection if a large number of client computers attempt to download the tool at the same time.
• The tool is primarily intended for noncorporate users who do not have an existing, up-to-date antivirus product installed on their computers. However, you also can deploy the tool in an enterprise environment to enhance existing protection and as part of a defense-in-depth strategy. To deploy the tool in an enterprise environment, you can use one or more of the following methods:
  • Windows Server Update Services
  • SMS Software Package
  • Group Policy–based computer startup script
  • Group Policy–based user logon script
  For enterprise environments, Microsoft recommends reviewing "Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment": Knowledge Base article 891716.
• Typically, when you run the Windows Malicious Software Removal Tool, the tool creates a randomly named temporary directory in the root drive of your computer. This directory will contain several files and includes the Mrtstub.exe file. Most of the time, this folder will be deleted automatically after the tool has finished running or after the computer next restarts. But sometimes this folder may not be deleted automatically. In these cases, you can delete this folder manually with no adverse effect on the computer.
• A user may log on to a computer at the same time that the Malicious Software Removal Tool is running in the background. (The tool may be running as part of a deployment that uses Windows Server Update Services.) In this case, Windows may inform the user that the current user profile is corrupted and that a new profile is being created. To resolve this issue, the new profile can be removed. The user can log on to the system again at a time when the tool is not running. This issue is most likely to occur on a Windows 2000–based computer.

Mitigation Process
To effectively use the Malicious Software Removal Tool, use the following process.

To use this mitigation process

1. Investigate the Malicious Software Removal Tool capabilities. For more information, see the Malicious Software Removal Tool Web page.
2. Assess the need for the tool in your environment.
3. Determine the most appropriate method of deploying the tool in your organization.
4. Identify the systems in your organization that would benefit from the protection that the tool offers.
5. Deploy the tool via the selected deployment method.

Software Restriction Policies
Software restriction policies provide administrators with a way to identify application software and control its ability to run on local computers. This feature can help protect computers running Windows Vista SP1 and Windows XP Professional SP3 against known conflicts, and help safeguard them against malicious software, such as viruses and Trojan horse programs. Software restriction policies integrate fully with Active Directory and Group Policy. You can also use this feature on stand-alone computers. You can use software restriction policies to accomplish the following:

• Control what software can run on the client computers in your environment.
• Restrict access to specific files on multi-user computers.
• Decide who can add trusted publishers to client computers.
• Define whether the policies affect all users or a subset of users on the client computers.
• Prevent executable files from running on local computers based on policies set at the following levels: computer, organizational unit (OU), site, and domain.

Important It is important to thoroughly test all of the policy settings that are discussed in this guide before you deploy them to a production environment. This is especially true when you configure settings for software restriction policies. Mistakes in the design or implementation of this feature can cause considerable user frustration.

Software restriction policies have not changed significantly in Windows Vista SP1. For this reason, they are not covered in this guide. For more information about how to design and implement these policies, see "Using Software Restriction Policies to Protect Against Unauthorized Software" on TechNet.


Internet Explorer 7 Defense Technologies
It is possible for malicious Web sites to compromise the client computers that you manage. Internet Explorer 7 includes technologies that help prevent the installation of unwanted software, and technologies that help guard against unauthorized transmission of personal data to greatly increase browser security and privacy protection. New security technologies in Internet Explorer 7 include:

• Internet Explorer Protected Mode
• ActiveX Opt-in
• Cross-domain scripting attack protection
• Security Status Bar
• Phishing Filter
• Additional security features

Internet Explorer 7 is available for both Windows Vista SP1 and Windows XP Professional SP3. Windows Vista enhances the Internet Explorer experience. For example, some features available in Internet Explorer 7, such as Protected Mode and Parental Controls, are not available when using the browser on client computers running Windows XP Professional SP3. Also, the Aero user interface is not available through Internet Explorer 7 on computers running Windows XP Professional SP3.

Internet Explorer Protected Mode
Internet Explorer Protected Mode in Windows Vista SP1 adds additional defenses to help enable a safer Internet browsing experience for users. In addition, Protected Mode helps to prevent malicious users from taking over a user's browser and executing code through elevated privileges. Protected Mode helps reduce previous software vulnerabilities in the extensions for the browser by eliminating the possibility of using them for silent installation of malicious code. Protected Mode uses the integrity level mechanisms in Windows Vista SP1 that restrict access to processes, files, and registry keys to accomplish this goal. The Protected Mode application programming interface (API) enables software vendors to develop extensions and add-ons for Internet Explorer that can interact with the file system and registry while the browser is in Protected Mode. In Protected Mode, Internet Explorer 7 runs with reduced permissions to help prevent user or system files or settings from changing without the user's explicit permission. The new browser architecture also introduces a "broker" process that helps to enable existing applications to elevate out of Protected Mode in a more secure way. This prevents downloading data outside of the low-rights directories in the browser, such as the Temporary Internet Files folder. Protected Mode is enabled by default in Internet Explorer 7 for all security zones except the Trusted Sites zone. However, users can disable the mode, which reduces overall security. For this reason, the Group Policy settings described in the previous chapter enable Protected Mode in all the Web content zones for the browser except the Trusted Sites zone, and prevent users from disabling it.


You can review and configure the Group Policy setting for Internet Explorer 7 Protected Mode in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<Zone>

The following table describes this setting.

Table 2.6 Protected Mode Setting

Policy object: Turn on Protected Mode *
Description: If this setting is enabled, Protected Mode will be turned on and users will not be able to turn off Protected Mode. If this setting is disabled, Protected Mode will be turned off and users will not be able to turn on Protected Mode. If this setting is configured to Not configured, users can turn it on or off.
Windows Vista default: Not configured

* This setting only works in Internet Explorer 7 with Windows Vista SP1.

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor. Protected Mode is available for the following security areas and zones in Internet Explorer 7:

• Internet
• Intranet
• Local Machine
• Locked-Down Internet
• Locked-Down Intranet
• Locked-Down Local Machine
• Locked-Down Restricted Sites
• Locked-Down Trusted Sites
• Restricted Sites
• Trusted Sites

ActiveX Opt-in
Internet Explorer 7 in Windows Vista SP1 offers a powerful new security mechanism for the ActiveX platform to help protect user information and computer systems. ActiveX Opt-in automatically disables all controls that are not explicitly allowed by the user. This mitigates the potential misuse of preinstalled controls. In Windows Vista SP1, the Information Bar prompts users before they can access a previously installed ActiveX control that has not yet been used on the Internet. This notification mechanism enables the user to permit or deny access on a control-by-control basis, which helps further reduce the available surface area for attacks. Malicious users cannot use Web sites to launch automated attacks with ActiveX controls that were never intended to be used on the Internet.


Cross-Domain Scripting Attack Protection
New cross-domain script barriers help limit the ability of malicious Web sites to manipulate vulnerabilities in other Web sites. For example, before cross-domain scripting attack protection a user might visit a page on a malicious Web site that opens a new browser window containing a legitimate page (such as a banking Web site) that prompts the user to enter account information. This information could then be extracted by a script and made available to the attacker. With Internet Explorer 7, cross-domain scripting attack protection helps to ensure that these types of attacks will fail.

Security Status Bar
The new Security Status Bar in Internet Explorer 7 helps users quickly differentiate authentic Web sites from suspicious or malicious ones. To provide this information, the Security Status Bar enhances access to digital certificate information that helps identify secure (HTTPS) Web sites. The Security Status Bar provides users with clearer, more prominent visual cues that indicate the safety and identity of Web sites. The technology also supports information about High Assurance certificates to clearly identify secure (HTTPS) sites that have stronger identification measures in place.

Phishing Filter
Phishing is a technique that many attackers use to trick computer users into revealing personal or financial information through an e-mail message or Web site. Phishers masquerade as a legitimate person or business to deceive people into revealing personal information, such as account passwords and credit card numbers. The Phishing Filter in Internet Explorer 7 advises users about suspicious or known phishing Web sites to help them more safely browse content on the Internet. The filter analyzes Web site content for known phishing techniques, and uses a global network of data sources to assess the trustworthiness of Web sites. Developers who create fraudulent e-mail, online advertisements, and Web sites thrive on lack of communication and limited information sharing. The new Phishing Filter in Internet Explorer 7, which uses an online service that updates the filter several times an hour, consolidates the latest industry information about fraudulent Web sites, and shares it with Internet Explorer 7 customers to help proactively warn and help protect them. The Phishing Filter combines client-side scans for suspicious Web site characteristics with an opt-in online service. It helps protect users from phishing scams in three ways:

• It compares the addresses of Web sites that a user attempts to visit with a list of reported legitimate sites stored on the user's computer.
• It analyzes Web sites that users want to visit by checking them for characteristics that are common to phishing sites.
• It sends the Web site address that a user attempts to visit to an online service Microsoft maintains that immediately checks it against a frequently updated list of phishing sites. These sites have been confirmed by reputable sources as fraudulent and reported to Microsoft.

Even if the site is unknown to the Phishing Filter service, Internet Explorer 7 can examine the behavior of the site and report to the user if it is doing anything suspicious, such as collecting user information without a Secure Sockets Layer (SSL) certificate. In this way, the Phishing Filter helps to prevent a site from collecting user information before it has been officially reported.


When users run Internet Explorer 7, the Phishing Filter is configured by default to prompt users to enable or disable the filter. The Group Policy settings described in the previous chapter do not contain any settings that modify this default behavior. However, it is possible for administrators to control the behavior of the Phishing Filter using Group Policy. You can review and configure the Group Policy settings available for the Phishing Filter in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

The following table describes this setting.

Table 2.7 Phishing Filter Setting

Policy object: Turn off Managing Phishing filter *
Description: This setting allows the user to enable a phishing filter that will warn if the Web site being visited is known for fraudulent attempts to gather personal information through "phishing." By default the user will be prompted to decide the mode of operation for the phishing filter.
Windows Vista default: Not configured

* To take advantage of this setting, the computer must run Internet Explorer 7 with any of the following operating systems: Windows Vista SP1, Windows XP Professional SP3, or Windows Server 2003 SP2.

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor. Microsoft recommends configuring this setting to Enabled and the operating mode to Automatic. However, administrators should be aware that this configuration automatically causes the browser to send information to Microsoft without prompting the user.

Additional Security Features
Internet Explorer includes a number of specialized security features that help protect against malware. You can manage all of these settings through Group Policy. You can review and configure the Group Policy Security Features settings available for Internet Explorer 7 in the following location in the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features This section provides an overview of these settings in Internet Explorer 7. For a full list of all Group Policy settings for Internet Explorer 7, see the Group Policy Object Editor.
Note All of the features in this section also work on computers running Internet Explorer 6.0 or later with the following operating systems: Windows XP Professional SP3 and Windows Server 2003 SP2.


Add-on Management
You can use the policy settings in this section to restrict the add-ons that Internet Explorer 7 can use. The settings in the following table manage add-ons.

Table 2.8 Add-on Management Settings

Policy object: Add-on List
Description: This setting allows you to manage a list of add-ons.
Windows Vista default: Not configured ‡

Policy object: Deny all add-ons unless specifically allowed in the Add-on List
Description: This policy setting allows only the add-ons that you specify to run with Internet Explorer 7.
Windows Vista default: Not configured ‡

Policy object: All Processes
Description: This setting allows you to manage whether user preferences affect processes (as reflected by Add-on Manager) or policy settings.
Windows Vista default: Not configured

Policy object: Process List
Description: This setting allows you to manage whether user preferences affect the listed processes (as entered into Add-on Manager) or policy settings.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Binary Behavior Security Restriction
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they are attached. You can use the settings in the following table to restrict these behaviors.

Table 2.9 Binary Behavior Security Restriction Settings

Policy object: All Processes
Description: This setting controls whether the Binary Behavior Security Restriction setting is prevented or allowed.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: If you configure this setting to Not configured or Enabled, the binary behaviors are prevented for Windows Explorer and Internet Explorer processes.
Windows Vista default: Not configured

Policy object: Process List
Description: This setting allows administrators to define applications for which they want this security feature to be prevented or allowed.
Windows Vista default: Not configured

Policy object: Admin-approved behaviors
Description: If you configure this setting to Enabled, it allows a list of behaviors permitted in each zone to be defined for the Allow binary and script behaviors as Administrator approved.
Windows Vista default: Not configured


The previous table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Consistent MIME Handling
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. The following table provides information about the Group Policy settings for MIME that are available for Internet Explorer 7.

Table 2.10 Consistent MIME Handling Settings
Policy object | Description | Windows Vista default
All Processes | This setting determines whether Internet Explorer requires that all file type information provided by Web servers is consistent. | Not configured
Internet Explorer Processes | This setting determines whether Internet Explorer requires consistent MIME data for all received files. If you configure this setting to Not configured or Enabled, Internet Explorer requires consistent MIME data for all received files. | Not configured ‡
Process List | This setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Information Bar
Policy settings in this section allow you to manage whether the Information Bar displays for processes other than Internet Explorer processes when file or code installation is restricted. By default, the Information Bar displays for Internet Explorer Processes, but not for any other process when file or code installs are restricted. The following table provides setting information that you can use to modify this behavior.

Table 2.11 Information Bar Settings
Policy object | Description | Windows Vista default
All Processes | If you configure this setting to Enabled, the Information Bar displays for all processes. | Not configured
Internet Explorer Processes | If you configure this setting to Disabled, the Information Bar does not display for Internet Explorer Processes. | Not configured
Process List | This policy setting allows you to manage whether the Information Bar displays for specific processes when file or code installs are restricted. | Not configured


Local Machine Zone Lockdown Security
Internet Explorer places zone restrictions on each Web page it opens, which depend on the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content. This feature helps to mitigate attacks in which the Local Machine zone is used as an attack vector to load malicious HTML code.

Table 2.12 Local Machine Zone Lockdown Security Settings
Policy object | Description | Windows Vista default
All Processes | If you configure this setting to Enabled, Local Machine zone security applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list. By default, Local Machine zone security is not applied to local files or content processed by any process other than Internet Explorer or those defined in a process list. | Not configured
Internet Explorer Processes | If you configure this setting to Not configured or Enabled, Local Machine zone security applies to all local files and content processed by Internet Explorer. | Not configured
Process List | If you configure this setting to Enabled and you define a process name with a value of 1, Local Machine zone security applies. If you define a value of 0, Local Machine zone security does not apply. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.
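Every Security Features table in this section (Tables 2.8 through 2.22) shares the same three-row shape: an All Processes setting, an Internet Explorer Processes setting, and a Process List in which each executable gets its own value, 1 to apply the feature and 0 to exempt it. The PowerShell function below is an added example, not part of this guide or of any Microsoft tool; it reports the effective state of one feature for one executable by reading the Group Policy feature-control key. The registry path, the use of "*" as the All Processes entry, the explorer.exe/iexplore.exe entries for the Internet Explorer Processes setting, and the FEATURE_* names are taken from Microsoft's Internet Feature Controls documentation rather than from this page, so treat them as assumptions to confirm against the Explain tab or the ADMX file for your build. The process name lobhost.exe is a placeholder for a line-of-business application that embeds the browser control.

```powershell
# Added example, not from the Windows Vista Security Guide or any Microsoft tool.
# Reports the effective state of one Internet Explorer security feature for one
# executable by reading the Group Policy feature-control key.
#
# Assumption: Group Policy stores these settings under the key below, with one
# DWORD per executable (1 = feature applies, 0 = feature does not apply) and the
# value name '*' for the "All Processes" setting. Verify against your ADMX file.
$PolicyFeatureRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl'

function Get-IEFeatureState {
    param(
        [Parameter(Mandatory = $true)][string]$Feature,      # e.g. FEATURE_LOCALMACHINE_LOCKDOWN
        [Parameter(Mandatory = $true)][string]$ProcessName,  # e.g. iexplore.exe or a custom host
        [string]$Root = $PolicyFeatureRoot
    )

    $keyPath = Join-Path $Root $Feature
    if (-not (Test-Path $keyPath)) {
        return New-Object PSObject -Property @{
            Feature = $Feature; Process = $ProcessName
            State = 'Not configured'; Source = 'no policy key'
        }
    }

    $regKey = Get-Item -Path $keyPath

    # A per-process entry (the Process List row) takes precedence over the '*'
    # entry (the All Processes row). GetValue is an exact-name lookup, so the
    # literal '*' is not treated as a wildcard here.
    foreach ($name in @($ProcessName, '*')) {
        $value = $regKey.GetValue($name)        # $null when the entry is absent
        if ($value -ne $null) {
            $state = if ([int]$value -eq 1) { 'Enabled' } else { 'Disabled' }
            return New-Object PSObject -Property @{
                Feature = $Feature; Process = $ProcessName
                State = $state; Source = "'$name' entry = $value"
            }
        }
    }

    # Neither entry present: the feature's built-in default (the "Windows Vista
    # default" column in the guide's tables) governs this process.
    New-Object PSObject -Property @{
        Feature = $Feature; Process = $ProcessName
        State = 'Not configured'; Source = 'key present, no entry for this process'
    }
}

# Usage: audit the features covered in this section for the browser itself and
# for a hypothetical host application (lobhost.exe is a placeholder name).
$features = 'FEATURE_LOCALMACHINE_LOCKDOWN', 'FEATURE_MIME_SNIFFING',
            'FEATURE_ZONE_ELEVATION', 'FEATURE_RESTRICT_ACTIVEXINSTALL',
            'FEATURE_RESTRICT_FILEDOWNLOAD', 'FEATURE_WINDOW_RESTRICTIONS'
$report = foreach ($f in $features) {
    foreach ($p in 'iexplore.exe', 'explorer.exe', 'lobhost.exe') {
        Get-IEFeatureState -Feature $f -ProcessName $p
    }
}
$report | Format-Table Feature, Process, State, Source -AutoSize
```

Run the audit from an elevated session on a reference workstation after a `gpupdate /force`; a row that reports "key present, no entry for this process" for a host application that renders untrusted HTML is the case the Process List rows exist to close, because that process then runs with the feature's built-in default rather than the policy you intended.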

MIME Sniffing Safety Feature
This feature helps to prevent promotion of a file of one type to a more dangerous file type. The following table lists the settings that are available for this feature.

Table 2.13 MIME Sniffing Safety Feature Settings
Policy object | Description | Windows Vista default
All Processes | If you configure this setting to Enabled, the MIME Sniffing Safety Feature is enabled for all processes. | Not configured
Internet Explorer Processes | If you configure this setting to Disabled, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. The default (Not configured) behavior does not allow promotion. | Not configured ‡
Process List | This policy setting allows administrators to define applications on which they want to prevent or not allow this security feature to run. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

MK Protocol Security Restriction
The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the MK protocol. If this setting is enabled, resources hosted on the MK protocol will fail to load.

Table 2.14 MK Protocol Security Restriction Settings
Policy object | Description | Windows Vista default
All Processes | By default this restriction is disabled for all processes. However, if you configure this setting to Enabled, the MK Protocol is blocked for all processes and any use of the MK Protocol is blocked. | Not configured
Internet Explorer Processes | If you configure this setting to Disabled, applications can use the MK protocol API and resources hosted on the MK protocol will work for the Windows Explorer and Internet Explorer processes. The default setting prevents the MK Protocol for Windows Explorer and Internet Explorer, and resources hosted on the MK protocol are blocked. | Not configured ‡
Process List | This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.


Network Protocol Lockdown
You can configure Internet Explorer 7 to prevent active content obtained through restricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented or allowed.

Table 2.15 Network Protocol Lockdown Settings
Policy object | Description | Windows Vista default
All Processes | If you configure this setting to Enabled, restricting content obtained through restricted protocols is allowed for all processes other than Windows Explorer or Internet Explorer. If you configure this setting to Disabled, restricting content obtained through restricted protocols is prevented for all processes other than Windows Explorer or Internet Explorer. The default setting (Not configured) does not enforce this policy for processes other than Windows Explorer and Internet Explorer. | Not configured
Internet Explorer Processes | If you configure this setting to Enabled, restricting content obtained through restricted protocols is allowed for Windows Explorer and Internet Explorer processes. If you configure this setting to Disabled, restricting content obtained through restricted protocols is prevented for Windows Explorer and Internet Explorer processes. The default (Not configured) setting causes Internet Explorer to ignore this setting. | Not configured
Process List | This setting allows administrators to define applications for which they want restricting content obtained through restricted protocols to be prevented or allowed. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor. For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling the content.
Note If you set policy for a zone in both Computer Configuration and User Configuration, this action restricts both protocol lists for that zone.


Table 2.16 Restricted Protocols for Security Zone Settings
Policy object | Description | Windows Vista default
Internet Zone Restricted Protocols | If this setting is enabled, it creates a list of protocols that are restricted for the Internet zone. | Not configured
Intranet Zone Restricted Protocols | If this setting is enabled, it creates a list of protocols that are restricted for the Intranet zone. | Not configured
Local Machine Zone Restricted Protocols | If this setting is enabled, it creates a list of protocols that are restricted for the Local Machine zone. | Not configured
Restricted Sites Zone Restricted Protocols | If this setting is enabled, it creates a list of protocols that are restricted for the Restricted Sites zone. | Not configured
Trusted Sites Zone Restricted Protocols | If this setting is enabled, it creates a list of protocols that are restricted for the Trusted Sites zone. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Object Caching Protection
This policy setting defines whether a reference to an object remains accessible when the user navigates within the same domain or to a new domain.

Table 2.17 Object Caching Protection Settings
Policy object | Description | Windows Vista default
All Processes | If you configure this setting to Disabled or Not configured, an object reference is retained when navigating within or across domains in the Restricted Sites zone. | Not configured
Internet Explorer Processes | If you do not change this setting from Not configured or configure it to Enabled, an object reference is no longer accessible when navigating within or across domains for Internet Explorer processes. | Not configured
Process List | This setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.


Protection From Zone Elevation
Internet Explorer places restrictions on each Web page it opens. The restrictions depend on the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine zone a prime target for malicious users.

Table 2.18 Protection From Zone Elevation Settings
Policy object | Description | Windows Vista default
All Processes | If you configure this setting to Enabled, you can protect any zone from zone elevation for all processes. If you do not change this setting from Not configured or configure it to Disabled, processes other than Internet Explorer or those listed in the Process List receive no such protection. | Not configured
Internet Explorer Processes | If you do not change this setting from Not configured or configure it to Enabled, any zone can be protected from zone elevation by Internet Explorer processes. If you configure this setting to Disabled, this protection is not applied to Internet Explorer processes. | Not configured ‡
Process List | This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Restrict ActiveX Install
These policy settings apply restrictions to the installation of ActiveX controls.

Table 2.19 Restrict ActiveX Install Settings
Policy object | Description | Windows Vista default
All Processes | This setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation. | Not configured
Internet Explorer Processes | This setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. | Not configured ‡
Process List | This setting allows administrators to define a list of executables where automatic prompting of ActiveX control installation is allowed or blocked. By default this security feature is allowed. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Restrict File Download
These policy settings apply restrictions to file downloads that are automatically attempted without a user initiating the download.

Table 2.20 Restrict File Download Settings
Policy object | Description | Windows Vista default
All Processes | This setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not user initiated. | Not configured
Internet Explorer Processes | This setting enables blocking of file download prompts that are not user initiated. | Not configured ‡
Process List | This setting allows administrators to create a list of executables that will allow or disallow the blocking of automatic prompting of file downloads that are not user initiated. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

RSS Restrictions
Internet Explorer 7 is designed to reduce the risk of an attacker exploiting Really Simple Syndication (RSS). Several policy setting mechanisms help protect systems from malicious RSS feeds.

Table 2.21 RSS Restriction Settings
Policy object | Description | Windows Vista default
Sanitization | Before any application, including the Internet Explorer Feed View, can access the feed, it is sanitized. During this process, script is removed from HTML fields and text fields are treated as text, not HTML. The feed is stored in the sanitized form so that other applications access that version too. | Not configured
Feed View in Restricted zone | Internet Explorer 7 renders RSS streams in Feed View, regardless of where they originate. RSS feeds are always handled in the Restricted Sites zone. | Not configured
Enclosure handling | Files included in RSS feeds are always treated as untrusted files, similar to the way Microsoft Outlook® handles e-mail attachments. Directly executable files are blocked via the Attachment Execution Service (AES). The AES maintains a list of file extensions that are considered dangerous. Security programs, such as Windows Defender and antivirus software, can integrate with AES in order to inspect files before they are made available to users or other applications. In addition, enclosures are stored in a location that varies from one computer to another, making it more difficult for malicious programs to use enclosures as an attack vector. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Scripted Windows Security Restrictions
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or which obscure other windows' title and status bars.

Table 2.22 Scripted Windows Security Restrictions Settings
Policy object | Description | Windows Vista default
All Processes | If you do not change this setting from Not configured or configure it to Disabled, scripted windows are not restricted. However, if you configure this setting to Enabled, scripted windows are restricted for all processes. | Not configured
Internet Explorer Processes | If you do not change this setting from Not configured or configure it to Enabled, popup windows and other restrictions apply for Windows Explorer and Internet Explorer processes. However, if you configure this setting to Disabled, scripts can continue to create popup windows and windows that may be used to obscure other windows. | Not configured ‡
Process List | This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

More Information
The following resources provide additional information about enhanced security features and technologies in Windows Vista SP1 on Microsoft.com:
- Malicious Software Removal Tool.
- Software Restriction Policy for Windows XP Clients chapter in the Windows XP Security Guide.
- User Account Control.
- Using Software Restriction Policies to Protect Against Unauthorized Software.
- Windows Defender.
- Windows Firewall.
- Windows Server Group Policy.
- Windows Vista Security and Data Protection Improvements.


Chapter 3: Protect Sensitive Data
Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen, or improperly decommissioned around the world. The 2006 CSI/FBI Computer Crime and Security Survey reported that the costs associated with data loss had grown 65 percent in the previous year. Effective technology features and services to help counter the risk of data theft or exposure were a primary customer request for Microsoft to include in Windows Vista® Service Pack 1 (SP1). This is in part because malicious users can often run a different operating system on a client computer, move its disk drive to another computer, or use other offline attack methods to view data on lost or stolen computers. In many cases, recent legislation and government regulations to safeguard consumer information and privacy have also made securing data a legal requirement.

For these security reasons, Microsoft has developed both new and enhanced features and services to help organizations better protect the data that resides on their client computers. The features and services that this chapter discusses are designed to protect data on client computers running Windows Vista SP1 in the Enterprise Client (EC) environment. The configuration of these features depends on your specific requirements and environment. This chapter provides you with a design process to identify how to configure the following features and services to better meet your data protection needs:
- BitLocker™ Drive Encryption
- Encrypting File System (EFS)
- Rights Management Services (RMS)
- Device control

You can use BitLocker, EFS, RMS, and device control to help protect sensitive data in the enterprise. However, each technology and method performs specific functions to help secure data. In fact, all these technologies and methods are complementary elements of data protection, and Microsoft highly recommends using them in an enterprise’s overall security strategy. You can use each separately or together, depending on the security needs of your organization. The following table provides examples of how these technologies and methods work to protect different scenarios within an enterprise.

Table 3.1 Data Protection Technology Comparison in Windows Vista SP1
Columns: BitLocker | EFS | RMS | Device control
(The check marks showing which technologies apply to each scenario did not survive extraction of this copy; only the scenario rows are recoverable.)
Scenarios:
- Laptop data protection
- Branch office server data protection
- Local single-user file and folder protection
- Desktop data protection
- Shared computer file and folder protection
- Remote file and folder protection
- Untrusted network administrator protection
- Remote document policy enforcement
- Protect content in transit
- Protect content during collaboration
- Protect against data theft

BitLocker Drive Encryption
BitLocker Drive Encryption helps protect data on a client computer. The entire Windows volume is encrypted to help prevent unauthorized users from breaking Windows file and system protections, or viewing information offline on the secured drive. Early in the startup process, BitLocker checks the client computer's system and hardware integrity. If BitLocker determines an attempt has been made to tamper with any system files or data, the client computer will not complete the startup process.

BitLocker helps prevent a thief who starts another operating system or runs a software attack tool from bypassing the Windows Vista SP1 file and system protections or performing offline viewing of the files stored on the protected drive. BitLocker Drive Encryption can lock the normal boot sequence until the user supplies a personal identification number (PIN) code or inserts a USB flash drive that contains the appropriate decryption keys. The maximum protection is obtained when the computer has a Trusted Platform Module (TPM 1.2) to protect user data, and to help ensure that a client computer running Windows Vista SP1 cannot be tampered with while the system is offline. For information on TPM technology, refer to the specifications and materials maintained on the Trusted Computing Group Web site. If no TPM is available, BitLocker can still help protect the data, but no system integrity validation is performed.

BitLocker is available in the Windows Vista SP1 Enterprise and Ultimate editions of the operating system for client computers. For a more detailed look at BitLocker and the other data encryption technologies included with Windows Vista SP1, see the Data Encryption Toolkit for Mobile PCs.
Note BitLocker provides protection for the Windows partition and is not a replacement for EFS. BitLocker does not encrypt data stored outside the Windows partition, but it does provide an added security layer for EFS by encrypting the EFS keys within the Windows partition.

Risk Assessment
Mobile computers are typically exposed to environments that are not secure, in which there is a higher risk of them becoming lost or stolen. If malicious users gain physical control of a system, they can bypass many security measures designed to protect the system and data. Desktop computers in shared or public environments may also be at significant risk. The primary risk BitLocker is designed to mitigate is data theft from stolen or lost mobile computers.

When an attacker gains physical access to a computer, the potential consequences include:
- The attacker can log on to Windows Vista SP1 and copy files.
- The attacker can restart the client computer into an alternate operating system to:
  - View file names.
  - Copy files.
  - Read the contents of the hibernation file or paging file to discover plaintext copies of in-process documents.
  - Read the contents of the hibernation file to discover plaintext copies of software private keys.

Even if files are encrypted using EFS, a careless user might move or copy a file from an encrypted location to an unencrypted location, which could leave the file contents in plaintext. Uninformed IT staff might also neglect to encrypt hidden folders, where applications keep backup copies of in-process files. There are also operational risks, such as unauthorized personnel tampering with and modifying system and boot files, which may prevent normal system operation.

Risk Mitigation
To mitigate these risks, the computer should protect the boot sequence so that the system will only start when authorized. In addition, the operating system and data files should be protected.

Mitigation Considerations
BitLocker can mitigate the risks defined in the previous "Risk Assessment" section. However, before you use BitLocker, it is important to consider the following requirements and best practices for this data protection feature:
- In order to use BitLocker in the optimal configuration, the motherboard on the client computer must provide a TPM 1.2 chip that includes a Trusted Computing Group–compliant BIOS implementation. In addition, a startup key is optionally required to provide an additional authentication factor. The startup key is either an additional physical key (a USB flash drive with a machine-readable key written to it) or a PIN entry that the user sets. Strong user logon and password protocols are also required.
- You must partition the computer hard drive correctly to use BitLocker. Two NTFS drive volumes are required for BitLocker: one for the system volume, and one for the operating system volume. The system volume partition should be at least 1.5 GB.
- BitLocker configurations that do not take advantage of external key authentication might be susceptible to hardware-based attacks.
- If you use BitLocker with a USB key or a PIN, you must establish procedures to address lost keys and forgotten PINs.
- BitLocker does have a small effect on system performance, but this is typically unnoticeable. However, if system performance is critical, for example on a server, you must thoroughly test the configuration to ensure that the overhead that BitLocker causes does not significantly affect performance.
- Depending on the computer vendor, TPM management tools may require manual steps to configure the TPM device state and a BIOS administrator password during the build process, which may prevent fully automated or scripted system deployments and upgrades.
- To use a TPM device, it must have an Endorsement Key (EK) Credential applied to it, which the computer vendor can provide, or which a Value Added Reseller (VAR) or IT support staff could provide after the system has been delivered. The EK must be securely stored and tracked while the computer is in use.
- If a TPM is not available on the computer, the computer must support USB devices when it starts, so that a startup key can unlock the volume during the boot sequence.
- BitLocker may have an impact on your software distribution procedures if software or system updates are distributed remotely and overnight, and you restart user computers without the user present. For example:
  - If a computer has a protector type of TPM and a PIN or TPM and a startup key, and at 2:00 A.M. you deploy a software update to the computer that requires the computer to restart, the computer will not restart without the PIN or startup key.
  - If you currently use Wake-on-LAN or a BIOS auto-power-on feature to start computers for maintenance purposes, these computers would also be affected by a TPM and PIN or startup key protector.
- OEM-distributed BIOS/TPM firmware updates may affect BitLocker-enabled computers. You will need to review OEM installation instructions to determine whether recovery information (recovery passwords and keys) will be preserved after the update, and whether additional protectors (PINs or startup keys) will also be preserved.
- Application updates may affect BitLocker-enabled computers. If, during installation or updating, the updates make changes to the boot manager or to files that BitLocker measures, this will cause a system boot failure and force the computer into recovery mode. Before installing or updating applications that affect the Windows Vista SP1 boot environment, test them on BitLocker-enabled computers.
- All domain controllers in the domain must be running Microsoft® Windows Server® 2003 Service Pack 2 (SP2) or later.
Note Windows Server 2003 requires you to extend the schema to support storing BitLocker recovery information in Active Directory®.
Mitigation Process
Use the following risk mitigation process to assess how best to configure BitLocker to help protect sensitive data on the client computers that you manage.

To use this mitigation process
1. Investigate BitLocker technology and capabilities.
Note For more information about BitLocker, see BitLocker Drive Encryption on Microsoft TechNet.
2. Assess the need for BitLocker in your environment.
3. Confirm that the hardware, firmware, and software that your organization uses meets BitLocker requirements.
4. Identify the systems in your organization that require BitLocker protection.
5. Identify the level of protection your systems require. A PIN or USB key containing encryption keys can be required to start the operating system. The operating system will not start without these keys.
6. Install necessary drivers on a test system.
7. Use Group Policy objects (GPOs) to configure BitLocker on test systems.
8. After a successful test, install the drivers and configure BitLocker on production systems.
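Steps 3 through 5 of the process above, and the unattended-restart caveat in the Mitigation Considerations, both come down to two questions about a given computer: is the TPM present, enabled, activated and owned, and which key protectors does each volume carry? The PowerShell script below is an added example, not part of this guide or of any Microsoft tool, that answers both through WMI and flags volumes whose protector type (TPM and PIN, TPM and startup key) will hold the boot sequence until a person is at the keyboard. It assumes the Win32_Tpm and Win32_EncryptableVolume provider classes, methods and result codes as Microsoft documents them, and an elevated session; the code checks only presence and protector types, not the Group Policy values behind them.

```powershell
# Added example, not from the Windows Vista Security Guide or any Microsoft tool.
# Supports steps 3 to 5 of the mitigation process: confirm the TPM is usable,
# then report each BitLocker-capable volume's protection state and key
# protectors, flagging protector types that require a person at the keyboard
# when the computer restarts (the overnight-update issue noted above).
#
# Assumptions: the WMI classes, methods and result codes used here are the ones
# documented for the Win32_Tpm and Win32_EncryptableVolume providers; run the
# script from an elevated PowerShell session.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        # No TPM: BitLocker can still encrypt, but no startup integrity validation.
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = 'n/a'
        }
    }
    New-Object PSObject -Property @{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        Owned       = [bool]$tpm.IsOwned_InitialValue
        SpecVersion = $tpm.SpecVersion      # the guide calls for TPM 1.2
    }
}

# Documented KeyProtectorType codes returned by GetKeyProtectorType.
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
    4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}
# Protector types that hold the boot sequence until the user supplies a PIN or USB key.
$UserPresenceTypes = 4, 5, 6

# Documented ProtectionStatus and ConversionStatus codes.
$ProtectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$ConversionNames = @{
    0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
    3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused'
}

function Get-BitLockerVolumeReport {
    $volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in @($volumes)) {
        if ($v -eq $null) { continue }

        $protection = $v.GetProtectionStatus().ProtectionStatus
        $conversion = $v.GetConversionStatus()

        # Collect the protector type code of every protector on the volume.
        $types = @()
        $ids = $v.GetKeyProtectors(0).VolumeKeyProtectorID      # 0 = every protector type
        if ($ids -ne $null) {
            foreach ($id in @($ids)) {
                $types += [int]$v.GetKeyProtectorType($id).KeyProtectorType
            }
        }
        $names = @()
        foreach ($t in $types) { $names += $ProtectorNames[$t] }

        New-Object PSObject -Property @{
            DriveLetter         = $v.DriveLetter
            Protection          = $ProtectionNames[[int]$protection]
            Conversion          = $ConversionNames[[int]$conversion.ConversionStatus]
            PercentEncrypted    = $conversion.EncryptionPercentage
            Protectors          = ($names -join ', ')
            # An unattended restart stalls at the BitLocker prompt on these volumes.
            RequiresUserAtBoot  = [bool]($types | Where-Object { $UserPresenceTypes -contains $_ })
            # The 48-digit recovery password is the numerical password protector;
            # without it, a lost PIN or startup key has no supported recovery path.
            HasRecoveryPassword = [bool]($types -contains 3)
        }
    }
}

# Usage
Get-TpmReadiness | Format-List Present, Enabled, Activated, Owned, SpecVersion
Get-BitLockerVolumeReport |
    Format-Table DriveLetter, Protection, Conversion, PercentEncrypted, Protectors,
                 RequiresUserAtBoot, HasRecoveryPassword -AutoSize
```

A TPM that reports Present but not Owned is the case the Mitigation Considerations describe as needing manual vendor tooling during the build, and any volume with RequiresUserAtBoot set to True belongs on the exception list for overnight maintenance windows; a volume with HasRecoveryPassword set to False has nothing for the Active Directory backup policy in the next section to store.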

Using Group Policy to Mitigate Risk for BitLocker
There are two Group Policy templates that Microsoft recommends using to manage the configuration of BitLocker. These templates allow you to manage TPM configuration separately from the rest of the BitLocker configuration. The following table outlines the Group Policy settings that are available for BitLocker in the VolumeEncryption.admx template. You can configure these settings in the following location within the Group Policy Object Editor:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Table 3.2 BitLocker Drive Encryption Settings
Policy setting | Description | Windows Vista default
Turn on BitLocker backup to Active Directory Domain Services | Enables the backup of BitLocker recovery information in Active Directory. This recovery information includes the recovery password and some unique identifier data. | Not configured
Control Panel Setup: Configure recovery folder | Configures whether the BitLocker Setup Wizard asks the user to save the recovery key to a folder. Specifies the default path that displays when the BitLocker Setup Wizard prompts the user to type the location of a folder in which to save the recovery key. | Not configured
Control Panel Setup: Configure recovery options | Configures whether the BitLocker Setup Wizard asks the user to create a recovery password. The recovery password is a randomly generated 48-digit sequence. | Not configured
Control Panel Setup: Enable advanced startup options | Configures whether the BitLocker Setup Wizard asks the user to create a PIN on the computer. The PIN is a 4–20 digit sequence that the user types each time the computer starts. You cannot use policy to set the number of digits. | Not configured
Configure encryption method | Configures the encryption algorithm and key size that BitLocker uses. This policy setting applies to a fully decrypted disk. If the disk is already encrypted or if encryption is in progress, changing the encryption method has no effect. | Not configured
Configure TPM platform validation profile | Configures how the TPM secures the disk volume’s encryption key. This policy setting does not apply if the computer does not have a compatible TPM, nor does changing this policy affect existing copies of the encryption key. | Not configured

Windows Vista Security Guide

The previous table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor. The following table outlines the Group Policy settings available for the TPM in the TPM.admx template. You can configure these settings in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Trusted Platform Module Services

Table 3.3 Trusted Platform Module Settings

Policy setting: Turn on TPM backup to Active Directory Domain Services
Description: Manages the backup of TPM recovery information in Active Directory. This recovery information includes a cryptographic derivation of the TPM owner password.
Windows Vista default: Not configured

Policy setting: Configure the list of blocked TPM commands
Description: Manages the Group Policy list of TPM commands blocked by Windows.
Windows Vista default: Not configured

Policy setting: Ignore the default list of blocked TPM commands
Description: Manages enforcement of the computer’s default list of blocked TPM commands.
Windows Vista default: Not configured

Policy setting: Ignore the local list of blocked TPM commands
Description: Manages enforcement of the computer’s local list of blocked TPM commands.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Your security policies must effectively support BitLocker password and key management. These policies should be comprehensive enough to secure the information, but not so restrictive as to make supporting BitLocker difficult. The following list includes policy examples:
• Always require backup of recovery passwords in Active Directory.
• Always require backup of TPM owner information in Active Directory.
• Use recovery keys along with recovery passwords as a backup or alternate recovery method.
• If you are using a TPM with a PIN or USB startup keys, change them on a regularly scheduled basis.
• On TPM-enabled computers, use a BIOS administrator password to prohibit access.
• Ensure that users do not store key material such as USB startup keys with the computer.
• Save recovery keys to a central location for support and disaster recovery purposes.
• Back up recovery material to secure offline storage.


Encrypting File System
You can use Encrypting File System (EFS) to encrypt files and folders to help protect data from unauthorized access. EFS is integrated into the NTFS file system and its operation is completely transparent to applications. When a user or program attempts to access an encrypted file, the operating system automatically attempts to acquire a decryption key for the content, and then silently performs encryption and decryption on behalf of the user. Users who have authorized keys are able to access and work with encrypted files just as they would with any other file, whereas other users are denied access.

Windows Vista SP1 includes many new security, performance, and manageability features for EFS. The following are new features in Windows Vista SP1 for EFS:
• You can store user keys on smart cards.
• You can store recovery keys on smart cards, allowing secure data recovery without a dedicated recovery station, even over Remote Desktop sessions.
• You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down.
• You can encrypt the Offline Files cache with EFS. In Windows Vista SP1 this encryption feature employs the user’s key instead of the system key. Thus, each file in the Offline Files cache can only be accessed by the user on whose behalf it is cached.
• Many new configuration options are provided in Group Policy to help enforce enterprise policies.
• EFS supports a wider range of user certificates and keys.

A number of new Group Policy options have been added to Windows Vista SP1 to help administrators define and implement organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, and enforce encryption of the user’s Documents folder.
Note Microsoft recommends using BitLocker and EFS in combination to maximize data protection.

Risk Assessment
Unauthorized access to data can compromise business processes and profitability. Especially where multiple users have access to the same system or you use mobile computer systems, data is at risk of compromise. The risk area that EFS is designed to mitigate is data theft or compromise due to lost or stolen mobile computers, or due to exposure by an insider. Shared computers might also be subject to this data risk. When an attacker gains physical access to a computer with unencrypted data, the potential consequences include:
• The attacker may restart the computer and escalate their user privilege to local Administrator to access the user's data. An attacker also could download tools to mount a brute-force attack to obtain the user's password, so they can then log on as the user and access the user's data.
• The attacker could attempt to log on to Windows Vista SP1 and copy all data that is available to the user to a removable device, send it via e-mail, copy it over the network, or transmit it using FTP to a remote server.
• The attacker could restart the computer into an alternate operating system and copy files directly from the hard drive.
• The attacker could plug the computer into another network, start the stolen computer, and then log on to it remotely.
• If a user caches their network files in Offline Files, an attacker can escalate privilege to Administrator/LocalSystem and inspect the contents of the Offline Files cache.
• A curious coworker could open sensitive files owned by other users of a shared computer.
• An attacker could restart the computer using an alternative operating system, read the contents of the paging file, and discover plaintext copies of in-process documents.

Risk Mitigation
To mitigate these potential data compromise risks, you can encrypt data when it is stored on the hard disk. Improvements in the EFS technology in Windows Vista SP1 help you to mitigate the following situations:
• You can use EFS to prevent an attacker from reading encrypted files through another operating system by requiring the attacker to obtain a key that is capable of decrypting the content. You can store such a key on a smart card for added security.
• You can enforce the strength of encryption that EFS uses through Group Policy.
• You can thwart an attacker who attempts to access a user’s data using a brute-force password attack by storing the user’s EFS keys on a smart card, or by using BitLocker in combination with EFS to deny the attacker access to the user’s password hashes and cached credentials.
• You can prevent an attacker from accessing a user’s confidential data by enforcing encryption of the user’s Documents folder through Group Policy. Alternatively, you can enforce encryption of other locations or the user’s entire data partition through a logon script.
• You can use EFS to provide encryption on multiple drives and network shares.
• You can use EFS to protect the contents of the system paging file and the Offline Files cache.

Mitigation Considerations
You can use EFS in Windows Vista SP1 to mitigate the risks described in the previous Risk Assessment section. However, before deploying EFS, consider the following:
• You must implement tested procedures for key management and data recovery requirements. In the absence of reliable and well-defined procedures, critical data may become inaccessible if keys are lost.
• Under normal operation, the overhead due to EFS is not noticeable. However, if system performance is critical, you must perform thorough testing to ensure that EFS does not adversely affect performance.
• If you enable EFS on a volume, you cannot also compress files on the same volume.
• If necessary, deploy and test additional scripts to encrypt sensitive file locations.
• Users and IT staff must be properly trained to avoid issues, such as:
  • File copies or file moves from an encrypted location to an unencrypted location, which could leave the files stored as plaintext.
  • Failure to encrypt hidden folders where applications maintain backup copies of in-process files.
• Thoroughly test your EFS configuration to ensure that encryption is set on all sensitive file locations, including Documents, the Desktop, and temporary folders.

Note You can only deploy EFS on the following Windows Vista SP1 editions: Business, Enterprise, and Ultimate.
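The logon-script approach and the final test step above, as an added PowerShell example that is not code from the guide or from Microsoft: it sets the EFS attribute on a list of sensitive folders with the in-box cipher.exe and then reports any file under them that is still stored in plaintext. The folder list is an assumption; extend it with the hidden backup folders your applications use.

```powershell
# Added example (not from the Windows Vista Security Guide): enforce EFS on the
# locations the guide calls out and detect files left in plaintext. Assumes it
# runs in the user's own logon context on an NTFS volume.

# Assumption: the set of folders to protect. Documents and Desktop are named in
# the guide; TEMP covers in-process copies that applications leave behind.
$SensitiveFolders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('Desktop'),
    $env:TEMP
)

function Test-EfsEncrypted {
    param([string]$Path)
    # The Encrypted file attribute is what NTFS sets on EFS-protected files.
    $attrs = [System.IO.File]::GetAttributes($Path)
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Enable-EfsOnFolder {
    param([string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) {
        Write-Warning "Folder not found: $Folder"
        return
    }
    # cipher /e marks the folder so new files inherit encryption; /s:<dir>
    # recurses into subfolders; /a also encrypts the existing files.
    $scope = "/s:$Folder"
    & cipher.exe /e $scope /a | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "cipher.exe returned $LASTEXITCODE for $Folder"
    }
}

function Get-PlaintextFiles {
    param([string]$Folder)
    # Hidden files are included (-Force) because that is where application
    # backup copies of in-process documents tend to live.
    Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { -not (Test-EfsEncrypted -Path $_.FullName) }
}

foreach ($folder in $SensitiveFolders) {
    Enable-EfsOnFolder -Folder $folder
    $leftovers = @(Get-PlaintextFiles -Folder $folder)
    if ($leftovers.Count -gt 0) {
        # Typical causes: files copied in from an unencrypted location, files
        # that were open while cipher ran, or system files cipher skips.
        Write-Warning ("{0} plaintext file(s) remain under {1}" -f $leftovers.Count, $folder)
        $leftovers | ForEach-Object { Write-Output ("  PLAINTEXT: " + $_.FullName) }
    } else {
        Write-Output "OK: all files under $folder are EFS-encrypted"
    }
}
```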

Mitigation Process
Use the following risk mitigation process to assess how best to configure EFS to help protect sensitive data on the client computers that you manage.

To use this mitigation process
1. Investigate EFS technology and capabilities.
Note For more information, see the "Best practices for the Encrypting File System" article on Microsoft.com.

2. Assess the need for EFS in your environment.
3. Investigate the configuration of EFS using Group Policy.
4. Identify the computer systems and users that require EFS.
5. Identify the level of protection that you require. For example, does your organization require using smart cards with EFS?
6. Configure EFS as appropriate for your environment using Group Policy.

Specific Mitigation Steps for EFS
To use Group Policy to manage EFS there are several security settings in this location:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

To add or create a Data Recovery Agent (DRA), right-click Encrypting File System, and then click Properties to open the Encrypting File System Properties dialog box.

Figure 3.1 The Encrypting File System Properties dialog box

There are also four Group Policy templates that include EFS settings, which are listed in the following table.

Table 3.4 EFS Group Policy Settings

Template and setting: GroupPolicy.admx, EFS recovery policy processing
Path: Computer Configuration\Administrative Templates\System\Group Policy
Description: Determines when encryption policies are updated.
Windows Vista default: Not configured

Template and setting: EncryptFilesonMove.admx, Do not automatically encrypt files moved to encrypted folders
Path: Computer Configuration\Administrative Templates\System\
Description: Prevents Windows Explorer from encrypting files that are moved to an encrypted folder.
Windows Vista default: Not configured

Template and setting: OfflineFiles.admx, Encrypt the Offline Files cache
Path: Computer Configuration\Administrative Templates\Network\Offline Files\
Description: This setting determines whether offline files are encrypted.
Note On Windows XP SP3, these files are encrypted with the system key whereas on Windows Vista SP1 they are encrypted with the user’s key.
Windows Vista default: Not configured

Template and setting: Search.admx, Allow indexing of encrypted files
Path: Computer Configuration\Administrative Templates\Windows Components\Search\
Description: This setting allows encrypted items to be indexed by Windows Search.
Note There may be data security issues if encrypted files are indexed and the index is not adequately protected by EFS or another means.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Rights Management Services
Rights Management Services (RMS) is designed to provide security and usage policy enforcement for sensitive e-mail, documents, Web content, and other types of information. RMS provides information security by encrypting information persistently so that as a file or e-mail message is transmitted through the enterprise or the Internet, only those who are authenticated and explicitly authorized to access it can do so. There are three components to RMS:
• RMS server. Windows Vista SP1 requires Windows Rights Management Services for Windows Server 2003 or later.
• RMS client. This is included with Windows Vista SP1.
• RMS platform or application. This is a platform or application that is designed to encrypt and control usage of the information it manages.


Risk Assessment
The risk to an organization that RMS can help mitigate is that unauthorized personnel may be able to view sensitive information. This information may have been distributed or made available to unauthorized users either in error or maliciously. Specific examples of this type of risk include:
• Unauthorized users sniff the network, access USB flash and portable hard drives, or access insufficiently protected server shares and storage.
• Authorized users send sensitive information to unauthorized recipients inside or outside the organization.
• Authorized users copy or move sensitive data to unauthorized locations or applications, or from an authorized device to an unauthorized device, such as a removable storage device.
• Authorized users accidentally provide access to sensitive information to unauthorized recipients via peer-to-peer (P2P) technologies or instant messaging.
• Authorized users print sensitive files, and the printed documents are found by unauthorized users and distributed, copied, faxed, or sent via e-mail.

Risk Mitigation
To effectively protect information that users share and collaborate on, regardless of the mechanism they use, Microsoft recommends securing the information directly via RMS so that it is seamlessly protected as it is transmitted between hosts, devices, and shares.

Mitigation Considerations
You can use RMS to mitigate the risks described in the previous "Risk Assessment" section. However, before deploying RMS, consider the following:
• RMS requires Windows Rights Management Services for Windows Server 2003 or later as the RMS server, and rights-enabled applications installed on the client computer.
• Microsoft Office SharePoint® Server 2007 or later is required if you want to make use of SharePoint-RMS integration (where RMS protects documents and information that reside on SharePoint sites).
• If you want to take advantage of the optional smart card integration of the RMS solution, ensure that each client computer that you use to access the content is compatible with the smart cards.
• To use Web-based applications such as Outlook Web Access (OWA) with RMS, the Rights Management Add-on for Internet Explorer is required.
• IT staff will require training to successfully deploy, support, and troubleshoot RMS.


Mitigation Process
Use the following risk mitigation process to assess how best to configure RMS to help protect sensitive data on the client computers that you manage.

To use this mitigation process
1. Investigate RMS technology and capabilities.
Note For more information about RMS see the Windows Rights Management Services Technology Center.

2. Assess the need for RMS in your environment.
3. Identify support of applications and services for RMS.
4. Assess potential RMS deployment architectures, such as:
   • Single server (or single cluster)
   • Single certification, single license
   • Single certification, multiple license
   • Multiple certification, single license
   • Multiple certification, multiple license
5. Identify information that you want to secure using RMS.
6. Identify users and groups that require access to specific information.
7. Configure RMS to allow only required access to information.

Managing RMS Using Group Policy
The Group Policy settings for the configuration of RMS are not part of the Windows Vista SP1 installation. RMS is primarily a server-based solution, so the service’s behavior should be configured on the RMS server. In addition, RMS-aware applications may have individual settings that govern how they will handle RMS-protected content. For example, there are RMS-related settings for Microsoft Office 2003 or later, and for applications such as Microsoft Office Outlook® and Microsoft Office Word. For more information on these settings, see the Office 2003 Policy Template Files and Deployment Planning Tools.

Device Control
The ability of users to add new Plug and Play (PnP) hardware to their client computers, such as USB key drives or other removable storage devices, creates significant security issues for IT administrators. Not only can these types of devices make client computers harder to maintain when users use them to install unsupported hardware, but they can pose threats to data security. A malicious user can potentially use a removable storage device to steal a company’s intellectual property. An attacker also could use a removable storage device with malicious software configured on it that includes an "autorun" script to install malicious software on an unattended client computer.

Windows Vista SP1 enables IT administrators to use Group Policy to help manage installation of unsupported or unauthorized devices. For example, you can allow users to install entire classes of devices (such as printers), but disallow any kind of removable storage device. An administrator can be allowed to override these policies to install authorized hardware. However, it is important to understand that a device is installed for a computer, not for particular users. After a user has installed a device, it is typically available for all users of that computer.

Windows Vista SP1 supports user-level access controls for read and write access to installed devices. For example, you can allow full read and write access to an installed device such as a USB flash drive to one user account, but only allow read access to another user account on the same computer. For more information about device control and how you can configure it, see the Step-By-Step Guide to Controlling Device Installation Using Group Policy.

Risk Assessment
Unauthorized addition or removal of devices poses a high security risk because it can enable an attacker to run malicious software, remove data, and add unwanted data. The following includes some examples:
• An authorized user may copy sensitive files from an authorized device to an unauthorized removable storage device, either intentionally or unintentionally. This may include copying from an encrypted location to an unencrypted location on a removable device.
• An attacker might log on to Windows Vista SP1 and copy data to a removable storage device.
• An attacker could use a removable storage device with malicious software to use an AutoRun script to install malicious software on an unattended client computer.
• An attacker could install an unauthorized key-logging device, which could be used to record user account details that could be used to launch a further attack.

Risk Mitigation
To mitigate these risks, Microsoft recommends protecting the computer systems you manage against the installation and use of unauthorized devices. You can use Group Policy settings to control the use of PnP devices, such as USB flash drives and other removable storage devices.

Mitigation Considerations
You can use Group Policy in Windows Vista SP1 to mitigate the risks described in the previous "Risk Assessment" section by using the Device Installation settings. However, before deploying device control to the client computers in your environment, take into account the following mitigation considerations:
• Restricting devices may block legitimate file sharing or prevent mobile users from working most effectively.
• Restricting devices can prevent you from using a USB key as part of the BitLocker drive encryption process. For example, if the Removable Disks: Deny write access policy setting is in effect for a user, even if that user is an administrator, the BitLocker setup program will not be able to write its startup key to a USB flash drive.
• Some devices identify themselves with both a "removable storage" and a "local storage" ID; for example, some bootable USB flash drives may do this. Therefore, it is important to thoroughly test your GPOs to ensure that the correct devices are restricted and allowed.


Mitigation Process
Use the following risk mitigation process to assess how best to configure device control to help protect sensitive data on the client computers that you manage.

To use this mitigation process
1. Investigate the device control capabilities of Windows Vista SP1.
Note For more information, see the Step-By-Step Guide to Controlling Device Installation Using Group Policy.

2. Assess the need for device control in your environment.
3. Investigate the Group Policy settings for device control.
4. Identify removable devices that you require in your environment and record the required Hardware or Compatibility IDs for these devices.
5. Identify the computer systems and users that require the removable devices.
6. Configure Group Policy to enable installation of specifically required device classes.
7. Configure Group Policy to enable installation of devices on computer systems that specifically require the capability.

Using Group Policy to Control Device Installation
To manage the control of device installation, Microsoft recommends using the DeviceInstallation.admx Group Policy template. The following table outlines the Group Policy settings available in that template. You can configure these settings in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions

Table 3.5 USB Device Control Settings

Policy setting: Allow administrators to override Device Installation policies
Description: Allows members of the Administrators group to install and update the drivers for any device, regardless of other policy settings. Otherwise, administrators are subject to all policies that restrict device installation.
Windows Vista default: Not configured

Policy setting: Allow installation of devices using drivers that match these device setup classes
Description: Specifies a list of device setup class GUIDs describing devices that users can install, unless specifically prevented by the following policy settings: Prevent installation of devices that match these device IDs; Prevent installation of devices for these device classes; Prevent installation of removable devices. Only use this setting when the Prevent installation of devices not described by other policy settings setting is enabled.
Windows Vista default: Not configured

Policy setting: Prevent installation of devices using drivers that match these device setup classes
Description: Specifies a custom message that displays to the user in the title of the notification balloon when this policy prevents the installation of a device.
Windows Vista default: Not configured

Policy setting: Display a custom message when installation is prevented by policy (balloon title)
Description: This setting specifies a custom message that displays to the user in the title of the notification balloon when a policy setting prevents a device installation.
Windows Vista default: Not configured

Policy setting: Display a custom message when installation is prevented by policy (balloon text)
Description: This setting specifies a custom message that displays to the user in the text of the notification balloon when policy prevents the installation of a device.
Windows Vista default: Not configured

Policy setting: Allow installation of devices that match any of these device IDs
Description: Specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that can be installed, unless the following settings specifically prevent this: Prevent installation of devices that match these device IDs; Prevent installation of devices for these device classes; Prevent installation of removable devices. Only use this setting when the setting for Prevent installation of devices not described by other policy settings is enabled.
Windows Vista default: Not configured

Policy setting: Prevent installation of devices that match any of these device IDs
Description: Specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install.
Note This policy setting takes precedence over any other policy setting that allows a device to install.
Windows Vista default: Not configured

Policy setting: Prevent installation of removable devices
Description: If you enable this setting, users may not install removable devices, and existing removable devices cannot receive driver updates. For this policy to apply, the drivers for the device must correctly identify that the device is removable. For more information, see the Step-By-Step Guide to Controlling Device Installation Using Group Policy.
Note This policy setting takes precedence over any other policy setting that allows a device to install.
Windows Vista default: Not configured

Policy setting: Prevent installation of devices not described by other policy settings
Description: If you enable this setting, any device that is not described by the following settings cannot have its drivers updated: Allow installation of devices that match these device IDs; Allow installation of devices for these device classes.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Using Group Policy to Control Device Usage
In addition to helping you control the installation of devices, Windows Vista SP1 allows you to control the level of access users have to particular device classes after they have been installed. There are two other templates, described in this table and the next, that contain settings that can affect the behavior of installed devices. RemovableStorage.admx contains the following settings for removable storage devices, and it is located at the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Removable Storage Access

Table 3.6 Device Settings

Policy setting: All Removable Storage classes: Deny all access
Description: Configures access to all removable storage device classes.
Windows Vista default: Not configured

Policy setting: All Removable Storage: Allow direct access in remote sessions
Description: This setting grants standard user accounts access to removable storage devices in remote sessions. The default configuration does not allow this access for remote sessions.
Windows Vista default: Not configured

Policy setting: CD and DVD: Deny read access
Description: This setting denies read access to the CD and DVD removable storage class. The default setting will allow read access.
Windows Vista default: Not configured

Policy setting: CD and DVD: Deny write access
Description: This setting denies write access to the CD and DVD removable storage class. The default setting will allow write access to this device class.
Windows Vista default: Not configured

Policy setting: Custom Classes: Deny read access
Description: This setting denies read access to custom device classes. The default setting allows read access.
Windows Vista default: Not configured

Policy setting: Custom Classes: Deny write access
Description: This setting denies write access to custom device classes. The default setting allows write access to this device class.
Windows Vista default: Not configured

Policy setting: Floppy Drives: Deny read access
Description: This setting denies read access to floppy drives. The default setting allows read access.
Windows Vista default: Not configured

Policy setting: Floppy Drives: Deny write access
Description: This setting denies write access to floppy drives. The default setting allows write access to this device class.
Windows Vista default: Not configured

Policy setting: Removable Disks: Deny read access
Description: This setting denies read access to removable drives. The default setting allows read access.
Windows Vista default: Not configured

Policy setting: Removable Disks: Deny write access
Description: This setting denies write access to removable drives. The default setting allows write access to this device class.
Windows Vista default: Not configured

Policy setting: Tape Drives: Deny read access
Description: This setting denies read access to tape drives. The default setting allows read access.
Windows Vista default: Not configured

Policy setting: Tape Drives: Deny write access
Description: This setting denies write access to tape drives. The default setting allows write access to this device class.
Windows Vista default: Not configured

Policy setting: WPD Devices: Deny read access
Description: This setting denies read access to Windows portable devices, such as media players and mobile phones. The default setting allows read access.
Windows Vista default: Not configured

Policy setting: WPD Devices: Deny write access
Description: This setting denies write access to Windows portable devices, such as media players and mobile phones. The default setting allows write access to this device class.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.


Using Group Policy to Control AutoPlay and AutoRun
The Autoplay.admx template contains the following settings that affect the AutoPlay and AutoRun behavior for removable storage devices and removable media in Windows Vista SP1. You can find the settings for this template in the following location the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies Table 3.7 AutoPlay Policy Settings Policy setting Turn off Autoplay Description Windows Vista default

Allows you to disable the autoplay Not configured ‡ feature for CD, DVD-ROM, and removable drives or all drives. This setting configures the default behavior for AutoRun commands. By default, Windows Vista SP1 prompts the user to confirm whether the AutoRun command should run. Not configured

Default behavior for AutoRun

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor. These settings also appear under the user configuration at the following location: User Configuration\Administrative Templates\Windows Components\AutoPlay Policies If the device control settings conflict, the setting in the computer configuration takes precedence over the user configuration setting.
Note Some policy settings specify the use of device setup class GUIDs, and others use Plug and Play device setup class GUIDs. For more information, see How Setup Selects Drivers.
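The following audit script is an added example and is not part of the guide: it reads back the registry values that the AutoPlay, AutoRun and removable storage "Deny access" policy settings described above write, so you can verify the effective state on a client computer rather than trusting the Group Policy Object Editor view alone. The registry paths and value names are assumptions taken from the standard policy locations used by Autoplay.admx and the Removable Storage Access policies, not from the guide itself.

```powershell
# Added example, not from the Windows Vista Security Guide: report the effective state of the
# AutoPlay, AutoRun and removable storage "Deny access" policies on the local computer by reading
# the registry values that the Group Policy settings write. Assumption: the paths below are the
# standard computer-configuration policy locations (HKLM); user-configuration settings land in HKCU.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$storagePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is "Not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# "Turn off Autoplay" writes NoDriveTypeAutoRun, a bitmask of drive types.
# 0xFF = all drives; 0xB5 = CD-ROM and removable drives (the two choices offered by the policy).
$noDriveType = Get-PolicyValue -Path $explorerPolicy -Name 'NoDriveTypeAutoRun'
if ($null -eq $noDriveType)    { $autoplayState = 'Not configured (Windows Vista default)' }
elseif ($noDriveType -eq 0xFF) { $autoplayState = 'AutoPlay turned off on all drives' }
elseif ($noDriveType -eq 0xB5) { $autoplayState = 'AutoPlay turned off on CD-ROM and removable drives' }
else { $autoplayState = 'Custom drive-type bitmask 0x{0:X2}' -f $noDriveType }

# "Default behavior for AutoRun" writes NoAutorun: 1 = never execute autorun commands;
# absent or 0 = prompt the user, which is the Windows Vista SP1 default.
$noAutorun = Get-PolicyValue -Path $explorerPolicy -Name 'NoAutorun'
$autorunState = if ($noAutorun -eq 1) { 'AutoRun commands never execute' } else { 'Prompt the user (default)' }

[pscustomobject]@{ Setting = 'Turn off Autoplay';            State = $autoplayState }
[pscustomobject]@{ Setting = 'Default behavior for AutoRun'; State = $autorunState }

# Each "<class>: Deny read/write/execute access" setting writes Deny_Read, Deny_Write or
# Deny_Execute under a subkey named for the device setup class GUID. Enumerate the subkeys
# that exist instead of hard-coding GUIDs, so the report covers every class that is configured.
if (Test-Path -Path $storagePolicy) {
    Get-ChildItem -Path $storagePolicy | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            DeviceClassGuid = $_.PSChildName
            DenyRead        = [bool]$props.Deny_Read
            DenyWrite       = [bool]$props.Deny_Write
            DenyExecute     = [bool]$props.Deny_Execute
        }
    }
} else {
    Write-Output 'Removable storage access: no Deny policies configured (Windows Vista default)'
}
```

Run it in an elevated PowerShell session after a Group Policy refresh; a class GUID that appears with all three Deny values false indicates a policy that was enabled and later set back to Not configured without the key being cleaned up.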

More Information
The following resources provide additional information about enhanced security features and technologies to help protect sensitive data in Windows Vista SP1 on Microsoft.com:
• Best practices for the Encrypting File System.
• BitLocker Drive Encryption.
• First Look: New Security Features in Windows Vista for general information about security features in Windows Vista SP1.
• The Encrypting File System.
• Trusted Computing Group.
• Office 2003 Policy Template Files and Deployment Planning Tools.
• Step-By-Step Guide to Controlling Device Installation Using Group Policy.
• Windows Rights Management Services Technology Center.
• Windows Vista Security and Data Protection Improvements: "Data Protection."

Chapter 4: Using Older Applications with Windows Vista
Application compatibility is always a critical challenge that organizations must address when deploying a new operating system. A large part of the development effort for Windows Vista® Service Pack 1 (SP1) involved helping to ensure that the new features and services in the operating system would maintain a high level of functionality and compatibility with older programs. Throughout development, the Microsoft Application Experience Team tested many applications from a wide range of third-party vendors.

The security settings prescribed in this guide to harden Windows Vista SP1 have been extensively tested to work compatibly with the core operating system, as well as with the Microsoft® Office suite of applications. Applications that run on Windows Vista SP1 should continue to operate properly on client computers that are subject to the setting recommendations in this guide.

However, there is a possibility that older applications may not work properly with some of the new security technologies built into Windows Vista SP1. Technologies such as User Account Control (UAC) and Windows Resource Protection can interfere with older applications. The Microsoft Solution Accelerator for Business Desktop Deployment 2007 contains comprehensive application compatibility guidance to enable IT professionals to test applications for compatibility with Windows Vista SP1, and mitigate compatibility issues discovered during the process. For more information, see the Application Compatibility Feature Team Guide on Microsoft TechNet®.

This chapter includes simple procedures that you can use to test the level of compatibility of your applications with Windows Vista SP1. The chapter also discusses some of the more common causes of application compatibility issues, and provides pointers to available resources that can help you to address them.

Thirty-Minute Compatibility Check
This section provides guidance on how to test and evaluate application compatibility with Windows Vista SP1. It includes two scenarios that you can use to test application compatibility with the operating system. The scenarios are designed to help you accomplish the following:
• Test an application on a computer running Windows Vista SP1.
• Test an application on a computer running an upgrade to Windows Vista SP1 from Windows® XP Professional Service Pack 3 (SP3).


To test an application on a computer running Windows Vista SP1
1. Install Windows Vista SP1 on a test computer, and then log on to the computer as an administrator.
2. Install the application that you want to test on the computer. If a prompt displays requesting permission to install the application, click Permit to continue the installation. If the installation succeeds, go to Step 6.
Note This step is not necessary if you use a Microsoft Installer (.msi) file to install the application.
3. If the application installation fails and no installation permission prompt was displayed, right-click the installer .exe file, click the Run this program as administrator option, and then re-install the application. If the installation succeeds, go to Step 7.
4. If you receive any errors related to the operating system version, application registration, or file copy, right-click the installer .exe file, click Compatibility, and then choose the Windows XP Professional SP3 compatibility mode.
5. Repeat Step 2. If you still cannot install the application, go to Step 8.
6. Log on to the test computer running Windows Vista SP1 as a user without administrative privileges.
7. Start the application. If the application does not start properly or displays errors, enable the Windows XP Professional SP3 compatibility mode for the application .exe file, and then try to install it again on the operating system.
8. If the application starts successfully, run the full suite of tests you would typically use to test it on a computer running Windows XP. If the application passes all major functionality tests, the application will work properly with Windows Vista SP1.
9. If the application does not install and start successfully, stops responding, produces an error, or fails any major functionality test, it may be one of a small set of applications that is subject to compatibility issues with Windows Vista SP1. Refer to other resources in this chapter to further investigate and test the application.

To test an application on a computer running an upgrade to Windows Vista SP1 from Windows XP Professional SP3
1. Install Windows XP Professional SP3 on a test computer, and then install the application that you want to test. Verify all functionality of the application before proceeding.
2. Upgrade the test computer to Windows Vista SP1. Follow the Windows Vista SP1 setup and upgrade instructions. After the upgrade is complete, log on to the test computer as you would to a computer running Windows XP Professional SP3.
3. Start the application. If the application does not start properly or if errors display, enable the Windows XP Professional SP3 compatibility mode for the application .exe file, and then try installing it again.
4. If the application starts successfully, run the full suite of tests you would typically use to test it on a computer running Windows XP. If the application passes all major functionality tests, the application will work properly with Windows Vista SP1.
5. If the application does not install or start successfully, stops responding, produces an error, or fails any of your major functionality tests, it may be one of a small set of applications that is subject to compatibility issues with Windows Vista SP1. Refer to other resources in this chapter to further investigate and test the application.

If you complete both scenarios and determine that the application performs properly, you can assume that it will work with Windows Vista SP1.


Known Application Compatibility Issues
This section describes several of the most common new technologies, enhancements, and changes in Windows Vista SP1 that are known to cause application compatibility issues. Where possible, this section also includes potential ways to mitigate them.
Important Test all third-party applications that you plan to use in your environment with Windows Vista SP1 to ensure that they will work properly with the operating system.

Security Enhancements
The following security enhancement features in Windows Vista SP1 may cause compatibility issues with third-party applications:
• User Account Control. This feature in Windows Vista SP1 provides a method of separating standard user privileges and tasks from those that require administrator access. User Account Control (UAC) increases security by improving the computer experience for users running standard user accounts. Users can perform more tasks and enjoy higher application compatibility without the need to log on to their client computers with administrative-level privileges. This helps reduce the effect of malware, unauthorized software installation, and unapproved system changes. UAC can introduce problems in applications that are not compliant with this technology enhancement. For this reason, it is important to test applications with UAC enabled before you deploy them. For more information about application compatibility testing, see the Application Compatibility Feature Team Guide on TechNet.
• Windows Resource Protection. This feature in Windows Vista SP1 helps safeguard system files and protected registry locations to help improve the overall security and stability of the operating system. Most applications that previously accessed or modified these locations are automatically redirected to temporary locations, which they can then use to continue to operate without issues. However, applications that require full access to these protected areas and cannot handle the automatic redirection process will not operate properly with Windows Vista SP1. In these cases, you must modify the applications so that they function as intended. For more information about this feature and its implications for application compatibility, see About Windows Resource Protection on Microsoft MSDN®.
• Protected Mode. This feature of Microsoft Internet Explorer® 7 helps protect computers running Windows Vista SP1 from the installation of malware and other harmful software by running the operating system with lower, more secure rights. When Internet Explorer is in Protected Mode, the browser can only interact with specific areas of the file system and registry. Although Protected Mode helps maintain the integrity of client computers running Windows Vista SP1, it can affect the proper operation of older Internet and intranet Web applications. You may need to modify such Web applications to run them in a more restrictive environment.


Operating System Changes and Innovations
The following operating system changes and innovations in Windows Vista SP1 may cause compatibility issues with third-party applications:
• New system APIs. Application programming interfaces (APIs) expose layers of the Windows Vista SP1 operating system differently than in previous versions of Windows. Antivirus and firewall software are examples of applications that rely on these new APIs to properly monitor and safeguard Windows Vista SP1. You need to upgrade applications that perform these functions to versions that are compatible with Windows Vista SP1.
• Windows Vista SP1 64-Bit. 16-bit applications and 32-bit drivers are not supported in the Windows Vista SP1 64-bit environment. Automatic registry and system file redirection is not available for the 64-bit environment. For these reasons, new 64-bit applications must comply with the full Windows Vista SP1 application standards.
• Operating system versions. Many older applications check for specific versions of Windows. When third-party applications cannot detect a specific operating system version, many of them stop responding. Most operating system versioning requirements related to compatibility issues are addressed by new functionality built into Windows Vista SP1. Features such as the Program Compatibility Assistant can usually resolve these types of issues automatically. For more information about the Program Compatibility Assistant and other tools and resources, see the next section of this chapter.

The Application Compatibility Cookbook on MSDN provides additional information about these security enhancements and operating system changes and innovations in Windows Vista SP1. This resource also provides test approaches and possible remedies for most of these compatibility issues.

Tools and Resources
This section provides brief overviews and pointers to several features and technologies available for Windows Vista SP1 designed to help you address application compatibility issues.

Program Compatibility Assistant
This feature automatically specifies an appropriate "compatibility mode" for applications designed to run with previous versions of Windows. When Windows Vista SP1 detects applications that need to run in compatibility modes for Windows XP Professional SP3, Windows 2000, or later versions of Windows, the operating system directs the applications to be updated automatically to run on Windows Vista SP1 without further user intervention. For more information, see the Program Compatibility Assistant: frequently asked questions page of the Windows Vista Help and Support Web site.


Program Compatibility Wizard
The Program Compatibility Wizard is included with Windows Vista SP1 to assist you when a program written for an earlier version of Windows does not run correctly. The wizard will help you specify compatibility settings for the program, which will resolve application compatibility issues for many older programs. To open the Program Compatibility Wizard, click the Start button, click Control Panel, click Programs, and then click Use an older program with this version of Windows. For more information, see the Make older programs run in this version of Windows page of the Windows Vista Help and Support Web site.
Warning Do not run the Program Compatibility Wizard on older antivirus programs, disk utilities, or other system programs because it might cause data loss or create a security risk. Instead, use only versions of these programs and utilities designed specifically to work with Windows Vista SP1.

Microsoft Application Compatibility Toolkit
Microsoft has released a suite of tools and documentation to help you identify and manage your organization’s application portfolio. The Microsoft Application Compatibility Toolkit (ACT) 5.0 is designed to help you reduce the cost and time involved to resolve application compatibility issues to better enable you to quickly deploy Windows Vista SP1. ACT 5.0 can help you prepare to use Windows Vista SP1 by providing you with a detailed inventory of your existing applications, managing critical applications, and determining the extent of your application environment that may require special attention in preparation for Windows Vista SP1. The toolkit has been specifically updated to support security features of Windows Vista. Enhancements in ACT 5.0 allow you to do the following tasks:
• Analyze your portfolio of applications, Web sites, and computers.
• Evaluate operating system deployments, the impact of operating system updates, and your compatibility with Web sites.
• Centrally manage compatibility evaluators and configuration settings.
• Rationalize and organize applications, Web sites, and computers.
• Prioritize application compatibility efforts with filtered reporting.
• Add and manage issues and solutions for your enterprise-computing environment.
• Deploy automated mitigations to known compatibility issues.
• Send and receive compatibility information from the Microsoft Compatibility Exchange.

For more information about the toolkit, see Microsoft Application Compatibility Toolkit 5.0.


Temporary Remedies
In addition to specific application compatibility tools and resources, there are additional Microsoft technologies you can use to address application compatibility issues that might take some time to fully resolve. These technologies are designed to help you migrate to Windows Vista SP1, and continue to run business-critical applications that are not compatible with Windows Vista SP1. These technologies include the following:
• Microsoft Virtual PC. You can use Virtual PC to run applications on Windows Vista SP1 that only work properly with older versions of Windows. Virtual PC lets users keep a previous version of Windows available to run non-compatible applications within their Windows Vista SP1 environment until upgraded versions of non-compatible applications are developed. For more information, see Microsoft Virtual PC 2007.
• Terminal Services for hosting applications. Hosting older applications on Terminal Services lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device on your network. Windows Vista SP1–based client computers can connect to these application-hosting environments through Remote Desktop to access older applications. For more information, see Terminal Services for Windows Server 2008 and the Technical Overview of Windows Server 2003 Terminal Services.
• Virtual Server for hosting applications. With a Virtual Server environment, you can host older applications and allow remote connectivity from users who need access to those applications. In conjunction with Windows Server 2003 SP2, Virtual Server 2005 R2 SP1 provides a virtualization platform that runs most major x86 operating systems in a guest environment, and the platform is supported by Microsoft as a host for Windows Server operating systems and Microsoft Windows Server System™ applications. For more information, see the Virtual Server 2005 R2 SP1 Product Overview.
More Information
The following resources provide additional information about Windows Vista SP1 application compatibility-related topics on Microsoft.com:
• About Windows Resource Protection.
• Application Compatibility Feature Team Guide.
• Application Compatibility and User Account Control.
• Introduction to the Protected Mode API.
• Make older programs run in this version of Windows on Windows Vista Help and Support.
• Microsoft Application Compatibility Toolkit 5.0.
• Microsoft Virtualization.
• Program Compatibility Assistant: frequently asked questions on Windows Vista Help and Support.
• Technical Overview of Windows Server 2003 Terminal Services.
• Terminal Services for Windows Server 2008.
• The Windows Vista and Windows Server 2008 Developer Story: Application Compatibility Cookbook.
