Description of the Guidance for Securing Microsoft Windows Vista
NIST has collaborated with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft Corporation to produce Microsoft's Windows Vista baseline security settings for the Enterprise (EC) and Specialized Security/Limited Functionality (SSLF) environments. These recommended baselines/profiles are represented in the Microsoft Vista security guide. NIST also collaborated with industry to produce the XML representation of the recommended profiles in Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability and Assessment Language (OVAL).

Comments and questions may be addressed to checklists@nist.gov.
Frequently Asked Questions - FAQ
1. Who produces the Microsoft Vista security guide?

In a collaborative effort with DISA, NSA, and NIST, Microsoft produced the Vista security guide that reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform. NIST has reviewed the security guide and provided comments that Microsoft has adopted in the production of the guide.
2. What should agencies do?

Assuming that agencies will transition to the Vista platform, they should begin interoperability testing with deployed applications and systems due to the substantial changes in the security architecture and default out-of-the-box configurations.
3. When should agencies deploy Vista?

This is an operational and business case decision. Among the many factors to consider are the time it takes to test existing applications for compatibility, operating in mixed Vista/Windows XP environments, interoperability with existing configuration management and security tools (e.g., antivirus software), vulnerability and patch management, upgrading existing applications, training considerations for affected personnel, understanding the new security features, and other technology changes such as server OS upgrades.
4. What are some of the out-of-the-box security changes?

For example, the built-in Administrator account and the LanMan (LM) authentication protocol are disabled. Only NTLMv2 passwords are sent over the network. Members of the Administrators group operate as standard users and get the additional rights when required.
5. What are some of the security features?

Microsoft has introduced a number of security changes in Vista, such as User Account Control (UAC), hardened services, Windows Integrity Control, Internet Explorer protected mode, the phishing filter, Windows Defender, a bi-directional Windows firewall, Suite B cryptographic algorithms (undergoing FIPS 140 evaluation), full disk encryption with BitLocker, virtualized file and registry, etc.
6. Is Windows Vista more secure?

Windows Vista is a major and significant upgrade in security from Windows XP. It has undergone the Microsoft Secure Development Lifecycle (SDL) process. The default configuration of Windows Vista is much more locked down than any previous version of Windows. This is illustrated by changes such as the built-in Administrator account and the LanMan (LM) password hash being disabled, and NTLMv2 being used by default for network authentication to Windows servers. Members of the Administrators group operate as standard users and get the additional rights when required. The Power Users group has the same rights as the Users group. Microsoft has introduced a number of security changes in Vista, such as the ones listed above. As Vista is widely deployed and field tested, organizations will have a better understanding of the impact of these security improvements.
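Items 4 and 6 above both describe the same out-of-the-box authentication defaults: the built-in Administrator account is disabled, LM authentication and the LM password hash are off, and NTLMv2 is used on the network. The PowerShell function below is an added example written for this page; it is not code from NIST, DISA, NSA, or Microsoft, and it is not part of the XCCDF/OVAL content the page mentions. It reads the standard LSA registry values LmCompatibilityLevel and NoLMHash and looks up the built-in Administrator account by its well-known RID (500) through WMI; the value names and their meanings are standard Windows settings rather than anything stated on the page, and the "compliant" thresholds are this example's interpretation of the FAQ text. It reports, rather than changes, the configuration, so it can be run on a test machine before and after applying a baseline.

```powershell
# Added example, not from the NIST page: report whether a Vista-era host
# still matches the out-of-the-box authentication defaults described in
# FAQ items 4 and 6. Read-only; nothing is modified.
#
# Assumptions (not stated on the page):
#  - LmCompatibilityLevel semantics: 0-2 may send LM/NTLM responses,
#    3 sends NTLMv2 only, 4-5 additionally refuse LM (and NTLM) from clients.
#  - NoLMHash = 1 means the LM hash is not stored at next password change.
#  - When a value is absent the OS default applies; Vista's defaults are
#    assumed here to be LmCompatibilityLevel=3 and NoLMHash=1.
function Test-VistaAuthDefaults {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath

    # Fall back to the assumed defaults when the value has never been written.
    $lmLevel = if ($lsa.PSObject.Properties['LmCompatibilityLevel']) {
        [int]$lsa.LmCompatibilityLevel
    } else { 3 }
    $noLmHash = if ($lsa.PSObject.Properties['NoLMHash']) {
        [int]$lsa.NoLMHash
    } else { 1 }

    # The built-in Administrator account is the local account whose SID
    # ends in RID 500, whatever it has been renamed to.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    $findings = @()
    if ($lmLevel -lt 3) {
        $findings += "LmCompatibilityLevel=$lmLevel allows LM/NTLM responses on the network"
    }
    if ($noLmHash -ne 1) {
        $findings += "NoLMHash=$noLmHash: LM password hashes may still be stored"
    }
    if ($admin -eq $null) {
        $findings += 'Built-in Administrator (RID 500) not found via WMI'
    } elseif (-not $admin.Disabled) {
        $findings += "Built-in Administrator account '$($admin.Name)' is enabled"
    }

    New-Object PSObject -Property @{
        LmCompatibilityLevel = $lmLevel
        SendsNtlmV2Only      = ($lmLevel -ge 3)
        LmHashStorageOff     = ($noLmHash -eq 1)
        BuiltInAdminName     = if ($admin) { $admin.Name } else { $null }
        BuiltInAdminDisabled = if ($admin) { [bool]$admin.Disabled } else { $null }
        MatchesVistaDefaults = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Usage on a test machine (run from an elevated prompt so WMI and the
# LSA key are readable):
Test-VistaAuthDefaults | Format-List
```

A host that has been re-tuned for a mixed Vista/Windows XP environment will often show a lower LmCompatibilityLevel, which is exactly the kind of interoperability trade-off items 2 and 3 say agencies should surface through testing rather than discover in production.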
7. What are some of the new features?

Microsoft has introduced a number of new features that agencies should consider, such as a new graphical user interface, the next generation TCP/IP stack that supports IPv6 by default, the network discovery protocol, the Windows event log, etc.
8. Who is the intended audience?

The intended audience is Windows Vista system administrators and technical Windows Vista systems users. The document assumes that the reader has experience installing and administering Windows-based systems in domain configurations.
9. Should I test this before applying it in my environment?

Yes. Test the recommended settings on carefully selected test machines that are deployed in an environment that simulates the organization's operational infrastructure.
10. What is the impact caused by applying the Specialized Security-Limited Functionality template?

The Specialized Security-Limited Functionality template contains the more restrictive settings and will reduce the functionality and interoperability of the Windows Vista system. It will reduce the usability of a typical system found in a multi-purpose managed environment and will break legacy or other general-purpose applications. It should only be used by experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.
11. Should I make changes to the baseline settings?

Given the wide variation in operational and technical considerations for operating any major enterprise, it is appropriate that some local changes will need to be made to the baseline and the associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows Vista systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on carefully selected test machines first and document the implemented settings.
12. Is NIST endorsing or mandating the use of Windows Vista systems or requiring each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of Windows Vista systems, nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.