In a collaborative effort with DISA, NSA, and NIST, Microsoft produced the Vista security guide that reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform. NIST has reviewed the security guide and provided comments that Microsoft has adopted in the production of the guide.

Assuming that agencies will transition to the Vista platform, they should begin interoperability testing with deployed applications and systems due to the substantial changes in the security architecture and default out of the box configurations.

This is an operational and business case decision. Among the many factors to consider are the time it takes to test existing applications for compatibility, operating in mixed Vista/Windows XP environments, interoperability with existing configuration management and security tools (e.g., antivirus software), vulnerability and patch management, upgrading existing applications, training considerations for affected personnel, understanding the new security features, and other technology changes such as server OS upgrades.

For example, the built-in Administrator account and LanMan (LM) authentication protocol are disabled. Only NTLMv2 passwords are sent over the network. Members of the Administrators group operate as standard users and get the additional rights when required.

Microsoft has introduced a number of security changes in Vista such as the User Account Control (UAC), hardened services, Windows Integrity Control, Internet Explorer protected mode, phishing filter, Windows Defender, a bi-directional Windows firewall, Suite B cryptographic algorithms (undergoing FIPS 140 evaluation), full disk encryption with BitLocker, virtualized file and registry, etc.

Windows Vista is a major and significant upgrade in security from Windows XP. It has undergone the Microsoft Secure Development Lifecycle (SDL) process. The default configuration of Windows Vista is much more locked down than any previous version of Windows. This is illustrated by changes such as the fact that the built-in Administrator account and LanMan (LM) password hash are disabled, by default NTLMv2 is used for network authentication to Windows servers. Members of the Administrators group operate as standard users and get the additional rights when required. The Power Users group has the same rights as Users group. Microsoft has introduced a number of security changes in Vista, such as the ones listed above. As Vista is widely deployed and field tested, organizations will have a better understanding of the impact of these security improvements.

Microsoft has introduced a number of new features that agencies should consider such as a new graphical user interface, the next generation TCP/IP stack that supports IPv6 by default, network discovery protocol, Windows event log, etc.

The intended audience is Windows Vista system administrators and technical Windows Vista systems users. The document assumes that the reader has experience installing and administering Windows-based systems in domain configurations.

Yes. Test the recommended settings on carefully selected test machines that are deployed in an environment that simulates the organziation's operational infrastructure.

The Specialized Security-Limited Functionality template contains the more restrictive settings and will reduce the functionality and interoperability of the Windows Vista system. It will reduce the usability of a typical system found in a multi-purpose managed environment and will break legacy or other general-purpose applications. It should only be used by the experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.

Given the wide variation in operational and technical considerations for operating any major enterprise, it is appropriate that some local changes will need to be made to the baseline and the associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows Vista systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on carefully selected test machines first and document the implemented settings.

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows Vista Systems nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.