ISO Consensus Papers
ISO Consensus Paper: Windows Vista
ISO Consensus papers present the expert security perspective of the Information Security Office staff at The University of Texas at Austin.
The expected release date for Windows Vista is November 30, 2006, and it will likely appear on OEM (original equipment manufacturer) PCs shortly thereafter. Microsoft has touted it as the most secure version of Windows yet, and it does indeed include many new and refreshed security utilities, as well as several improvements to the operating system design.
Higher education networks often contain a mixture of managed and unmanaged Windows workstations. Managed Windows workstations are usually under control of an administrative authority through Active Directory, are updated and managed using a central utility, such as SMS or Altiris, and use an enterprise-wide anti-malware solution. On unmanaged Windows workstations, the typical user has administrator access and relies on automated updates from Microsoft and anti-malware companies.
The purpose of this paper is to provide guidance regarding the security of Windows Vista. Where applicable, we include notes on differences in recommendations between unmanaged and managed workstations. Although there are several editions of Windows Vista, for the purposes of this paper, we evaluated Windows Vista Enterprise only.
Pay attention to what you’re purchasing: Microsoft is releasing no less than six editions of Windows Vista: Starter (available only in developing countries), Home Basic, Home Premium, Business, Enterprise, and Ultimate. Depending on which version you buy, you may be getting only a subset of security features. For instance, Bitlocker drive encryption is available only in the Enterprise and Ultimate editions. Also be aware that OEM computer makers may preinstall Windows Vista with a different set of security defaults, or include third-party security packages.
The security features are useful only if used: Some of the security features in Windows Vista, such as the Firewall or User Account Control, will alert or prompt the user when an action is required. If users perceive this is happening too much and become annoyed, they may disable these features if they are administrators, reducing the overall security of their systems. User education and restricting administrator access reduces the likelihood of this.
Consider using centralized management to enforce security: Many of the security controls in Windows Vista can be managed, or at least enabled, centrally. This allows you to enforce a system to be compliant with your policies. Consider using Active Directory group policies and other management tools.
Don’t get a false sense of security: Although Windows Vista has many new security features, it is still important to be vigilant and maintain a layered approach to your security posture. Additional security layers that should not be neglected definitely includes anti-virus and might also include a perimeter firewall, host/network intrusion detection, and third-party auditing tools. Even operating systems that have a better security history than Windows, and have implemented some of the same security features (such as privilege separation) for a much longer period of time, occasionally get compromised.
You can afford to wait to upgrade: As long as your current systems are up-to-date and have the appropriate security controls in place for your environment, the improved security in Windows Vista alone is not enough to warrant an immediate upgrade. In addition, certain hardware requirements might have to be met before you can take full advantage of Windows Vista. We recommend a wait-and-see approach until the first service pack is released.
Internet Explorer 7
Windows Vista comes with the Internet Explorer 7 Web browser (which is also available for Windows XP Service Pack 2). Although there are a number of new security features in IE 7, for example phishing filter and opt-in for ActiveX controls, a full treatment of all of them is outside the scope of this document. Instead, we will focus on the features that apply only to Windows Vista. It is worth mentioning, however, that both for Windows Vista and Windows XP SP 2, IE is no longer integrated into the Windows Explorer shell. If you attempt to open a file in IE 7, the Windows Explorer will instead launch and open the file. If you attempt to visit a Web site in Windows Explorer, the default Web browser will open the page. This is a major security improvement in IE overall.
IE 7 under Windows Vista runs in a protected mode that places the browser in a “sandbox.” The browser can only touch Temporary Internet Files, where it places special “low privilege” versions of the cache, cookies, TEMP folder, and history. It also takes advantage of mandatory integrity control for separation of privileges. By default, protected mode is turned on for all sites except for trusted sites. When visiting a trusted site, Windows Vista does not use the low privilege versions of the files. The Favorites directory is shared between both protected mode and non-protected mode. Even when in non-protected mode, IE 7 uses new User Account Control features, including file and directory virtualization, to prevent unintentional program installation and modification of the registry and system files.
Even with these security enhancements, there have already been several vulnerabilities reported in IE 7 since its release, although none that allow remote code execution under Windows Vista. It is also important to keep in mind that, even though IE 7 itself is more secure, it provides a vector to other Windows components that might have vulnerabilities.
Windows Defender is Microsoft’s anti-spyware utility, originally released in beta form for Windows XP. It now comes standard with Windows Vista and is turned on by default. Windows Defender is a useful feature, as spyware/adware has always been a problem on Windows systems. It should be left enabled unless it conflicts with any third-party anti-malware packages you already have installed.
Managed environment notes: Group policies can ensure Windows Defender remains enabled, or disabled if you use another anti-malware package.
Bitlocker can be used to encrypt an entire hard drive with either AES-128 or AES-256, thus making the data unreadable. This is especially useful for laptops, which have a high potential for being lost or stolen.
Bitlocker requires that your motherboard and BIOS support TPM 1.2, which may be available only on newer systems. The TPM provides integrity checking to ensure that the computer and operating system have not been tampered with. There is currently no virtualization for TPM, so Bitlocker will not work with PC virtualization software, such as VMware or VirtualPC, although there may be support for these environments in the future.
One of the risks of encryption is that you might lose your encryption key and therefore not be able to decipher your own data—rendering it completely useless. Bitlocker gives you the ability to backup, or escrow, your recovery key (referred to as a Recovery Password) on a USB key or network drive. Store this key in a safe place or with a trusted party, such as your network administrator.
Managed environment notes: If the system is part of an Active Directory environment, administrators can configure group policies to silently escrow keys into Active Directory.
The Windows Firewall supports three profiles by default: Public, for when you are connected to an untrusted public network; Private, for when you are connected behind a firewall; and Domain, for when your computer is part of, and managed by, a Windows domain. By default, the Public (most restrictive) profile is used.
The Windows Firewall now has the ability to block both inbound and outbound connections, though by default all outbound connections are allowed. Thus, spyware and worms that make outbound connections are not restricted. The standard Windows Firewall Control is similar to the one included with Windows XP SP 2, in that configuration options are very limited. To block outbound connections at a more granular level, the “Windows Firewall with Advanced Security” Administrative Tool must be used. The use of this tool, however, may be too complex for most users, and they will therefore continue to run without outbound protection.
The Windows Firewall now has the ability to export and import rulesets. Consider creating rule templates tailored for your environment, which your users can then apply. Third-party firewalls are also an option.
Managed environment notes: In a managed environment, firewall policies can be enforced via group policies. IPsec policies can also be managed through the same firewall now.
User Account Control
User Account Control is designed so that when a standard user needs to do something that requires administrator privileges, they are prompted for an administrator username and password. Such changes are usually something that affects the whole system, such as installing software or changing firewall settings. In previous versions of Windows, users had to log out and then log back in as an administrator to perform these functions, an interruption that caused many users to run as an administrator all the time. Under Windows Vista, even administrators are prompted for confirmation when they perform administrative functions. This design should help prevent the stealth installation of software and reduce the efficacy of many forms of malware.
Part of User Access Control is file and registry virtualization, which allows registry and file changes that must normally be made system-wide to only affect individual users. This means that legacy applications that require administrator rights to modify the registry will still work for non-administrative users, and the overall security of the system is increased because they will not have to run as administrators. This is an improvement over Windows 2000 and XP, which required you to run as administrator if you were going to run these legacy applications.
We recommend that users run as standard users and get prompted for administrative credentials when required. Administrators should also get prompted to confirm administrative tasks. Although it is possible for administrators to change these options, it is not recommended. Always use the principle of least privilege.
Managed environment notes: Enforce the User Account Control settings described above through Active Directory group policies.
Windows Vista includes the Peer Name Resolution Protocol (PNRP), which allows users to discover other users on the same network as themselves for ad-hoc collaboration, instant messaging, and gaming. So, for instance, a user on a wireless access point at a coffee shop can advertise that they are interested in playing network-based game, and invite others to play it. This capability does not require an Internet connection, just a local network connection. Additionally, users can designate other users as trusted and use peer-to-peer capabilities with them over the Internet.
PNRP is disabled by default, but in order to use any of its features it must be turned on. Users who decide to use it should be aware of the privacy concerns that might arise when allowing other users to discover them. They should also be aware of the security concerns inherent with peer-to-peer networking, such as viruses from file sharing. Among other things, using the peer-to-peer networking features causes the client to connect to seed servers at Microsoft , which caches your peer identifier and Internet IP address, basically telling the server who you are and where you are coming from. Enabling peer-to-peer networking also turns on Teredo IPv6 NAT transversal (because PNRP uses IPv6 as its network layer), which is something administrators should be aware of when inspecting traffic on their network. Additionally, PNRP represents a potentially new vector for botnets to discover and infiltrate systems, as well as communicate with each other. Turning on peer-to-peer services does not require administrator access, so users could be tricked into turning it on, or a malicious program might find a way to turn it on automatically.
Managed environment notes: Use active directory group policies to limit peer-to-peer networking in your organization. If you wish to use it locally, but not allow communications over the Internet, put outbound firewall rules in place at your perimeter.
Send computing questions to the ITS Help Desk or call (512) 475-9400.