As advertised, the suite of Windows Vista Operating Systems is the most secure to date. A major theme of the design of Vista is an attempt to make it easy to keep a computer secure in various environments. However, all editions allow the user to make poor decisions that reduce the security on their computer. Consult with your local technical support staff.
There are five editions of Vista as released by Microsoft for consumption by US customers. They are differentiated by the features they offer. Three of these editions will be included in the University’s Campus Agreement Licence with Microsoft. They are listed here, ranked from most to least features:
Ultimate
All features possible in Windows Vista are present in this edition. This is the only edition in which System Partition Encryption is available when running standalone, that is, outside of a domain.
Two Business Editions
Enterprise
This edition has all features present in the Ultimate edition, except Media Center, Movie Making, DVD authoring, and Ultimate Extras. System Partition Encryption is available in this edition, but due to the way the encryption keys will be stored, this encryption will only be available when used within a domain.
Business
This edition has all features present in the Enterprise edition, except System Partition Encryption, Virtual PC Express, Multi-Language User Interface, and the Subsystem for Unix Applications.
Security-affecting features that are available in all of the business editions above are listed here:
IIS 7.0
Remote Desktop
Domain join capability
Encrypted File System
Networked Backup
Group Policy
Offline folders
Meeting Space
Note on BitLocker availability
BitLocker, the System Partition Encryption feature, is only available on the Enterprise edition when the computer is part of a domain. The only edition of Vista that can run BitLocker in a standalone configuration is Ultimate.
Home Editions
There are two editions that will be marketed to the home user: “Home Basic” and “Home Premium”. These editions, although not available through the University’s CAL, are mentioned here because a computer may come OEM installed with one of these editions, or a student may bring a computer installed with a Vista Home OS into their dorm. The Home Editions of Vista are not suitable for university staff and faculty computers, since they mostly lack interfaces for efficient administration, such as the group policy editor.
| Feature | Home Basic | Home Premium | Business | Enterprise | Ultimate |
|---|---|---|---|---|---|
| Included in our MS Campus Agreement License? (CAL) | No | No | Yes | Yes | Yes |
| Has a web server | No | No | Yes | Yes | Yes |
| Remote Desktop | No | No | Yes | Yes | Yes |
| Media Center | No | Yes | No | No | Yes |
| Group Policy | No | No | Yes | Yes | Yes |
| System Partition Encryption (BitLocker) | No | No | No | Yes* | Yes |

* When in a domain
Recent events have demonstrated the need for securing private data residing on hard drives in University computers. If a laptop or desktop is stolen, the exposure of resident data can cost the university many times the replacement cost of the hard drive the data was on. Vista users that handle private data should consider the option of turning on the System Partition Encryption feature in Vista called BitLocker.
BitLocker (System Partition Encryption)
When the BitLocker feature is turned on, the entire contents of a hard drive, including files that make up the Operating System, are encrypted, with the exception of a small, separate partition that functions as a bootstrap for the OS. There must be a key present to unlock the hard drive. This key can exist on a thumb drive or a Trusted Platform Module (TPM). A TPM can be thought of as a smartcard internal to the computer. Booting with a key installed in the TPM is preferred for BitLocker, because this is the only way that the system can ensure that the software and hardware* have not been tampered with. The encryption process is transparent to the user and has no noticeable impact on the computer’s performance.
Note that failure of a thumb drive or other hardware can mean permanent loss of all data on the encrypted drive; therefore it's very important to back it up regularly. Backups should be kept in a secure location.
* which includes BIOS firmware, CPU subcode, Hard drive firmware, etc.
Hardware considerations
Upgrading rule of thumb
Usually, administrators wait until one or two service packs are released before upgrading. However, there may be reasons to upgrade sooner if private data is planned to exist on a user’s system.
New Security Features to Take Advantage of
If the computer will have BitLocker turned on
BitLocker requires two partitions on the hard drive. To minimize problems, it's strongly recommended that these partitions be created before Vista is installed. The first one should be 1.5 Gbytes and will hold the bootstrap segment of the OS. The second will hold the OS and other files. To properly configure the partitions, use the instructions in the “Windows BitLocker Drive Encryption Step-by-Step Guide” under the heading:
Scenario 1: Partitioning a Hard Drive for BitLocker Drive Encryption
Microsoft BitLocker documentation mentions that only the “system drive” will be encrypted. The system drive is the partition that contains the operating system.
Install Symantec Anti-Virus
To ensure compliance with University policies, it is recommended that Symantec Anti-Virus be installed. ADCS has the latest versions that are compatible with Vista at their Antivirus and Firewall Software download site:
http://www.umn.edu/adcs/software/security/
See special note on how to get Live Update to work on Windows Vista.
Be careful to choose the correct version for your OS. All of the default settings can be left as they are, except that the update scheduling should be set to daily and to a time that the computer is known to be turned on.
QuickStart Security Settings
With the exception of the File and Print Sharing setting*, Vista default settings meet "Basic" security settings, provided all accounts have passwords and Symantec Anti-Virus is properly installed.
*At the time of release of this document, the File and Print Sharing setting is still under investigation. Disabling file and print sharing is recommended if it is not needed.
Use the QuickStart Basic tool to verify some of the basic security settings recommended for Windows Vista computers.
Vista default settings do not meet "Level-2" security settings.
See Windows Vista Desktop Computer Security Guideline for recommended security settings.
Use the QuickStart Level-2 Verify tool to verify the additional recommended security settings for Windows Vista computers.
Avoid running these unnecessary services
If more remotely accessible services are run, there are more avenues of attack. This is a fundamental concept of computer security.
Two-Factor Authentication
Two-Factor Authentication systems are an alternative to the username/password method of authentication. This alternative method is naturally more secure. It's typically based on something you have (USB token, Smart Card, fingerprint) and something you know (password or passphrase). These systems are a mature technology and Vista comes ready to accommodate them. These systems can come preinstalled. Dell has two-factor authentication software pre-installed on its ‘Latitude’ laptops, which also come with fingerprint and smart card readers. It is recommended to turn on this feature if feasible, but before turning it on, a complete system backup should be done. Two-Factor Authentication is strongly recommended for Vista users that have sensitive data.
A note about file sharing authentications and network neighborhood
Although not enabled by default, Vista Operating Systems have the same file sharing security settings as XP, and can still be configured to allow insecure file sharing protocols to be used. Vista is capable of storing LAN Manager password hashes and allowing anonymous enumeration of user names and shares. Note that altering these settings from their defaults amounts to deviating from the Securing Private Data Standard.
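An added example, not part of the original guideline: a PowerShell check of the registry values behind the settings named above (LAN Manager hash storage and anonymous enumeration), which reports a weakened value separately from one that was never set. The value names are the standard ones under the Lsa key; the "Hardened" thresholds, the function names and the sample data are assumptions made for this illustration.

```powershell
# Added example (not from the original page). "Hardened" values are assumptions
# chosen for this illustration, not a quotation of any University standard.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Checks = @(
    @{ Name = 'NoLMHash';             Hardened = 1; Meaning = 'LAN Manager password hashes are not stored' },
    @{ Name = 'RestrictAnonymousSAM'; Hardened = 1; Meaning = 'No anonymous enumeration of user names' },
    @{ Name = 'RestrictAnonymous';    Hardened = 1; Meaning = 'No anonymous enumeration of user names and shares' },
    @{ Name = 'LmCompatibilityLevel'; Hardened = 3; Meaning = 'Client sends NTLMv2 responses only' }
)

# Read only the values that actually exist; an absent value means the OS
# built-in default applies, which is reported separately from a weak value.
function Get-LsaValues {
    $props  = Get-ItemProperty -Path $LsaKey
    $values = @{}
    foreach ($c in $Checks) {
        if ($props.PSObject.Properties[$c.Name]) { $values[$c.Name] = $props.($c.Name) }
    }
    return $values
}

# Compare a table of values against the assumed hardened minimums.
function Test-LsaSetting {
    param([hashtable]$Values)
    foreach ($c in $Checks) {
        if (-not $Values.ContainsKey($c.Name)) {
            $value = '(not set)'; $status = 'DEFAULT'
        } elseif ([int]$Values[$c.Name] -ge $c.Hardened) {
            $value = $Values[$c.Name]; $status = 'OK'
        } else {
            $value = $Values[$c.Name]; $status = 'WEAK'
        }
        New-Object PSObject -Property @{
            Setting = $c.Name; Value = $value; Status = $status; Meaning = $c.Meaning
        }
    }
}

# Constructed sample: a machine where LM hash storage was re-enabled and
# anonymous enumeration of shares is allowed.
$sample = @{ NoLMHash = 0; RestrictAnonymousSAM = 1; RestrictAnonymous = 0 }
Test-LsaSetting -Values $sample | Format-Table Setting, Value, Status, Meaning -AutoSize

# On a live machine, audit the real registry instead:
# Test-LsaSetting -Values (Get-LsaValues) | Format-Table Setting, Value, Status, Meaning -AutoSize
```

A row marked DEFAULT means the value is absent from the registry, so it has not been altered through that key; a row marked WEAK is one to compare against the Securing Private Data Standard.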
Mobile users
Mobile users are often wireless users and hence should be concerned with exposure of their computer's File Sharing services to the local network while working in public areas. With Vista it is easy to adjust File Sharing security to an appropriate level upon connecting to a network. When the OS detects that a connection is established, the user is presented with a dialog box called “Set Network Location”, where the user can select a settings profile.
There are three choices: Home, Work and Public Location. It's recommended that Public Location be chosen, unless the computer is on a wired connection and file sharing services are needed, or the computer needs services within a Windows domain.
Do not operate computer while logged in with an administrator level account
Windows Vista is designed so that the user doesn’t need administrator permissions to install or use applications in their day-to-day work, so working on a computer with an administrator-level account creates an unnecessary security risk.
Security Center
The Security Center application appeared with the advent of SP2 on Win XP, and is very much like OIT Security’s QuickStart application. It checks the essentials:
It is recommended to run the Security Center every so often, especially when leaving a private network and connecting to a public one (i.e., going to a conference, or connecting to a wireless AP at a coffee shop).
© 2009 Regents of the University of Minnesota. All rights reserved.
Last modified on 9/9/2007 9:06 AM
