Windows Vista Desktop Security - Office of Information Technology, University of Minnesota

Return to: U of M Home

	myU \| One Stop \| Directories \| Search U of M

STANDARDS & GUIDELINES

GUIDELINE—Windows Vista Desktop Computer Security (Appendix S)

Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE:
November 2006
VIEW HISTORY
RELATED POLICY/PROCEDURE:
Securing Private Data Standard

GUIDELINE
A guideline is highly recommended.

Introduction

This document was prepared as a guideline for securing Windows Vista desktops. "Basic" and "Level-2" Security settings are required for all workstations that work with private data. "Basic" is required and "Level-2" is recommended for all other workstations on the University network. Consult with your local technical support staff.

For a comparison of the various editions of Windows Vista and recommended editions for the University environment, see Security Recommendations on the Initial Release of Windows Vista.

“Basic” Security Settings for Windows Vista Computers

This is required for all workstations on the University network, including those that work with private data.

Windows Feature	Minimum Required Setting
Windows Firewall	Enabled
Automatic Windows Updates	Enabled

Symantec AntiVirus Settings	Minimum Required Setting
Symantec AV Installed	Installed or Managed
Live Update Enabled	Enabled
Virus Definition File Age	8 days or less
Live Update Schedule Frequency	Daily
Auto Protect Filesystem	Enabled

Use the QuickStart Basic Tool to verify and set some of the basic security settings recommended for Windows Vista computers.

“Level-2” Security Settings for Windows Vista Computers

These additional settings are required for workstations that work with private data and are recommended for all other workstations on the University network.

Account Lockout Policy	Vista Default Setting	Minimum Required Setting
Account Lockout Duration	Not Analyzed	15 Minute Minimum
Accounts Lockout Threshold	0 invalid logon attempts	7 wrong passwords Maximum
Reset Account Lockout Counter After	Not Analyzed	15 Minute Minimum

Audit Policy	Vista Default Setting	Minimum Required Setting
Audit Account Logon Events	No auditing	Audit Success and Failure attempts
Audit Account Management	No auditing	Audit Success and Failure attempts
Audit Logon Events	No auditing	Audit Success and Failure attempts
Audit Object Access	No auditing	Audit Failure on attempts
Audit Policy Change	No auditing	Success, Failure
Audit Privilege Use	No auditing	Audit Failure on attempts
Audit System Events	No auditing	Audit Success and Failure on attempts

Event Log Policy	Vista Default Setting	Minimum Required Setting
Maximum Application Log Size	20480 kilobytes	9984 kilobytes Minimum
Maximum Security Log Size	20480 kilobytes	99968 kilobytes Minimum
Maximum System Log Size	20480 kilobytes	9984 kilobytes Minimum
Retention Method for Application Log	As needed	As needed
Retention Method for Security Log	As needed	As needed
Retention Method for System Log	As needed	As needed

Password Policy	Vista Default Setting	Minimum Required Setting
Enforce Password History	0 passwords remembered	5 passwords Minimum
Maximum Password Age	42 days	360 days
Minimum password age	0 days	1 days
Minimum Password Length	0 characters	8 characters Minimum
Password must meet complexity requirements	Disabled	Enabled
Store Passwords using Reversible Encryption for all users in the domain	Disabled	Disabled

Security Options Policy	Vista Default Setting	Minimum Required Setting
Accounts: Guest account status	Disabled	Disabled
Accounts: Limit local account use of blank passwords to console logon only	Enabled	Enabled
Network access: Allow anonymous SID/Name translation	Disabled	Disabled
Network access: Do not allow anonymous enumeration of SAM accounts	Enabled	Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares	Disabled	Enabled
Network security: Do not store LAN Manager hash value on next password change	Enabled	Enabled
Network security: LAN Manager authentication level	Send NTLMv2 response only	Send NTLMv2 response only. Refuse LM & NTLM
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients	No minimum	Require NTLMv2 session security, Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers	No minimum	Require NTLMv2 session security, Require 128-bit encryption
Network access: Let Everyone permissions apply to anonymous users		Disabled
Recovery console: Allow automatic Administrative logon		Disabled

User Rights Policy	Vista Default Setting	Minimum Required Setting
Deny Access to this computer from the network	[hostname]\Guest	Administrator
Deny log on through Terminal Services (Remote Desktop)		Administrator

File System Settings	Vista Default Setting	Minimum Required Setting
Enable updating of the Last Accessed timestamp on Files in Vista		Enabled

Device AutoRun	Vista Default Setting	Minimum Required Setting
CD Drive media autorun restrictions		Autorun restricted on ALL media forms
Running commands in portable media AUTORUN.INF files		Disabled

Screen Saver	Vista Default Setting	Minimum Required Setting
Password required when returning from Screen Saver		Enabled
Screen Saver Time out Setting		30 minutes Maximum
Screen Saver		Enabled
Screen Saver selected		Do not use bubbles.scr

Network Components	Vista Default Setting	Minimum Required Setting
IPv6 Disabled Protocols		All IPv6 protocols disabled

Power Settings	Vista Default Setting	Minimum Required Setting
Prompt for Password on Resume		Enabled

Use the QuickStart Level-2 Verify tool to verify the additional recommended security settings for Windows Vista computers. Use the QuickStart Level-2 Wizard to apply the recommended security setting to a Windows Vista computer.

Similar “Basic” and “Level-2” settings are recommended for Windows Vista servers.

Together the "Basic" and "Level-2" Security Settings help meet 6 steps in the Securing Private Data Standard http://www.umn.edu/oit/security/privatedata.html

Resources and Links

Securing Private Data: http://www.umn.edu/oit/security/privatedata.html
OIT Security & Assurance: http://www.umn.edu/oit/security/index.htm
OIT Technology helpline (1-HELP): http://1help.umn.edu/
Safe Computing: Secure a University Machine http://safecomputing.umn.edu/

© 2007 - 2009 Regents of the University of Minnesota. All rights reserved.	Contact U of M \| Privacy
The University of Minnesota is an equal opportunity educator and employer.	Last modified on 11/16/2009 2:24 PM