Figure 2 illustrates the primary activities that occur during the Envisioning Phase. While the other teams are developing images, project plans, and the like, the Security feature team focuses on the existing production environment from a security perspective; the team determines whether changes should be made in the computer images to reduce the risk of new or different security threats to the organization and, if so, how best to incorporate them.
Figure 2. Activities during the Envisioning Phase
Risk Analysis for Desktop Security
Too often, an organization’s security architecture is determined casually rather than analytically. For example, administrators might be assigned to identify security settings for new computers. When using Windows XP Service Pack 2 (SP2) or Windows Vista, this approach probably will not result in significant vulnerabilities, because these operating systems are designed to be secure by default. However, it is entirely possible for well-meaning and knowledgeable engineers to deploy desktop security settings that are too restrictive. Overly restrictive settings can negatively affect user productivity, increase application deployment costs, and ultimately be extremely costly to an organization. Fortunately, team members can use the security risk management process to identify the most efficient way to improve an organization’s security.
The Security Risk Management Process
The security risk management process, described in detail in The Security Risk Management Guide at http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk, is a proactive, structured approach for determining which security settings and countermeasures will benefit an organization and which will be unjustifiably costly.
The Microsoft security risk management process has four phases:
Assessing Risk. Identify and prioritize risks to the business.
Conducting Decision Support. Identify and evaluate control solutions based on a defined cost-benefit analysis.
Implementing Controls. Deploy and operate control solutions to reduce risk to the business.
Measuring Program Effectiveness. Analyze the risk management process for effectiveness, and verify that controls are providing the expected degree of protection.
These four phases are illustrated in Figure 3.
Figure 3. The Microsoft security risk management process
Many organizations already have a security risk management process in place, and it may differ from the Microsoft security risk management process. Regardless of the specific process used, it is important to integrate desktop deployment into a structured risk analysis that includes weighing both the costs and benefits of security decisions. Even if the Security feature team ultimately decides to accept default security settings, the security risk management process benefits the organization by requiring that several levels of management acknowledge that not all vulnerabilities can be eliminated. By acknowledging that some level of security risk is acceptable, management shares responsibility for security decisions.
Client Risk Management Considerations
At a high level, the most fundamental security decision the Security feature team will make is to choose between the default level of security and enhanced security. By choosing the default level, the team decides that the organization's security requirements are typical of Microsoft customers. Although Windows XP SP2 and Windows Vista are designed to be secure by default, the team can choose to implement more secure settings. Accepting the default security settings means accepting more security risk than the team would if it implemented enhanced security.
Although accepting these risks has a cost, the benefits of using the default security settings are significant:
Client applications are more likely to run without extra configuration.
Engineering and testing standard applications will take less time.
Users will have fewer problems caused by restrictive security settings.
Successful security compromises always have a cost. Depending on the type of compromise, the cost can be minimal and can even go unnoticed. Serious compromises can cost organizations millions of dollars. If, during the security risk management process, the Security feature team determines that the costs of a possible security compromise outweigh the costs of imposing more restrictive desktop security, the team should implement enhanced desktop security. The benefits of using enhanced security are also significant:
Fine-tune security settings to meet the organization’s needs.
Take control of security risks by actively mitigating vulnerabilities.
Reduce vulnerabilities to specific exploits, such as worms or viruses, and therefore have more time to respond to security events.
Reduce vulnerabilities to widespread exploits such as worms and viruses, because they typically target default security settings.
Gain more flexibility in deploying security updates, because the organization may not be affected by the vulnerabilities they repair.
Ultimately, the Security feature team may choose to implement both types of security settings for different desktop roles within the organization. For example, the team might decide to use enhanced security for computers that temporary staff members use, because their computers might be more likely to attack other computers or to be compromised by malware. In contrast, a development team may require default security so that team members can more easily perform administrative tasks on their own computers. Each different role created adds cost, however. The Security feature team must design and manage multiple sets of security settings and may need to manage separate images for each role.
If the Security feature team chooses to implement enhanced security, the team must weigh security risk against user functionality, convenience, and ease-of-use. Typically, as the level of security increases, the level of user functionality decreases. For example, a default feature of Windows, Autoplay, automatically launches the default program on a CD-ROM when a user places the disc in the CD-ROM drive. This value-added functionality means that the user does not need to search the CD for the appropriate application and then manually run it. But this feature can be a liability if the CD contains inappropriate or malicious software that could harm the computer. In this example, organizations must decide between the ease-of-use of the Autoplay feature and the security risk associated with the possibility of malicious contents on the CD.
This section provides an overview of security technologies that the Security feature team should consider during the Envisioning Phase of desktop deployment. For detailed information about each of these security technologies, refer to the Windows XP Security Guide at http://go.microsoft.com/fwlink/?LinkId=14839 and the Windows Vista Security Guide at http://go.microsoft.com/?linkid=5637271.
Note The Windows XP Security Guide and the Windows Vista Security Guide are the authoritative resources for evaluating client security settings. Client security settings are discussed in this guide only so that the Security feature team can evaluate the technology at a high level and quickly understand the available security options, especially those that are new to Windows Vista. When reading the security guides, focus on the Enterprise Client (EC) settings. The security guides provide tools for creating Group Policy objects (GPOs) that simplify deploying security settings to Active Directory member computers.
System Security Settings
The security of client computers is determined by thousands of different settings that directly or indirectly affect the security of the operating system and applications. These settings can be configured by using Group Policy in a Microsoft Active Directory® directory service domain or by applying them locally. The following policy settings ensure that the desktop and portable computers in the organization are configured to meet the security requirements:
Account Policy settings. Password complexity and expiration as well as account lockout settings
Local Policy settings. Audit policy, user rights assignments (granular user privileges), and security options (settings that control system behavior)
File permissions. Define privileges for client file systems
Registry settings. Define privileges for client registries
Service settings. Define which services start automatically and which are disabled
Public key policies. Define settings for public key cryptography, including the distribution of keys for the Encrypting File System (EFS)
Software Restriction Policies. Define which applications users can and cannot run
IP Security Policies. Define network authentication and encryption requirements
For detailed information about specific security settings, refer to Security and Protection in Windows Vista at http://www.microsoft.com/technet/windowsvista/secprot/default.mspx and the Windows XP Security Guide at http://go.microsoft.com/fwlink/?LinkId=14839.
User Account Control
Although logging on to a computer as a Standard user (known as a Limited user in Windows XP; a user who is a member of the local Users group only) offers better protection from malware, working with this type of account has been so difficult that many people choose to use administrative privileges instead. User Account Control (UAC), available only with Windows Vista, offers the benefits of Standard user accounts without the limitations. First, all users (including administrators) run with limited privileges by default. Second, Windows Vista allows Standard user accounts to change the system time and perform other common tasks without providing administrative credentials, which enables organizations to configure more users with Standard accounts. Third, UAC enables most applications to run correctly, even those that required administrative privileges on the Windows XP operating system.
For detailed information about Windows Vista UAC, read “Understanding and Configuring User Account Control in Windows Vista” at http://www.microsoft.com/technet/WindowsVista/library/00d04415-2b2f-422c-b70e-b18ff918c281.mspx. For information about using least privilege security with Windows XP, read “Applying the Principle of Least Privilege to User Accounts on Windows XP” at http://go.microsoft.com/fwlink/?linkid=58445.
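The two passages above describe the account, lockout and UAC settings that a deployed image should carry. The following script is an added example (not code from the deployment guide or from Microsoft) that checks a client against an assumed baseline: it exports the effective local security policy with secedit, compares the [System Access] values with placeholder baseline numbers, and reports the UAC state from the registry. The baseline values and the comparison rules are assumptions chosen for illustration; the real targets come from the security guides' EC settings.

```powershell
# Added example, not code from the deployment guide: check a deployed client
# against an assumed account-policy baseline and report its UAC state.
# The baseline numbers below are placeholders chosen for illustration; take the
# real values from the Windows XP / Windows Vista Security Guide EC settings.
# Run from an elevated prompt: secedit needs administrative rights.

function Get-LocalSecurityPolicy {
    # secedit /export writes the effective local policy as an INI-style .inf;
    # the [System Access] section carries the account and lockout settings.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

# Expected values and how to judge them. -1 (password never expires) and
# 0 (no lockout) are the "weak" sentinels Windows uses, so a plain >= or <=
# comparison would pass a policy that is actually disabled.
$Baseline = @(
    @{ Key = 'MinimumPasswordLength'; Want = 8;  Ok = { param($v, $w) $v -ge $w } }
    @{ Key = 'PasswordComplexity';    Want = 1;  Ok = { param($v, $w) $v -eq $w } }
    @{ Key = 'MaximumPasswordAge';    Want = 90; Ok = { param($v, $w) $v -ge 1 -and $v -le $w } }
    @{ Key = 'LockoutBadCount';       Want = 10; Ok = { param($v, $w) $v -ge 1 -and $v -le $w } }
)

function Test-AccountPolicy {
    param([hashtable]$Policy, [object[]]$Rules = $Baseline)
    foreach ($rule in $Rules) {
        $raw = $Policy[$rule.Key]
        $actual = if ($null -ne $raw) { [int]$raw } else { $null }
        [pscustomobject]@{
            Setting  = $rule.Key
            Expected = $rule.Want
            Actual   = $actual
            Pass     = ($null -ne $actual) -and (& $rule.Ok $actual $rule.Want)
        }
    }
}

function Get-UacState {
    # EnableLUA is the UAC master switch; ConsentPromptBehaviorAdmin controls how
    # an administrator's filtered token is elevated (Windows Vista and later).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    [pscustomobject]@{
        UacEnabled          = ($p.EnableLUA -eq 1)
        AdminPromptBehavior = $p.ConsentPromptBehaviorAdmin
        ThisProcessElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Usage: compare the live policy with the baseline, then show the UAC state.
$policy = Get-LocalSecurityPolicy
Test-AccountPolicy -Policy $policy | Format-Table -AutoSize
Get-UacState
```

A row with Pass = False is a setting the image does not carry as intended; a missing row value (Actual empty) usually means the policy name differs between Windows versions and the export should be inspected by hand. On a domain member the exported values already reflect the applied GPOs, so the same script serves as a post-deployment verification step.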
Windows Vista includes an enhanced Windows Firewall that builds on the Windows Firewall included in Windows XP SP2. Windows Firewall is a combination of a host firewall and Internet Protocol Security (IPSec). Unlike a perimeter firewall, it runs on each computer running Windows Vista and provides local protection from network attacks that might pass through the perimeter network or originate inside the organization. It also provides computer-to-computer connection security that allows Security feature team members to require authentication and data protection for all communications.
Windows Firewall is a stateful firewall, so it inspects and filters all TCP/IP version 4 (IPv4) traffic in both Windows XP and Windows Vista, and TCP/IP version 6 (IPv6) traffic in Windows Vista only. Unsolicited incoming traffic is dropped unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, it has been added to the exceptions list). Outgoing traffic is filtered by default, too, although many common applications are allowed to access the network. Security feature team members can specify traffic to be added to the exceptions list according to application name, service name, port number, destination network, domain membership, or other criteria by configuring Windows Firewall settings.
For traffic that is allowed, use Windows Firewall to request or require that computers authenticate each other before communicating and to use data integrity and data encryption when communicating.
In Windows Vista, Windows Firewall has many new features, including:
Management integration with IPSec.
New user and command-line interfaces.
Windows service hardening, which limits the actions a service can take to reduce the damage caused during a security compromise.
Full Group Policy integration.
Filtering by new properties:
Active Directory groups (authorized users and authorized computers)
Internet Control Message Protocol (ICMP) extensions
IP address lists
Authenticated (that is, allow a connection only if it is authenticated using IPSec)
Encrypted (that is, allow a connection only if it is authenticated and encrypted using IPSec)
IP Authentication (the ability to have two rounds of authentication and additional user credentials).
Application-based IPSec policies.
Per-port authorization bypass.
Simplified IPSec policy.
For detailed information about Windows Firewall, see “Windows Vista Security and Data Protection Improvements” at http://www.microsoft.com/technet/windowsvista/evaluate/feat/secfeat.mspx.
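The preceding paragraphs describe the firewall posture a deployed image can carry: drop unsolicited inbound traffic, allow exceptions by application or port, and require IPSec authentication for the traffic that is allowed. The commands below are an added example (not from the deployment guide) that express that posture with netsh advfirewall on Windows Vista or later. The rule names, the agent path C:\Contoso\InventoryAgent.exe and the management subnet 10.10.20.0/24 are constructed placeholders; run the commands from an elevated prompt.

```powershell
# Added example, not code from the deployment guide: a Windows Firewall
# baseline for a Windows Vista (or later) image using netsh advfirewall.
# Rule names, the program path and the subnet are constructed placeholders.
# Run from an elevated prompt.

# Default posture on every profile: firewall on, drop unsolicited inbound,
# allow outbound. The value is quoted so PowerShell does not split it on the comma.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles 'firewallpolicy=blockinbound,allowoutbound'

# Exception by application: only this program may accept inbound connections,
# and only while the computer is on the domain profile.
netsh advfirewall firewall add rule name=AllowInventoryAgent dir=in action=allow program=C:\Contoso\InventoryAgent.exe enable=yes profile=domain

# Exception by port, scoped to a management subnet instead of "any" source.
netsh advfirewall firewall add rule name=AllowRemoteDesktopMgmt dir=in action=allow protocol=TCP localport=3389 remoteip=10.10.20.0/24 profile=domain

# Connection security: require IPSec authentication for inbound traffic and
# request it for outbound, so only computers that can authenticate (Kerberos
# by default) reach the ports opened above.
netsh advfirewall consec add rule name=RequireDomainAuth endpoint1=any endpoint2=any action=requireinrequestout

# Verify what the image actually carries before it is captured.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=AllowInventoryAgent
netsh advfirewall consec show rule name=RequireDomainAuth
```

Scoping the port exception to a subnet and the program exception to the domain profile keeps the exceptions list narrow; the connection security rule then turns "allowed" into "allowed from an authenticated computer", which is the computer-to-computer protection the text describes. In production these rules are normally delivered through the Group Policy firewall settings rather than typed on each computer.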
Intrusion detection monitors activity on the network and can alert administrators in real time to suspected security events. For example, if a new worm were to attack the network, an intrusion detection system could alert Security feature team members to suspicious network activity, giving the security operations team early warning and the opportunity to adjust security controls to limit the worm's opportunity to spread.
Without an intrusion detection system, it is very likely that successful attacks will go unnoticed. Undiscovered exploits can provide sophisticated attackers with an ongoing entry point to the network and private data.
Like any security countermeasure, intrusion detection systems have a cost. A typical solution would involve a combination of both Microsoft and non-Microsoft software. Intrusion detection systems tend to be complex to both configure and manage. In addition, the systems must be customized to meet the needs of the network and security operations teams. In particular, Security feature team members must develop filters to distinguish between significant and insignificant events. Automated network attacks occur constantly on the Internet, and managing the alerts for such attacks can be time-consuming.
While Windows does not include built-in intrusion detection technologies, it does include logging and auditing features that can provide information to an intrusion detection system. For detailed information about intrusion detection, read The Security Monitoring and Attack Detection Planning Guide at http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx.
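The text notes that Windows itself supplies only the logging and auditing that feed an intrusion detection system, and that the operators must write filters to separate significant events from noise. The script below is an added example (not from the deployment guide) of one such filter: it reads failed logon events (ID 4625, Windows Vista and later) from the Security log, then raises an alert when one source address accumulates a burst of failures within a short window. The threshold and window are assumptions; a constructed sample set is included so the detection logic can be run without a populated event log.

```powershell
# Added example, not code from the deployment guide: a small detection filter
# over Windows Security log failed-logon events (ID 4625, Windows Vista and
# later; Windows XP logs failed logons as ID 529 with different fields).
# Threshold and window are assumptions. Reading the Security log needs an
# elevated prompt; the sample data at the bottom is constructed.

function Get-FailedLogonRecords {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData fields by name from the event XML rather than by index.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $field['TargetUserName']
            Source    = $field['IpAddress']
            LogonType = $field['LogonType']
        }
    }
}

function Find-FailedLogonBursts {
    # Alert when a single source produces >= Threshold failures inside any
    # WindowMinutes-long sliding window. Returns one alert per offending source.
    param([object[]]$Records, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    foreach ($group in ($Records | Group-Object Source)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0; $best = 0; $bestStart = 0; $bestEnd = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            # Advance the window start until it lies within WindowMinutes of times[i].
            while (($times[$i] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $n = $i - $start + 1
            if ($n -gt $best) { $best = $n; $bestStart = $start; $bestEnd = $i }
        }
        if ($best -ge $Threshold) {
            [pscustomobject]@{
                Source    = $group.Name
                Failures  = $best
                Accounts  = ($group.Group | Select-Object -ExpandProperty Account -Unique) -join ','
                FirstSeen = $times[$bestStart]
                LastSeen  = $times[$bestEnd]
            }
        }
    }
}

# Constructed sample: one source cycling through eight accounts in under three
# minutes (should alert), and one ordinary mistyped password (should not).
$base = Get-Date '2007-03-01 09:00:00'
$sample = @()
foreach ($i in 0..7) {
    $sample += [pscustomobject]@{ Time = $base.AddSeconds(20 * $i); Account = "user$i"; Source = '10.0.0.99'; LogonType = '3' }
}
$sample += [pscustomobject]@{ Time = $base.AddMinutes(5); Account = 'alice'; Source = '10.0.0.12'; LogonType = '2' }

Find-FailedLogonBursts -Records $sample | Format-Table -AutoSize

# Against the live log, replace the sample with:
#   Find-FailedLogonBursts -Records (Get-FailedLogonRecords -Hours 1)
```

The sample produces a single alert for 10.0.0.99 (eight failures across eight accounts) and nothing for 10.0.0.12, which is the distinction between a significant and an insignificant event that the text asks the team to encode. The same records can be forwarded to whatever intrusion detection product the organization selects; the value of the filter is that it is cheap to run on every client that already audits logon failures.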
Data Protection Technologies
Because hundreds of thousands of computers are lost or stolen every year, customers are concerned with data security. Currently, if a system is lost or stolen, its contents can be accessed by anyone who can download a program. For example, current password and encryption methods can be circumvented using recovery software available on the Internet that accesses the disk when the Windows operating system is offline. Even if the data on a lost or stolen computer is not sensitive, this method can be used to access an enterprise network that does contain sensitive data.
This section provides an overview of data protection technologies that the Security feature team should consider during the Envisioning Phase of desktop deployment.
BitLocker Drive Encryption
Using BitLocker™ Drive Encryption (available only with Windows Vista), enterprises can reduce the risk of confidential data being lost when a user’s portable computer is stolen. Its full-volume encryption seals the symmetric encryption key in a Trusted Platform Module (TPM) 1.2 chip or a Universal Serial Bus (USB) flash drive. A TPM chip is a hardware component available in some newer computers that stores keys, passwords, and digital certificates.
BitLocker Drive Encryption also stores measurements of core operating system files in the TPM chip or USB flash drive. Every time the computer is started, Windows Vista verifies that the operating system files have not been modified in an offline attack. An offline attack is a scenario in which an attacker starts an alternative operating system to gain control of the system. If the files have been modified, Windows Vista alerts the user and refuses to release the key required to access the operating system. The system then goes into a recovery mode, prompting the user to provide a recovery key to allow access to the boot volume.
Note BitLocker Drive Encryption provides protection for the Windows partition and is not a replacement for the EFS. BitLocker Drive Encryption does not provide encryption for the data stored outside the Windows partition but does provide an added security layer for EFS by encrypting the EFS keys within the Windows partition. In addition, EFS provides an additional security layer when multiple users use the same partition. A user can have both BitLocker Drive Encryption and EFS enabled or either technology enabled alone. If EFS is disabled, BitLocker Drive Encryption continues to function and vice versa.
For more information about the benefits of BitLocker Drive Encryption, refer to the “Secure Startup - Full Volume Encryption: Executive Overview” at http://www.microsoft.com/whdc/system/platform/pcdesign/secure-start_exec.mspx and the BitLocker Drive Encryption home page at http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx.
For more information about Windows Vista’s TPM Services architecture and platform components, refer to “Trusted Platform Module Services in Windows Longhorn” at http://www.microsoft.com/resources/ngscb/WinHEC05.mspx.
For more information about the Trusted Computing Group (TCG) specifications and about the TPM, refer to the TCG Web site at http://www.trustedcomputinggroup.org.
EFS is a file-encryption technology available on NTFS volumes. EFS is entirely transparent to end users, because encrypted files behave exactly the same as unencrypted files. However, if a user does not have the correct decryption key, the file cannot be opened, even if an attacker bypasses the operating system security. Individual files can be encrypted, but if users encrypt a folder, all the files that they create within the folder are encrypted.
EFS is especially useful for securing sensitive data on portable computers or on computers that several users share. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). An attacker can steal a computer, remove the hard disks, place the disks in another system, and gain access to the stored files. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.
Windows Vista includes new features for the EFS, including:
Smartcard support. Provides strong protection for portable and shared computer scenarios
Client-Side Encryption. Improved security and protection against malicious server administrators
Centralized administration. Enhanced administration of protection policies
For more information about Windows Vista EFS features, refer to the Microsoft TechNet document, “Windows Vista Security and Data Protection Improvements,” at http://www.microsoft.com/technet/windowsvista/evaluate/feat/secfeat.mspx.
For detailed information on Windows EFS technologies, see the Windows XP Professional Resource Kit at http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_awzg.asp.
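The BitLocker and EFS passages above describe three things a deployed client should have: a ready TPM, a protected Windows volume, and EFS on the folders that hold sensitive data. The script below is an added example (not from the deployment guide or Microsoft) that verifies all three on a client. It assumes manage-bde.exe is available (Windows 7 and later; on Windows Vista the same tool is invoked as cscript manage-bde.wsf) and an elevated prompt; the folder C:\Contoso\Sensitive is a constructed placeholder.

```powershell
# Added example, not code from the deployment guide: verify on a deployed
# client that (1) a TPM is present and ready, (2) the Windows volume is
# BitLocker-protected, and (3) a sensitive folder is fully EFS-encrypted.
# Assumes manage-bde.exe (Windows 7 and later; on Windows Vista use
# "cscript manage-bde.wsf") and an elevated prompt. The folder path is a
# constructed placeholder.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return [pscustomobject]@{ Present = $false } }
    # Each Win32_Tpm query method returns an object whose same-named property holds the answer.
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $tpm.SpecVersion           # BitLocker requires a TPM 1.2
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
    }
}

function Get-BitLockerStatus {
    param([string]$Drive = $env:SystemDrive)
    # Parse the "Label: value" lines of manage-bde -status into a hashtable.
    $status = @{}
    foreach ($line in (manage-bde -status $Drive)) {
        if ($line -match '^\s*([A-Za-z ]+?):\s+(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        Drive       = $Drive
        Conversion  = $status['Conversion Status']
        Protection  = $status['Protection Status']
        Encrypted   = $status['Percentage Encrypted']
        IsProtected = ($status['Protection Status'] -like 'Protection On*')
    }
}

function Test-EfsCoverage {
    param([string]$Folder)
    # Files without the Encrypted attribute would be readable if the disk were
    # moved to another system, which is exactly the attack the text describes.
    $files = @(Get-ChildItem -Path $Folder -Recurse -File -Force -ErrorAction SilentlyContinue)
    $plain = @($files | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 })
    [pscustomobject]@{
        Folder      = $Folder
        TotalFiles  = $files.Count
        Unencrypted = $plain.Count
        Examples    = ($plain | Select-Object -First 5 -ExpandProperty FullName)
    }
}

Get-TpmReadiness
Get-BitLockerStatus
# To encrypt the folder (new files inside it inherit encryption), run:
#   cipher /e /s:C:\Contoso\Sensitive
# then confirm nothing was skipped:
Test-EfsCoverage -Folder 'C:\Contoso\Sensitive'
```

IsProtected = True together with a 1.2 TPM that is enabled, activated and owned is the state in which the key is sealed to the boot measurements described above; a TPM that is present but not activated typically means the BIOS setting was never turned on during imaging. A non-zero Unencrypted count after cipher /e usually points to files that were in use when encryption ran, and those are the ones worth re-checking.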
Rights Management Services
Microsoft Windows Rights Management Services (RMS) is an information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use—both online and offline—inside and outside the firewall. This product is designed for organizations that need to protect sensitive and proprietary information, such as financial reports, product specifications, customer data, and confidential e-mail messages.
RMS augments an organization’s security strategy by providing protection of information through persistent usage policies (also known as usage rights and conditions), which remain with the information no matter where it goes. RMS persistently protects any binary format of data, so the usage rights remain with the information, even in transport, rather than the rights merely residing on an organization’s network. This functionality also enables the organization to enforce usage rights after an authorized recipient accesses the information—both online and offline—inside and outside the organization.
For detailed information about RMS, refer to the Microsoft RMS site at http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt.
Spyware is a general term used for software that performs certain behaviors such as advertising, collecting personal information, or changing the configuration of a user’s computer, generally without appropriately obtaining the user’s consent. Furthermore, this type of software typically requires customer interaction to determine whether proper consent was obtained. Spyware is different from viruses, which are malicious programs that replicate and infect computers without consent.
The effects of spyware on user computers range from minor issues to serious impacts on performance, security, and privacy. Common symptoms include:
Unauthorized pop-up advertisements, even when not browsing the Web
A change to the browser home page or default search engine without user consent and that often resists attempts to change it back
A new and unwanted toolbar on the browser that often resists attempts to remove it
A sudden and dramatic slowdown in computer performance
Increased crashing of operating systems, Web browsers, and other applications
Windows Vista offers real-time blocking of spyware to prevent potentially unwanted software from installing itself. The anti-malware features built into Windows Vista remove malicious software and give users better control over the software on their computers.
For more information about Windows Defender (formerly, Microsoft Windows AntiSpyware), go to the Microsoft Windows AntiSpyware site at http://www.microsoft.com/athome/security/spyware/software. Windows Defender will also be freely available for Windows XP.
Internet Explorer 7 Security Features
Windows Internet Explorer® 7 focuses on core security architecture changes that offer dynamic protection against data theft, fraudulent Web sites, and malicious and hidden software, as well as improvements to the platform for Web developers. Microsoft has made architectural enhancements to Internet Explorer 7 to make it less of a target for hackers and other malicious people, which will help users browse with better peace of mind. As security is tightened, compatibility and extensibility tend to suffer. With Internet Explorer 7, Microsoft is working hard to strike this balance effectively so that users can have the best possible browsing experience.
The new security features of Internet Explorer 7 are:
Protected mode. Reduces the risk of silent installation of malicious code
Improved cross-domain barriers. Defend against spoofing
Phishing filter. Anti-phishing warning and blocking
Address bar. Visible in every window
“One-click cleanup.” Cleans cached pages, passwords, and history
ActiveX Opt-in. Ensures user consent before Microsoft ActiveX® controls run
Restore to Factory Defaults. Resets the browser to a clean configuration
For more information about the advanced security features of Internet Explorer 7, refer to the Internet Explorer 7 Beta 3 Technology Overview at http://www.microsoft.com/windows/ie/ie7/about/default.mspx.
Windows Service Hardening
Windows Service Hardening, a new feature in Windows Vista, restricts critical Windows services from performing abnormal activities in the file system, registry, network, or other resources that could be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.
Services represent a large percentage of the overall attack surface in Windows, both in the amount of always-on code in the system and in the privilege level of that code. Windows Vista limits the number of services that are running and operational by default. Today, many system and non-Microsoft services run in the LocalSystem account, where any breach could lead to unbounded damage to the local machine, including disk formatting, user data access, or driver installation.
Windows Service Hardening reduces the damage potential of a compromised service by introducing the following new concepts:
The introduction of a per-service security identifier (SID) enables per-service identity, which subsequently enables access control partitioning through the existing Windows access control model covering all objects and resource managers that use ACLs. Services can now apply explicit ACLs to resources that are private to the service, which prevents other services as well as the user from accessing the resource.
Moving services from LocalSystem to a lesser-privileged account, such as LocalService or NetworkService, reduces the overall privilege level of the service, which is similar to the benefits derived from UAC.
Unnecessary Windows privileges are stripped on a per-service basis; for example, the ability to perform debugging.
Applying a write-restricted token to the service process can be used in cases where the set of objects that the service writes to is bounded and can be configured. Write attempts to resources that do not explicitly grant the service SID access will fail.
Services are assigned network firewall policy, which prevents network access outside the normal bounds of the service program. The firewall policy is linked directly to a per-service SID.
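The list above introduces per-service SIDs, reduced service accounts and stripped privileges as the mechanisms of Windows Service Hardening. The script below is an added example (not from the deployment guide) that lets the Security feature team see how far those mechanisms apply on a client: it lists enabled services still running as LocalSystem, and for a chosen service reports its per-service SID, SID type and remaining privileges using sc.exe. It assumes Windows Vista or later (the showsid, qsidtype and qprivs queries do not exist on Windows XP) and an elevated prompt; Dhcp is simply the service used for illustration.

```powershell
# Added example, not code from the deployment guide: inspect how far the
# services on a client have been hardened. Assumes Windows Vista or later
# and an elevated prompt. 'Dhcp' is only the service used for illustration.

function Get-LocalSystemServices {
    # Every enabled service still running as LocalSystem is the unbounded-damage
    # case the text describes; each one is a candidate for LocalService/NetworkService.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.StartMode -ne 'Disabled' } |
        Select-Object Name, StartMode, State, PathName
}

function Get-ScField {
    # Run one sc.exe query and return every capture of the pattern, one per matching line.
    param([string[]]$ScArgs, [string]$Pattern)
    foreach ($line in (& sc.exe @ScArgs)) {
        if ($line -match $Pattern) { $matches[1] }
    }
}

function Get-ServiceHardening {
    # sc.exe is spelled out because "sc" inside PowerShell is the alias for Set-Content.
    param([Parameter(Mandatory)][string]$Name)
    $account = (Get-WmiObject -Class Win32_Service -Filter "Name='$Name'").StartName
    [pscustomobject]@{
        Service    = $Name
        Account    = $account
        # The per-service SID (S-1-5-80-...) that ACLs and firewall rules can name.
        ServiceSid = Get-ScField -ScArgs 'showsid', $Name -Pattern 'SERVICE SID:\s*(\S+)'
        # NONE = no service SID in the token; UNRESTRICTED = SID present;
        # RESTRICTED = SID present and the token is write-restricted.
        SidType    = Get-ScField -ScArgs 'qsidtype', $Name -Pattern 'SERVICE_SID_TYPE:\s*(\S+)'
        # Privileges the service keeps after stripping; a short list is the goal.
        Privileges = @(Get-ScField -ScArgs 'qprivs', $Name -Pattern '(Se\w+Privilege)') -join ', '
    }
}

Get-LocalSystemServices | Sort-Object Name | Format-Table -AutoSize
Get-ServiceHardening -Name 'Dhcp'
```

For an in-house service that will be added to the image, the same three queries show whether the installer opted it in: a SidType of NONE means the service SID is not in its token, so neither private ACLs nor a per-service firewall rule can take effect until the service is configured with sc.exe sidtype (unrestricted, or restricted when its set of writable objects is bounded, as the text describes). A long Privileges list on a LocalSystem service is the combination the list above is designed to eliminate.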