Microsoft Windows Vista SIRT Roundtable Discussion January 12, 2007 Harvard Townsend Interim University IT Security Officer College Court 114
Jan. 12, 2007Windows Vista2 Agenda Vista versions – their features and availability Security features Trend Micro and Vista SIRT recommendations for deployment Microsoft seminar Feb. 6 in Union 212 Other issues Q&A
Jan. 12, 2007Windows Vista3 Versions Starter – not available in US Home Basic – limited functionality Home Premium – minimum for K-State home use Business – minimum for K-State computers Ultimate – $$$ (business+multimedia tools) Enterprise – not available retail; volume license customers with Software Assurance only)
Jan. 12, 2007Windows Vista4 Availability Developers – available now; could order Business version from SHI since November Retail consumers (i.e., ship with new Dell, etc. computers) – January 30 Can pre-order from SHI now (and amazon.com) Dell, Gateway, HP offer Vista “Express Upgrade” with new computer purchase (usually only a shipping fee added) until March 15 Union Computer Store doesn’t know pricing yet or when it will be available
Jan. 12, 2007Windows Vista5 Vista Security “SD3” – security by design, default, and deployment Is more secure, but… –Vulnerabilities already identified (selling for $50K) –Still susceptible to social engineering, “stupid user” attacks (click- happy users) Extent of damage can be limited with “User Account Control” (UAC) –Users don’t have admin control by default –Can perform common tasks w/o admin rights –Administrator Approval Mode prompts user before performing admin task like installing software –Many control settings (is good, but more complicated) –Some applications may break with UAC
Jan. 12, 2007Windows Vista6 Other Vista Security Features Windows Defender built in –Real-time spyware protection –Updates managed by WSUS or Windows Update –Prompts user if a program tries to modify a protected area of the Vista kernel (“PatchGuard” locks kernel) –SIRT will re-evaluate Spybot recommendation Windows Firewall –Filters both inbound and outbound traffic –Different rulesets depending on type of network connection Windows Security Center more user oriented and comprehensive
Jan. 12, 2007Windows Vista7 Other Vista Security Features Malicious Software Removal Tool –cleans up malware missed by antivirus software –New version monthly via WSUS, Windows Update –Similar to Trend OfficeScan Damage Cleanup Services Software Restriction Policies –Control environment in which applications can operate –Similar to Windows XP Pro Internet Explorer 7 security features Group Policies easier to work with, but voluminous
Jan. 12, 2007Windows Vista8 Other Vista Security Features BitLocker –Encrypts entire Windows volume (but leaves system volume unencrypted) –Cannot boot Linux and look at Windows files –Prompts for PIN or uses USB token at boot-up –Can store encryption keys and protect integrity of boot code with TPM chip –Don’t lose your PIN or USB key! –Affects performance of the computer –Only in Ultimate and Enterprise versions
Jan. 12, 2007Windows Vista9 Other Vista Security Features Encrypting File System (EFS) –Encrypt individual files and/or folders –Can store decryption key on smartcard –Can generate recovery key –If use with BitLocker, EFS keys protected (hacker can’t get password hash to try brute force cracking) –Can encrypt multiple drives and network shares –Available in Business, Ultimate, and Enterprise versions
Jan. 12, 2007Windows Vista10 Other Vista Security Features Rights Management Services –Protect info in transit ( , docs, web content) –Requires a server –Application has to be RMS-compatible Device Control –Prevent users from installing certain devices, like USB flash drive or other removable storage –Can turn off AutoPlay or AutoRun
Jan. 12, 2007Windows Vista11 Vista Security Windows Vista Security Guide: VERY useful document – get it, study it Chapters on: –Implementing the Security Baseline (Group Policy) –Protecting Against Malware (UAC, Defender, Firewall, Security Center, Malicious Software Removal Tool) –Protecting Sensitive Data (BitLocker, EFS, Rights Mgmt, Device Control)
Jan. 12, 2007Windows Vista12 Trend Micro Still need AV software with Vista No OfficeScan client for Vista yet Current version = 7.3 Vista-compatible version = 8.0 Expected Q207 (April-June?) Cannot run Windows without antivirus/security software
Jan. 12, 2007Windows Vista13 SIRT Recommendations Hold off on deployment until Trend Micro releases a compatible OfficeScan client Use Business version or better for campus computers Use Home Premium or better for personal computers brought to campus Consider implementation plan carefully Test all applications thoroughly Don’t be in any hurry
Jan. 12, 2007Windows Vista14 Microsoft Visit At K-State Feb. 6, Union 212 Two sessions: –10-11:30 A.M. – general overview of Vista and IE7, general Q&A –1:30-3:30 P.M. – technical details, licensing, security, in-depth Q&A Will be announced in IT Tuesday and sirt- contacts mailing list
Jan. 12, 2007Windows Vista15 Other Issues License downgrade? Are probably some options, but unsure of details at this time Can buy XP Pro for another year License activation under Volume License Agreements Samba broken with default Vista configuration Other applications reported to have problems – test! New user interface – will be challenging transition for some
Jan. 12, 2007Windows Vista16 Q&A?