Windows Vista makes security a policy decision
By Pete Bartolik
Enhanced Group Policy capabilities power the security features in the new Windows Vista operating system and the 2007 Microsoft Office system.
In Summary:
• Improved policy management is central to security and privacy enforcement.
• Windows Server 2003 Active Directory performs multiple roles in managing user and computer settings.
• New and enhanced encryption functions safeguard data.
As the first Windows client built using the Microsoft Security Development Lifecycle, Windows Vista is the most secure operating system Microsoft has produced. According to Russ Humphries, senior product manager for Windows Vista Client Security, security improvements minimize the operating system's attack surface area. "This in turn improves system and application integrity and helps organizations more securely manage and isolate their networks," he says.
Windows Vista offers an array of security tools to help prevent the intrusion of malicious software (malware), including User Account Control (UAC), Windows Defender, Windows Firewall, Windows Security Center, and Software Restriction Policies. Policy management is fundamental to the deployment of these new or improved tools in Windows Vista (excluding the Home and Starter editions), as well as the new 2007 Microsoft Office system.
Windows Vista makes Group Policy easier to implement
Group Policy in Windows knows who you are and what settings are allowed on your computer. For many midsize companies, the concept might be unfamiliar, according to Andrew Reese, a principal consultant and head of the security practice with CompuCom Systems, an information technology (IT) outsourcing company. Companies have had Group Policy capabilities in previous versions of Windows, he says, but IT managers have often failed to use them.
Fortunately, enhancements in Windows Vista make this feature easier to use. The Group Policy Management Console (GPMC) is now built right into the operating system. The GPMC supports multiple Group Policy Objects (GPOs) that contain the policy settings affecting users and computers in sites, domains, and organizational units; provides management of Internet Explorer 7.0; and offers hundreds of additional settings.
To take advantage of Group Policy, an organization must have Active Directory, the distributed directory service in Windows Server 2003. Active Directory functions as an identity management solution, says Joshua Edwards, technical product manager for 2007 Office system security with Microsoft. "When you log on, policy is downloaded from Active Directory and enforced on your machine," he explains.
Group Policy provides a centralized infrastructure within Active Directory that enables directory-based change and configuration management of user and computer settings. The Windows Vista Security Guide provides tools and step-by-step procedures to ease the deployment process for running Windows Vista with Active Directory.
New encryption in Windows Vista
Active Directory also plays a role in Windows Vista BitLocker Drive Encryption. This hardware-enabled data protection feature prevents unauthorized users from reading data on the secured drive, whether they try to break Windows file and system protections or to read the drive offline. BitLocker can use Active Directory to store BitLocker recovery keys remotely, while also allowing IT administrators to save encryption keys and recovery passwords to a universal serial bus (USB) key (thumb drive) or to a separate file for backup.
A number of new Group Policy options are available in Windows Vista to help administrators define and implement organizational policies for the Microsoft Encrypting File System (EFS). Such policies include the ability to require smart cards for EFS, enforce page file encryption, and enforce encryption of the user's Documents folder.
2007 Office system security
Encryption also plays a role in the information rights management features in the 2007 Office system, says Edwards. With Windows Rights Management Services (RMS) for Windows Server 2003, organizations can assign document-level protection. "If I send you a document that's encrypted, once you open that document you authenticate yourself and the server sends you a key," he explains. You can enforce policies regarding printing, changing, and saving files. You can also establish an expiration date for policies and set up an audit trail.
Every application in the new release of Microsoft Office has a feature called the Trust Center, which, for example, allows you to turn macros on or off. You can also set Group Policy to control Trust Center settings, Edwards notes.
With all the new features in both the 2007 Office system and Windows Vista, deployment might seem difficult, but there is plenty of help. A collection of Windows Vista deployment tools and best practices is incorporated into the Microsoft Solution Accelerator for Business Desktop Deployment (BDD) 2007, a free download. BDD 2007 includes a solution for smaller organizations that do not have Systems Management Server and other management tools that are common in larger organizations.
User Account Control helps administrators fight threats
Prior to Windows Vista, IT departments would often grant users "administrator" rights in order to simplify deployment issues. Fortunately, that's no longer necessary. User Account Control (UAC) enables users to run as standard users but still be able to complete day-to-day productivity tasks. If a standard user seeks to install a program, change system settings, or perform other administrator tasks—which can weaken security—he will be prompted to enter administrator credentials. At the same time, UAC extends the range of common, low-risk tasks that standard users can perform, such as installing new printers or changing Windows time zones. See the Windows Vista Security Guide for more information about adjusting Windows Vista security features.
For more information about UAC, see Understanding and Configuring User Account Control in Windows Vista.
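The following PowerShell audit script is an added example, not code from the article or from Microsoft. It reads the local registry values that the "User Account Control" security options in Group Policy write, so an administrator can confirm that UAC is on and that standard users are prompted for administrator credentials rather than silently denied or, worse, running with administrator tokens. The registry path and value names are the documented ones for these policies; the meanings listed are those used by Windows Vista, with later additions accepted where noted.

```powershell
# Added example: verify the UAC policy values behind the behaviour described above.
# Path where the "User Account Control: ..." security options are stored locally.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each check names a value, the test it must pass, and why it matters.
#   EnableLUA                  1 = UAC enabled; 0 = administrators run fully elevated
#   ConsentPromptBehaviorUser  1 = prompt standard users for admin credentials
#                              0 = automatically deny elevation requests
#                              (3 is a later "prompt for credentials" variant)
#   ConsentPromptBehaviorAdmin 0 = elevate administrators without any prompt (weakest)
#                              1 = prompt for credentials, 2 = prompt for consent
#   PromptOnSecureDesktop      1 = show elevation prompts on the secure desktop
$checks = @(
    @{ Name = 'EnableLUA';                  Ok = { param($v) $v -eq 1 }
       Why  = 'UAC must be enabled' }
    @{ Name = 'ConsentPromptBehaviorUser';  Ok = { param($v) $v -in 1, 3 }
       Why  = 'standard users should be prompted for administrator credentials' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Ok = { param($v) $v -ne 0 }
       Why  = 'administrators must not elevate without a prompt' }
    @{ Name = 'PromptOnSecureDesktop';      Ok = { param($v) $v -eq 1 }
       Why  = 'prompts should be isolated on the secure desktop' }
)

function Test-UacPolicy {
    # Returns one object per setting. A missing value is reported as
    # non-compliant so the auditor has to look at it rather than trust a default.
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $policyPath -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting   = $c.Name
            Value     = $value
            Compliant = ($null -ne $value) -and (& $c.Ok $value)
            Reason    = $c.Why
        }
    }
}

$results = Test-UacPolicy
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more UAC settings differ from the recommended configuration.'
}
```

Because these values are written by Group Policy, the same script shows whether a domain GPO is actually reaching the machine, not just what the console says it should apply.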
Pete Bartolik is a Hopkinton, Massachusetts-based writer specializing in technology.