Microsoft Windows Vista SIRT Roundtable Discussion January 12, 2007 Harvard Townsend Interim University IT Security Officer [email protected] 532-2985 College Court 114
Agenda
• Vista versions – their features and availability
• Security features
• Trend Micro and Vista
• SIRT recommendations for deployment
• Microsoft seminar Feb. 6 in Union 212
• Other issues
• Q&A

Versions
http://www.microsoft.com/windowsvista/getready/editions/default.mspx
• Starter – not available in US
• Home Basic – limited functionality
• Home Premium – minimum for K-State home use
• Business – minimum for K-State computers
• Ultimate – $$$ (business+multimedia tools)
• Enterprise – not available retail (volume license customers with Software Assurance only)

Availability
• Developers – available now; could order Business version from SHI since November
• Retail consumers (i.e., ship with new Dell, etc. computers) – January 30
• Can pre-order from SHI now (and amazon.com)
• Dell, Gateway, HP offer Vista “Express Upgrade” with new computer purchase (usually only a shipping fee added) until March 15
• Union Computer Store doesn’t know pricing yet or when it will be available

Vista Security
• “SD3” – security by design, default, and deployment
• Is more secure, but…
  – Vulnerabilities already identified (selling for $50K)
  – Still susceptible to social engineering, “stupid user” attacks (click-happy users)
• Extent of damage can be limited with “User Account Control” (UAC)
  – Users don’t have admin control by default
  – Can perform common tasks w/o admin rights
  – Administrator Approval Mode prompts user before performing admin task like installing software
  – Many control settings (is good, but more complicated)
  – Some applications may break with UAC

Other Vista Security Features
• Windows Defender built in
  – Real-time spyware protection
  – Updates managed by WSUS or Windows Update
  – Prompts user if a program tries to modify a protected area of the Vista kernel (“PatchGuard” locks kernel)
  – SIRT will re-evaluate Spybot recommendation
• Windows Firewall
  – Filters both inbound and outbound traffic
  – Different rulesets depending on type of network connection
• Windows Security Center more user oriented and comprehensive

Other Vista Security Features
• Malicious Software Removal Tool – cleans up malware missed by antivirus software
  – New version monthly via WSUS, Windows Update
  – Similar to Trend OfficeScan Damage Cleanup Services
• Software Restriction Policies
  – Control environment in which applications can operate
  – Similar to Windows XP Pro
• Internet Explorer 7 security features
• Group Policies easier to work with, but voluminous

Other Vista Security Features
• BitLocker
  – Encrypts entire Windows volume (but leaves system volume unencrypted)
  – Cannot boot Linux and look at Windows files
  – Prompts for PIN or uses USB token at boot-up
  – Can store encryption keys and protect integrity of boot code with TPM chip
  – Don’t lose your PIN or USB key!
  – Affects performance of the computer
  – Only in Ultimate and Enterprise versions

Other Vista Security Features
• Encrypting File System (EFS)
  – Encrypt individual files and/or folders
  – Can store decryption key on smartcard
  – Can generate recovery key
  – If use with BitLocker, EFS keys protected (hacker can’t get password hash to try brute force cracking)
  – Can encrypt multiple drives and network shares
  – Available in Business, Ultimate, and Enterprise versions

Other Vista Security Features
• Rights Management Services
  – Protect info in transit (e-mail, docs, web content)
  – Requires a server
  – Application has to be RMS-compatible
• Device Control
  – Prevent users from installing certain devices, like USB flash drive or other removable storage
  – Can turn off AutoPlay or AutoRun

Vista Security
• Windows Vista Security Guide: http://www.microsoft.com/technet/windowsvista/security/guide.mspx
• VERY useful document – get it, study it
• Chapters on:
  – Implementing the Security Baseline (Group Policy)
  – Protecting Against Malware (UAC, Defender, Firewall, Security Center, Malicious Software Removal Tool)
  – Protecting Sensitive Data (BitLocker, EFS, Rights Mgmt, Device Control)

Trend Micro
• Still need AV software with Vista
• No OfficeScan client for Vista yet
• Current version = 7.3
• Vista-compatible version = 8.0
• Expected Q207 (April-June?)
• Cannot run Windows without antivirus/security software

SIRT Recommendations
• Hold off on deployment until Trend Micro releases a compatible OfficeScan client
• Use Business version or better for campus computers
• Use Home Premium or better for personal computers brought to campus
• Consider implementation plan carefully
• Test all applications thoroughly
• Don’t be in any hurry

Microsoft Visit
• At K-State Feb. 6, Union 212
• Two sessions:
  – 10-11:30 A.M. – general overview of Vista and IE7, general Q&A
  – 1:30-3:30 P.M. – technical details, licensing, security, in-depth Q&A
• Will be announced in IT Tuesday and sirtcontacts mailing list

Other Issues
• License downgrade? Are probably some options, but unsure of details at this time
• Can buy XP Pro for another year
• License activation under Volume License Agreements http://www.microsoft.com/technet/windowsvista/plan/volact.mspx
• Samba broken with default Vista configuration
• Other applications reported to have problems – test!
• New user interface – will be challenging transition for some

Q&A?