[ISN] Microsoft guidelines give the bottom line on security settings

From: InfoSec News (alerts@private)
Date: Mon Mar 19 2007 - 22:04:42 PST


By William Jackson

Microsoft Corp. has produced a set of security guidelines [1] for 
Windows Vista, providing a checklist of security settings and 
configurations for two levels of enhanced security in the new operating 

Although published by Microsoft, the guidelines are the product of a 
collaboration between the software vendor and the National Security 
Agency, the National Institute of Standards and Technology and the 
Defense Information Systems Agency. The guidelines are the latest in a 
series of recommendations for hardening Microsoft software. Kurt 
Dillard, security evangelist for Microsoft's federal team, said the Vista 
guidelines represent a closer collaboration with government.

"We first approached the NSA a little over four years ago to see if they 
were interested in getting security recommendations for XP and 2000 
aligned with government needs," Dillard said. "The original versions didn't 
include input from the government."

Subsequent guidelines for Windows XP and Windows Server 2003 were in 
close agreement with government recommendations, and Microsoft began 
working with NIST, NSA and DISA last summer on the Vista guidelines. The 
teams now are working on documents for Office 2007 and Longhorn Server.

NIST recommends that agencies considering a move to the new operating 
system begin interoperability testing with deployed applications and 
systems because of the substantial changes in the security architecture. 
Vista is the first operating system developed under Microsoft's Secure 
Development Lifecycle process and includes a number of advanced security 
features in the default configuration.

NSA and the Air Force both made suggestions on security configurations 
in the late stages of Vista's development, Dillard said.

"A lot of their suggestions were incorporated," he said. "The default 
settings are much more secure than in previous systems."

Although the default configuration is more locked down than in earlier 
operating systems, the security guidelines set out a higher level of 
security for enterprises, which would probably be more advanced than 
most home users would require. A higher level, Specialized 
Security-Limited Functionality, is intended for some government users.

The higher-level security settings sacrifice some user convenience and 
interoperability with applications.

[1] http://www.microsoft.com/downloads/details.aspx?FamilyId=A3D1BBED-7F35-4E72-BFB5-B84A526C1565&displaylang=en


This archive was generated by hypermail 2.1.3 : Mon Mar 19 2007 - 22:15:08 PST