| | #1 (permalink) |
| Guest | Securing / Hardening Windows Vista Business |

Wondering if anyone has any documentation or point me in the right direction (URLs) in order to gather some insight on securing/hardening a Windows Vista Business workstation.

Any help into this matter would be appreciated.

José Carlos
| | #2 (permalink) |
| Guest | RE: Securing / Hardening Windows Vista Business |

Not sure what specific threats you are trying to mitigate, but the Windows Vista Security Guide is fairly general, although quite too intrusive:
http://www.microsoft.com/downloads/d...displaylang=en

There are books starting to appear too, such as the most excellent "Windows Vista Security". :-)

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"jose.cso@gmail.com" wrote:
> Wondering if anyone has any documentation or point me in the right
> direction (URLs) in order to gather some insight on securing/hardening
> a Windows Vista Business workstation.
>
> Any help into this matter would be appreciated.
>
> José Carlos
| | #3 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

jose.cso@gmail.com wrote:
> Wondering if anyone has any documentation or point me in the right
> direction (URLs) in order to gather some insight on securing/hardening
> a Windows Vista Business workstation.
>
> Any help into this matter would be appreciated.

Vista is just another NT based O/S like Win 2K and XP. I know most of the things in the link can be applied to Vista either directly or indirectly knowing the basics of the NT based O/S(s).

http://labmice.techtarget.com/articl...ychecklist.htm
| | #4 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

Some of that stuff is good, notably most of the stuff in the first section. Although, on a physically secure stand-alone machine, having no password is often more secure than having one.

Renaming the admin account is meaningless. Leaving it with the default name makes it no easier at all to break into an insecure system, but it can break apps if you rename it.

Replacing Everyone with Authenticated Users not only has absolutely no impact on Security, it also will almost certainly break your system and render it unsupported and unsupportable (see KB 885409 http://support.microsoft.com/kb/885409). Everyone and Users include the Guest account, since INTERACTIVE is a member of Users. Authenticated Users do not include guests, but as the Guest account is disabled by default, and the vast majority of systems have no members of Guests, there is no functional difference between Everyone and Authenticated Users on the vast majority of systems, and hence no reason to make that change.

Preventing the last logged in user name from being displayed provides security if your username is the primary secret stopping bad guys. Take a moment and look at your business card. I bet it shows your username, with an @-sign right after it. And, if you take your first initial and last name, there are most usernames. In other words, hiding the last logged on username doesn't help.

Disabling remote desktop breaks remote assistance and is generally inadvisable unless you have no options other than to have extremely weak passwords.

The firewall should be on if you have a network connection. Period. Regardless of whether it is permanent or not.

Encrypting the local offline files cache in XP is totally meaningless. In Vista it is not.

Encrypting the %temp% folder is not only not supported, it can't be done.

Clearing the pagefile at shutdown is a valid countermeasure if the attacker you are worried about is the Chinese/North Korean/U.S./U.K./Russian/SomeOther Intelligence agency. It is highly, no, make that entirely, unlikely that a run-of-the-mill attacker that has stolen your machine is going to wade through a 2 billion byte binary file with a hex editor on the off chance that there (a) is anything interesting in there, (b) Windows or the other app that put it there did not encrypt it, and (c) he actually manages to recognize it. On the other hand, if you like shutdowns to take 15-30 minutes, then clearing the pagefile at shutdown is a good way to ensure they do.

The auditing settings are not only broken in that there are no failed system events (uh, dude, I tried to shutdown but failed because it took too long to clear the pagefile); if you set the audit settings in this guide you will generate somewhere around 1,000 events per _second_ on a default system. Go ahead. Tell me when you find any interesting ones. It is somewhat comical (tragicomical really) that this checklist has absolutely nothing about actually _looking_ at your logs. Generate thousands of events, but have no log management system in place. That doesn't sound like it makes anyone any more secure.

Disabling the default shares is totally, utterly, completely, entirely meaningless. An attacker that has an admin account already can turn them back on in half a second. An attacker that doesn't have an admin account can't use them anyway. Why take the app compat hit from turning them off to get absolutely no gain, not to mention that if you took the advice above and turned on the firewall, they are impervious anyway. Defense in Depth is a reasoned strategy by which you protect a system against meaningful and realistic threats on multiple levels. It is not a phrase to justify dangerous tweaks that you can't justify any other way.

The part about disabling boot from floppy or CDROM just made me laugh. The author first of all has missed the crucial point that if the bad guy has physical access to your system, it ain't your system any longer. Second, he (she?) does not understand what the "restrict floppy access..." security settings do. If you (a) enable those settings, AND (b) there is a floppy/CD in the drive, AND (c) you have manually created a share for that drive (there is none by default), AND (d) the share permits the attacker to map it, AND (e) there is someone currently logged on locally, THEN, and only then can remote users not use the shares across the network. As soon as you log off, the shares are remotely accessible again.

Please do yourselves a favor: don't implement security guides from third parties, at least not without a complete understanding of the impact of the changes they recommend. The vast majority of third party security guides will render your system unstable in one or more respects. I have seen some that will prevent users from logging on, and one that caused the system to self-destruct if it was turned off for seven days. There is plenty of trustworthy documentation from Microsoft. Use that.

And, before you do, analyze who you are trying to protect yourself from. If your objective is to secure your home computer, turn on the firewall, install an anti-malware program, create a separate account to administer your system, make sure your day-to-day account is a non-admin, and enable Windows Update to auto-install patches. You're done. If the enemy is some foreign intelligence service, hire folks that are true experts in system hardening and don't trust random documents on the web, written by people who do not have an obvious interest in your system being secure, nor an obvious skillset to bring to bear on a risk management problem, not to mention absolutely no idea what risks you are facing and the threats that are meaningful to you.

If there were a "one-size-fits-all" security configuration, don't you think Microsoft would have shipped the system that way in the first place?

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"DArnold" wrote:
> jose.cso@gmail.com wrote:
> > Wondering if anyone has any documentation or point me in the right
> > direction (URLs) in order to gather some insight on securing/hardening
> > a Windows Vista Business workstation.
> >
> > Any help into this matter would be appreciated.
>
> Vista is just another NT based O/S like Win 2K and XP. I know most of
> the things in the link can be applied to Vista either directly or
> indirectly knowing the basics of the NT based O/S(s).
>
> http://labmice.techtarget.com/articl...ychecklist.htm
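
Added example, not part of the post above or of the thread: a read-only check of the home-computer baseline listed in post #4 (firewall on, anti-malware installed, a separate admin account, a non-admin day-to-day account, updates auto-installing). It assumes English-language `netsh`/`net` output and Windows PowerShell 2.0; the function names are hypothetical.

```powershell
# Added example, not from the thread. Assumes English netsh/net output and
# Windows PowerShell 2.0 on Vista. Read-only: it changes no settings.

function Test-FirewallOn {
    # Every firewall profile (Domain, Private, Public) must report "State ON".
    $states = @(netsh advfirewall show allprofiles state | Select-String '^State\s+(\w+)')
    if ($states.Count -eq 0) { return $false }
    foreach ($s in $states) {
        if ($s.Matches[0].Groups[1].Value -ne 'ON') { return $false }
    }
    return $true
}

function Test-AntiMalwareRegistered {
    # Products register with Security Center via WMI; newer builds use
    # root\SecurityCenter2, older ones root\SecurityCenter.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
            try {
                if (Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop) { return $true }
            } catch { }   # namespace or class absent on this build
        }
    }
    return $false
}

function Get-LocalAdminNames {
    # Member names sit between the dashed rule and the completion message.
    $out = @(net localgroup Administrators)
    $rule = 0
    for ($i = 0; $i -lt $out.Count; $i++) { if ($out[$i] -match '^-+$') { $rule = $i } }
    $out | Select-Object -Skip ($rule + 1) |
        Where-Object { $_ -and $_ -notmatch '^The command completed' } |
        ForEach-Object { ($_ -split '\\')[-1].Trim() }   # drop any DOMAIN\ prefix
}

function Test-AutoInstallUpdates {
    # AUOptions = 4 is "install updates automatically" in the local (non-policy) setting.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $v = Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue
    return [bool]($v -and $v.AUOptions -eq 4)
}

$admins = @(Get-LocalAdminNames)
# The built-in Administrator is disabled by default on Vista, so it is not
# counted as the separate administration account.
$otherAdmins = @($admins | Where-Object { $_ -ne $env:USERNAME -and $_ -ne 'Administrator' })

"Firewall on (all profiles):   $(Test-FirewallOn)"
"Anti-malware registered:      $(Test-AntiMalwareRegistered)"
"Separate admin account:       $($otherAdmins.Count -gt 0)"
"Day-to-day account non-admin: $($admins -notcontains $env:USERNAME)"
"Updates auto-install:         $(Test-AutoInstallUpdates)"
```

Run it from the day-to-day account: membership is read from the Administrators group rather than the current token, so UAC's filtered token does not hide an admin account.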
| | #5 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

I don't know why you have written War and Peace about this.

It's a good article if someone understands the security aspects of the NT based O/S and in general an understanding on the NT based O/S, which I do have that understanding.

I have been in the IT field since 1971 and have worn many hats, from tech support, Operations Manager, network admin, to .Net Programmer, many hats.

I started on the MS platform in 1994, and I am still going strong.

Not to be out of line here, but I don't think there is too much you can tell me about the NT based O/S.

I appreciate your comments, but they were way too long. I lost interest after the first paragraph, sorry.
| | #6 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

I've written war and peace about this because almost every time I've seen someone use advice like this they have ended up destroying thousands of systems.

And, I am sorry you've lost interest in learning.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"Mr. Arnold" wrote:
> I don't know why you have written War and Peace about this.
>
> It's a good article if someone understands the security aspects of the NT
> based O/S and in general an understanding on the NT based O/S, which I do
> have that understanding.
>
> I have been in the IT field since 1971 and have worn many hats, from tech
> support, Operations Manager, network admin, to .Net Programmer, many hats.
>
> I started on the MS platform in 1994, and I am still going strong.
>
> Not to be out of line here, but I don't think there is too much you can tell
> me about the NT based O/S.
>
> I appreciate your comments, but they were way too long. I lost interest
> after the first paragraph, sorry.
| | #7 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

"Jesper" <Jesper@discussions.microsoft.com> wrote in message news:A3CD1C31-FB04-4643-83DB-B851D01FC0A0@microsoft.com...
> I've written war and peace about this because almost every time I've seen
> someone use advice like this they have ended up destroying thousands of
> systems.
>
> And, I am sorry you've lost interest in learning.

I learned everything I needed to know from the best at comp.security.firewalls where I have frequented and have given advice, since 2001.

Like I have told you, I am no fool and have done this for many years. There is nothing in that link, if someone knows what he or she is doing with the NT based O/S, that's going to lead to someone destroying the O/S. It's totally ridiculous that you have even brought it up.

And right now, I am going through the MCTS 70-528 Training Kit book for the exam, with two more books to go through for the MCPD. I hold two MCP(s) in MS technologies since year 2000.

So, you see I never stop learning. Why do you think I am still around at the age that I am at, being in the industry since 1971 and outgunning the young guns in the profession, if I am not always on the leading edge of learning new technology.

It's just that you are talking about stuff I already know, which is of no interest to me, because of that reason.

Sorry, but that's just the way it is.
| | #8 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

I don't know if you checked the link that Jesper posted earlier. But there is a resemblance between Jesper's name and the author of the book called "Windows Vista Security: Securing Vista Against Malicious Attacks". If Jesper gives a tip about security, usually people listen.

"Mr. Arnold" wrote:
>
> "Jesper" <Jesper@discussions.microsoft.com> wrote in message
> news:A3CD1C31-FB04-4643-83DB-B851D01FC0A0@microsoft.com...
> > I've written war and peace about this because almost every time I've seen
> > someone use advice like this they have ended up destroying thousands of
> > systems.
> >
> > And, I am sorry you've lost interest in learning.
>
> I learned everything I needed to know from the best at
> comp.security.firewalls where I have frequented and have given advice, since
> 2001.
>
> Like I have told you, I am no fool and have done this for many years. There
> is nothing in that link, if someone knows what he or she is doing with the
> NT based O/S, that's going to lead to someone destroying the O/S. It's
> totally ridiculous that you have even brought it up.
>
> And right now, I am going through the MCTS 70-528 Training Kit book for the
> exam, with two more books to go through for the MCPD. I hold two MCP(s) in
> MS technologies since year 2000.
>
> So, you see I never stop learning. Why do you think I am still around at the
> age that I am at, being in the industry since 1971 and outgunning the
> young guns in the profession, if I am not always on the leading edge of
> learning new technology.
>
> It's just that you are talking about stuff I already know, which is of no
> interest to me, because of that reason.
>
> Sorry, but that's just the way it is.
| | #9 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

"Magnus" <Magnus@discussions.microsoft.com> wrote in message news:ED5B60BA-D6BA-4526-BD48-6769FC41E069@microsoft.com...
> I don't know if you checked the link that Jesper posted earlier. But there
> is a resemblance between Jesper's name and the author of the book called
> "Windows Vista Security: Securing Vista Against Malicious Attacks". If
> Jesper gives a tip about security, usually people listen.

And I am telling you I don't need it. I can't make it any clearer than that. I don't need it.

You tell him to put out a book about how to secure the Win 2k3 server O/S, including the registry, file system, user accounts, Web applications and IIS7 to face the Internet, then he might get my attention.

But when it comes to the Windows NT based O/S for the workstations, including Vista, I don't need any help --- sorry. And I am offended that he made the post.

Now, I got nothing against the guy, and for the clueless, what he has to offer may help them in some way, but there is nothing he can do for me or tell me --- sorry.
| | #10 (permalink) |
| Guest | Re: Securing / Hardening Windows Vista Business |

"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message news:%23VbSV0etHHA.4572@TK2MSFTNGP02.phx.gbl...
>
> "Magnus" <Magnus@discussions.microsoft.com> wrote in message
> news:ED5B60BA-D6BA-4526-BD48-6769FC41E069@microsoft.com...
>> I don't know if you checked the link that Jesper posted earlier. But there
>> is a resemblance between Jesper's name and the author of the book called
>> "Windows Vista Security: Securing Vista Against Malicious Attacks". If
>> Jesper gives a tip about security, usually people listen.
>
> And I am telling you I don't need it. I can't make it any clearer than
> that. I don't need it.
>

Mr. Arnold,

When Dr. Jesper Johansson gives a Windows security post, it might be worth your while to sit back and listen, instead of attempting to tout your own deep knowledge. Until August 2006, Jesper was a Senior Security Strategist in the Security Technology Unit at Microsoft. He now serves a similar role as Principal Security Program Manager at a little internet company known as Amazon.com. His Ph.D. in MIS likely trumps your "two MCP's since 2001". Others in this newsgroup have probably had the pleasure to hear Jesper speak at many Microsoft TechEd's as well as other similar events for the many years he was at Microsoft, and his depth of knowledge in computer security and Windows security specifically is legendary.

So, please, sir, show a little respect.

Thank you,
Glenn Fincher - v-glennf AT microsoft.com