S 3.210 Windows Vista client
Description
This module addresses the Enterprise version of the Windows Vista client operating system, or Windows Vista Enterprise for short. When necessary, differences between this version and the Windows Vista Business or Windows Vista Ultimate versions are pointed out.
Windows Vista is the successor product to the Microsoft Windows XP Professional/Home operating system. The security of a client operating system such as Windows Vista plays an important role for security throughout the entire information system. Vulnerabilities in the operating system of a client endanger the security of all IT systems, and therefore of the entire information system.
This module focuses on the operation of clients in a domain environment. Important facts applying especially to the use of Windows Vista on stand-alone computers or in a workgroup are pointed out as such.
The server-specific security safeguards relevant when operating the clients in a domain environment are described in the server modules, for example S 3.6 Windows 2000 Server and S 3.8 Windows Server 2003.
Clients running a Microsoft operating system are attractive targets for attackers due to their widespread use. This is also indicated by the large number of published security gaps and attacks. For this reason, Microsoft has implemented some changes in Windows Vista that were not available in previous Windows versions to improve the level of security of the client. In addition, Microsoft has refined the security features available in earlier Windows versions and implemented them in Windows Vista. Such security features include, for example, the Security Center available in Service Pack 2 of Windows XP. Examples of security features specific to Windows Vista include the following:
- BitLocker Drive Encryption, which is a hard disk encryption feature used to protect confidential data (only available in Windows Vista Enterprise and Ultimate).
- User Account Control (UAC) to protect the system integrity when working with administrator accounts.
- Protected mode of the Internet Explorer IE7 to protect against undetected downloading and execution of malicious code when surfing the internet (requires the use of the UAC), as well as additional security features to protect the integrity of user and system data.
- File and registry virtualisation to allow standard users to securely execute legacy applications, the use of which was only possible using the administrator account before the release of Windows Vista (requires the use of the UAC).
In addition to new and updated security features, Windows Vista is characterised especially by the numerous changes to the procedures and requirements for activation.
Threat scenario
Modern IT systems are exposed to a number of threats in daily operation. Successful attacks often exploit certain faulty configurations of individual systems or of several system components, as well as design weaknesses in the system architecture.
In general, it is true that the threat scenarios for individual IT systems always depend on the operational scenario, and that each of these threats also poses a threat to the overall system. It must be taken into account that all attacks to stand-alone IT systems (see "Deliberate acts") require local access to the IT system.
The following typical threats to the IT-Grundschutz are assumed to exist when using stand-alone IT systems running the Windows Vista operating system.
Force Majeure
| T 1.2 | Failure of the IT system |
| T 1.4 | Fire |
| T 1.5 | Water |
| T 1.8 | Dust, soiling |
Organisational Shortcomings
| T 2.7 | Unauthorised use of rights |
| T 2.9 | Poor adjustment to changes in the use of IT |
| T 2.19 | Inadequate key management for encryption |
| T 2.62 | Inappropriate handling of security incidents |
| T 2.146 | Loss of functionality of Vista clients due to not reactivating before SP1 |
Human Error
| T 3.2 | Negligent destruction of equipment or data |
| T 3.3 | Non-compliance with IT security measures |
| T 3.6 | Hazards posed by cleaning staff or outside staff |
| T 3.8 | Improper use of the IT system |
| T 3.9 | Improper IT system administration |
| T 3.22 | Improper modification of the registry |
| T 3.48 | Incorrect configuration of Windows computers |
| T 3.97 | Violation of confidentiality in spite of BitLocker drive encryption under Windows Vista and higher |
| T 3.98 | Loss of BitLocker-encrypted data |
Technical Failure
| T 4.1 | Disruption of power supply |
| T 4.7 | Defective data media |
| T 4.8 | Discovery of software vulnerabilities |
| T 4.23 | Automatic recognition of removable data media |
| T 4.73 | Impaired software functionality due to compatibility problems with Windows Vista and Windows 7 |
Deliberate Acts
| T 5.2 | Manipulation of information or software |
| T 5.4 | Theft |
| T 5.7 | Line tapping |
| T 5.9 | Unauthorised use of IT systems |
| T 5.18 | Systematic trying-out of passwords |
| T 5.23 | Malicious software |
| T 5.52 | Misuse of administrator rights in Windows operating systems |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.79 | Unauthorised acquisition of administrator rights under Windows systems |
| T 5.83 | Compromising cryptographic keys |
| T 5.85 | Loss of integrity of information that should be protected |
Method recommendation
To secure an IT system, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
Windows Vista systems are generally part of an information system. This opens up special possibilities for attacks. In its basic configuration, Windows Vista already offers several security mechanisms. Other security mechanisms must first be implemented by the person responsible. The Active Directory (AD) may help specify the central configuration and enforce technical security safeguards.
In situations where it is impossible to use the central configuration option offered by Active Directory, technical safeguards need to be specified locally on each client using local security policies. To accomplish this, it is possible to create configuration files centrally and then transmit these files to the clients and install them there using suitable mechanisms.
The descriptions of the configurations provided in the following assume a Windows Server 2003 domain structure is being used in the "Windows Server 2003" AD function level.
A series of safeguards must be implemented to securely configure clients running Windows Vista, starting with the design of the configuration and continuing through the installation and operation phase. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following.
Planning and design
When using Windows Vista, it is necessary to select a suitable version first (see S 2.440 Selection of a suitable Windows Vista and Windows 7 version) and to plan its use (see S 2.324 Planning the introduction of Windows XP, Vista and Windows 7). In turn, these depend on whether there will be a completely new application environment or if an existing environment will be migrated to the Windows Vista operating system. A security policy for the use of Windows Vista also needs to be created. It is possible in this case to adapt an existing security policy to cover the features of Windows Vista or to create a new policy specifically adapted to the features of Windows Vista (see S 2.325 Planning the Windows XP, Vista and Windows Vista security policies).
In a domain environment, different sets of security settings can be created and maintained with a central administrative tool such as Active Directory. Other security settings can be specified centrally and transmitted to the clients using suitable tools. Safeguard S 2.326 Planning the Windows XP, Vista and Windows 7 group policies contains information and recommendations relating to the configuration of clients under Windows Vista.
Windows Vista supports remote administration capabilities for the client and offers administrators the ability to access other systems via remote administration using Windows Vista. If these capabilities are used, appropriate action must be taken in the planning phase to ensure that unauthorised persons cannot log on to the clients. The relevant aspects are described in safeguard S 2.327 Secure remote access under Windows XP, Vista and Windows 7.
If Windows Vista will be used on portable computers, the corresponding security aspects must be taken into account during the planning phase. The aspects specific to Windows Vista are mentioned in safeguard S 2.442 Use of Windows Vista and Windows 7 on mobile systems.
The activation of the system is a particularly important issue when using Windows Vista. The reasons for this can be found in safeguard S 4.336 Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions.
Implementation
In the implementation phase, all safeguards that specifically prepare the system for secure operation are implemented. This especially includes safeguards taken to ensure security during installation and when specifying the basic configuration of the system.
Once the preparatory organisational and planning tasks have been completed, the Windows Vista systems can be installed. Special care must be taken during installation. S 4.248 Secure installation of Windows client operating systems contains a summary of the relevant recommendations. It is necessary to determine in advance during the planning phase which aspects need to be taken into account for the configuration of a Windows Vista system.
Operation
Ideally, implementation is tested first on a test installation. After successful testing, Windows Vista can then be installed on the desired clients and regular operation can then begin. The following security aspects must be taken into account in this phase:
- A Windows Vista system is often used by a number of users with highly different needs and varying requirements on the system. The result is that it is necessary to create and maintain a corresponding number of user profiles.
- The aspects to be taken into account during the regular operation phase are summarised in safeguard S 4.146 Secure operation of Windows client operating systems.
- One way to maintain the security of a Windows Vista system is to monitor the system and its individual components. The relevant recommendations can be found in S 4.344 Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems.
- Windows Vista systems, like other IT systems, are subject to general security risks. To reduce the probability of a successful attack to an acceptable level, Windows Vista systems must be kept up to date. The corresponding recommendations can be found in S 4.249 Keeping Windows client systems up to date.
- For the Windows Vista systems already in operation, the effects of the installation of Service Packs and Hotfixes must be taken into account.
- Regular checks of the currently valid security settings and, in general, of the existing security policies make an important contribution to the security of the Windows Vista systems currently in operation. The aspects to consider in this regard are summarised in S 2.330 Regular checks of the Windows XP, Windows Vista and Windows Vista security policies and their implementation.
- Windows Vista offers several administrative tools the use of which is recommended from a security perspective since it is possible with the aid of these tools to avoid security-relevant configuration errors, among other things. Furthermore, these tools are useful when troubleshooting and/or when performing audits (see S 4.243 Windows client operating system administration tools).
- It is necessary under certain circumstances to reactivate a running Windows Vista system. Information and recommendations on the reactivation can be found in S 4.343 Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions.
Disposal
The user data stored locally on workstation PCs that will be removed from a department or disposed of must be deleted. This also applies to defective data media that will be replaced. If the data on the data media cannot be reliably deleted for some reason, the data media must be destroyed using a suitable method. Corresponding recommendations can be found in S 1.15 Deleting and destroying data.
It must be taken into account that access to archived data must be possible during the required retention period even if the IT system that originally recorded the data has been disposed of.
Contingency Planning
Contingency planning also plays an important role in addition to protecting the IT systems during live operation. Information on contingency planning can be found in S 6.76 Creation of a contingency plan for failure of Windows systems. Recommendations for data backups can be found in S 6.78 Data backup under Windows clients.
The bundle of security safeguards for the "Windows Vista client" module is presented in the following:
Planning and design
| S 2.324 | (A) | Planning the introduction of Windows XP, Vista and Windows 7 |
| S 2.325 | (A) | Planning the Windows XP, Vista and Windows 7 security policies |
| S 2.326 | (A) | Planning the Windows XP, Vista and Windows 7 group policies |
| S 2.327 | (B) | Secure remote access under Windows XP, Windows Vista and Windows 7 |
| S 2.440 | (A) | Selection of a suitable Windows Vista and Windows 7 version |
| S 2.441 | (A) | Checking software for compatibility with Windows Vista and Windows 7 |
| S 2.442 | (B) | Use of Windows Vista and Windows 7 on mobile systems |
| S 4.147 | (Z) | Secure use of EFS under Windows |
| S 4.243 | (Z) | Windows client operating system administration tools |
| S 4.244 | (A) | Secure configuration of Windows client operating systems |
| S 4.245 | (A) | Basic settings for Windows Group Policy Objects |
| S 4.246 | (A) | Configuration of the system services under Windows XP, Vista and Windows 7 |
| S 4.247 | (A) | Restrictive assignment of authorisations under Windows Vista and Windows 7 |
| S 4.336 | (A) | Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions |
| S 4.337 | (Z) | Use of BitLocker drive encryption |
| S 4.338 | (A) | Use of Windows Vista and Windows 7 File and Registry Virtualization |
| S 4.339 | (B) | Prevention of unauthorised use of removable media in Windows Vista and Windows 7 |
| S 4.340 | (A) | Use of Windows User Account Control UAC in Windows Vista and higher |
| S 4.341 | (A) | Integrity protection in Windows Vista and higher versions |
| S 4.342 | (Z) | Activation of the Last Access time stamp under Windows Vista and higher |
| S 5.123 | (B) | Securing network communication in Windows |
Implementation
| S 2.32 | (Z) | Establishment of a restricted user environment |
| S 3.28 | (A) | User training on Windows client operating system security mechanisms |
| S 4.48 | (A) | Password protection under Windows systems |
| S 4.49 | (A) | Protection of the boot procedure for a Windows system |
| S 4.75 | (A) | Protection of the registry under Windows systems |
| S 4.149 | (A) | File and share authorisations in Windows |
| S 4.248 | (A) | Secure installation of Windows client operating systems |
| S 5.89 | (A) | Configuration of the Secure Channel under Windows |
| S 5.90 | (Z) | Use of IPSec under Windows |
Operation
| S 2.330 | (B) | Regular checks of the Windows XP, Windows Vista and Windows 7 security policies and their implementation |
| S 2.443 | (A) | Implementation of Windows Vista SP1 |
| S 4.56 | (C) | Secure deletion under Windows operating systems |
| S 4.146 | (A) | Secure operation of Windows client operating systems |
| S 4.249 | (A) | Keeping Windows client systems up to date |
| S 4.343 | (Z) | Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions |
| S 4.344 | (B) | Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems |
Contingency Planning
| S 6.76 | (C) | Creation of a contingency plan for failure of a Windows network |
| S 6.78 | (A) | Data backup under Windows clients |