S 2.324 Planning the introduction of Windows XP, Vista and Windows 7

Initiation responsibility: Head of IT

Implementation responsibility: IT Security Officer, Administrator, Head of IT

The proper and secure implementation of Windows XP, Windows Vista or Windows 7 systems requires extensive planning. The conditions necessary for the secure operation of Windows XP, Windows Vista and Windows 7 systems are created in the planning phase.

The individual planning steps depend on the operational scenarios planned for the Windows XP, Windows Vista and Windows 7 systems. Each step of the implementation process must be planned in as much detail as possible. It is not only necessary in this case to take the contents of the plan into account, but also the internal processes and procedures of the institution. All contents and processes must be defined, documented in a guideline and made accessible to all parties involved.

In general, an adequate amount of time must be planned for the implementation of Windows XP, Windows Vista and Windows 7. An introduction period of six months for large companies and government agencies is perfectly realistic. Experience has shown that the timetable will need to be updated a number of times in the course of planning.

The security-related aspects mentioned in the following must be taken into account when implementing Windows XP, Windows Vista and Windows 7.

New installation or migration/upgrade

Various procedures are available for implementing Windows XP, Windows Vista or Windows 7. On the one hand, implementation can be accomplished using a parallel infrastructure for the Windows infrastructure to be migrated (new clients are added in parallel to the existing clients). On the other hand, implementation can be achieved by migrating or updating existing client systems.

It is impossible to provide general recommendations for implementation since the implementation depends on the individual prevailing conditions. The procedure must always be tailored to the company or government agency.

When introducing a new Windows version, you must first decide whether the client systems will be migrated or whether they will receive completely new Windows installations. In practice, the existing client systems are often migrated instead of performing full installations. For new installations, installation media adapted to the individual requirements, referred to as baseline images, can be created for a structured migration. The migration of clients running older Windows versions to newer versions of the operating system requires adequate planning, especially when the domain controllers will be migrated as well (for example in the case of Windows Server 2008). In doing so, additional migration aspects on the server side must be taken into account (e.g. S 4.424 Secure use of older software under Windows 7). Each step of the migration process must be planned in as much detail as possible, since planning deficits in the timetable for the conversion can easily result in security gaps.

Only the Windows XP operating system with Service Pack 2 or higher can be upgraded to Windows Vista. Migration to Windows 7 is only possible from Windows Vista. An upgrade chain from Windows XP via Windows Vista to Windows 7 is not supported by the manufacturer and should not be performed. If you are using an older version of Windows such as Windows 2000, then you must perform a new installation of Windows Vista or Windows 7. However, you should also consider performing a new installation for clients running an upgradeable version of the operating system.

Due to the availability of different editions of Windows Vista and Windows 7, several migration paths are possible, in contrast to previous versions of Windows. It is necessary to specify which edition of Windows Vista or Windows 7 should be used in the institution (see S 2.440 Selection of a suitable Windows Vista and Windows 7 version).

The requirements for activation of Windows Vista or Windows 7 clients must be taken into account for each new installation and each upgraded system (see S 4.336 Activation of Windows Vista or Windows Server 2008 systems and higher with a volume license contract and S 4.343 Reactivation of Windows Vista or Windows Server 2008 systems and higher with a volume license contract).

It must be taken into account that extended access authorisations may be necessary during the migration phase under some circumstances (e.g. for a special migration team) and that weaker security settings may need to be selected to avoid potential compatibility problems. These settings must be returned to the highest possible security level after completing the migration. The additional migration-specific authorisations granted must be revoked after migration. In general, a successful migration must reach the same security level as a new installation. After completing the migration, a current/target state comparison must be performed for all security settings, for example the authorisations and group memberships.

The time frame for migration must be specified and maintained. The migration phase must not turn into the normal state because this will affect security in particular since the level of security available during migration is usually lower.

Software compatibility check when switching to Windows Vista or Windows 7

It must be determined which software will be installed on the Windows Vista or Windows 7 clients. Existing software must be checked to see if it can be run with Windows Vista or Windows 7 (see S 2.441 Checking software for compatibility with Windows Vista and Windows 7). This also applies to planned purchases of new software after completing a migration to Windows Vista or Windows 7.

Existing software that does not meet the compatibility requirements of Windows Vista or Windows 7 can still be operated on Windows XP clients during a transition period.

Assuming the corresponding hardware is available, you may also want to consider using virtualisation. Virtualisation is achieved on a Windows Vista or Windows 7 client by installing virtualisation software. This software makes virtual hardware available, on which another operating system can be installed together with the necessary application software. The Enterprise Edition of Windows 7 contains the Microsoft Virtual PC virtualisation software as a standard component. Windows 7 Professional, Enterprise and Ultimate additionally provide Windows XP Mode with a licence for a virtual Windows XP machine. When using virtualisation software, the virtual operating system must also be secured.

Planning the use in mixed Windows environments

When using Windows XP, Windows Vista or Windows 7 clients in mixed Windows environments (e.g. together with Windows NT 4.0 systems), it may be necessary to lower the security settings (no continuous digital signing of the network communication, for example). This must be taken into account when planning. In particular, it must be ensured that the security settings will be increased to the higher level once a homogeneous environment has been created, which means that only Windows XP, Windows Vista or Windows 7 clients as well as Windows 2000/2003/2008 domain controllers and servers are used.

If Windows XP, Windows Vista or Windows 7 clients are used in NT 4.0 environments, then Active Directory-based group policies are not available. In this case, local security policies must be used to implement the desired security settings. In particular, it is necessary to plan the deployment mechanism for the intended policy settings in this case. In addition, a concept for maintaining the local security policies must be created during the planning phase.

Active Directory-based planning

When implementing Windows XP, Windows Vista or Windows 7 in an Active Directory environment, it is not enough just to examine the clients. In this case, the servers must also be taken into account. It is also necessary to plan all changes to be made to the Active Directory, and the security settings on the clients and servers must be adjusted so the levels of security offered match.

For example, corresponding group and OU (Organizational Unit) structures must be developed in the Active Directory. A suitable OU structure makes operation of the Windows XP, Windows Vista and Windows 7 systems easier and, due to the greater transparency offered, more secure.

If Windows Vista or Windows 7 clients will be operated in an Active Directory environment, then Windows Server 2003 with Service Pack 1 (SP1) or higher must be run on all domain controllers.

If a server version older than Windows Server 2008 is run on the domain controllers, then the group policies must be configured using a Windows Vista or Windows 7 client.

On the client, a domain administrator will need to create the required group policy configurations using the GPOAccelerator tool. These configurations then need to be transferred to the domain controllers.

Furthermore, it is necessary to plan the group policy structure in the Active Directory. You must decide in the planning phase if you want to use group policy-specific mechanisms such as blocking inheritance or security filtering. When deciding, it is necessary to take the order in which the group policies are processed into account. The measures relating to the planning of group policies are described in S 2.326 Planning the Windows XP, Vista and Windows 7 group policies.

The general Active Directory planning measures are summarised in S 2.229 Planning Active Directory, among other safeguards.

Security concept and security policy

It is extremely important to plan and create a security concept and a security policy before the introduction of Windows XP, Windows Vista or Windows 7. The security policy must take all security-related aspects of the operation of Windows XP, Windows Vista or Windows 7 into account. Additional requirements for the security concept are summarised in safeguard S 2.325 Planning the Windows XP, Vista and Windows 7 security policies.

User concept

When planning the user concept, rules must be specified for the handling of local and domain-wide user accounts. When using Windows XP, Windows Vista and Windows 7 in a Windows domain, it is also necessary to decide whether user profiles will be stored on servers (i.e. whether roaming user profiles will be used). In particular, the use of roaming user profiles affects the backup strategy as well as the use of the Windows Encrypting File System (EFS).

When planning the user concept for a Windows Vista or Windows 7 system, it is necessary to specify how to handle the User Account Control (UAC) (see S 4.340 Use of Windows User Account Control UAC in Windows Vista and higher). It is recommended to select the settings so that standard users are not able to elevate their privileges.
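The current/target state comparison required after migration (authorisations and group memberships) and the UAC requirement that standard users cannot elevate can be checked on a client with a script like the following. This is an added example, not part of the BSI catalogue; the target administrator list is a constructed sample and must be replaced with the institution's documented administration concept, and the UAC check only applies to Windows Vista and Windows 7.

```powershell
# Added example (not from the BSI catalogue): post-migration current/target comparison of the
# local Administrators group against a documented target list, plus the UAC setting that
# keeps standard users from elevating. Uses the ADSI WinNT provider so it also runs on
# Windows XP/Vista/7 with PowerShell 2.0 (Get-LocalGroupMember is not available there).

# Constructed sample target state; replace with the institution's administration concept.
$TargetAdmins = @('Administrator', 'CORP\Domain Admins', 'CORP\Workstation-Admins')

function Get-LocalAdminMembers {
    # Returns members as DOMAIN\Name; purely local accounts are returned as the bare name.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CORP/Domain Admins or WinNT://HOST01/Administrator
        $name = ($path -replace '^WinNT://', '') -replace '/', '\'
        $name -replace ('^' + [regex]::Escape($env:COMPUTERNAME) + '\\'), ''
    }
}

function Compare-AdminMembership {
    param([string[]]$Current, [string[]]$Target)
    # Extra   = migration-specific authorisations that are still present and must be revoked
    # Missing = target state not yet reached
    New-Object PSObject -Property @{
        Extra   = @($Current | Where-Object { $Target  -notcontains $_ })
        Missing = @($Target  | Where-Object { $Current -notcontains $_ })
    }
}

function Test-UacDeniesStandardUserElevation {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # EnableLUA = 1 switches UAC on; ConsentPromptBehaviorUser = 0 is the
    # "Automatically deny elevation requests" setting for standard users.
    return ($p -ne $null -and $p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorUser -eq 0)
}

$result = Compare-AdminMembership -Current @(Get-LocalAdminMembers) -Target $TargetAdmins
$uacOk  = Test-UacDeniesStandardUserElevation
"Extra local administrators (to be removed): " + ($result.Extra -join ', ')
"Target administrators missing:               " + ($result.Missing -join ', ')
"UAC denies standard-user elevation:          $uacOk"
# Non-zero exit code so the check can be run by a deployment or monitoring job.
if ($result.Extra.Count -gt 0 -or -not $uacOk) { exit 1 }
```

Run the script with administrative privileges on each migrated client and keep the output as the record of the current/target comparison.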

Administration concept

An administration concept must be created before the introduction of Windows XP, Windows Vista or Windows 7. There are basically two different kinds of account available for administrative personnel. If possible, the administrators should be assigned an account possessing only the privileges of a standard user for their normal work. An account with administrative privileges should only be used when the standard privileges are inadequate. After completing the corresponding tasks, the administrator should log out of the account with administrative privileges and resume working with the standard user account.

The User Account Control configuration to be used should be documented in the administration concept.

Furthermore, rules must be provided regarding remote administration of the clients and the handling of local administrative accounts. Questions relating to the personnel and organisational responsibilities also need to be considered in the concept. Responsibilities must be separated (segregation of duties) and anchored in the administration concept. The corresponding implementation must be planned at the organisational as well as the technical level.

If the Windows XP, Windows Vista or Windows 7 systems are used in an Active Directory environment, then the administrative responsibilities and limits as well as the policies for assigning administrative authorisations for client and user objects in the Active Directory must be clarified.

Logging/audit concept

In order to be able to guarantee the security of a Windows XP, Windows Vista or Windows 7 client, it is necessary to monitor the users to see if they are following the specified security policies (see S 2.325 Planning the Windows XP, Vista and Windows 7 security policies). In particular, organisational and technical rules must be specified to regulate the evaluation of the data collected regularly. If Windows Vista or Windows 7 is used, then the evaluation should also include the Windows Firewall log files. The security aspects to be taken into account when logging are listed in S 4.148 Monitoring a Windows 2000/XP system and S 4.344 Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems.

Data storage, data backup, and encryption

It is necessary to specify where user data will be stored (see S 2.138 Structured data storage). It is not generally recommended to store data on client systems. For this reason, a suitable storage infrastructure must be provided on the servers. Which strategy will be followed must be decided on a case-by-case basis depending on the specific circumstances. In certain operational scenarios, for example when using a portable IT system, it is both necessary and desirable to store data on the system. In such cases, the storage of data and its (cryptographic) protection must be planned accordingly (see S 4.29 Use of an encryption product for portable IT systems). The implementation of the technical safeguards used to ensure the security of the data stored locally, such as hard drive encryption, EFS, or encryption of the offline files, must be planned prior to introduction.

Windows Vista and Windows 7 offer BitLocker, which provides offline encryption of the boot partition, for storing data on the clients and protecting it cryptographically. Offline encryption means that the encryption is only effective when the system is turned off. When Windows Vista with Service Pack 1 and higher or Windows 7 is installed, BitLocker can also encrypt other partitions. When used in connection with a Trusted Platform Module (TPM) in the IT system, BitLocker also ensures system integrity during the boot process.

Consideration should be given to the use of BitLocker, especially when portable systems are used. If BitLocker will be used, then it is also necessary to specify which of the four possible forms of user authentication will be used. More detailed information on the BitLocker can be found in S 4.337 Use of BitLocker drive encryption.

To enforce clear separation between user-specific and project-specific data as well as between the programs and data of the operating system, it is necessary to plan a suitable directory structure. For example, you could create two main directories named \Projects and \Users containing separate subdirectories for storing the files and directories of each project and each user.

When implementing Windows XP, Windows Vista or Windows 7, it is also necessary to specify a corresponding data backup strategy. The procedure must be specified for each IT system and for each file type. The implementation depends especially on the type of data stored on the client. If no data is stored on a client, only standard software is used, and the users all have roaming user profiles, then it may not be necessary to back up the data on the client under some circumstances. However, if data is stored on a Windows XP, Windows Vista or Windows 7 system, then the data on this computer needs to be backed up. Additional information on this subject is provided in S 6.32 Regular data backup and S 6.33 Development of a data backup policy.

The use of EFS or BitLocker must be taken into account when specifying the backup strategy. If EFS is used, then the recommendations in safeguard S 6.56 Data backup when using cryptographic procedures generally need to be taken into account. In particular, the backup concept should specify rules for handling key material during recovery operations (see also S 4.147 Secure use of EFS under Windows for more information on this subject).

Rollout

The procedures performed during installation, i.e. during the rollout phase, must be taken into account when planning. Among other things, it is necessary to clearly define the personnel responsibilities for the rollout. In addition, a rollout contingency concept must be created. This contingency concept must ensure that the system can be quickly restored to a productive state if the migration or installation fails. If servers are migrated in addition to the client operating systems, then the migration of the servers should be performed first, because new or modified group policies, Active Directory settings or authorisation concepts can only be applied to the clients to be migrated once the servers provide them.

Additional concepts

In addition to the concepts stated above, additional concepts may be necessary depending on the operational scenario. Such concepts could include, for example, a naming concept (naming conventions for the computers, user groups, and users), a software deployment concept, or a concept for application migrations. Application migrations in particular can affect the security of a Windows system (e.g. lower access rights for the registry) and therefore need to be planned carefully.

The additional concepts must then be taken into account in the planning phase as well.

In general, a company or institution will already have corresponding concepts available, but these concepts must be examined to ensure they are suitable for use in Windows XP, Windows Vista and Windows 7 environments.

Finally, it is also necessary to plan which users and administrators need to be trained and when they should receive this training. The administrators in particular must receive basic training on the administration and security of the Windows versions used. The Windows systems should only be put into operation after the users and administrators have received such training.

Review questions: