S 2.443 Implementation of Windows Vista SP1

Initiation responsibility: IT Security Officer, Administrator

Implementation responsibility: Administrator

SP1 stands for Service Pack 1 and is a collection of software patches and software extensions for Microsoft's Windows Vista operating system. Service Pack 1 is available for the 32-bit version (x86) and the 64-bit version (x64) of Windows Vista.

Regarding the procurement of SP1, Microsoft supports the distribution channels Stand-alone-Package, Windows Update, and Integrated DVD. The following table states the most important properties of each of these distribution channel.

Distribution channel	Properties
Standalone Package	Does not require the Windows Vista clients on which SP1 will be installed to have internet access. A Standalone Package, once it has been obtained, can be installed on several Windows Vista clients using a program for software deployment, for example. The size of Service Pack 1 RC ranges from 400 MB to 900 MB depending on how many languages must be supported and whether the 32-bit version (x86) or the 64-bit version (x64) is selected.
Windows Update	Requires the Windows Vista clients on which SP1 will be installed to have access to the internet to connect to the corresponding Microsoft Update servers. With only about 65MB, it is significantly smaller than the Standalone Package.
Integrated DVD	Contains the Windows Vista operating system version updated to SP1 For the installation of Windows Vista together with SP1 Windows Vista needs to be activated within 30 days after completing installation.

Table: Distribution channels of Windows Vista SP1

If you decide to download SP1, it is necessary to take into account the network load placed by the downloads on the LAN of the organisation. The network load is calculated by multiplying the size of the SP1 package desired and the number of Windows Vista clients that will simultaneously download SP1.

Before using a Windows Vista production system after installing SP1, the new system must be tested in a test environment for possible incompatibilities.

Furthermore, it must be ensured before installing SP1 on a Windows Vista client that the client has the necessary hard drive space available. The hard drive space required depends on a number of factors. These factors include, for example, which delivery mechanism was selected to install SP1 on the Windows Vista client as well as the number of languages it needs to support. The installation routine of SP1 calculates the exact amount of hard disk space required for the installation. As a guideline, Microsoft specifies a required hard disk space of 4.5 GB for a Standalone Package with five supported languages for the 32-bit Vista version (x86). If necessary, exact specifications of the hard disk space required to install SP1 should be requested prior to installation from Microsoft.

Before installing SP1 on a Windows Vista client, it must be ensured that the required Windows Vista updates have already been installed. According to Microsoft Knowledge Base Article 935509, these updates include Update 935509 of the BitLocker, Update 938371 for the installation/deinstallation of SP1, and Update 937287 for the Windows Vista installation software (information valid during the Spring of 2008).

Service Pack 1 contains some security-relevant changes and extensions in addition to error corrections and improvements to existing mechanisms. These changes and extensions include, for example:

Warnings are issued instead of threatening the user with the RFM (Reduced Functionality Mode) when certain specifications are actually or supposedly violated in connection with the activation of a Windows Vista license (see S 4.336 Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions and S 4.343 Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions).
Files encrypted with EFS can be backed up using the "Backup and Recovery" tool. (see S 6.78 Data backup under Windows clients).
APIs (Application Programming Interfaces) offer improved capabilities for using anti-virus software from third-party vendors in a 64-bit environment together with Kernel Patch Protection.
Multifactor authentication using a USB stick and a PIN for BitLocker is supported when the TPM (Trusted Platform Module) is used.
It is possible to encrypt additional partitions using BitLocker (see S 4.337 Use of BitLocker drive encryption).
SHA-256, AES-GCM, and AES-GMAC are supported for ESP (Encapsulating Security Payload) and AH (Authentication Header), ECDSA, SHA-256, and SHA-384 are supported for Internet Key Exchange (IKE) and AuthIP.
The NIST SP 800-90 Elliptical Curve Cryptography (ECC) pseudo-random number generator (PRNG) is now entered in the list of PRNG's available for selection.

Review questions:

Has it been specified which version of Service Pack 1 is needed?
Was the Service Pack 1 tested in a test environment for possible incompatibilities before it was installed in a production environment?
Is there enough bandwidth available in the LAN of the organisation to download Service Pack 1 from the internet and then install it?
Does every Windows Vista client have enough hard disk space available for Service Pack 1?
Were the necessary updates according to Microsoft Knowledge Base Article 935509 installed on the Windows Vista client before Service Pack 1 was installed?