By Gregg Larson
RISMEDIA, Jan. 21, 2008 - Many of our consulting clients are planning hardware replacements, and since most still use Microsoft products, they are asking about the security of the next generation of Microsoft Windows. Here are some key points.
Windows Vista includes many exciting security features, including an improved Firewall, Defender, and a Malicious Software Removal Tool. It allows for more organizational control over software installations via Software Restriction Policies. One can also download and install security templates from Microsoft that make the computer harder to hack into, but applying them without causing computer problems takes a more technically minded person.
Despite all of these capabilities, Vista does not come thoroughly secured “out of the box.” To get a handle on how to secure Vista, one needs to download, understand, carefully test, and implement the many items described in the Windows Vista Security Guide available from Microsoft at http://technet.microsoft.com/en-us/bb629420.aspx.
One of the security features that comes built in with Vista is called User Account Protection (UAP). It makes you either click “OK” or type a password on endless dialog boxes to do anything that requires administrative privileges. While this feature may work for computers where people don’t do much but surf the Web and read e-mail, it’s infuriating to anyone else, especially actual system administrators, who would likely rather maintain two accounts: one user account and one where they can get work done without all the extra clicks. The biggest problem with this feature is that all these dialogs eventually blur into a “click to get work done” button that nobody bothers to read any more. While this was most likely a good concept, I don’t think this feature was well thought out on the execution side.
Then, there’s Windows Server 2008. The best thing about that operating system is that you can install it for a specific role (e.g. Web, mail, or file server) and only those parts of the operating system needed to fulfill that role get installed or activated. Not only should this make the computer more efficient, but it makes the servers more secure. There are also other useful security features, including fine-grained password policies and encryption that is easier to use and manage, a must for those who store sensitive information. Note: 35 states currently have breach notification laws. Do you do business in or with anyone in one of them?
Another very exciting Server 2008 feature is Network Access Protection (NAP). NAP monitors the health of computers when they connect or communicate with the network. NAP can check computers running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3 for firewall, antivirus, and antispyware settings, and can ensure that Microsoft Update Services is enabled (so that security patches are downloaded).
Noncompliant computers can be given limited connection to your network and redirected to a site where they can find out how to fix problems.
For those of you actively looking at deploying Windows Server 2008, here’s a security guide for that operating system (OS).
You may also wish to look for the “Changes in Functionality from Windows Server 2003” document on the Microsoft site.
Hopefully, your company policy ensures that someone is responsible for making sure computers are set up securely and security is maintained. While there’s no such thing as “100% Secure,” if you take advantage of the new features Microsoft is offering through its next generation of operating systems, you can really raise the bar for security and, in doing so, protect your clients and yourself.
Gregg Larson is the CEO of Clareity Security.
For more information, visit www.ClareitySecurity.com.