Jump to content

Short Experts Guide to Windows Vista Security


NIM

Recommended Posts

vista_flag.png

Microsoft, as you probably know, has spent a lot of time and millions of dollars to make Windows Vista more secure and ultimately to protect users from themselves.

But you -- you've been using computers for years, right? You don't need any of this hand-holding. You were infested with malware that one time, but that wasn't your fault. And no one has noticed the eight toolbars in your browser whose origin you couldn't explain.

Oh, and your significant other was very understanding about Blaster causing you to work 80-hour weeks cleaning up a software wasteland.

You and your network are clearly ready for Vista without the locks. Here's how to fly with all the safeties off.

-------------------------------------------------------------------------------------------------

Turn User Account Control completely off

User Account Control, or UAC, is a new security feature that limits the authority of accounts users are running in, restricting them from entering protected areas or performing sensitive actions on the system. Briefly, users log on, whether they are power users, ordinary users or administrators, and are assigned a normal security token.

However, when an action is requested that requires administrative privileges, a logon prompt is displayed and the user must enter credentials; at that time, an administrative security token is assigned to them that allows them to carry out the protected function. This really bothers some people, especially power users, who think they don't need to be protected from themselves.

For the people who subscribe to that school of thought, it's relatively easy to turn off UAC entirely. You'll need to open GPEDIT.MSC, acknowledge the very UAC prompt you're trying to disable, and then disable everything beginning with "User Account Control" under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.

uacgx6.th.jpg

-------------------------------------------------------------------------------------------------

Turn off data execution prevention

Data Execution Prevention (DEP) is a security feature introduced in Windows XP, Windows Server 2003 and now in Windows Vista, that looks for malicious code trying to execute. If DEP's analysis of a process beginning execution makes DEP think the resulting code will cause some sort of unwanted activity, DEP intervenes and shuts the process down.

It sounds good in theory, but too often DEP shuts down legitimate programs -- particularly third-party installers used by software developers that release their products for download off the Web. Equally too often, DEP fails to show any sort of warning or information prompt telling you it shut off a process, leaving you scratching your head, wondering why your machine is ignoring you.

You might want to turn off Data Execution Prevention globally by issuing the following at an elevated command prompt (i.e., a shell running with administrative credentials): bcdedit.exe /set {current} nx AlwaysOff

(As you might imagine, it's almost as simple to turn it back on should you want DEP's protection back on your side. The following command will do the trick: bcdedit.exe /set {current} nx AlwaysOn)

-------------------------------------------------------------------------------------------------

Neuter the built-in Windows Internet Explorer protections

The new Protected Mode -- available in Windows Vista -- runs IE in an isolated security setting, working in conjunction with most of the other, under-the-hood, architectural improvements in Windows Vista. With Protected Mode enabled, Internet Explorer runs within a low-right environment no matter which user actually launched the process.

Add-ins, like ActiveX controls and browser toolbars, subsequently run with low rights as well. This helps to prevent browser-based malware from latching onto your system through IE, which was a significant problem in previous versions of Windows.

But maybe you want to surf with all caution to the wind, since you trust yourself. Or maybe some of the restrictions of Protected Mode, like having to open separate windows to switch between intranet sites and Internet sites or other cross-security zone jumps, drive you crazy. In this case, you can turn off Protected Mode by double-clicking the lower right corner of any IE window, and on the resulting Internet Security dialog box (shown in Figure 2), unchecking the Enable Protected Mode box. You'll have to restart IE to make the change effective.

protectedmode.png

-------------------------------------------------------------------------------------------------

--------------

Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. His work appears regularly in such periodicals as Windows IT Pro magazine, PC Pro and TechNet Magazine. He also speaks worldwide on topics, ranging from networking and security to Windows administration. He is currently an editor for Apress LLC, a publishing company specializing in books for programmers and IT professionals.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...