Service provider takeaway: Service providers will learn how to ensure Windows Vista security in this Channel Checklist that highlights eight steps for locking down the OS.
When Microsoft created Windows Vista, one of the primary design goals was to address the various security problems that have plagued Windows XP for so many years. The end result is that Windows Vista security is far more comprehensive than Windows XP's ever was. Even so, Windows Vista does have its vulnerabilities, and it is important that you take a few steps to address them when you deploy Vista on your clients' PCs. This checklist describes some steps that you can take toward ensuring Windows Vista security.
- Install antivirus software
The first thing I recommend doing after installing Vista is to install some antivirus software. Windows Vista comes with Microsoft's malicious software removal tool, but it isn't a comprehensive antivirus solution. You still need a commercial antivirus product if you want to properly protect Vista against viruses.
- Ensure that the Windows Firewall is enabled
When you install Windows Vista, the Windows Firewall should be activated by default. Even so, the firewall is important enough that I recommend taking a minute to ensure that it is up and running. The easiest way to do this is to open the Control Panel, click the Security link and then click the Windows Firewall link. The resulting dialog box will tell you whether or not the Windows Firewall is turned on.
- Make sure that Windows Defender is enabled
The next step that I recommend taking in securing Windows Vista is to verify that Windows Defender is enabled. Windows Defender is enabled by default, but it can be disabled through various means.
- Apply any necessary patches
Security patches have already been released for Windows Vista, and the OS must be kept up-to-date with the latest patches. Keep in mind that the initial patching process is going to require several rounds of patching since some patches cannot be applied until other patches are in place. Therefore, you will have to patch and then re-patch the system several times before it is up to date.
- Configure the machine's local security policy
Configuring the machine's local security policy is a step that many administrators neglect. After all, if the machine is a member of a domain, then the domain security policy gets applied when the user logs in. But unless you have also populated the machine's local security policy, the machine is left virtually unprotected until a user logs onto a domain. There are no group policies protecting the machine when no one is logged on, or when someone is logged on using a local security account. I recommend applying the same types of settings through the machine's local security policy as you would through the domain security policy.
- Patch any applications that are installed
Just as the Windows operating system contains security vulnerabilities that Microsoft has patched, most applications also contain security vulnerabilities that can be exploited. The Windows Update service automatically patches some of the more popular Microsoft applications, but it does not do anything to keep your client's third-party applications up-to-date. It is important that you check the Internet to see if patches have been released for the client's third-party applications and then download and apply any patches that you find.
- Look for updated drivers
Another important step in the initial deployment process is to check for outdated device drivers. Administrators typically think of updated device drivers as providing additional capabilities, or as fixes for stability or performance issues. While these are all good things, there have been many cases over the years in which updated device drivers corrected security holes. That's why it is so important to make sure that your device drivers are up-to-date.
- Raise Internet Explorer's security level
One last thing that I recommend to ensure Windows Vista security is to adjust Internet Explorer's security level. By default, Internet Explorer is set to use a security level of Medium-high. This is appropriate for most environments, but it still leaves Internet Explorer somewhat vulnerable to attack. You can make Internet Explorer a lot less vulnerable by setting the security level to High, but doing so may impact the functionality of some websites. If you decide to adjust the Internet Explorer security level, you can do so by selecting the Internet Options command from Internet Explorer's Tools menu. The security level can be found on the resulting Properties sheet's Security tab.
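A read-only audit of several checklist items (firewall state, Windows Defender, the Internet Explorer Internet-zone level and the local security policy), as an added example that is not part of the original article. It assumes Windows PowerShell is installed on the Vista machine, English-language netsh output and an elevated prompt; the function names are illustrative.

```powershell
# Added example: read-only audit of checklist items on a Windows Vista client.
# Assumes English-language netsh output and an elevated prompt (needed for secedit).

function Test-FirewallProfiles {
    # netsh prints one "State   ON|OFF" line per profile (Domain, Private, Public).
    $states = @(netsh advfirewall show allprofiles state |
                Where-Object { $_ -match '^\s*State\s+(ON|OFF)\s*$' })
    $off = @($states | Where-Object { $_ -match 'OFF' })
    return (($states.Count -gt 0) -and ($off.Count -eq 0))
}

function Test-WindowsDefender {
    # Defender counts as enabled only if its service runs and no policy switches it off.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                            -ErrorAction SilentlyContinue
    $disabledByPolicy = ($pol -ne $null) -and ($pol.DisableAntiSpyware -eq 1)
    return (($svc -ne $null) -and ($svc.Status -eq 'Running') -and (-not $disabledByPolicy))
}

function Get-IEInternetZoneLevel {
    # Zone 3 is the Internet zone; CurrentLevel holds the slider position for this user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $zone = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (($zone -eq $null) -or ($zone.CurrentLevel -eq $null)) { return 'Not set' }
    $names = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium' }
    $level = [int]$zone.CurrentLevel
    if ($names.ContainsKey($level)) { return $names[$level] }
    return ('Custom or lower (0x{0:X})' -f $level)
}

function Get-LocalPolicySettings {
    # Export the local security policy and return its [System Access] lines
    # (password and lockout settings) for comparison with the domain policy.
    $cfg = Join-Path $env:TEMP 'local-secpol.inf'
    secedit /export /cfg $cfg | Out-Null
    $inSection = $false
    foreach ($line in (Get-Content $cfg)) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'System Access') }
        elseif ($inSection -and $line.Trim()) { $line }
    }
}

"Firewall on for all profiles : $(Test-FirewallProfiles)"
"Windows Defender enabled     : $(Test-WindowsDefender)"
"IE Internet zone level       : $(Get-IEInternetZoneLevel)"
"Local policy, [System Access]:"
Get-LocalPolicySettings
```

The Internet Explorer check reads the per-user setting only, so run it as the account the client will actually use.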
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
This was first published in July 2008