Microsoft guidelines give the bottom line on security settings

Microsoft Corp. has produced a set of security guidelines for Windows Vista, providing a checklist of security settings and configurations for two levels of enhanced security in the new operating system.

Although published by Microsoft, the guidelines are the product of a collaboration between the software vendor and the National Security Agency, the National Institute of Standards and Technology and the Defense Information Systems Agency. The guidelines are the latest in a series of recommendations for hardening Microsoft software. Kurt Dillard, security evangelist for Microsoft's federal team, said the Vista guidelines represent a closer collaboration with government.

'We first approached the NSA a little over four years ago to see if they were interested in getting security recommendations for XP and 2000 aligned' with government needs, Dillard said. 'The original versions didn't include input from the government.'

Subsequent guidelines for Windows XP and Windows Server 2003 were in close agreement with government recommendations, and Microsoft began working with NIST, NSA and DISA last summer on the Vista guidelines. The teams are now working on documents for Office 2007 and Longhorn Server.

NIST recommends that agencies considering a move to the new operating system begin interoperability testing with deployed applications and systems because of the substantial changes in the security architecture. Vista is the first operating system developed under Microsoft's Secure Development Lifecycle process and includes a number of advanced security features in the default configuration.

NSA and the Air Force both made suggestions on security configurations in the late stages of Vista's development, Dillard said.

'A lot of their suggestions were incorporated,' he said. 'The default settings are much more secure than in previous systems.'

Although the default configuration is more locked down than in earlier operating systems, the security guidelines define a higher level of security for enterprises that would probably exceed what most home users require. A still higher level, Specialized Security-Limited Functionality, is intended for some government users.

The higher-level security settings sacrifice some user convenience and interoperability with applications.

About the Author

William Jackson is a Maryland-based freelance writer.
