 | |
provided by:
For Dummies is a registered trademark of Wiley Publishing, Inc. in the United States and other countries. Used here by license.Service hardening Windows services are applications that provide OS functionality, low-level application tasks, run in the background, and usually require no user interaction. Although services are essential to the operation of your system, they have historically presented a significant attack surface for malicious code writers. Service hardening is not necessarily a new security concept but has largely been the responsibility of the user — until now.
The Vista service hardening features are just one part of a multilayered security strategy that embeds security within the OS to reduce the risks associated with exploits that might target your systems. The real focus of service hardening isn’t to prevent such attacks as much as it is to reduce the damage such an exploit can cause to your system if a service is compromised. Vista service hardening provides security in the following key areas:
Least privilege service permission: In previous Windows OSes, services ran largely under the local system account — which is, essentially, the most powerful account on your computer — even if they did not require such privilege. Vista allows services to run with the least privilege that they might require, such as Local Service or Network Service. Additional restrictions can be placed on a service to limit the areas of the Registry or file system that a particular system has the ability to write to.
Service isolation: This allows a service to be separated (isolated) from other services or applications. Such isolation helps reduce the attack surface.
Firewall policy integration: Vista allows firewall policies to now be applied to services. Because network-facing services are often the target of exploits, this feature can go a long way in limiting the attack surface of your system.
Vista provides a very comprehensive security approach to service hardening. With the exception of a few additional steps that can be taken to secure the Registry with regard to least-privilege permissions, Vista handles service hardening and requires no interaction by the end user.
Internet Explorer 7Although Internet Explorer 7 (IE7) is part of the Vista OS, it can be installed as a separate application independently from Vista. Microsoft has put a great deal of effort into making Internet browsing more secure and changes in IE7 certainly reflect that.
Internet Explorer 7 provides the following security features:
Protected Mode: This defense-in-depth security feature restricts where files can be downloaded and executed, or the ability to invoke other programs without the user’s consent.
ActiveX protection: ActiveX are small, Microsoft application components that provide functions to the end user via their Web browser. Internet Explorer 7 provides security mechanisms that reduce potential risks of ActiveX exploits, such as ActiveX Opt-In and the ability to control ActiveX for a particular zone or site.
Cross-domain scripting protection: Cross-domain scripting attacks have presented a significant security threat in previous versions of Internet Explorer and Windows OSes. Internet Explorer 7 forces scripts to run in their original context, even if they are redirected to run in another security domain, mitigating much of the risk associated with cross-domain scripting attacks.
Security status bar: This feature allows you to differentiate an authentic Web site from one that is considered to be suspicious. The status bar also provides you with digital certificate information that can help you determine whether a site is trustworthy enough to make an e-commerce transaction.
Integration with Parental Controls: Internet Explorer 7 integrates with Parental Controls security features, allowing more control over Internet browsing and downloading functionality.
Phishing protection: The IE7 Phishing Filter provides some impressive functionality to protect you against an Internet phishing scheme that just might make you that next identity theft victim. Web sites that you visit are analyzed. If the site is a known phishing site or otherwise has characteristics that are commonly found in phishing sites, you will be warned of the potential danger.
Protection of personal data: Internet Explorer 7 offers the ability for one-click cleanup of information entered in Web sites, browsing history, temporary Internet files, and so on that could potentially hold tracking or otherwise Personally Identifiable Information (PII) of the user.
URL display: Crooks commonly attempt to mask a site for which they are directing you. One of the ways that crooks try to hide this is by displaying a pop-up without an address bar so that the URL of the site is not displayed. Internet Explorer 7 now requires an address bar in every window so that you can more easily identify whether the site you’re being directed to is a trusted source.
Encryption with EFS and BitLocker Now, more than ever, we use our computers to process or hold sensitive information. Whether our financial files, medical information, or private e-mail messages, this information has the potential to be the golden nugget to crooks trying to perpetuate identity theft or other crimes of fraud. To add to the problem, more of us are on the move, using portable computers that are more easily lost or stolen, ultimately putting our personal or corporate data at risk. Vista offers the Encrypting File System (EFS) and BitLocker Drive Encryption to help you protect your sensitive information that is resident on your computer from theft.
Encrypting File System (EFS): Offered in the Business, Enterprise, and Ultimate editions of Vista. Encrypting File System provides file and folder level encryption of user data.
BitLocker: Offered in Enterprise and Ultimate editions of Vista. BitLocker provides data protection by preventing unauthorized users from accessing a lost or stolen computer. The entire windows volume — such as all user and system files — are encrypted.
Windows Security Center enhancementsWindows Security Center (WSC) made its first debut in the Microsoft Windows XP OS. It returns in Windows Vista with a similar look and feel but with some enhanced functionality. Windows Security Center continues to provide a single interface to manage multiple security functions, some of which are native to the Vista OS and some (such as third-party antivirus software) that are not. New WSC enhancements in Vista include the following:
Other Security Settings category: Offers you the ability to monitor and manage IE security settings and User Account Control (UAC)
Malware Protection category: Provides the ability to monitor and manage antivirus and anti-spyware settings
Manage multiple products: Allows you to manage multiple firewall, antispyware, or antivirus products either native to Vista or third-party tools
Vendor resources: Provides direct links to vendors of the products that you have installed to get updates or other fixes to remediate issues
Windows Firewall enhancementsLike WSC, Windows Firewall also made its debut with Windows XP. It, too, returns in Vista as a significantly enhanced tool. The new Windows Firewall enhancements include the following:
Easily configurable through two different interfaces: Windows Firewall is configurable via Security Center and also through the Microsoft Management Console (MMC) snap-in for those who want to implement some advanced settings. The advance settings provide a more resolute approach.
Filtering of incoming and outgoing traffic: Vista Firewall, unlike previous versions, allows for outbound filtering.
IPsec integration: This provides an advanced security-setting console that integrates IPsec and firewall management and allows for IPsec server isolation and other customizable IPsec settings.
Firewall profiles: Although the previous version of Windows Firewall did allow for profile configuration, Vista Firewall provides for more profile options, such as Domain, Public, and Private Profiles for yet even more tenacious security than its predecessor. Such tenacity allows you, for example, to provide certain settings to your office connection yet quite different settings to your home connection.
| |
provided by:
For Dummies is a registered trademark of Wiley Publishing, Inc. in the United States and other countries. Used here by license.