By William Jackson
Microsoft Corp. has produced a set of security guidelines for
Windows Vista, providing a checklist of security settings and
configurations for two levels of enhanced security in the new operating
Although published by Microsoft, the guidelines are the product of a
collaboration between the software vendor and the National Security
Agency, the National Institute of Standards and Technology and the
Defense Information Systems Agency. The guidelines are the latest in a
series of recommendations for hardening Microsoft software. Kurt
Dillard, security evangelist for Microsoft's federal team, said the Vista
guidelines represent a closer collaboration with government.
"We first approached the NSA a little over four years ago to see if they
were interested in getting security recommendations for XP and 2000
aligned with government needs," Dillard said. "The original versions didn't
include input from the government."
Subsequent guidelines for Windows XP and Windows Server 2003 were in
close agreement with government recommendations, and Microsoft began
working with NIST, NSA and DISA last summer on the Vista guidelines. The
teams now are working on documents for Office 2007 and Longhorn Server.
NIST recommends that agencies considering a move to the new operating
system begin interoperability testing with deployed applications and
systems because of the substantial changes in the security architecture.
Vista is the first operating system developed under Microsoft's Secure
Development Lifecycle process and includes a number of advanced security
features in the default configuration.
NSA and the Air Force both made suggestions on security configurations
in the late stages of Vista's development, Dillard said.
"A lot of their suggestions were incorporated," he said. "The default
settings are much more secure than in previous systems."
Although the default configuration is more locked down than in earlier
operating systems, the security guidelines set out a higher level of
security for enterprises, which would probably be more advanced than
most home users would require. A higher level, Specialized
Security-Limited Functionality, is intended for some government users.
The higher-level security settings sacrifice some user convenience and
interoperability with applications.