[ISN] User Account Control in Windows Vista
isn at c4i.org
Thu Feb 9 01:41:24 EST 2006
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
1. In Focus: User Account Control in Windows Vista
2. Security News and Features
- Recent Security Vulnerabilities
- ISA Server 2004 Service Pack 2 Now Available
- IE 7.0 Beta 2 Preview Available for Public Review
- Researchers Already Scouring IE 7.0 for Holes
3. Security Toolkit
- Security Matters Blog
- Share Your Security Tips
4. New and Improved
- Soft Token, Strong Authentication
==== Sponsor: GuardianEdge Technologies ====
Encrypt your data--from Active Directory!
The Encryption Anywhere Data Protection Platform from GuardianEdge
is a powerful tool for protecting data, managing compliance and
enhancing mobility. Controlled within Active Directory, the Encryption
Anywhere platform is a scalable, modular system for securing data on
end-point devices and for applying consistent encryption policies
across your organization. The Encryption Anywhere platform leverages
what you've already established in AD, letting you distribute and
manage encrypted Microsoft clients without changing your current
processes. Encryption is the only true way to protect data; the
Encryption Anywhere platform is the breakthrough enterprise encryption
solution that provides truly robust enterprise management capabilities
while leveraging your existing architecture and investment. For more
information, visit http://list.windowsitpro.com/t?ctl=2030B:4FB69
==== 1. In Focus: User Account Control in Windows Vista ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Microsoft recently released the document "Applying the Principle of
Least Privilege to User Accounts on Windows XP" (at the URL below),
which aims to help you implement least-privileged user accounts (LUAs)
in your Windows XP environment. The LUA terminology has been in use for
quite a while now. Even so, Microsoft apparently wanted a clearer
phrase for the concept. Initially, LUA was renamed User Account
Protection (UAP), and most recently, the company landed on User Account
Control (UAC), which will be the terminology used from here on out.
When Windows Vista makes its debut, native UAC will be built into the
OS, so you won't have to jump through countless hoops trying to limit
use of administrative privileges on your network. Vista will expose new
UAC policies that let you better control user accounts.
When using Vista, you'll either be considered a standard user or an
administrator with privileges and rights appropriate to those two
general types of accounts. For example, there will be 14 different
types of administrative consent that cover the usual tasks a person
might need to perform.
In general, Vista will operate a bit more like Linux systems when it
comes to administrative access. You'll operate on the desktop with
least privileges, and your account will have a policy assigned to
handle any need for elevation of privileges. Standard users will either
be prompted for credentials (username and password) or denied elevated
access outright, depending on the policy settings. Administrative
accounts will have both those possibilities, plus a Prompt for Consent
option. In the latter case, administrators would simply click Yes or No
to elevated privileges instead of having to enter their credentials.
Application installation will be an issue for some users, depending on
their particular network. Vista will let you control whether elevation
takes place when required by an application. Microsoft said that in an
enterprise network, such elevation probably won't be required when
installation is delegated to Group Policy Software Install (GPSI) or
Microsoft Systems Management Server (SMS).
Another policy will govern applications that require elevation of
privileges. You'll be able to deny elevation if the applications don't
have a valid digital signature. To help with legacy applications that
don't adhere to Vista's new architecture, you'll also be able to
redirect registry and file writing activity to safe areas on the
system. In other words, applications that typically write to the
HKEY_LOCAL_MACHINE\SOFTWARE registry subkey or the Program Files,
Windows, or Windows\System32 directories will still be able to run, but
any write I/O will be written to virtualized locations instead of those
actual locations. So the applications will run correctly, but sensitive
storage areas won't be overly exposed.
UAC will be a welcome change in Windows that will surely bring greater
security. There will of course be the usual learning curve, so the
sooner you get started understanding the ins and out, the better off
you'll be when you begin to use the OS. You can catch glimpses of
developing UAC functionality by reading Microsoft's UACBlog (at the URL
below) on the Microsoft Developer Network (MSDN).
==== Sponsor: GuardianEdge Technologies ====
Win a TUMI Laptop Bag from GuardianEdge
Register to win one of four quality TUMI laptop computer bags from
the company that brings you the Encryption Anywhere Data Protection
Platform. GuardianEdge Technologies (formerly PC Guardian) will exhibit
at the RSA Conference in San Jose, Feb 14 to 16 in Booth #1827. We are
using the show to demonstrate Encryption Anywhere Hard Disk, which
delivers full-volume encryption of XP computers right from Active
Directory and the Microsoft Management Console. Register online for the
contest. You do not have to be at the conference to win. Visit:
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
ISA Server 2004 Service Pack 2 Now Available
Microsoft released ISA Server 2004 Service Pack 2 (SP2). The new
service pack brings new features, including enhanced caching, HTTP
compression, and traffic prioritization.
IE 7.0 Beta 2 Preview Available for Public Review
Microsoft released a public beta of the long-awaited Internet
Explorer (IE) 7.0. The new browser includes numerous security features
that will help make Web surfing much safer than it was with previous
versions of IE.
Researchers Already Scouring IE 7.0 for Holes
As soon as Microsoft released IE 7.0 Beta 2 Preview, researchers
went to work looking for security holes, and Tom Ferris found one.
==== Resources and Events ====
Windows Connections Conference, April 9-12, 2006
Don't miss the essential Windows technology conference. Register
early and save!
WHITE PAPER: Evaluate the costs of losing information and learn what
real-time information management means and how to accomplish it in your
Learn to gather evidence of compliance across multiple systems, and
link the data to regulatory and framework control objectives. Live Web
Seminar: March 1, 2006; 12:00 EST
Learn about the various applications of SSL certificates and their
appropriate deployment, along with details of how to test SSL on your
Industry expert Paul Robichaux discusses how availability is a function
of unplanned downtime only, helping you achieve a system available
99.9% of the time.
==== Featured White Paper ====
Learn how storage has been redesigned to provide administrators with
the tools to manage the storage demands of today and the future. Defer
storage purchases, separate backup data from protected data and more!
==== Hot Spot ====
Maximizing Network Security Against Spyware and Other Threats
Are you solving the real problems of spyware? By leaving your
systems open to reinfestation, you risk surging bandwidth consumption,
system instability, overwhelmed Help desks, lost user productivity, and
other consequences. Manage both the threats and vulnerabilities from
one console as a comprehensive security solution.
==== 3. Security Toolkit ====
Security Matters Blog: SANS 2005 Information Security Salary Survey
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=20307:4FB69
SANS published its 2005 Information Security Salary & Career
Advancement Survey. The results indicate that security administrators
earn an average of $75,275 per year in the United States with an annual
raise of 2.9 percent. Read more about the survey in this blog article.
by John Savill, http://list.windowsitpro.com/t?ctl=20306:4FB69
Q: What are the versions of Windows Vista?
Find the answer at http://list.windowsitpro.com/t?ctl=20304:4FB69
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Announcements ====
(from Windows IT Pro and its partners)
VIP Subscribers have it all!
Become a VIP subscriber and get continuous, inside access to ALL of
the online resources published in Windows IT Pro magazine, SQL Server
Magazine, and the Exchange and Outlook Administrator, Windows Scripting
Solutions, and Windows IT Security newsletters--that's more than 26,000
articles at your fingertips. You'll also get a valuable one-year print
subscription to Windows IT Pro and two VIP CD-ROMs that include the
entire article database and are delivered twice per year. Don't miss
out--sign up now:
==== 5. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Soft Token, Strong Authentication
Diversinet announced the release of its next-generation MobiSecure
soft token and MobiSecure Authentication Service Center (MASC).
MobiSecure provides an automated self-service system (meaning that
users can download the tokens themselves over the Internet) that can
support strong authentication for online banking, remote online access,
and secure e-commerce applications. MobiSecure soft tokens comply with
the Open Authentication (OATH) Reference Architecture and interoperate
with OATH-compliant hard-token and smart-card solutions. MobiSecure
soft tokens are available now on mobile devices supporting Java,
Symbian, Windows Mobile, Palm, and RIM; on SanDisk TrustedFlash memory
cards; and on PCs running Windows. For more information, go to
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=20309:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.
More information about the ISN