[ISN] User Account Control in Windows Vista

InfoSec News isn at c4i.org
Thu Feb 9 01:41:24 EST 2006


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

GuardianEdge Technologies

GuardianEdge Technologies--Sweepstakes


1. In Focus: User Account Control in Windows Vista

2. Security News and Features
   - Recent Security Vulnerabilities
   - ISA Server 2004 Service Pack 2 Now Available
   - IE 7.0 Beta 2 Preview Available for Public Review
   - Researchers Already Scouring IE 7.0 for Holes

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Share Your Security Tips

4. New and Improved
   - Soft Token, Strong Authentication


==== Sponsor: GuardianEdge Technologies ====

Encrypt your data--from Active Directory!
   The Encryption Anywhere Data Protection Platform from GuardianEdge 
is a powerful tool for protecting data, managing compliance and 
enhancing mobility. Controlled within Active Directory, the Encryption 
Anywhere platform is a scalable, modular system for securing data on 
end-point devices and for applying consistent encryption policies 
across your organization. The Encryption Anywhere platform leverages 
what you've already established in AD, letting you distribute and 
manage encrypted Microsoft clients without changing your current 
processes. Encryption is the only true way to protect data; the 
Encryption Anywhere platform is the breakthrough enterprise encryption 
solution that provides truly robust enterprise management capabilities 
while leveraging your existing architecture and investment. For more 
information, visit http://list.windowsitpro.com/t?ctl=2030B:4FB69


==== 1. In Focus: User Account Control in Windows Vista ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft recently released the document "Applying the Principle of 
Least Privilege to User Accounts on Windows XP" (at the URL below), 
which aims to help you implement least-privileged user accounts (LUAs) 
in your Windows XP environment. The LUA terminology has been in use for 
quite a while now. Even so, Microsoft apparently wanted a clearer 
phrase for the concept. Initially, LUA was renamed User Account 
Protection (UAP), and most recently, the company landed on User Account 
Control (UAC), which will be the terminology used from here on out. 

When Windows Vista makes its debut, native UAC will be built into the 
OS, so you won't have to jump through countless hoops trying to limit 
use of administrative privileges on your network. Vista will expose new 
UAC policies that let you better control user accounts. 

Under Vista, every account is treated as either a standard user or an 
administrator, with the privileges and rights appropriate to those two 
general types of accounts. For example, there will be 14 different 
types of administrative consent that cover the usual tasks a person 
might need to perform with elevated privileges. 

In general, Vista will handle administrative access a bit more like 
Linux systems do. You'll work on the desktop with least privilege, and a 
policy assigned to your account will govern what happens when a task 
needs elevated privileges. Standard users will either be prompted for 
credentials (an administrator's username and password) or denied 
elevated access outright, depending on the policy settings. 
Administrative accounts will have both those possibilities, plus a 
Prompt for Consent option. In the latter case, the administrator simply 
clicks Yes or No to approve or refuse the elevation instead of having to 
enter credentials. 

Application installation will need attention on some networks. Vista 
will let you control whether an installer that needs elevated privileges 
triggers an elevation prompt. Microsoft said that in an enterprise 
network such prompting probably won't be required, because installation 
is delegated to Group Policy Software Install (GPSI) or Microsoft 
Systems Management Server (SMS), which install software without relying 
on the logged-on user's privileges. 

Another policy will govern applications that request elevation: you'll 
be able to deny elevation to any executable that doesn't carry a valid 
digital signature. To help with legacy applications that don't follow 
Vista's new rules, you'll also be able to redirect their registry and 
file writes to safe per-user areas on the system. In other words, 
applications that expect to write to the HKEY_LOCAL_MACHINE\SOFTWARE 
registry subkey or to the Program Files, Windows, or Windows\System32 
directories will still run, but their writes go to virtualized 
locations instead of the real ones, and the application reads its own 
copy back from the same place. So the applications will run correctly, 
but the protected locations themselves stay untouched. 
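The following script is an added example for this article; it is not 
code from the newsletter or from Microsoft. It audits the policies the 
three preceding paragraphs describe (prompt for consent or credentials, 
deny, installer detection, signature validation, and file/registry 
virtualization) and lists what virtualization has already redirected 
for the current user. The registry value names are an assumption 
relative to the article: they are the names that shipped with Vista 
and are still used in current Windows, and the value meanings given 
are the Windows 7 and later ones (Vista used only 0 to 2 for the 
administrator setting). It needs PowerShell 3 or later and runs as a 
standard user, since reading these keys does not require elevation.

```powershell
# Added example, not from the newsletter or from Microsoft. Audits the UAC
# policy values the article describes and lists what virtualization has
# redirected. Assumption: value names are the ones that shipped in Vista.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: what happens when an administrator needs to
# elevate (the article's Prompt for Consent / prompt for credentials / deny).
# Meanings are the Windows 7+ ones; Vista only used 0, 1 and 2.
$AdminBehavior = @{
    0 = 'elevate silently with no prompt (weak: same as running as full admin)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent only for non-Windows binaries'
}

# ConsentPromptBehaviorUser: the two outcomes the article gives standard users.
$UserBehavior = @{
    0 = 'deny elevation outright; the user must ask an administrator'
    1 = 'prompt for administrator credentials (secure desktop from Windows 7 on)'
    3 = 'prompt for administrator credentials'
}

$LuaState       = @{ 0 = 'UAC off: administrators always run fully elevated (weak)'
                     1 = 'UAC on: administrators get a filtered token until they elevate' }
$InstallerState = @{ 0 = 'installers not detected; rely on GPSI/SMS or explicit Run as administrator'
                     1 = 'heuristically detected installers prompt for elevation' }
$SignatureState = @{ 0 = 'unsigned executables may be elevated'
                     1 = 'only executables with a valid Authenticode signature may be elevated' }
$VirtState      = @{ 0 = 'legacy writes to HKLM\SOFTWARE, Program Files and Windows are refused'
                     1 = 'legacy writes to those locations are redirected to a per-user store' }

function ConvertTo-PolicyText {
    param([hashtable]$Table, $Value)
    if ($null -eq $Value) { return 'not set: the built-in default applies' }
    if ($Table.ContainsKey([int]$Value)) { return $Table[[int]$Value] }
    return "unrecognised value $Value"
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    $checks = @(
        @{ Setting = 'EnableLUA';                   Table = $LuaState;       WeakIf = 0 },
        @{ Setting = 'ConsentPromptBehaviorAdmin';  Table = $AdminBehavior;  WeakIf = 0 },
        @{ Setting = 'ConsentPromptBehaviorUser';   Table = $UserBehavior;   WeakIf = $null },
        @{ Setting = 'EnableInstallerDetection';    Table = $InstallerState; WeakIf = $null },
        @{ Setting = 'ValidateAdminCodeSignatures'; Table = $SignatureState; WeakIf = $null },
        @{ Setting = 'EnableVirtualization';        Table = $VirtState;      WeakIf = $null }
    )
    foreach ($c in $checks) {
        $value = if ($null -ne $p) { $p.($c.Setting) } else { $null }
        [pscustomobject]@{
            Setting = $c.Setting
            Value   = $value
            Meaning = ConvertTo-PolicyText -Table $c.Table -Value $value
            # Weak is raised only for values that switch the prompts off entirely.
            Weak    = ($null -ne $c.WeakIf -and $value -eq $c.WeakIf)
        }
    }
}

function Get-VirtualizedWrites {
    # File writes land under %LOCALAPPDATA%\VirtualStore\<mirror of the protected
    # path>; registry writes under HKCU\Software\Classes\VirtualStore\MACHINE.
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind       = 'File'
                    Redirect   = $_.FullName
                    UnderStore = $_.FullName.Substring($fileStore.Length).TrimStart('\')
                    Written    = $_.LastWriteTime
                }
            }
    }
    $regStore = 'HKCU:\Software\Classes\VirtualStore'
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind       = 'Registry'
                    Redirect   = $_.Name
                    UnderStore = $_.Name.Substring($_.Name.IndexOf('VirtualStore\') + 13)
                    Written    = $null
                }
            }
    }
}

Get-UacPolicy | Format-Table Setting, Value, Weak, Meaning -AutoSize -Wrap
Get-VirtualizedWrites | Format-Table Kind, UnderStore, Written -AutoSize
```

A Weak value of True on EnableLUA or ConsentPromptBehaviorAdmin means 
the prompts described above are not happening at all; the same six 
values are what the "User Account Control:" entries under Security 
Options in Group Policy write. Two caveats on the virtual store: 
virtualization only applies to interactive 32-bit processes that carry 
no requestedExecutionLevel manifest (64-bit binaries, services and 
manifested applications get a plain access-denied instead), and the 
store lives in the user's own profile, so anything running as that user 
can alter it. Treat it as a compatibility shim that tells you which 
legacy application is still trying to write to protected locations, not 
as a protection boundary.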

UAC will be a welcome change in Windows that will surely bring greater 
security. There will of course be the usual learning curve, so the 
sooner you get started understanding the ins and outs, the better off 
you'll be when you begin to use the OS. You can catch glimpses of 
developing UAC functionality by reading Microsoft's UACBlog (at the URL 
below) on the Microsoft Developer Network (MSDN). 


==== Sponsor: GuardianEdge Technologies ====

Win a TUMI Laptop Bag from GuardianEdge
   Register to win one of four quality TUMI laptop computer bags from 
the company that brings you the Encryption Anywhere Data Protection 
Platform. GuardianEdge Technologies (formerly PC Guardian) will exhibit 
at the RSA Conference in San Jose, Feb 14 to 16 in Booth #1827. We are 
using the show to demonstrate Encryption Anywhere Hard Disk, which 
delivers full-volume encryption of XP computers right from Active 
Directory and the Microsoft Management Console. Register online for the 
contest. You do not have to be at the conference to win. Visit:


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

ISA Server 2004 Service Pack 2 Now Available
   Microsoft released ISA Server 2004 Service Pack 2 (SP2). The new 
service pack brings new features, including enhanced caching, HTTP 
compression, and traffic prioritization.

IE 7.0 Beta 2 Preview Available for Public Review
   Microsoft released a public beta of the long-awaited Internet 
Explorer (IE) 7.0. The new browser includes numerous security features 
that will help make Web surfing much safer than it was with previous 
versions of IE. 

Researchers Already Scouring IE 7.0 for Holes
   As soon as Microsoft released IE 7.0 Beta 2 Preview, researchers 
went to work looking for security holes, and Tom Ferris found one. 


==== Resources and Events ====

Windows Connections Conference, April 9-12, 2006
   Don't miss the essential Windows technology conference. Register 
early and save!

WHITE PAPER: Evaluate the costs of losing information and learn what 
real-time information management means and how to accomplish it in your 

Learn to gather evidence of compliance across multiple systems, and 
link the data to regulatory and framework control objectives. Live Web 
Seminar: March 1, 2006; 12:00 EST

Learn about the various applications of SSL certificates and their 
appropriate deployment, along with details of how to test SSL on your 
web server.

Industry expert Paul Robichaux discusses how availability is a function 
of unplanned downtime only, helping you achieve a system available 
99.9% of the time.


==== Featured White Paper ====

Learn how storage has been redesigned to provide administrators with 
the tools to manage the storage demands of today and the future. Defer 
storage purchases, separate backup data from protected data and more!


==== Hot Spot ====

Maximizing Network Security Against Spyware and Other Threats
   Are you solving the real problems of spyware? By leaving your 
systems open to reinfestation, you risk surging bandwidth consumption, 
system instability, overwhelmed Help desks, lost user productivity, and 
other consequences. Manage both the threats and vulnerabilities from 
one console as a comprehensive security solution.


==== 3. Security Toolkit ==== 

Security Matters Blog: SANS 2005 Information Security Salary Survey
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=20307:4FB69

   SANS published its 2005 Information Security Salary & Career 
Advancement Survey. The results indicate that security administrators 
earn an average of $75,275 per year in the United States with an annual 
raise of 2.9 percent. Read more about the survey in this blog article.

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=20306:4FB69 

Q: What are the versions of Windows Vista? 

Find the answer at http://list.windowsitpro.com/t?ctl=20304:4FB69

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Announcements ====
   (from Windows IT Pro and its partners)

VIP Subscribers have it all!
   Become a VIP subscriber and get continuous, inside access to ALL of 
the online resources published in Windows IT Pro magazine, SQL Server 
Magazine, and the Exchange and Outlook Administrator, Windows Scripting 
Solutions, and Windows IT Security newsletters--that's more than 26,000 
articles at your fingertips. You'll also get a valuable one-year print 
subscription to Windows IT Pro and two VIP CD-ROMs that include the 
entire article database and are delivered twice per year. Don't miss 
out--sign up now:


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Soft Token, Strong Authentication
   Diversinet announced the release of its next-generation MobiSecure 
soft token and MobiSecure Authentication Service Center (MASC). 
MobiSecure provides an automated self-service system (meaning that 
users can download the tokens themselves over the Internet) that can 
support strong authentication for online banking, remote online access, 
and secure e-commerce applications. MobiSecure soft tokens comply with 
the Open Authentication (OATH) Reference Architecture and interoperate 
with OATH-compliant hard-token and smart-card solutions. MobiSecure 
soft tokens are available now on mobile devices supporting Java, 
Symbian, Windows Mobile, Palm, and RIM; on SanDisk TrustedFlash memory 
cards; and on PCs running Windows. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=20309:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
