Chapter 24: Understanding Windows Vista Security Changes
An important change to note is that Windows Vista requires secure, complex
passwords by default. All passwords must have a minimum length of seven characters, a
user must keep a new password for at least one day, and the password must meet the
minimum complexity requirements.
Identifying User Rights Assignment Changes
User Rights Assignment policies determine what a user or group can do on a
computer. You can follow these steps to access User Rights Assignment policies in the
Local Security Policy console:
1. Click Start, and then click Control Panel.
2. In the Control Panel, click System and Maintenance and then click
Administrative Tools.
3. Double-click Local Security Policy.
4. As shown in Figure 24-2, expand the Local Policies node in the left pane and
then click the User Rights Assignment node.
Figure 24-1. Accessing the Password Policy node
Table 24-1. Default Password Policy in Windows XP and Windows Vista
Password Policy                     Default setting in Windows XP    Default setting in Windows Vista
Enforce Password History            3 passwords remembered           24 passwords remembered
Maximum Password Age                42 days                          42 days
Minimum Password Age                0 days                           1 days
Password Must Meet Complexity       Enabled                          Enabled
Store Passwords Using Reversible    Disabled                         Disabled
Several new user rights are available in Windows Vista. These user rights are:
Access Credential Manager as a trusted caller
This privilege controls whether an application that a user or member of a
particular group is running can establish a trusted connection to Credential Manager.
In Windows Vista, you use Credential Manager to manage a user’s credentials.
Credentials provide identification and proof of identification. Examples of
credentials are usernames and passwords, smart cards, and certificates.
Allow log on locally
This privilege controls whether a user or member of a particular group can log
on at the keyboard. This user right was originally named Log On Locally and is
renamed in Windows Vista so that there are now both “allow logon locally” and
“deny logon locally” user rights.
Create symbolic links
This privilege controls whether an application that a user or member of a
particular group is running can create a symbolic link from the computer to which she
is logged on. Symbolic links make it appear as though a document or folder is in
a specific location when it actually resides in another location. Because
malicious users can exploit symbolic links, use of symbolic links is limited by default.
Change the time zone
This privilege allows a user or member of a particular group to change the time
zone. As all members of the Users group have this right by default, all users are able
to change the computer’s time zone without requiring administrator privileges.
Increase a process working set
This privilege allows an application that a user or member of a particular group is
running to increase the memory that a process working set uses. A process
working set is the set of memory pages currently visible to a process in physical memory
(RAM). As these pages are resident in memory, they are available for an
application that a user is running without triggering a page fault. The size of the working
sets used by processes a user is running affects the virtual memory paging. This
privilege is added to Windows Vista to allow standard user applications to request
additional memory for process working sets, and it is the desired behavior.
Figure 24-2. Accessing the User Rights Assignment node
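The following added example, which is not from the book, checks a security template exported with `secedit /export /cfg` against the Windows Vista defaults stated above and lists which SIDs hold each of the five new user rights. The INF key names and `Se...` constants are the standard secedit names for these settings; the sample export is constructed and deliberately carries two of the Windows XP values from Table 24-1.

```python
import configparser

# Windows Vista defaults as stated on this page (Table 24-1 and the text before it).
VISTA_DEFAULTS = {
    "PasswordHistorySize": 24, "MaximumPasswordAge": 42, "MinimumPasswordAge": 1,
    "MinimumPasswordLength": 7, "PasswordComplexity": 1, "ClearTextPassword": 0,
}
# secedit constant names for the five user rights described above.
NEW_RIGHTS = {
    "SeTrustedCredManAccessPrivilege": "Access Credential Manager as a trusted caller",
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeCreateSymbolicLinkPrivilege": "Create symbolic links",
    "SeTimeZonePrivilege": "Change the time zone",
    "SeIncreaseWorkingSetPrivilege": "Increase a process working set",
}

# Constructed sample export (not from a real machine).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 3
ClearTextPassword = 0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
"""

def audit(inf_text):
    """Return (password-policy deviations, holders of each new user right)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep the case of secedit key names
    cfg.read_string(inf_text)
    access = cfg["System Access"] if cfg.has_section("System Access") else {}
    drift = {}
    for key, want in VISTA_DEFAULTS.items():
        got = access.get(key)
        if got is None or int(got) != want:
            drift[key] = (got, want)  # (value found, value expected)
    rights = cfg["Privilege Rights"] if cfg.has_section("Privilege Rights") else {}
    # A right that no account holds is simply absent from the export.
    holders = {name: [s.strip().lstrip("*") for s in rights.get(name, "").split(",")
                      if s.strip()] for name in NEW_RIGHTS}
    return drift, holders
```

Call `audit()` on the text of an exported template; review any SID listed under `SeCreateSymbolicLinkPrivilege` or `SeTrustedCredManAccessPrivilege` that you did not expect to see there.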
