Chapter 24: Understanding Windows Vista Security Changes
Identifying Security Options Changes
Security Options enable or disable individual security settings on a computer. You can follow these steps to access Security Options in the Local Security Policy console:
1. Click Start, and then click Control Panel.
2. In the Control Panel, click System and Maintenance and then click Administrative Tools.
3. Double-click Local Security Policy.
4. As shown in Figure 24-3, expand the Local Policies node in the left pane and then click the Security Options node.
Table 24-3 compares the default Security Options settings in Windows XP and Windows Vista. Most of the new Security Options in Windows Vista pertain to User Account Control (UAC). UAC runs every interactive user, administrators included, with a standard-user access token and asks for explicit consent (or administrator credentials) before a program is granted administrative privileges. In particular, UAC is designed to block the silent installation of spyware and other malicious programs that need administrative rights, or at least to make the user aware that such a program is trying to install itself.
Figure 24-3. Accessing the Security Options node
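The split-token behaviour just described can be observed directly. The following PowerShell is an added example, not code from the book: it reads the two UAC registry values that govern the behaviour (EnableLUA and ConsentPromptBehaviorAdmin, whose Vista defaults of 1 and 2, "prompt for consent", come from Microsoft's documentation rather than from this chapter), reports whether the current session holds an elevated token, and shows that a relaunch through the RunAs verb is what produces the consent dialog. The function names are this example's own.

```powershell
# Added example (not from the book): what UAC does to an administrator's session.
# Registry value names and their Vista defaults (EnableLUA=1,
# ConsentPromptBehaviorAdmin=2 = "prompt for consent") are taken from
# Microsoft's documentation, not from the chapter text.

function Get-UacState {
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # With UAC on, an administrator's normal token is filtered: the Administrators
    # group SID is marked deny-only, so this role check is $false until the
    # process has been elevated through a consent prompt.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        User                = $identity.Name
        UacEnabled          = ($policy.EnableLUA -eq 1)
        AdminPromptBehavior = $policy.ConsentPromptBehaviorAdmin
        TokenIsElevated     = $elevated
    }
}

function Invoke-Elevated {
    param([string]$Command)
    # Relaunching with the RunAs verb is what triggers the UAC consent dialog.
    # A program cannot elevate itself silently while EnableLUA is 1; the user
    # always sees the prompt, which is the "make the user aware" part of UAC.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoProfile', '-Command', $Command
}

$state = Get-UacState
$state | Format-List User, UacEnabled, AdminPromptBehavior, TokenIsElevated

# Demonstrate the prompt: the child shell shows the elevated token's groups,
# including the "High Mandatory Level" integrity label absent from this shell.
if ($state.UacEnabled -and -not $state.TokenIsElevated) {
    Invoke-Elevated 'whoami /groups; pause'
}
```

Run it first from an ordinary administrator shell: TokenIsElevated reports False even though the account is in Administrators, and the last block pops the consent dialog. Run it again from a shell started with "Run as administrator" and TokenIsElevated is True with no prompt, because that shell already holds the full token.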
Table 24-3. Comparing Security Options in Windows XP and Windows Vista

| Security option | Default setting in Windows XP | Default setting in Windows Vista |
|---|---|---|
| Accounts: Administrator Account Status | Not applicable | Disabled |
| Accounts: Guest Account Status | Not applicable | Disabled |
| Accounts: Limit Local Account Use of Blank Passwords to Console Logon Only | Enabled | Enabled |
| Accounts: Rename Administrator Account | Administrator | Administrator |
| Accounts: Rename Guest Account | Guest | Guest |
| Audit: Audit the Access of Global System Objects | Disabled | Disabled |
| Audit: Audit the Use of Backup and Restore Privilege | Disabled | Disabled |
| Audit: Shut Down System Immediately If Unable to Log Security Audits | Disabled | Disabled |
| DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax | Not defined | Not defined |
| DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax | Not defined | Not defined |
| Devices: Allow Undock Without Having to Log On | Enabled | Enabled |
| Devices: Allowed to Format and Eject Removable Media | Administrators | Not defined |
| Devices: Prevent Users from Installing Printer Drivers | Disabled | Disabled |
| Devices: Restrict CD-ROM Access to Locally Logged-On User Only | Disabled | Not defined |
| Devices: Restrict Floppy Access to Locally Logged-On User Only | Disabled | Not defined |
| Devices: Unsigned Driver Installation Behavior | Warn but Allow Installation | Not applicable |
| Domain Controller: Allow Server Operators to Schedule Tasks | Not defined | Not defined |
| Domain Controller: LDAP Server Signing Requirements | Not defined | Not defined |
| Domain Controller: Refuse Machine Account Password Changes | Not defined | Not defined |
| Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always) | Enabled | Enabled |
| Domain Member: Digitally Encrypt Secure Channel Data (When Possible) | Enabled | Enabled |
| Domain Member: Digitally Sign Secure Channel Data (When Possible) | Enabled | Enabled |
| Domain Member: Disable Machine Account Password Changes | Disabled | Disabled |
| Domain Member: Maximum Machine Account Password Age | 30 days | 30 days |
| Domain Member: Require Strong (Windows 2000 or Later) Session Key | Disabled | Disabled |
| Interactive Logon: Do Not Display Last User Name | Disabled | Disabled |
| Interactive Logon: Do Not Require CTRL+ALT+DEL | Not defined | Not defined |
| Interactive Logon: Message Text for Users Attempting to Log On | | |
| Interactive Logon: Message Title for Users Attempting to Log On | | |
| Interactive Logon: Number of Previous Logons to Cache (in Case Domain Controller Is Not Available) | 10 logons | 10 logons |
| Interactive Logon: Prompt User to Change Password Before Expiration | 14 days | 14 days |
| Interactive Logon: Require Domain Controller Authentication to Unlock Workstation | Disabled | Disabled |
| Interactive Logon: Require Smart Card | Not defined | Disabled |
| Interactive Logon: Smart Card Removal Behavior | No action | No action |
| Microsoft Network Client: Digitally Sign Communications (Always) | Disabled | Disabled |
| Microsoft Network Client: Digitally Sign Communications (If Server Agrees) | Enabled | Enabled |
| Microsoft Network Client: Send Unencrypted Password to Third-Party SMB Servers | Disabled | Disabled |
| Microsoft Network Server: Amount of Idle Time Required Before Suspending Session | 15 minutes | 15 minutes |
| Microsoft Network Server: Digitally Sign Communications (Always) | Disabled | Disabled |
| Microsoft Network Server: Digitally Sign Communications (If Client Agrees) | Disabled | Disabled |
| Microsoft Network Server: Disconnect Clients When Logon Hours Expire | Enabled | Enabled |
| Network Access: Allow Anonymous SID/Name Translation | Not applicable | Disabled |
| Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts | Enabled | Enabled |
| Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares | Disabled | Disabled |
| Network Access: Do Not Allow Storage of Credentials or .NET Passports for Network Authentication | Disabled | Disabled |
| Network Access: Let Everyone Permissions Apply to Anonymous Users | Disabled | Disabled |
| Network Access: Named Pipes That Can Be Accessed Anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser | netlogon, lsarpc, samr, browser |
| Network Access: Remotely Accessible Registry Paths | (Multiple paths defined as accessible) | (Multiple paths defined as accessible) |
| Network Access: Remotely Accessible Registry Paths and Subpaths | Not applicable | (Multiple paths defined as accessible) |
| Network Access: Restrict Anonymous Access to Named Pipes and Shares | Not applicable | Enabled |
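The four numbered steps above show the settings in the console; the same values can be checked from a script. The following PowerShell is an added example, not code from the book: it exports the local security policy with secedit, parses the exported INF, and compares a selection of the Table 24-3 entries with the Windows Vista defaults listed in the table. The mapping from each policy's display name to its INF section and key (the [System Access] entries and the registry paths under [Registry Values]) follows Microsoft's security template format and is this example's own assumption, as are the function names; the expected strings are the Vista column of Table 24-3 written in INF notation (type code 4 is REG_DWORD, 1 is REG_SZ, 7 is REG_MULTI_SZ).

```powershell
# Added example (not from the book): audit selected Table 24-3 entries against
# the Windows Vista defaults by exporting the local security policy.
# The section/key mapping below is an assumption of this example (Microsoft's
# security template INF format), not something the chapter states.
# secedit needs administrative rights, so run this from an elevated prompt.

function Get-LocalSecurityPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    if (Test-Path $inf) { Remove-Item $inf }
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

    # Flatten the INF into a hashtable keyed "Section:Key" (keys are case-insensitive).
    $settings = @{}
    $section = ''
    foreach ($line in Get-Content $inf) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $settings["${section}:$($Matches[1])"] = $Matches[2] }
    }
    return $settings
}

# Registry roots used by the [Registry Values] section of a secedit export.
$lsa  = 'MACHINE\System\CurrentControlSet\Control\Lsa'
$srv  = 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
$wks  = 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$nlog = 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
$wlog = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Vista column of Table 24-3, in INF notation: "type,value" for registry values.
$vistaDefaults = @(
    @{ Option='Accounts: Administrator Account Status'; Section='System Access'; Key='EnableAdminAccount'; Expected='0' },
    @{ Option='Accounts: Guest Account Status'; Section='System Access'; Key='EnableGuestAccount'; Expected='0' },
    @{ Option='Accounts: Rename Administrator Account'; Section='System Access'; Key='NewAdministratorName'; Expected='"Administrator"' },
    @{ Option='Network Access: Allow Anonymous SID/Name Translation'; Section='System Access'; Key='LSAAnonymousNameLookup'; Expected='0' },
    @{ Option='Accounts: Limit Local Account Use of Blank Passwords to Console Logon Only'; Section='Registry Values'; Key="$lsa\LimitBlankPasswordUse"; Expected='4,1' },
    @{ Option='Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts'; Section='Registry Values'; Key="$lsa\RestrictAnonymousSAM"; Expected='4,1' },
    @{ Option='Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares'; Section='Registry Values'; Key="$lsa\RestrictAnonymous"; Expected='4,0' },
    @{ Option='Network Access: Let Everyone Permissions Apply to Anonymous Users'; Section='Registry Values'; Key="$lsa\EveryoneIncludesAnonymous"; Expected='4,0' },
    @{ Option='Network Access: Restrict Anonymous Access to Named Pipes and Shares'; Section='Registry Values'; Key="$srv\RestrictNullSessAccess"; Expected='4,1' },
    @{ Option='Network Access: Named Pipes That Can Be Accessed Anonymously'; Section='Registry Values'; Key="$srv\NullSessionPipes"; Expected='7,netlogon,lsarpc,samr,browser' },
    @{ Option='Microsoft Network Client: Digitally Sign Communications (Always)'; Section='Registry Values'; Key="$wks\RequireSecuritySignature"; Expected='4,0' },
    @{ Option='Microsoft Network Server: Digitally Sign Communications (Always)'; Section='Registry Values'; Key="$srv\RequireSecuritySignature"; Expected='4,0' },
    @{ Option='Domain Member: Maximum Machine Account Password Age'; Section='Registry Values'; Key="$nlog\MaximumPasswordAge"; Expected='4,30' },
    @{ Option='Interactive Logon: Number of Previous Logons to Cache'; Section='Registry Values'; Key="$wlog\CachedLogonsCount"; Expected='1,"10"' }
)

function Compare-WithVistaDefaults {
    param([hashtable]$Settings, [array]$Defaults)
    foreach ($d in $Defaults) {
        $actual = $Settings["$($d.Section):$($d.Key)"]
        # A value secedit did not export is "Not defined", exactly as the console shows it.
        if ($null -eq $actual) { $actual = 'Not defined' }
        New-Object PSObject -Property @{
            Option    = $d.Option
            Expected  = $d.Expected
            Actual    = $actual
            AsDefault = ($actual -eq $d.Expected)   # string -eq is case-insensitive
        }
    }
}

Compare-WithVistaDefaults (Get-LocalSecurityPolicy) $vistaDefaults |
    Sort-Object AsDefault | Format-Table AsDefault, Option, Expected, Actual -AutoSize
```

Rows with AsDefault False come first, so a hardened or tampered machine is visible at a glance. Two caveats: the comparison is a plain string match, so a REG_MULTI_SZ such as the anonymous named-pipe list is reported as changed if the same pipes were exported in a different order, and on a domain-joined machine the plain /export shows the local database only; add /mergedpolicy to the secedit call to see the policy that is actually in effect.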