Security UPDATE--User Account Control in Windows Vista--February 8, 2006

1. In Focus: User Account Control in Windows Vista

2. Security News and Features

- Recent Security Vulnerabilities

- ISA Server 2004 Service Pack 2 Now Available

- IE 7.0 Beta 2 Preview Available for Public Review

- Researchers Already Scouring IE 7.0 for Holes

3. Security Toolkit

- Security Matters Blog

- FAQ

- Share Your Security Tips

4. New and Improved

- Soft Token, Strong Authentication

==== Sponsor: GuardianEdge Technologies ====

Encrypt your data--from Active Directory!

The Encryption Anywhere Data Protection Platform from GuardianEdge is a powerful tool for protecting data, managing compliance and enhancing mobility. Controlled within Active Directory, the Encryption Anywhere platform is a scalable, modular system for securing data on end-point devices and for applying consistent encryption policies across your organization. The Encryption Anywhere platform leverages what you've already established in AD, letting you distribute and manage encrypted Microsoft clients without changing your current processes. Encryption is the only true way to protect data; the Encryption Anywhere platform is the breakthrough enterprise encryption solution that provides truly robust enterprise management capabilities while leveraging your existing architecture and investment. For more information, visit http://www.guardianedge.com

==== 1. In Focus: User Account Control in Windows Vista ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft recently released the document "Applying the Principle of Least Privilege to User Accounts on Windows XP" (at the URL below), which aims to help you implement least-privileged user accounts (LUAs) in your Windows XP environment. The LUA terminology has been in use for quite a while now. Even so, Microsoft apparently wanted a clearer phrase for the concept. Initially, LUA was renamed User Account Protection (UAP), and most recently, the company landed on User Account Control (UAC), which will be the terminology used from here on out.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

When Windows Vista makes its debut, native UAC will be built into the OS, so you won't have to jump through countless hoops trying to limit use of administrative privileges on your network. Vista will expose new UAC policies that let you better control user accounts.

When using Vista, you'll either be considered a standard user or an administrator with privileges and rights appropriate to those two general types of accounts. For example, there will be 14 different types of administrative consent that cover the usual tasks a person might need to perform.

In general, Vista will operate a bit more like Linux systems when it comes to administrative access. You'll operate on the desktop with least privileges, and your account will have a policy assigned to handle any need for elevation of privileges. Standard users will either be prompted for credentials (username and password) or denied elevated access outright, depending on the policy settings. Administrative accounts will have both those possibilities, plus a Prompt for Consent option. In the latter case, administrators would simply click Yes or No to elevated privileges instead of having to enter their credentials.

Application installation will be an issue for some users, depending on their particular network. Vista will let you control whether elevation takes place when required by an application. Microsoft said that in an enterprise network, such elevation probably won't be required when installation is delegated to Group Policy Software Install (GPSI) or Microsoft Systems Management Server (SMS).

Another policy will govern applications that require elevation of privileges. You'll be able to deny elevation if the applications don't have a valid digital signature. To help with legacy applications that don't adhere to Vista's new architecture, you'll also be able to redirect registry and file writing activity to safe areas on the system. In other words, applications that typically write to the HKEY_LOCAL_MACHINE\SOFTWARE registry subkey or the Program Files, Windows, or Windows\System32 directories will still be able to run, but any write I/O will be written to virtualized locations instead of those actual locations. So the applications will run correctly, but sensitive storage areas won't be overly exposed.

UAC will be a welcome change in Windows that will surely bring greater security. There will of course be the usual learning curve, so the sooner you get started understanding the ins and out, the better off you'll be when you begin to use the OS. You can catch glimpses of developing UAC functionality by reading Microsoft's UACBlog (at the URL below) on the Microsoft Developer Network (MSDN).

http://blogs.msdn.com/uac/default.aspx

==== Sponsor: GuardianEdge Technologies ====

Win a TUMI Laptop Bag from GuardianEdge

Register to win one of four quality TUMI laptop computer bags from the company that brings you the Encryption Anywhere Data Protection Platform. GuardianEdge Technologies (formerly PC Guardian) will exhibit at the RSA Conference in San Jose, Feb 14 to 16 in Booth #1827. We are using the show to demonstrate Encryption Anywhere Hard Disk, which delivers full-volume encryption of XP computers right from Active Directory and the Microsoft Management Console. Register online for the contest. You do not have to be at the conference to win. Visit:

http://www.guardianedge.com/Additional_Resources/RSA_2006_Tumi_Bag.html

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

ISA Server 2004 Service Pack 2 Now Available

Microsoft released ISA Server 2004 Service Pack 2 (SP2). The new service pack brings new features, including enhanced caching, HTTP compression, and traffic prioritization.

http://www.windowsitpro.com/Article/ArticleID/49273

IE 7.0 Beta 2 Preview Available for Public Review

Microsoft released a public beta of the long-awaited Internet Explorer (IE) 7.0. The new browser includes numerous security features that will help make Web surfing much safer than it was with previous versions of IE.

http://www.windowsitpro.com/Article/ArticleID/49253

Researchers Already Scouring IE 7.0 for Holes

As soon as Microsoft released IE 7.0 Beta 2 Preview, researchers went to work looking for security holes, and Tom Ferris found one.

http://www.windowsitpro.com/Article/ArticleID/49275

==== Resources and Events ====

Windows Connections Conference, April 9-12, 2006

Don't miss the essential Windows technology conference. Register early and save!

http://www.winconnections.com

WHITE PAPER: Evaluate the costs of losing information and learn what real-time information management means and how to accomplish it in your business.

http://www.windowsitpro.com/go/whitepapers/xosoft/infomanagement?code=0208emailannc

Learn to gather evidence of compliance across multiple systems, and link the data to regulatory and framework control objectives. Live Web Seminar: March 1, 2006; 12:00 EST

http://www.windowsitpro.com/go/seminars/bindview/multiregcompliance/?partnerref=0208emailannc

Learn about the various applications of SSL certificates and their appropriate deployment, along with details of how to test SSL on your web server.

http://www.windowsitpro.com/go/whitepapers/thawte/ssl?code=0208emailannc

Industry expert Paul Robichaux discusses how availability is a function of unplanned downtime only, helping you achieve a system available 99.9% of the time.

http://www.windowsitpro.com/essential/index.cfm?code=0208emailannc

==== Featured White Paper ====

Learn how storage has been redesigned to provide administrators with the tools to manage the storage demands of today and the future. Defer storage purchases, separate backup data from protected data and more!

http://www.windowsitpro.com/go/whitepapers/lefthand/storage?code=0208featwp

==== Hot Spot ====

Maximizing Network Security Against Spyware and Other Threats

Are you solving the real problems of spyware? By leaving your systems open to reinfestation, you risk surging bandwidth consumption, system instability, overwhelmed Help desks, lost user productivity, and other consequences. Manage both the threats and vulnerabilities from one console as a comprehensive security solution.

http://www.windowsitpro.com/go/whitepapers/shavlik/spyware?code=SECHot0208

==== 3. Security Toolkit ====

Security Matters Blog: SANS 2005 Information Security Salary Survey

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

SANS published its 2005 Information Security Salary & Career Advancement Survey. The results indicate that security administrators earn an average of $75,275 per year in the United States with an annual raise of 2.9 percent. Read more about the survey in this blog article.

http://www.windowsitpro.com/Article/ArticleID/49250

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: What are the versions of Windows Vista?

Find the answer at http://www.windowsitpro.com/Article/ArticleID/49227

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Announcements ====

(from Windows IT Pro and its partners)

VIP Subscribers have it all!

Become a VIP subscriber and get continuous, inside access to ALL of the online resources published in Windows IT Pro magazine, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CD-ROMs that include the entire article database and are delivered twice per year. Don't miss out--sign up now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2762uv

==== 5. New and Improved ====

by Renee Munshi, [email protected]

Soft Token, Strong Authentication

Diversinet announced the release of its next-generation MobiSecure soft token and MobiSecure Authentication Service Center (MASC). MobiSecure provides an automated self-service system (meaning that users can download the tokens themselves over the Internet) that can support strong authentication for online banking, remote online access, and secure e-commerce applications. MobiSecure soft tokens comply with the Open Authentication (OATH) Reference Architecture and interoperate with OATH-compliant hard-token and smart-card solutions. MobiSecure soft tokens are available now on mobile devices supporting Java, Symbian, Windows Mobile, Palm, and RIM; on SanDisk TrustedFlash memory cards; and on PCs running Windows. For more information, go to

http://www.diversinet.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]