Some guidelines for securing your Windows Vista PC
Windows Vista introduces a breakthrough user experience and is designed to help you feel confident in your ability to view, find, and organize information and to control your computing experience. Windows Vista has been engineered to be the most secure version of Windows yet. The new features in Windows Vista help to give you the control and confidence you need to get the most out of your PC. This document will briefly discuss some of the security options these great new features provide for you –
; User Account Control: enabling users to run with Standard User rights
; Parental Controls: Monitoring and managing your children's computer privileges
; Internet Explorer 7: a major step forward in ease of use and security
; BitLocker? Drive Encryption: a new data protection feature
In addition to the feature overviews, we’ll offer some ways you can increase your system security to get even greater protection. Using the information in this document you should be able to configure and manage all of these great security features on your new Windows Vista machine.
Security features vs. Convenience
Security is about making choices. Tighten things too much to protect the system, and users have problems doing what they want. Focus on ease of use by opening up settings broadly and you expose the system to attack. Finding the right balance is just not easy. Add the need to satisfy multiple classes of users – home, professional, business, etc. – and the problem takes on a level of impossibility.
In the goal to make Windows Vista the most secure version of Windows ever, we worked hard to define default security settings that protect users while keeping the system usable with those protections enabled. This document will discuss ‘out of the box’ security capabilities as well as offer ways you can increase system security and the issues those changes may create.
Understanding Users & Administrators
To help explain the issues in this document and some of the changes made in Windows Vista, it is helpful to get a grasp on the user account concept. Essentially, user accounts are unique profiles assigned to each person using a system. As with real life, some users can do more than others. Regular users, called Standard Users, can do many things on a system but certain changes will require special
permission. That special permission is given by a different type of user account, called Administrators. It may help to think of Users as employees in a company, and the boss is an Administrator. Employees can do everyday work, but something like getting new equipment requires the boss’s approval. Another important thing to realize is that Administrators are users too – they just have extra privileges. With
that comes the possibility of an increased security risk, but we’ll address that later on. Right now let’s see how you setup a Standard User account:
Go to Control Panel and select “Add or remove user accounts”. You should then see a dialog box asking for permission to continue. That’s a new security feature in Windows Vista which we’ll review in just a little bit, but for now go ahead and click ‘Continue’ in the dialog. On the next screen, select ‘Create a
new account’ (see Figure 1)
Type in the User Name you want (e.g. Abby), make sure the Standard User option is selected and click ‘Create Account’ (see Figure 2)
The process would be the same to create an Administrator account, except that in the final step you would select that Administrator instead of Standard User.
Using this overview of user accounts and following the instructions to setup accounts, you should be ready to read about the exciting new security features in Windows Vista.
User Account Control
User Account Control (UAC) is a brand new technology introduced with Windows Vista. As discussed in the previous section, there are two types of user accounts – Standard Users and Administrators. In
Windows Vista, both Administrators and Standard Users run applications with roughly the same permissions to change their own settings. UAC provides a method of separating standard user privileges
and tasks from those that require Administrator access. UAC increases security by enabling you to make Standard User the default user account for everyday use. Users can now perform more tasks and enjoy higher application compatibility without the need to be logged in with administrative level privileges. This helps reduce the affect of malware, the installation of unauthorized software, and accidental system changes. In short your PC is more stable!
Credential and Consent Prompts
When a Standard User is using the system and attempts to do something for which they do not have authorization, they will be asked for permission from Windows and require the Administrator account’s
password. That prompt is known as a ‘Credential Prompt’ (see Figure 3) because it requires credentials
from another account to permit the action and proceed.
If an Administrator is using the system and attempts to do the same task, they will only be asked for permission. That prompt is known as a ‘Consent Prompts’ (see Figure 4) because the user is only asked
to agree to the action before it will proceed.
; Note: When first setting up a new Windows Vista system you may encounter a number of these UAC prompts. This is due in part to the number of “system wide” changes you’ll want to make, such as installing software or configuring devices. Generally, Windows Vista users will find that the number of times they are shown UAC prompts will decreases dramatically over time. In fact, once the computer is configured for your specific environment and the bulk of the software is installed you should rarely even see a UAC dialog.
Do’s and Don’ts regarding Credential and Consent prompts
Anytime you enter your password, you are possibly putting yourself at risk so always consider why you
are entering your credentials. Think carefully when you see a UAC prompt – make sure you know what
action is about to be performed. If you are not sure, it’s safest to click ‘Cancel’ and double check. It’s
very important to remember that UAC prompts are not a security boundary – they don’t offer direct
protection. They do offer you a chance to verify an action before it happens.
Once you allow an action to proceed, there may be no easy way back. Windows Vista provides many features to protect your system, but they require proper use. Your system security is only as strong as your actions, so think before you click. The guidance below can help you find the right balance that works for your situation.
Best Practices for UAC
Good Practice: Create a Standard User account and use it every day!
When setting up a system, you should make only the first user account an Administrator account, even on a child’s machine. Be sure to choose a good password to protect the Administrator account. By default, this first account had approval mode enabled, meaning it can be used to configure Parental Controls and manage any setting on the system. All subsequent user accounts you create —especially
for kids—should be setup as Standard Users. If a user with a Standard User account needs to complete a restricted task, installing a program for example, the Administrator can enter the proper credentials to complete the task.
For normal system use you should be able to login as a Standard User, and enter your Administrator credentials only when a task requires it. Taking this extra step when you need it will help prevent accidentally doing something you didn’t mean to do – or installing something you know you shouldn’t.
Better Practice: Make everyone enter a password – even Administrators!
You can also increase security by requiring the Administrator account to ‘Prompt for Credentials’ rather than simply use the Consent prompt. Making this change will help ensure fewer mistakes are made when logged in using the Administrator account. It will also make it harder to spoof the system and make it difficult for an unauthorized person to complete a restricted task if your PC is left unattended. Instructions for making this change can be found online at
Best (More Secure) Practice
In addition to “Good Practice” you might consider also requiring the special Control-Alt-Delete key
sequence for consent to complete administrative tasks. Control-Alt-Delete is a special key sequence that places the computer in a very secure mode of operation and makes entering Administrator credentials far more secure. In addition to the previous guidance, this change will provide additional protection to the system when an administrator is elevating his or herself using admin approval mode and also when a Standard User needs consent from an Administrator. Information on making this change can be found online at
Fast User Switching
If you find yourself moving back and forth between a Standard User and Administrator accounts, you should consider using Fast User Switching (FUS) to switch accounts whenever an administrative task is required – in effect using the separate accounts desktop as a security boundary.
Fast User Switching is a feature in Windows Vista that allows you to switch to a different computer user account without closing programs and files first. This makes it easier to quickly transition to the Administrator account without disturbing your current activities.
To use FUS simply click the START button and then click the arrow next to the lock button. Next, click Switch User, and then click the user you want to switch to.
; Warning: Make sure to save any open files before switching user because Windows does not automatically save files that are open. If you switch to a different user and that user shuts down the computer, any unsaved changes you have made to files that are open on your account will be lost.
Windows Vista Parental Controls
As much as they are a powerful business tool, computers represent one of the greatest educational tools in recent times. Using a computer and the Internet, children are able to research topics, communicate with students in other areas and create literary or visual masterpieces. Access to those resources brings with it an exposure to risk – one that is underscored in media reports of one kind or
another. As parents, you are constantly aware of dangers facing your children in the real world and want to keep them safe from online threats as well. Until now, monitoring your children’s online activity has been, at best, a difficult task requiring specialized software and deciphering third party spying tools to review activity logs. That’s not even taking into account the need to stay ahead of your children’s growing technical expertise.
Monitoring and managing your children's computer privileges just got easier though. That's because Windows Vista ships with new family safety functionality called Parental Controls. Parental Controls makes managing your children's online and offline activities much more intuitive and includes easy to use tools to help you keep their computing experience a safe one. Family safety starts by taking a little time to set up Parental Controls.
The first thing to do is setup user accounts for each child you want to let use the computer. Alternatively, you can choose to setup a single account for all your children to share, but that limits your ability to grant specific permissions to older children while blocking the younger ones. As a general rule, it’s best to have unique accounts for each child to ensure you have the most flexibility in granting
permissions and an easier time reviewing activity reports. Make sure you follow the earlier instructions to create a Standard User account for any kid’s accounts since only Standard User accounts can be managed by Parental Controls.
Once you have the user accounts setup, we’ll need to bring up the Parental Controls screens which can be accessed from the Control Panel (see Figure 5). Select ‘Continue’ when you see a UAC Consent prompt asking for permission. Click on a user account to select and configure the Parental Controls for that account. We’ll use Jennifer’s account, since she has the only Standard User account that can be configured with Parental Controls.
The Parental Controls screen (see Figure 6) allows you to configure the settings for an account:
; Web Restrictions: Control what Web sites your child can access and what they're allowed to
; Time Limits: Control what days and times your child can use the computer.
; Games: Control what games your child can play by setting rules based on rating, content, or title.
; Block Specific Programs: Block access to installed programs on your computer that you do not
want your child to have access to.
; Activity Reports: Display activity reports that include information about what Web sites your
children visit, how long they're online, how many e-mail messages they get, and information
about who they are exchanging messages with, to name a few.
Now that you’ve seen how to setup an account and enable Parental Controls, let’s examine more detail of how these tools can be used to help keep your children safe and your system secure while online.
Parental controls are a system wide set of controls, so you don’t need to worry about details of what
browser your children want to use. Whatever rules you specify in Web Restrictions will apply to any and all browsers. If you configure Parental Controls to allow your children to visit only 10 Web sites that you name, they won't be able to visit any others. Likewise, if you set that a particular Web site is "blocked," they won't be able to visit that site either. You can rest assured that if your child downloads different browser software, blocked websites will still be blocked, because the block is not dependent on the browser settings.
In addition to blocking websites Parental Controls gives you another powerful security feature to protect your children and the system. Managing the ability to restrict file downloads is an important step to preventing unwanted malicious software from infecting your system. Malware, adware, and viruses usually get onto your computer via downloads, and many are the result of a child unknowingly downloading something harmful. Web Restrictions in Parental Controls changes all of that. You can set general content restrictions by selecting from the generic settings of Low, Medium, High, or Highest. You can also block specific types of content in categories such as alcohol, bomb-making, drugs, gambling, hate speech, mature content, pornography, sex, tobacco, weapons, Web chat, and Web e-mail. To configure Web Restrictions, open Control Panel, and click Parental Controls. Select the appropriate
user account, and then click Windows Vista Web Filter under Web Restrictions. Under Web Filtering,
click Yes to block web content. Under Filter Web Content, click an option to choose how restrictive you
want the Web filter to be. From there, create the restrictions that meet your requirements.
Best Practices for Web Restrictions
When setting up Parental Controls Web Restrictions, it’s best to list what sites your child can visit rather
than to trying to create a list of blocked sites. There are simply too many sites to list for that approach to be manageable.
You can limit the time your children spend online or on the computer. By configuring Time Restrictions in Parental Controls, you can designate the hours and the days of the week the child is allowed on the computer. If the child tries to log on at a time not allowed, the logon will fail. If a child is logged on and time limits expire, the child will be automatically logged off.
To configure Time Restrictions, open Control Panel, and click Parental Controls. Select the appropriate
user account and then click Time Restrictions. Click inside the grid to set when your child is allowed to
access the computer. Allowed hours are white and blocked hours are red.
Best Practices for Time Limits
While there is no set schedule to recommend, it’s important to consider enforcing time limits for children’s accounts. Regardless of the research or schoolwork being performed, limiting time in front of a computer may help encourage more physical activity when the resource is not available. Games
You can use Parental Controls to manage which games your child can play and how long they spend doing it. You can block all games or specific games based on their ratings. Most computer games have an age and content rating, assigned by the applicable ratings board for the user's region. In the US, this is the Entertainment Software Ratings Board (ESRB). The ratings are similar to how movies are rated, allowing you to decide if the software is age-appropriate or content-appropriate for your child. You may also decide to set more granular boundaries based on game content — even if a game has an allowed
rating, you can block if for the type of content it contains.
In addition to games installed on the computer, your child may want to play some online games. Parental Controls allows you to set similar permissions for online gaming content. Because some games may not be rated, you have the option of blocking games with no rating until you have reviewed them and decided if they are suitable for your children to play.
Best Practices for Games
It is advisable to research or play the games yourself, as content may change during online play. Often as a game progresses to higher levels, the content may change to reflect the new ranking. While the first few levels of a game may be appropriate, it is possible the upper levels may contain unwanted content. Block Specific Programs
With Allow and Block Specific Programs, you can prevent children from running any program you deem inappropriate. These could be third party programs you've installed, including games or instant messaging software, or programs from Microsoft that you don't want them nosing around in, such as Microsoft Money or your personal diary.
With Activity Reports (see Figure 7) you can see just what your child does online and off, including what Web sites they visit, who they instant message, what they download, what programs they access, and more. These Activity Reports can help you initiate important conversations with your children. Here's an excerpt from an Activity Report.
As you can see, Windows Vista Parental Controls were designed to be easier to use and manage than any tool you have used before. Between the range of options and ease or reporting, Windows Vista Parental Controls will help make it easier to keep your children safe from online threats and provides a simple way to monitor your children's computer activities. So take a few minutes to create user accounts for your children and set up basic monitoring. You'll be glad you did!
Internet Explorer 7
Internet Explorer 7 in Windows Vista is the latest version of the leading web browser, offering a set of new security features that provide dynamic security protection and usability features designed to make everyday tasks easier. Internet Explorer 7 has been built to simplify everyday browsing tasks and provide a much more productive Web experience. With improvements such as a new clean and sleek interface, tabbed browsing, inline search, and intelligent printing, Internet Explorer 7 offers the most efficient browsing experience available.
Internet Explorer 7 provides several valuable security features to help protect Windows Vista users when browsing the Internet. Protected Mode, taking advantage of UAC benefits, allows users to browse with restricted permissions to isolate potential online threats and protect the system from compromise – and just like UAC, Protected Mode prompts are not a security boundary – they don’t offer direct
protection, only a chance to verify an action before it happens. The new Phishing Filter service provides