Top 10 ways to improve Windows Vista security

Windows Vista was designed to be Microsoft's most secure desktop operating system to date. In the opinion of expert Brien Posey, Vista is a pretty secure OS right out of the box, but you can make it even more secure. Check out Brien's top 10 list of Vista security tips.

Although Windows XP was Microsoft's preferred desktop operating system for an unprecedented length of time, it became something of a PR nightmare for the software giant. Windows XP is full of security holes and is very easy to compromise. When Microsoft created Windows Vista, its primary goal was to address all of the security problems that have been plaguing Windows XP for so many years.

Although Windows Vista security is far stronger than that of Windows XP, even running an out-of-the-box configuration, you need to know how to use some of the new security features in order to get the most out of the OS. This list of the top Vista security tips can help you run a truly secure Vista installation.

1. Use Network Access Protection (NAP) to keep your network clean

NAP is actually a feature that's built into Windows Server 2008. It allows you to create a network health policy that defines the criteria Windows Vista workstations must meet in order to be considered healthy. For example, you can require that Windows Vista workstations have the Windows Firewall turned on or that they have a specific security patch installed. When a user attempts to log on to your network, NAP checks the user's machine to see if it meets the health criteria that you have established. If it doesn't, then you can either fix the problem on the spot or deny the user access to the network. NAP is complicated to set up, but in my opinion it is probably the best security feature that Windows Vista and Windows Server 2008 have to offer.

2. Turn on the phishing filter

Make sure the phishing filter is turned on for all of your desktops. The phishing filter's job is to help users distinguish between a legitimate website and a fraudulent website that is posing as a popular website. Unfortunately, the phishing filter's website database is not comprehensive, but it does include enough legitimate and fraudulent sites to make it useful. Just be sure to train your users on how to use it.

3. Keep Vista up to date

Although beta testing for Windows Vista went on for a really long time, it is inevitable that additional bugs and security holes will be discovered over time. Once a security exploit has been made public, you can bet that hackers will be all over it. That's why it's so important to stay on top of the patch management process. Don't make the mistake of thinking that, just because Windows Vista was designed to be secure, it doesn't need to be frequently patched.

4. Know how to check the update history

It's important to know which patches have actually been applied to your OS. To check this, open the Control Panel and click on the Programs and Features link. Then, click the View Installed Updates link to see which patches have been applied to the machine.
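
The same check can be scripted so that it can be repeated on many machines and compared against a list of patches you require. The PowerShell below is an added example, not part of the original article; it assumes PowerShell 2.0 or later is installed, and the KB numbers in `$RequiredKBs` are constructed placeholders.

```powershell
# Added example. KB numbers are constructed placeholders, not real updates.
$RequiredKBs = @('KB0000001', 'KB0000002')

function Get-InstalledKB {
    # KB id -> name of the source that reports it installed, or $null if the
    # most recent successful action recorded for it was an uninstall.
    $state = @{}

    # Source 1: Windows Update Agent history, processed newest entry first.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) {
        $history = $searcher.QueryHistory(0, $total) | Sort-Object Date -Descending
        foreach ($entry in $history) {
            # ResultCode 2 = succeeded; failed or aborted attempts are ignored.
            if ($entry.ResultCode -eq 2 -and $entry.Title -match 'KB\d+') {
                $kb = $Matches[0].ToUpper()
                if (-not $state.ContainsKey($kb)) {
                    # Operation 1 = installation, 2 = uninstallation.
                    $state[$kb] = if ($entry.Operation -eq 1) { 'WUA history' } else { $null }
                }
            }
        }
    }

    # Source 2: Win32_QuickFixEngineering, which can list updates that the
    # Windows Update history does not (and the other way round).
    foreach ($qfe in Get-WmiObject -Class Win32_QuickFixEngineering) {
        if ($qfe.HotFixID -match '^KB\d+$' -and -not $state[$qfe.HotFixID]) {
            $state[$qfe.HotFixID.ToUpper()] = 'QuickFixEngineering'
        }
    }
    return $state
}

function Test-RequiredUpdate {
    param([string[]]$Required, [hashtable]$Installed)
    foreach ($kb in $Required) {
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = [bool]$Installed[$kb]
            Source    = $Installed[$kb]
        }
    }
}

# Missing patches sort to the top of the table.
Test-RequiredUpdate -Required $RequiredKBs -Installed (Get-InstalledKB) |
    Sort-Object Installed | Format-Table KB, Installed, Source -AutoSize
```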

5. Use a Windows Server 2008 domain controller

For many years now, Group Policies have been the primary security mechanism for Windows OSes. Therefore, it should come as no surprise that Windows Vista contains hundreds of Group Policy settings that did not exist in Windows XP. You always have the option of applying these Group Policy settings at the local computer level, but if you would prefer to manage the new Vista-specific Group Policy settings at the Active Directory level, then you will need a Windows Server 2008 domain controller on your network.

6. Make use of network profiles

Prior to the release of Windows Vista, Windows treated all network connections equally. In Vista, however, you can use the Network and Sharing Center to designate a network as public, private or a domain network. Networks are designated as domain networks automatically when the machine uses the network to log on to a domain.

It is important to select an appropriate network profile because Windows implements various security features based on the type of network you're connected to. For example, Vista disables the network mapping feature if you are connected to a public network. The Windows Firewall also contains network profile-specific settings.

7. Understand that there is more to the Windows Firewall than meets the eye

One of the things that always strikes me as odd about Windows Vista is that, on the surface, the Windows Firewall looks almost exactly like the one that came with Windows XP. The truth of the matter is that your options for configuring the Windows Firewall are very limited if you use the Control Panel. However, Microsoft provides a dedicated management console that allows you to have far greater control over the Windows Firewall.
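
The per-profile firewall settings that the management console exposes can also be read from a script, which ties this tip to the network profiles in tip 6. The PowerShell below is an added example, not part of the original article; it assumes PowerShell 2.0 or later and reads the firewall policy through the `HNetCfg.FwPolicy2` COM interface that Windows provides on Vista and later.

```powershell
# Added example: report Windows Firewall state for each network profile.
$ProfileTypes = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }  # NET_FW_PROFILE_TYPE2 bits
$Actions      = @{ 0 = 'Block'; 1 = 'Allow' }                   # NET_FW_ACTION values

function Get-FirewallProfileReport {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $policy.CurrentProfileTypes   # bitmask of the profiles in use right now

    foreach ($bit in 1, 2, 4) {
        # Count enabled inbound allow rules that apply to this profile.
        # Direction 1 = inbound, Action 1 = allow, Profiles is a bitmask.
        $inboundAllow = @($policy.Rules | Where-Object {
            $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
            ($_.Profiles -band $bit)
        }).Count

        New-Object PSObject -Property @{
            Profile           = $ProfileTypes[$bit]
            Active            = [bool]($active -band $bit)
            FirewallEnabled   = $policy.FirewallEnabled($bit)
            DefaultInbound    = $Actions[[int]$policy.DefaultInboundAction($bit)]
            BlockAllInbound   = $policy.BlockAllInboundTraffic($bit)
            InboundAllowRules = $inboundAllow
        }
    }
}

$report = Get-FirewallProfileReport
$report | Format-Table Profile, Active, FirewallEnabled, DefaultInbound,
                       BlockAllInbound, InboundAllowRules -AutoSize

# Flag the settings an administrator would want to review.
foreach ($row in $report) {
    if (-not $row.FirewallEnabled) {
        Write-Warning "$($row.Profile) profile: firewall is disabled"
    }
    if ($row.DefaultInbound -eq 'Allow') {
        Write-Warning "$($row.Profile) profile: inbound traffic is allowed by default"
    }
}
```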

8. Use the 64-bit version

The 64-bit version of Vista is far more secure than the 32-bit version. The 64-bit version contains a security feature called Address Space Layout Randomizer, which causes a random offset to be applied when system files are loaded. This means that unlike the 32-bit version of Vista, system files are rarely located in the same memory location twice in a row. This randomization foils many of the exploits that are commonly used against Windows XP.

Another security feature found only in the 64-bit version is Data Execution Prevention. This feature keeps executable code from running in certain areas of the system's memory. The 32-bit version of Vista includes a less sophisticated version of this feature that is implemented through software, but the 64-bit version enforces Data Execution Prevention at the hardware level.

9. Don't use encryption until you understand the consequences

Every week hundreds of people send me e-mail messages asking me questions about various technical problems they are having. By far the question I am asked most often involves recovering encrypted data when the encryption keys have been lost. Unfortunately, there is no easy way of recovering your encrypted data if you have lost the encryption keys. In many cases, data recovery is impossible. That being the case, I would encourage you to hold off on using EFS encryption or BitLocker encryption until you understand how the encryption process works and how to protect yourself from data loss.

10. Don't underestimate Windows Defender

Windows Defender is Microsoft's own antispyware application, and it's included with Windows Vista. Microsoft has had a history of including very weak applets with the Windows operating system. Systems administrators have traditionally understood that the applets that ship with Windows are usually sufficient to get the job done in a pinch, but that they are usually better off using third-party applications.

In spite of this, Windows Defender is actually pretty decent. It's not perfect, but my own personal experience has been that it works well for cleaning up all but the worst spyware infections.

About the author: Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox.

1 comment

Wow! flashbacks. It's interesting to see how far we have come since this was written over 8 years ago.