
Description of the Guidance for Securing Microsoft Windows Vista

NIST has collaborated with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft Corporation to produce Microsoft's Windows Vista baseline security settings for the Enterprise (EC) and Specialized Security/Limited Functionality (SSLF) environments. These recommended baselines/profiles are represented in the Microsoft Vista security guide. NIST also collaborated with industry to produce the XML representation of the recommended profiles in the Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability and Assessment Language (OVAL).

Comments and questions may be addressed to checklists@nist.gov.

Frequently Asked Questions - FAQ
1. Who produces the Microsoft Vista security guide?

In a collaborative effort with DISA, NSA, and NIST, Microsoft produced the Vista security guide that reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform. NIST has reviewed the security guide and provided comments that Microsoft has adopted in the production of the guide.

2. What should agencies do?

Assuming that agencies will transition to the Vista platform, they should begin interoperability testing with deployed applications and systems, because of the substantial changes in the security architecture and in the default out-of-the-box configuration.

3. When should agencies deploy Vista?

This is an operational and business case decision. Among the many factors to consider are the time it takes to test existing applications for compatibility, operating in mixed Vista/Windows XP environments, interoperability with existing configuration management and security tools (e.g., antivirus software), vulnerability and patch management, upgrading existing applications, training considerations for affected personnel, understanding the new security features, and other technology changes such as server OS upgrades.

4. What are some of the out-of-the-box security changes?

For example, the built-in Administrator account and LanMan (LM) authentication protocol are disabled. Only NTLMv2 passwords are sent over the network. Members of the Administrators group operate as standard users and get the additional rights when required.

5. What are some of the security features?

Microsoft has introduced a number of security changes in Vista such as the User Account Control (UAC), hardened services, Windows Integrity Control, Internet Explorer protected mode, phishing filter, Windows Defender, a bi-directional Windows firewall, Suite B cryptographic algorithms (undergoing FIPS 140 evaluation), full disk encryption with BitLocker, virtualized file and registry, etc.

6. Is Windows Vista more secure?

Windows Vista is a major and significant upgrade in security from Windows XP. It has undergone the Microsoft Secure Development Lifecycle (SDL) process. The default configuration of Windows Vista is much more locked down than that of any previous version of Windows. This is illustrated by changes such as the built-in Administrator account and the LanMan (LM) password hash being disabled, and NTLMv2 being used by default for network authentication to Windows servers. Members of the Administrators group operate as standard users and get the additional rights when required. The Power Users group has the same rights as the Users group. Microsoft has introduced a number of security changes in Vista, such as the ones listed above. As Vista is widely deployed and field tested, organizations will have a better understanding of the impact of these security improvements.
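The out-of-the-box changes named in questions 4 and 6 (LM hash disabled, NTLMv2-only network authentication, UAC, built-in Administrator disabled) map to a handful of well-known LSA and policy settings that an administrator can verify on a test machine before and after applying a baseline. The following audit script is an added example, not part of the NIST page or the Microsoft guide; the registry paths and value names are the standard Windows locations, and the pass thresholds (NoLMHash = 1, LmCompatibilityLevel of at least 3, EnableLUA = 1) are assumptions chosen to match the behaviour the FAQ describes.

```powershell
# Added example: audit the Vista default authentication/UAC settings the FAQ describes.
# Run in an elevated PowerShell session on the test machine being evaluated.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is not explicitly set (the OS default then applies).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# NoLMHash = 1: LM password hashes are not stored, i.e. LM is disabled as the FAQ states.
$noLmHash = Get-RegValue $lsa 'NoLMHash'
$findings += [pscustomobject]@{ Check = 'LM hash storage disabled (NoLMHash = 1)'
                                Value = $noLmHash; Pass = ($noLmHash -eq 1) }

# LmCompatibilityLevel 3 = send NTLMv2 responses only (assumed threshold); 5 additionally
# refuses LM and NTLM when acting as a server, which is what the SSLF profile tightens toward.
$lmLevel = Get-RegValue $lsa 'LmCompatibilityLevel'
$findings += [pscustomobject]@{ Check = 'NTLMv2 only (LmCompatibilityLevel >= 3)'
                                Value = $lmLevel; Pass = ($null -ne $lmLevel -and $lmLevel -ge 3) }

# EnableLUA = 1: UAC is on, so Administrators group members run as standard users until elevated.
$enableLua = Get-RegValue $uac 'EnableLUA'
$findings += [pscustomobject]@{ Check = 'UAC enabled (EnableLUA = 1)'
                                Value = $enableLua; Pass = ($enableLua -eq 1) }

# The built-in Administrator account always has relative ID 500, so match on the SID suffix
# rather than the account name, which may have been renamed by policy.
$builtinAdmin = Get-WmiObject -Class Win32_UserAccount `
    -Filter "LocalAccount = True AND SID LIKE '%-500'"
$findings += [pscustomobject]@{ Check = 'Built-in Administrator disabled'
                                Value = $builtinAdmin.Disabled; Pass = ($builtinAdmin.Disabled -eq $true) }

$findings | Format-Table -AutoSize
```

A null Value means the setting is not written explicitly, so the result depends on the OS default; the baseline's Group Policy should set it explicitly so the audit is unambiguous across Vista and mixed XP environments.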

7. What are some of the new features?

Microsoft has introduced a number of new features that agencies should consider such as a new graphical user interface, the next generation TCP/IP stack that supports IPv6 by default, network discovery protocol, Windows event log, etc.

8. Who is the intended audience?

The intended audience is Windows Vista system administrators and technical Windows Vista systems users. The document assumes that the reader has experience installing and administering Windows-based systems in domain configurations.

9. Should I test this before applying it in my environment?

Yes. Test the recommended settings on carefully selected test machines that are deployed in an environment that simulates the organization's operational infrastructure.

10. What is the impact caused by applying the Specialized Security-Limited Functionality template?

The Specialized Security-Limited Functionality template contains the more restrictive settings and will reduce the functionality and interoperability of the Windows Vista system. It will reduce the usability of a typical system found in a multi-purpose managed environment and will break legacy or other general-purpose applications. It should only be used by experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.

11. Should I make changes to the baseline settings?

Given the wide variation in operational and technical considerations for operating any major enterprise, it is expected that some local changes will need to be made to the baseline and its associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows Vista systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on carefully selected test machines first, and document the implemented settings.

12. Is NIST endorsing or mandating the use of the Windows Vista Systems or requiring each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows Vista Systems nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.


Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Last updated: February 3, 2008
Page created: January 10, 2001

Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration