<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[Steve Riley on Security]]></title>
    <link>http://securityratty.com/feed/4fc0b45233f665369f5b06be4c0e5b17</link>
    <description></description>
    <pubDate>Fri, 01 Feb 2008 08:39:04 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Tweet!]]></title>
      <link>http://securityratty.com/article/ea05cb277df3256f86f6a03dd1c4d597</link>
      <guid>http://securityratty.com/article/ea05cb277df3256f86f6a03dd1c4d597</guid>
      <description><![CDATA[The other day an office mate asked, &quot;Do you twitter?&quot; Sorting through the various snarky remarks that immediately popped to mind, I replied that I didn't think anyone would find my routine bits all...]]></description>
      <content:encoded><![CDATA[<p>The other day an office mate asked, &quot;Do you twitter?&quot; Sorting through the various snarky remarks that immediately popped to mind, I replied that I didn't think anyone would find my routine bits all that interesting. He suggested otherwise: that it would be a convenient place to record quick ideas. So I am <a href="http://twitter.com/steveriley" target="_blank">now indeed twittering</a>. Check out the link on the right of this blog. For those using an RSS/ATOM aggravator, you'll want <a title="http://twitter.com/statuses/user_timeline/15237105.rss" href="http://twitter.com/statuses/user_timeline/15237105.rss">http://twitter.com/statuses/user_timeline/15237105.rss</a>.</p>]]></content:encoded>
      <pubDate>Fri, 27 Jun 2008 01:52:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/record quick ideas">record quick ideas</category>
      <category domain="http://securityratty.com/tag/snarky remarks">snarky remarks</category>
      <category domain="http://securityratty.com/tag/routine bits">routine bits</category>
      <category domain="http://securityratty.com/tag/twitter">twitter</category>
      <category domain="http://securityratty.com/tag/rssatom aggravator">rssatom aggravator</category>
      <category domain="http://securityratty.com/tag/link">link</category>
      <category domain="http://securityratty.com/tag/comstatusesuser">comstatusesuser</category>
      <category domain="http://securityratty.com/tag/blog">blog</category>
      <category domain="http://securityratty.com/tag/convenient">convenient</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/06/26/tweet.aspx">Tweet!</source>
    </item>
    <item>
      <title><![CDATA[Directly connect to your corpnet with IPsec and IPv6]]></title>
      <link>http://securityratty.com/article/8fa825adcf64d7fa728dd4b170277578</link>
      <guid>http://securityratty.com/article/8fa825adcf64d7fa728dd4b170277578</guid>
      <description><![CDATA[Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no actual rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia,...]]></description>
      <content:encoded><![CDATA[<p>Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no <em>actual</em> rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia, then TechEd US seemed to suddenly appear out of nowhere! So I've been kinda swamped. I've missed writing here; it's good to get back into the swing.</p>  <p>At TechEd this year, I gave a presentation called <strong>&quot;21st century networking: time to throw away your medieval gateways.&quot;</strong> (Actually, I've given this same talk before, at events in Amsterdam, Brussels, Oslo, and numerous on-campus customer meetings. It's time to bring the knowledge to the masses.)</p>  <p>I described an idea of using IPv6, IPsec, NAP, and group policy to build a pretty slick replacement for clunky VPN gateways. Turns out we've been piloting this very idea on our internal corpnet. Like a good little bunny I got myself enrolled in the thing and -- pardon the unattractive gushing -- this thing <em>rawks!</em> Here's a brief rundown of the parts you'd configure on <strong>managed clients</strong>:</p>  <ul>   <li>Windows Vista Business (with Software Assurance), Enterprise, or Ultimate editions</li>    <li>That are domain-joined</li>    <li>Users run as <a href="http://blogs.msdn.com/aaron_margosis/" target="_blank">non-admin</a></li>    <li><a href="http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx" target="_blank">Group policy</a> applies numerous settings</li>    <li><a href="http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true" target="_blank">UAC</a> is enabled</li>    <li><a href="http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true" target="_blank">BitLocker</a> is configured to protect confidential information stored offline</li>    <li>The <a 
href="http://technet.microsoft.com/en-us/network/bb545423.aspx" target="_blank">Windows Firewall</a> is enabled</li>    <li><a href="http://technet.microsoft.com/en-us/network/bb545879.aspx" target="_blank">NAP</a> is used for checking health</li>    <li><a href="http://technet.microsoft.com/en-us/forefront/clientsecurity/default.aspx" target="_blank">Forefront Client Security</a> for keeping malware off the box</li>    <li><a href="http://technet.microsoft.com/en-us/library/bb742533.aspx" target="_blank">Smart cards</a> for strong authentication of users</li>    <li><a href="http://technet.microsoft.com/en-us/network/bb531150.aspx" target="_blank">IPsec</a> is required for connection authentication and traffic encryption</li>    <li><a href="http://technet.microsoft.com/en-us/network/bb530961.aspx" target="_blank">IPv6</a> is required for worldwide Internet connectivity</li>    <li>A DNS suffix search list represents the data center name space</li>    <li>Static IPv6 DNS servers provide name resolution for hosts in the data center</li> </ul>  <p>What does this give you? True <a href="http://www.microsoft.com/mscorp/twc/anywhereaccess/default.mspx" target="_blank">anywhere access</a>, <a href="http://www.microsoft.com/mscorp/execmail/2007/02-06secureaccess.mspx" target="_blank">anywhere in the world</a>, directly to corpnet resources from managed and secure client PCs. The Internet has replaced private WAN links for good reason: enormous cost benefits. The only thing holding us back from fully utilizing this development has been the lack of a way to enforce and monitor the security of clients not physically located within the corpnet. Well, those days are over. Now you can build PCs that are trusted just as if they were on the corpnet, without knowing or caring anything about the underlying network connections. 
And let me tell you, it's as addictive as a few other substances I could mention, but will refrain, since this is (I hope) a family blog :)</p>  <p>Maybe you've heard of the notion of &quot;<a href="http://en.wikipedia.org/wiki/De-perimeterisation" target="_blank">deperimeterization</a>.&quot; Taken to its extreme, I think it's a bit silly. To put a SQL Server directly on the Internet is just plain stupid -- not because I don't think I could keep it protected, but simply because that's unnecessary risk. Only my web server -- and no one else -- should be talking to my SQL Server. But that web server will be in the same subnet as the SQL Server, and IPsec policies, used here as well, will govern who can connect to the SQL Server. <strong>Warning to any and all network DMZs: your days are numbered!</strong></p>  <p>Shrink your perimeter to that which really matters -- your data center. <em>All</em> your clients live (as we would say in the olden days) &quot;on the outside of the firewall.&quot; Now then, there are two kinds of clients. Managed clients, as I described above, establish IPsec-authenticated/encrypted, group-policy-configured, NAP-enforced IPv6 connections directly to corpnet resources without going through any kind of access gateway. The router connecting you to your ISP is fully sufficient for blocking denial of service attempts. Be sure to follow my advice in &quot;<a href="http://blogs.technet.com/steriley/archive/2006/07/10/Configure-your-router-to-block-DOS-attempts.aspx" target="_blank">Configure your router to block DOS attempts</a>,&quot; and then add two more rules to permit incoming port udp/500 and IP protocol 50 over IPv6. That's it. 
No NATing or other unnatural network acts are required (finally, you can stop lying to your significant other about why you squirrel yourself away in the computer room all those weekend nights).</p>  <p>Unmanaged clients will continue to use IPv4 to access published Web and Win32 applications through a gateway like <a href="http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687299.aspx" target="_blank">IAG</a>. Since you can't trust these clients nor can you trust the data they're throwing at you, you have to inspect and validate at the perimeter. You can take advantage of IAG's <a href="http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx" target="_blank">application-modifying capabilities</a> to &quot;wrap&quot; security around poorly-written web apps; you can even download an ActiveX control to unmanaged clients to perform some basic health checking, policy enforcement, and cache clearing. None of these eliminates the final requirement to continue inspecting and removing malware from servers where users store data: <a href="http://technet.microsoft.com/en-us/forefront/serversecurity/bb734822.aspx" target="_blank">Exchange</a>, <a href="http://technet.microsoft.com/en-us/forefront/serversecurity/bb734828.aspx" target="_blank">SharePoint</a>, <a href="http://www.microsoft.com/forefront/serversecurity/ocs/default.mspx" target="_blank">Office Communications Server</a>, and <a href="http://technet.microsoft.com/en-us/forefront/clientsecurity/default.aspx" target="_blank">file servers</a>.</p>  <p><strong>Machines are mobile, data is mobile.</strong> The mainframes and large desktop PCs of the past possess an effective security attribute: the heaviness of the machines. You couldn't easily saunter out the front door with a PC-AT in your pocket! These days, we all line our pockets with tiny little mobile phones stuffed with 16GB of storage. It's now a fact: data moves. 
And like water, data moves wherever it can, as rapidly as it can, often beyond your control if you don't prepare for that. With properly-configured and managed clients we can enjoy a single access and authentication experience no matter where the computer is physically located. For example: I can sit in my house and enter &quot;http://internal-web-site-name&quot; in my browser. The DNS suffix search list adds the appropriate suffix, my browser's resolver performs an IPv6 name lookup, and my computer makes an authenticated and encrypted connection, after it meets the NAP policy, directly to that internal server. Very nice. As far as I'm concerned, there's no difference between the Internet and my corpnet. It's all <em>just there.</em></p>  <p>For a while now many of you know I've been speaking and writing, mostly at the conceptual level, about the day when such a way of remote computing will arise. Well, my friends, that day is now. You can indeed build it now, with the products you have. I won't admit it's all peaches and cream: there's a fair number of moving parts here, it's true. But most of these moving parts are parts you're already familiar with: I'm simply encouraging you to move them in a specific way. You'll need to do some custom scripting for client-side connection diagnostics, but that's about it.</p>  <p>My next step is to create a more detailed guide, which I plan to publish through TechNet Magazine. I'm targeting (but not promising) the October issue. The article will include greater details about configuring your infrastructure to support the managed clients I describe.</p>  <p>I've lost track of the swelling number of individual conference attendees and the plethora of email writers who've expressed a desire to build this in their own environments. 
The one common thread from everyone is &quot;I want to do it now!&quot; Folks, it's really pretty exciting for me to see so many of you ready to cross the chasm from the perdition of paleo-networking (layer upon endless, complex layer of DMZs) into the paradise of flat, simple, cheap, and secure access to information. If you haven't yet, please take the time to read through some of our information (especially Scott Charney's paper) on <a href="http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx" target="_blank">end-to-end trust</a>. Friends, the idea I describe above is the plumbing for realizing the end-to-end trust vision.</p>]]></content:encoded>
      <pubDate>Wed, 25 Jun 2008 16:55:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/directly">directly</category>
      <category domain="http://securityratty.com/tag/corpnet">corpnet</category>
      <category domain="http://securityratty.com/tag/sql server directly">sql server directly</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/data center">data center</category>
      <category domain="http://securityratty.com/tag/ipv6">ipv6</category>
      <category domain="http://securityratty.com/tag/trust">trust</category>
      <category domain="http://securityratty.com/tag/end-to-end trust vision">end-to-end trust vision</category>
      <category domain="http://securityratty.com/tag/users store data">users store data</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx">Directly connect to your corpnet with IPsec and IPv6</source>
    </item>
    <item>
      <title><![CDATA[Do you need RMS/IRM in Office for Macintosh?]]></title>
      <link>http://securityratty.com/article/0f564da62833e134642aa7f0559d0125</link>
      <guid>http://securityratty.com/article/0f564da62833e134642aa7f0559d0125</guid>
      <description><![CDATA[Please let me know if this is a feature you'd be interested in. We're looking to build the business case to develop it, and the best way to do that is for you, our customers, to let us know.
Also, if...]]></description>
      <content:encoded><![CDATA[<p>Please let me know if this is a feature you'd be interested in. We're looking to build the business case to develop it, and the best way to do that is for you, our customers, to let us know.</p>  <p>Also, if any of you want to deploy RMS now but can't because there's currently no Mac support, I especially need to know. Thanks!</p>]]></content:encoded>
      <pubDate>Wed, 23 Apr 2008 18:34:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mac support">mac support</category>
      <category domain="http://securityratty.com/tag/deploy rms">deploy rms</category>
      <category domain="http://securityratty.com/tag/develop">develop</category>
      <category domain="http://securityratty.com/tag/feature">feature</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/04/23/do-you-need-rms-irm-in-office-for-macintosh.aspx">Do you need RMS/IRM in Office for Macintosh?</source>
    </item>
    <item>
      <title><![CDATA[Throw away your digital picture frames]]></title>
      <link>http://securityratty.com/article/bb80f799aeb703e8ac04ecfa35c60af3</link>
      <guid>http://securityratty.com/article/bb80f799aeb703e8ac04ecfa35c60af3</guid>
      <description><![CDATA[Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?
Virus from China, the gift that keeps on giving
An...]]></description>
      <content:encoded><![CDATA[<p>Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?</p> <blockquote> <p><a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL" target="_blank">Virus from China, the gift that keeps on giving</a></p> <p>An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind.  <p>"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.</p></blockquote> <p>Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as is the US Government with its new <a href="http://fdcc.nist.gov/" target="_blank">Federal Desktop Core Configuration</a> for Windows XP and Windows Vista.</p> <p>The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!</p> <p>Even more amazing:</p> <blockquote> <p>[Mocmex] isn't the only piece of malware involved. 
Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers.  <p>There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses.  <p>Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.</p></blockquote> <p>More reasons to <a href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx" target="_blank">disable Autorun</a>, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.</p> <p>It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.</p>]]></content:encoded>
      <pubDate>Tue, 19 Feb 2008 00:36:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/frames">frames</category>
      <category domain="http://securityratty.com/tag/picture frames">picture frames</category>
      <category domain="http://securityratty.com/tag/trojan">trojan</category>
      <category domain="http://securityratty.com/tag/generic trojan">generic trojan</category>
      <category domain="http://securityratty.com/tag/digital photo frames">digital photo frames</category>
      <category domain="http://securityratty.com/tag/trojan horse">trojan horse</category>
      <category domain="http://securityratty.com/tag/virus apparently">virus apparently</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/18/throw-away-your-digital-picture-frames.aspx">Throw away your digital picture frames</source>
    </item>
    <item>
      <title><![CDATA[Supporting your family, friends, and neighbors]]></title>
      <link>http://securityratty.com/article/07de9d1487a527268d852adbab8c7d91</link>
      <guid>http://securityratty.com/article/07de9d1487a527268d852adbab8c7d91</guid>
      <description><![CDATA[By Steve Riley
Senior Security Strategist
Trustworthy Computing Group, Microsoft Corporation
originally published at http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx
I’ve met...]]></description>
      <content:encoded><![CDATA[<h6>By Steve Riley<br>Senior Security Strategist<br>Trustworthy Computing Group, Microsoft Corporation<br>(originally published at <a title="http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx" href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx" target="_blank">http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx</a>) </h6> <p>I’ve met thousands of IT pros during my years speaking at conferences around the world. And if there’s one thing that’s true for all of us it’s that all IT pros become support professionals for their family, their friends, and their neighbors—your “FFN” base, as I call it. And, like doctors, we’re expected to provide this kind of support for free!</p> <p>Once upon a less-demanding time, these questions were rare and usually involved things like setting up Windows, configuring printers, snarfing from the free wireless network across the street—the sorts of things that normal people don’t do when going about their daily lives (face it, we IT pros aren’t <em>normal</em>). So the monthly late-evening phone call usually wasn’t a burden. Alas, those days are now nothing more than wistful memories.</p> <p>You see, the bad guys (and, increasingly, girls) who lurk in the Internet’s dark alleys and secret passages have discovered that those who constitute your FFN are prime targets for their reprehensible ways. The millions of home computers squatting on kitchen counters and in bedrooms don’t enjoy the protection that corporate PCs do—no fortified network, no centralized administration and updating, no traffic inspection, no security policies. Rarely do the people in our FFNs possess detailed security knowledge, so home computers are ripe targets for attack. 
The bad guys know this, and they’re rapidly taking over as many machines as they can get their grubby little hands on.</p> <p>For a while now, Microsoft has provided easy-to-follow guidance for home users at our <a href="http://www.microsoft.com/protect" target="_blank">Security at Home site</a>. This is an excellent resource, with information on how to protect your computer, yourself, and your family. However, we can’t do it alone—we need your help! Maybe it’s already happened to many of you; if not, it’ll happen soon: you’ll become a security consultant for your FFN. That’s right, you. Stop glancing around the room, don’t slink down in your chair and hope I won’t see you. Your FFN is having security problems right now, and they need your help.</p> <p>What to say, you ask? Where to go for guidance on how to talk to your FFN? It’s the same place: <a href="http://www.microsoft.com/protect" target="_blank">Security at Home</a>. I’ll review some of the most important steps you can take.</p> <h3>Four steps to protect your computer</h3> <p>These aren’t optional; they aren’t open for debate. At the very minimum, all computers connected to the Internet should follow these steps.</p> <ol> <li>Keep your firewall switched on.  <li>Keep Windows up to date.  <li>Use updated antivirus software.  <li>Use updated antispyware software.</li></ol> <p>Computers running Windows Vista or Windows XP Service Pack 2 (SP2) already have firewalls that are enabled by default. <em>Leave them running.</em> I've yet to see any example of applications typically run on home computers that would break because the firewall is running. There’s simply no excuse for running a PC connected to the Internet without a firewall. Computers running anything older than Windows XP SP2 should be upgraded immediately—and this is again where you can help. 
Visit your FFN and ensure that everyone has installed the service pack.</p> <p>Make a habit of ensuring that the automatic update client is running whenever you visit your FFN. This feature exists for them and minimizes the amount of work you need to do. Let Microsoft take care of patch management for your FFN—outsource it to us by making sure that all computers are downloading and installing updates automatically.</p> <p>Simply using a firewall and installing updates can be enough to protect a computer from most attacks. But as we security consultants (stop looking around the room again!) know, attackers don’t target only computers. They target people, often by concealing malicious software inside tempting packages delivered by e-mail or Web sites. We call this the “dancing pig” phenomenon—no amount of self-control can stop someone from clicking on links or running attachments when the payoff is the promise of tutu-clad swine parading across the screen! So to add to a home computer’s defense, we need utilities that detect and remove malicious software. Antivirus and antispyware tools can take care of this for you. (Yes, you need both; they detect different kinds of attacks.)</p> <p>The case could be made that antivirus and antispyware tools aren’t necessary for computers whose users are highly skilled, security savvy, and have an experienced feel for recognizing malware before it strikes. Indeed, I’ve written about this before (<a href="http://blogs.technet.com/steriley/archive/2007/09/22/antivirus-software-who-needs-it.aspx" target="_blank">"Antivirus software—who needs it?"</a> and <a href="http://blogs.technet.com/steriley/archive/2007/09/25/more-on-the-necessity-of-antivirus-software.aspx" target="_blank">"More on the necessity of antivirus software"</a>). However, for my FFN, antivirus and antispyware are requirements. They should be for your FFN, too.</p> <p>The Malicious Software Removal Tool also helps to eliminate malware. 
It’s updated each month through the automatic update client and runs the next time a computer boots. It scans for and removes common malware like certain prevalent worms and rootkits. Since the tool’s introduction, millions of computers have been cleaned of billions of pieces of malware.</p> <p>If you need to quickly scan a computer for malware, try the Windows Live OneCare safety scanner. It’s free, and it might be a useful habit for you to develop every so often when you get a call from an FFN. There are two versions of the scanner. One is for <a href="http://onecare.live.com/site/en-us/default.htm" target="_blank">Windows XP</a>, the other is a <a href="Safety scan for Windows Vista" target="_blank">beta for Windows Vista</a>.</p> <p>What about ensuring that your FFN runs as non-admin? That would be an excellent step, but a lot of software written for the home market still requires being an admin to install and run (yeah, not everyone realizes the Earth is round). Such software should be tossed in the junk bin—yet if you need to manage some knitting projects, and there’s only one program you can find that works for you, sigh… Non-admin is a tough call. Perhaps you can enforce it on the home network in your own house, since you’re right there. Enforcing it on the computers in your FFN, though, might end up creating more work for you.</p> <h3>Keep your information more secure</h3> <p>Spam and scams are the techniques most bad guys use to steal your information to try to assume your identity. I don’t like the common term “identity theft”—how can you really steal someone’s identity? You can steal a purse, thus denying the purse’s benefit to its original owner. But you simply can’t take away someone’s identity. Think of identity theft as a form of <em>impersonation attack</em> (it’s like spoofing a human, I suppose). To impersonate you, the bad guy needs to obtain information about you. 
Phishing scams and spam lure millions of unsuspecting folk (these would be your FFN) into divulging secret details they’d never tell their pastors or principals or parents.</p> <p>To reduce the likelihood of having your identity impersonated, teach your FFN to follow a few simple steps.</p> <ol> <li>Use the phishing filter that’s built into Internet Explorer 7.  <li>Reduce the amount of spam in your e-mail.  <li>Use good passwords online.</li></ol> <p>The phishing filter in Internet Explorer 7 includes a long list of known phishing sites, and it warns users if a site they’re visiting is on the list or exhibits characteristics typical of phishing sites. The filter can communicate with an online service to keep itself updated—and this is important, since phishing sites often disappear after just a couple days.</p> <p>Windows Live Hotmail, Windows Live Mail, and Windows Mail—probably the most common mail programs in your FFN—include technology to reduce spam. Their spam filters are updated regularly through Microsoft Update, which is yet another excellent reason for keeping the automatic update client enabled. Also be sure that you configure them to block images in HTML mail, which are often used for secretly tracking whether someone’s read a message.</p> <p>Don’t forget to teach your FFN about basic techniques they can learn to become more security savvy. Common practices like disguising your e-mail address on discussion boards (me AT example DOT com), using a separate e-mail address for newsletters and online transactions (yes, you can have more than one Hotmail account), and being aware of prechecked boxes on Web forms that will result in things you didn’t want—for example, various toolbars, sharing your e-mail address with “partners,” or signing you up for newsletters that you can’t unsubscribe from.</p> <p>Similarly, spam becomes easy to spot once you get in tune with its characteristics. Don’t reply to any message that wants personal details. 
It’s highly unusual; legitimate sites will use Web pages to sign up for services or maintain accounts. If you get an e-mail message that appears to come from your bank, don’t read it—delete it. Then call your bank; if they need something from you, their customer service department can handle it. Legitimate businesses simply don’t use e-mail to conduct account maintenance transactions, <em>because e-mail itself is insecure.</em> Never click on links to any kind of online payment service you use; instead, type the address directly into the browser’s address bar. If you hover your mouse over a link, the real URL appears in a small box—and if they don’t match, then yep, the e-mail message is definitely fraudulent.</p> <p>While working with your FFN, make the link between online safety and personal safety. Most of us wouldn’t wander down random smelly alleys in isolated parts of the city during the middle of the night. It’s the same with your e-mail. Ignore attachments you don’t expect, avoid pleas for giving to “charities,” dismiss any messages that promise easy money, and don’t reply to any spam—all this does is confirm that your e-mail address is legitimate, guaranteeing that you’ll get more. Teach your FFN to make regular use of <a href="http://www.snopes.com" target="_blank">Snopes.com</a>, one of the best sites on the Internet for learning whether something is legitimate or a scam. Type a few words from the suspicious e-mail message into the site’s search box and see what the results are.</p> <p>Web sites often require you to log on. This means you need to create a user ID and password for every site you might visit. There’s a lot of discussion about what constitutes a “good” password; personally, I’m a fan of length rather than complexity. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. 
A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish:</p> <ul> <li>Web mail: "my dog and i got the mail"  <li>Shopping: "my dog and i bought some stuff"  <li>Office: "my dog and i went to work"</li></ul> <p>If you don’t follow this kind of system, eventually you’ll start to forget which password you used on which Web site. Ugh, how can you manage it all? How can you have strong and unique passwords on the 60 different sites you visit every day? If the site uses basic authentication, you can instruct Internet Explorer to remember its password—however, few sites use this method. Instead, forms-based authentication is far more common, and Internet Explorer can’t remember these. Some sites have “Remember my password” checkboxes on the logon forms, which cause the site to store your password in an encrypted cookie (this is fine). There are many third-party programs you can use to manage passwords; one popular and well-regarded one is the free <a href="http://passwordsafe.sourceforge.net/index.shtml" target="_blank">Password Safe</a>.</p> <h3>Won’t all this just overwhelm my FFN?</h3> <p>Not really. Ordinary people subconsciously make security and safety decisions every day—going to the same hot dog vendor you’ve always trusted, changing lanes after verifying the target lane is unoccupied, walking along known streets with good lighting. Being safe online is really no different than being safe in the real world. Yet, online, people have a tendency to move toward one of two extremes—trusting everything they read and receive or becoming suspicious and essentially refusing to engage in anything online.
Maybe it’s because online threats use scary language (like “identity theft”) and receive attention that far outweighs the risks (like child predators).</p> <p>The threats we all face daily online are really no different than the threats we’ve all faced ever since we came down from the trees. This doesn’t mean we should ignore them or become too agitated. It means that we can apply the common sense most of us already have, aided with numerous tools and bits of good advice from software vendors, and—most importantly—a cadre of IT pros who can help their FFNs become savvy enough to protect their computers, themselves, and their families so that they can integrate the vast power of the Internet into their normal routines and enjoy everything it has to offer.</p> <p>This article gave you some starting points for conversations with your FFN. There’s far more to explore. Spend an evening perusing the resources we’ve provided for you at <a href="http://www.microsoft.com/protect" target="_blank">Security at Home</a>. We’re regularly updating the pages here to ensure that the information is current and relevant for home users. We’ve also created a newsletter specifically for home computer security, an online safety and security magazine, and several videos that cover a variety of security topics.</p> <p>One more thing: accept our humble thanks for your help. We believe that you, our IT pros, can become the most valuable element in spreading the message of how to be safe and secure online. Thank you!</p>]]></content:encoded>
      <pubDate>Wed, 13 Feb 2008 14:45:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/suspicious e-mail message">suspicious e-mail message</category>
      <category domain="http://securityratty.com/tag/mail">mail</category>
      <category domain="http://securityratty.com/tag/home computers defense">home computers defense</category>
      <category domain="http://securityratty.com/tag/home computers">home computers</category>
      <category domain="http://securityratty.com/tag/e-mail">e-mail</category>
      <category domain="http://securityratty.com/tag/home">home</category>
      <category domain="http://securityratty.com/tag/web mail">web mail</category>
      <category domain="http://securityratty.com/tag/windows live mail">windows live mail</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/13/supporting-your-family-friends-and-neighbors.aspx">Supporting your family, friends, and neighbors</source>
    </item>
    <item>
      <title><![CDATA[Plan now to eliminate "power users" from your domains]]></title>
      <link>http://securityratty.com/article/96de72363ce90bee2c9d0978f4318732</link>
      <guid>http://securityratty.com/article/96de72363ce90bee2c9d0978f4318732</guid>
      <description><![CDATA[I've seen some conversations lately about the Power Users group -- how powerful is it, really, and why did we remove the group from Windows Vista?
That group had rights to install software and drivers....]]></description>
      <content:encoded><![CDATA[<p>I've seen some conversations lately about the Power Users group -- how powerful is it, really, and why did we remove the group from Windows Vista?</p> <p>That group had rights to install software and drivers. And if you can install software and drivers, then you can elevate yourself to Administrator or SYSTEM. Vista includes a signed installer that allows standard users to install packages signed by a trusted root. (The "Trusted Installer" is a service that has a SID, so you'll see it in the permissions list on various objects throughout the operating system.) The installer validates the signature chain, then elevates itself to perform the actual installation. Now, standard users can install and update approved software without having to grant membership in the too-powerful Power Users group.</p> <p>We deprecated the Power Users group and removed it wherever we detected it on ACLs. We recommend that you do the same.</p> <p>More details in these blog postings:</p> <ul> <li><a href="http://blogs.technet.com/jesper_johansson/archive/2006/03/12/421870.aspx" target="_blank">Power Users are Admins who have not made themselves Admin yet, by Jesper Johansson</a></li> <li><a href="http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx" target="_blank">The power in Power Users, by Mark Russinovich</a></li></ul>]]></content:encoded>
      <pubDate>Mon, 11 Feb 2008 15:03:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/power">power</category>
      <category domain="http://securityratty.com/tag/power users">power users</category>
      <category domain="http://securityratty.com/tag/powerful">powerful</category>
      <category domain="http://securityratty.com/tag/too-powerful power users">too-powerful power users</category>
      <category domain="http://securityratty.com/tag/rights install software">rights install software</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/install">install</category>
      <category domain="http://securityratty.com/tag/install packages">install packages</category>
      <category domain="http://securityratty.com/tag/install software">install software</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/11/plan-now-to-eliminate-power-users-from-your-domains.aspx">Plan now to eliminate "power users" from your domains</source>
    </item>
    <item>
      <title><![CDATA[Who should do your security audits? Or, how do you organize the security department?]]></title>
      <link>http://securityratty.com/article/df68eac7120d325459b663abde2dd81e</link>
      <guid>http://securityratty.com/article/df68eac7120d325459b663abde2dd81e</guid>
      <description><![CDATA[An interesting question came up today. The group responsible for configuring and maintaining the firewalls at a customer also believes that they should be the only ones to audit their configurations....]]></description>
      <content:encoded><![CDATA[<p>An interesting question came up today. The group responsible for configuring and maintaining the firewalls at a customer also believes that they should be the only ones to audit their configurations. Others in the security department are uneasy with this, and prefer that someone else do the auditing. I've encountered similar tension before, and it always makes me wonder why information security folk and auditors frequently have trouble working together. As I thought more about this, I began to wonder if maybe there's a better way to organize the entire security department.</p> <p>It's useful if we take a moment and consider the definition of the auditing function. Here's mine:</p> <blockquote> <p><em>Audits help us ensure that we are following our own policies. Audits measure the current state, compare the results against what the state should be, and show where we are out of compliance. Essentially, audits help us know that we are indeed doing what we say we're doing.</em></p></blockquote> <p>Audits are the natural outcomes of implementing good policies and following effective procedures. It makes no sense to spend time developing policies without having some mechanism to measure compliance. That's the role of the auditing function -- to measure compliance. If we all agree that policies are good, then we should all agree that checking up on ourselves is also good.</p> <p>So, then, who should conduct the audits? For comparison, let's examine a typical software development department. Here at Microsoft, such departments are composed of four over-arching roles:</p> <ul> <li>program management  <li>product management  <li>software development  <li>software test</li></ul> <p>Why this way? Consider the first two.
We don't have "project managers" at Microsoft because project management incorporates two conflicting goals: managing people, schedules, and budgets (program management) versus incorporating customer requirements and creating new markets (product management). Program management optimizes resources while product management optimizes features. Rather than shoulder that inherent conflict onto a single person and expect them to deal with it without going completely bonkers, we have two roles, with different people. People skilled in each area negotiate with each other and come to an agreement about what's best both for Microsoft and for our customers.</p> <p>Similar thinking exists for the second pair of roles. Developers strive to write high-quality code, and even do some testing along the way. But because no one's perfect, all code has some mistakes; it's valuable to have other people bang hard on the code, abuse it almost, to find and squash more bugs. Often, even the best developers are embedded so deeply in their own code that some bugs escape them. Developers rightly concern themselves with creating code that works and provides proper output. Testers figure out how to purposefully break software and discover code vulnerabilities. These are different skill sets, and using different people results in higher quality software.</p> <p>We can apply the same logic to the information security department. How about these four roles:</p> <ul> <li>security standards  <li>security alignment  <li>security operations  <li>security auditing</li></ul> <p>The security standards group defines an organization's security architecture, creates policies and procedures, and ultimately takes responsibility for stewarding the integrity of the organization's information assets. The security alignment group spends time understanding the needs and drivers of the various business units, and advocates the business units' positions in meetings with the security standards group. 
Like in the software development model, having different folks negotiate together about standards and alignment helps ensure that business needs are met while also ensuring that the business is able to rely on information that's kept secure.</p> <p>Remember: the primary purpose of information security is risk management. The standards folk know all about the bad guys and their techniques, and build up knowledge about which threats create risk for the organization. The alignment folk understand, through their constant interaction with people in the business units, all about business risk and get a feel for the business's risk tolerance -- that is, the level and kinds of risk that matter or don't matter. Together, the security standards and the security alignment folk can develop a security posture that allows the business to remain agile while also addressing the risks that make sense.</p> <p>(Notice that I haven't indicated where, exactly, the alignment folk sit within the organization. They might be part of the security department, or they might be part of the individual business units. A case could be made for either choice; however, except for very large organizations, the alignment role probably isn't full-time. This leans the role toward sitting in the business units.)</p> <p>Day-to-day work becomes the responsibility of those in security operations. They create standard configurations, perform installs and updates, monitor traffic, and respond to incidents. Ideally, policies and procedures guide all of these activities. But having policies and procedures isn't enough: we must also have a way to measure conformance. And that's the role of security auditing. Security auditors compare a system's current configuration to what it should be, based on the policy. Where systems are out of compliance, the auditor works with operations folk to understand the reasons, without engaging in blame-storming or launching personal attacks (this goes for operations folk, too). 
Most of the time, it's simply a mistake; here, auditors are like software testers, uncovering <em>configuration vulnerabilities</em> (bugs) that otherwise might be overlooked by operations and thus exploited by attackers.</p> <p>Now you auditors out there, this doesn't mean that your role is simply that of checklist slave. Especially if your checklist is something you downloaded from the Internet. Remember: these checklists are only guidance, good ideas written by a person (or a committee) based on that person's risk tolerance. Effective auditors develop relationships with people in the other three groups: standards, alignment, and operations. Effective auditors take the time to learn the security landscape, how attackers operate, where vulnerabilities lie, and which threats matter. Really effective auditors learn how to do penetration testing, thus uncovering not only code and configuration vulnerabilities but also <em>circumvention vulnerabilities</em> through social engineering. By doing this, effective auditors remove the "us versus them" stigma often associated with auditing and truly become part of the security team, all working together to protect the organization's information assets.</p> <p>(Notice that, as with the alignment group, I haven't indicated organizationally where the audit group should sit. I do, however, have a strong opinion on this: the management chains of the audit group and the operations group must be different. The people conducting audits shouldn't work for those who have a stake in an audit's outcome. To do so would create unavoidable and unrecoverable conflicts of interest.)</p> <p>I'm sure there's more to the topic of organizing a security department. What do you think of this approach? Do you like the idea of dividing conflicting roles into different groups, then structuring them to work together to achieve realistic and useful outcomes? 
I don't suspect I've necessarily invented anything new here, but maybe just used a few new words -- such as "security alignment" -- and thought out loud about some of the tension that exists within the standards/alignment and operations/audit pairs. (Oh, and I got to write about my code/configuration/circumvention vulnerability triple again, heh.) Please tell me your thoughts. Maybe there's an entire white paper here, possibly even a TechEd presentation. Maybe someday we should offer a "TechManagementEd" conference!</p>]]></content:encoded>
      <pubDate>Thu, 07 Feb 2008 19:25:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information assets">information assets</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/alignment folk">alignment folk</category>
      <category domain="http://securityratty.com/tag/security alignment folk">security alignment folk</category>
      <category domain="http://securityratty.com/tag/information security department">information security department</category>
      <category domain="http://securityratty.com/tag/alignment">alignment</category>
      <category domain="http://securityratty.com/tag/security department">security department</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/07/who-should-do-your-security-audits-or-how-do-you-organize-the-security-department.aspx">Who should do your security audits? Or, how do you organize the security department?</source>
    </item>
    <item>
      <title><![CDATA[Videos of some of my presentations]]></title>
      <link>http://securityratty.com/article/20944ef60ba267c1ac5236c8809d740b</link>
      <guid>http://securityratty.com/article/20944ef60ba267c1ac5236c8809d740b</guid>
      <description><![CDATA[TechNet Spotlight features videos of many presentations from our TechEd conferences. Here are some of mine.
It's 11:00 PM, do you know where your data is?
IT Forum: TechEd Europe, November 2007
The...]]></description>
      <content:encoded><![CDATA[<p>TechNet Spotlight features videos of many presentations from our TechEd conferences. Here are some of mine.</p> <ul> <li><a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=727" target="_blank">It's 11:00 PM, do you know where your data is?</a><br>IT Forum: TechEd Europe, November 2007</li> <li><a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=530" target="_blank">The fortified data center in your future</a><br>TechEd US, June 2007</li> <li><a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=539" target="_blank">Windows Mobile 6 security in depth</a><br>TechEd US, June 2007</li> <li><a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=540" target="_blank">Making the tradeoff: be secure or get work done</a><br>TechEd US, June 2007</li> <li><a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=339" target="_blank">Defending layer 8: how to recognize and combat social engineering</a><br>IT Forum: TechEd Europe, November 2006</li> <li><a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=352" target="_blank">Windows Vista firewall and IPsec enhancements</a><br>IT Forum: TechEd Europe, November 2006</li></ul> <p><a href="http://www.microsoft.com/emea/spotlight/result_search.aspx?speaker=20&amp;product=0&amp;rating=0&amp;x=76&amp;y=7" target="_blank">All of my videos on TechNet Spotlight</a><br>There are older videos, too, including a four-part security basics series with Jesper Johansson.</p>]]></content:encoded>
      <pubDate>Tue, 05 Feb 2008 15:14:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/videos">videos</category>
      <category domain="http://securityratty.com/tag/forum">forum</category>
      <category domain="http://securityratty.com/tag/data center">data center</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/windows vista firewall">windows vista firewall</category>
      <category domain="http://securityratty.com/tag/june">june</category>
      <category domain="http://securityratty.com/tag/europe">europe</category>
      <category domain="http://securityratty.com/tag/november">november</category>
      <category domain="http://securityratty.com/tag/combat social">combat social</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/05/videos-of-some-of-my-presentations.aspx">Videos of some of my presentations</source>
    </item>
    <item>
      <title><![CDATA[NAP case study published]]></title>
      <link>http://securityratty.com/article/4cc36be06c1ef16b880817a9f0c8165d</link>
      <guid>http://securityratty.com/article/4cc36be06c1ef16b880817a9f0c8165d</guid>
      <description><![CDATA[Another new resource for you... I know from my time with customers in meetings and at events that NAP is something you're all very interested in. You're also being a bit cautious, waiting to see how...]]></description>
      <content:encoded><![CDATA[<p>Another new resource for you... I know from my time with customers in meetings and at events that NAP is something you're all very interested in. You're also being a bit cautious, waiting to see how the market matures, and hoping to learn how some customers have implemented it. Recently we published our first NAP case study. The government of Fulton County serves a population of nearly one million in northwest Georgia. Its IT department supports 5,000 employees in 400 buildings, dozens of agencies, airports, fire stations, police stations, courts, public-health clinics, and libraries. Its mixed IT infrastructure includes mainframes, clustered servers, workstations, desktop computers, multiple operating systems, dozens of vertical applications, and a sophisticated network encompassing multiple topologies and protocols. Having faced network disruptions in the past due to noncompliant computers, the county needed a new security solution. In response, it is deploying Windows Server® 2008 to take advantage of Network Access Protection (NAP). After an initial deployment, help-desk call volume decreased by 75 percent, for a projected annual savings of more than U.S.$150,000 in maintenance costs.</p> <p>Take a look at <a title="http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000001286" href="http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000001286">http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000001286</a>. It's a quick read. Glad to see they chose to use IPsec-based enforcement, it's my favorite :)</p>]]></content:encoded>
      <pubDate>Fri, 01 Feb 2008 08:50:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network access protection">network access protection</category>
      <category domain="http://securityratty.com/tag/nap">nap</category>
      <category domain="http://securityratty.com/tag/fulton county serves">fulton county serves</category>
      <category domain="http://securityratty.com/tag/faced network disruptions">faced network disruptions</category>
      <category domain="http://securityratty.com/tag/county">county</category>
      <category domain="http://securityratty.com/tag/help-desk call volume">help-desk call volume</category>
      <category domain="http://securityratty.com/tag/infrastructure includes mainframes">infrastructure includes mainframes</category>
      <category domain="http://securityratty.com/tag/multiple topologies">multiple topologies</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/01/nap-case-study-published.aspx">NAP case study published</source>
    </item>
    <item>
      <title><![CDATA[Microsoft IPsec diagnostic tool]]></title>
      <link>http://securityratty.com/article/7f08c84346aaacd8ca315d00a987efaa</link>
      <guid>http://securityratty.com/article/7f08c84346aaacd8ca315d00a987efaa</guid>
      <description><![CDATA[IPsec is a wonderful technology for identifying computers and securing the exchange of data between them. I've written and spoken extensively about it in the past. It is, however, a bit of a challenge to...]]></description>
      <content:encoded><![CDATA[<p>IPsec is a wonderful technology for identifying computers and securing the exchange of data between them. I've written and spoken extensively about it in the past. It is, however, a bit of a challenge to configure, especially if you're newly learning about it. Microsoft recently released a diagnostic tool to help you create and test your policies. It checks for common network problems on host machines and suggests repair commands. It collects IPsec policy information on systems and parses IPsec logs to deduce why a failure might have happened. Beyond IPsec, it offers trace collection for VPN, NAP client, Windows Firewall, Group policy updates, Wireless, and System events. The tool's diagnostic report derives its conclusions from the system logs collected by the tool during its analysis phase, which are sufficient to diagnose any network related issue. For further assistance, you can share the logs with network administrators or Microsoft support.</p> <p>Get the tool here: <a title="http://www.microsoft.com/downloads/details.aspx?FamilyID=1d4c292c-7998-42e4-8786-789c7b457881&amp;displaylang=en" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=1d4c292c-7998-42e4-8786-789c7b457881&amp;displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyID=1d4c292c-7998-42e4-8786-789c7b457881&amp;displaylang=en</a></p> <p>It works on these versions of Windows:</p> <ul> <li>Windows Server 2003 Service Pack 1</li> <li>Windows Server 2003 Service Pack 2</li> <li>Windows Server 2003 Service Pack 2 x64 Edition</li> <li>Windows Server 2008</li> <li>Windows Vista Business</li> <li>Windows Vista Business 64-bit edition</li> <li>Windows Vista Enterprise</li> <li>Windows Vista Enterprise 64-bit edition</li> <li>Windows Vista Ultimate</li> <li>Windows XP 64-bit; Windows XP Home Edition</li> <li>Windows XP Professional Edition</li> <li>Windows XP Service Pack 1</li> <li>Windows XP Service Pack 2</li></ul>]]></content:encoded>
      <pubDate>Fri, 01 Feb 2008 08:39:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/windows vista enterprise">windows vista enterprise</category>
      <category domain="http://securityratty.com/tag/windows vista">windows vista</category>
      <category domain="http://securityratty.com/tag/windows vista business">windows vista business</category>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <category domain="http://securityratty.com/tag/windows firewall">windows firewall</category>
      <category domain="http://securityratty.com/tag/windows server">windows server</category>
      <category domain="http://securityratty.com/tag/ipsec">ipsec</category>
      <category domain="http://securityratty.com/tag/tool">tool</category>
      <category domain="http://securityratty.com/tag/diagnostic tool">diagnostic tool</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/01/microsoft-ipsec-diagnostic-tool.aspx">Microsoft IPsec diagnostic tool</source>
    </item>
  </channel>
</rss>
