Transcript 10Sp_Win7IT1
Windows 7 for IT Professionals Part 1:
Security and Control
Donald Hester
May 4, 2010
For audio call Toll Free 1-888-886-3951
and use PIN/code 227625
Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using
the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
Session Overview
User Account Control
Windows BitLocker™ and Windows BitLocker To Go™
Windows AppLocker™
Windows Defender
User Account Control
User Groups
UAC Security Settings
Modify User Account Control Settings
User Groups
Standard Users
Administrators

Type of Elevation Prompt / Description
Consent Prompt: Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user.
Credential Prompt: Displayed to standard users when they attempt to perform an administrative task.
UAC Security Settings
Admin Approval Mode for the Built-in Administrator account
Allow UIAccess applications to prompt for elevation without using the secure desktop
Behavior of the elevation prompt for administrators in Admin Approval Mode
Behavior of the elevation prompt for standard users
Detect application installations and prompt for elevation
Only elevate executables that are signed and validated
Only elevate UIAccess applications that are installed in secure locations
Run all administrators in Admin Approval Mode
Virtualize file and registry write failures to per-user locations
UAC in GPO
Modify User Account Control Settings

Elevation Prompt / Description
Never notify me: UAC is off.
Notify me only when programs try to make changes to my computer (do not dim my desktop): When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, no prompt appears.
Notify me only when programs try to make changes to my computer: When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, no prompt appears.
Always notify me: The user is always prompted when changes are made to the computer.
UAC Slide Bar
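The Group Policy settings and slider positions above are all stored as registry values. The following added example (not part of the original deck) reads those values on a Windows 7 machine, maps them back to the policy names on the slide, works out which slider position is in effect, and flags the combinations that weaken the protection. Run it in an elevated PowerShell session; the value-to-setting mapping is the standard one for the Policies\System key, and the default values assumed for absent entries are the Windows 7 defaults.

```powershell
# Added example (not part of the original deck): audit the registry values that
# the UAC Group Policy settings and the Control Panel slider write, and report
# the effective slider level and weak settings. Run elevated on Windows 7.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> Group Policy setting it implements
# (Local Security Policy > Security Options, "User Account Control: ...").
$UacSettingNames = @{
    'EnableLUA'                   = 'Run all administrators in Admin Approval Mode'
    'FilterAdministratorToken'    = 'Admin Approval Mode for the Built-in Administrator account'
    'EnableUIADesktopToggle'      = 'Allow UIAccess applications to prompt for elevation without using the secure desktop'
    'ConsentPromptBehaviorAdmin'  = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
    'ConsentPromptBehaviorUser'   = 'Behavior of the elevation prompt for standard users'
    'EnableInstallerDetection'    = 'Detect application installations and prompt for elevation'
    'ValidateAdminCodeSignatures' = 'Only elevate executables that are signed and validated'
    'EnableSecureUIAPaths'        = 'Only elevate UIAccess applications that are installed in secure locations'
    'PromptOnSecureDesktop'       = 'Switch to the secure desktop when prompting for elevation'
    'EnableVirtualization'        = 'Virtualize file and registry write failures to per-user locations'
}

# ConsentPromptBehaviorAdmin codes: which prompt an administrator in Admin
# Approval Mode sees (consent vs. credential prompt, secure desktop or not).
$AdminPromptBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Credential prompt on the secure desktop'
    2 = 'Consent prompt on the secure desktop'
    3 = 'Credential prompt'
    4 = 'Consent prompt'
    5 = 'Consent prompt for non-Windows binaries'
}

function Get-UacValue {
    # Returns a value, or the Windows 7 default when it has never been written.
    param([string]$Name, [int]$Default)
    $props = Get-ItemProperty -Path $UacKey
    if ($props.$Name -eq $null) { return $Default }
    return [int]$props.$Name
}

function Get-UacSetting {
    # One row per policy setting, for Format-Table or export.
    $props = Get-ItemProperty -Path $UacKey
    foreach ($name in $UacSettingNames.Keys) {
        New-Object PSObject -Property @{
            ValueName = $name
            Data      = $props.$name          # $null: not set, default applies
            Setting   = $UacSettingNames[$name]
        }
    }
}

function Get-UacSliderLevel {
    # Maps the values the slider changes to its four positions on the slide.
    $lua    = Get-UacValue 'EnableLUA' 1
    $admin  = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
    $secure = Get-UacValue 'PromptOnSecureDesktop' 1
    if ($lua -eq 0) { return 'Never notify me (UAC is off)' }
    switch ("$admin/$secure") {
        '2/1' { return 'Always notify me' }
        '5/1' { return 'Notify me only when programs try to make changes to my computer (default)' }
        '5/0' { return 'Notify me only when programs try to make changes to my computer (do not dim my desktop)' }
        '0/0' { return 'Never notify me (UAC is off)' }
    }
    return "Custom policy: administrators get '$($AdminPromptBehavior[$admin])'"
}

function Test-UacHardening {
    # Findings a reviewer would raise against the GPO settings listed on the slide.
    $findings = @()
    if ((Get-UacValue 'EnableLUA' 1) -eq 0) { $findings += 'EnableLUA=0: Admin Approval Mode is off; administrator processes run fully elevated' }
    if ((Get-UacValue 'ConsentPromptBehaviorAdmin' 5) -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt' }
    if ((Get-UacValue 'PromptOnSecureDesktop' 1) -eq 0) { $findings += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop instead of the secure desktop' }
    if ((Get-UacValue 'EnableInstallerDetection' 1) -eq 0) { $findings += 'EnableInstallerDetection=0: installers are not detected for elevation' }
    if ((Get-UacValue 'FilterAdministratorToken' 0) -eq 0) { $findings += 'FilterAdministratorToken=0: the built-in Administrator account is not in Admin Approval Mode' }
    return $findings
}

Get-UacSetting | Format-Table ValueName, Data, Setting -AutoSize
"Slider level: $(Get-UacSliderLevel)"
Test-UacHardening
```

The slider only touches EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop; any other value on the list is reachable only through Group Policy or the registry, which is why the report lists all ten rather than just the slider position.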
BitLocker and BitLocker To Go
Hardware Requirements for BitLocker Drive Encryption
BitLocker Functionality
BitLocker To Go
Locate a Recovery Password
Hardware Requirements for BitLocker Drive Encryption
Encryption and decryption key
A computer with Trusted Platform Module (TPM)
A removable USB memory device.
Hard drive
Have at least two partitions
Have a BIOS that is compatible with TPM and supports USB devices during computer startup.
Spectrum Of Protection
BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with. (Figure: the four options below are arranged on a scale from Ease of Use to Security.)
TPM Only ("What it is."): Protects against: SW-only attacks. Vulnerable to: HW attacks (including potentially "easy" HW attacks).
Dongle Only ("What you have."): Protects against: All HW attacks. Vulnerable to: Losing dongle; Pre-OS attacks.
TPM + PIN ("What you know."): Protects against: Many HW attacks. Vulnerable to: TPM breaking attacks.
TPM + Dongle ("Two what I have's."): Protects against: Many HW attacks. Vulnerable to: HW attacks.
BitLocker Functionality
Save recovery information in one of these formats
A 48-digit number divided into eight groups.
A Recovery Key in a format that can be read directly by
the BitLocker recovery console.
Configure how to access an encrypted drive
Use the Set BitLocker startup preferences window.
Select an access option:
USB
Enter the Passphrase by using function keys
No key
Performance & Security
4 levels of AES encryption, 128 & 256 bit
The diffuser is a new, unproven algorithm
The diffuser runs in about 10 clock cycles/byte
Combination with AES-CBC for performance & security
BitLocker To Go
Extends BitLocker Drive Encryption to portable devices
Manageable through Group Policy
Users choose to encrypt portable devices and use them to their fullest capabilities or leave them unencrypted and have them be read-only
Enable BitLocker Drive Encryption by right-clicking the device and then clicking Turn On BitLocker
Data on encrypted portable devices can be accessed from computers that do not have BitLocker enabled
BitLocker can be configured to unlock with one of the following:
Recovery Password or passphrase
Smart Card
Always auto-unlock this device on this PC
BitLocker-to-Go Format (diagram)
FAT32 Partition containing:
Visible but RO: Readme.txt, Wizard.exe, Autorun.inf
Hidden files (must be accessed using BitLockerToGo.exe): Meta Data, BitLocker Data File (COV 0000.ER), BitLocker Data File (COV 0000.BL)
Virtual Block: the BitLocker protected volume; invisible on the FAT32 partition, visible and mapped as a volume once unlocked
Prevent unencrypted use
BitLocker to Go
Locate a Recovery Password
Conditions that must be true:
Be a domain administrator or have delegated permissions
The client’s BitLocker recovery information is configured to be stored in AD
The client’s computer has been joined to the domain
BitLocker Drive Encryption must be enabled on the client’s computer
Before providing a password to a user:
Confirm the person is the account owner and is authorized to access
data on the computer in question
Examine the returned Recovery Password to make sure that it matches
the Password ID that was provided by the user
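The lookup itself, with the two checks the slide asks for, can be scripted. The following added example (not part of the original deck) searches Active Directory for the msFVE-RecoveryInformation objects stored under a computer account, picks the one whose recovery GUID starts with the Password ID the user read from the recovery screen, and validates the format of the 48-digit password before it is handed over. It uses only the .NET DirectorySearcher, so it runs on a Windows 7 client without RSAT; the caller still needs the delegated permission described above. Computer name and Password ID are supplied by the caller; the usage values at the end are constructed.

```powershell
# Added example (not part of the original deck): look up a BitLocker recovery
# password in AD by computer name and Password ID, and check its format.
# Uses System.DirectoryServices only; run as a delegated BitLocker recovery reader.

function Test-BitLockerRecoveryPassword {
    # Eight groups of six digits. Each group is a 16-bit value times 11, so it
    # must be divisible by 11 and below 65536 * 11 = 720896; typos fail this.
    param([string]$Password)
    if ($Password -notmatch '^(\d{6}-){7}\d{6}$') { return $false }
    foreach ($group in ($Password -split '-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-BitLockerRecoveryPassword {
    param(
        [string]$ComputerName,   # e.g. WKS-0123 (without the trailing $)
        [string]$PasswordId      # first 8 hex characters shown on the recovery screen
    )
    # Guard the LDAP filter: both inputs have a fixed shape, reject anything else.
    if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') { throw 'Invalid computer name' }
    if ($PasswordId -notmatch '^[0-9A-Fa-f]{8}$') { throw 'Password ID must be 8 hex characters' }

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $searcher.FindOne()
    if ($computer -eq $null) { throw "Computer account $ComputerName not found in AD" }

    # Recovery objects are children of the computer object, one per protector.
    $searcher.SearchRoot  = $computer.GetDirectoryEntry()
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'))

    foreach ($result in $searcher.FindAll()) {
        $guidBytes = [byte[]]$result.Properties['msfve-recoveryguid'][0]
        $guid = New-Object System.Guid -ArgumentList (,$guidBytes)
        # The Password ID shown to the user is the first 8 characters of this GUID.
        if ($guid.ToString().Substring(0, 8) -ieq $PasswordId) {
            $password = [string]$result.Properties['msfve-recoverypassword'][0]
            return New-Object PSObject -Property @{
                ComputerName     = $ComputerName
                PasswordId       = $guid.ToString().Substring(0, 8).ToUpper()
                RecoveryGuid     = $guid
                RecoveryPassword = $password
                FormatValid      = (Test-BitLockerRecoveryPassword $password)
                Created          = $result.Properties['whencreated'][0]
            }
        }
    }
    throw "No recovery information with Password ID $PasswordId under $ComputerName"
}

# Usage (constructed values). Confirm the caller is the account owner first, then:
# Find-BitLockerRecoveryPassword -ComputerName 'WKS-0123' -PasswordId '1A2B3C4D'
```

Compare the PasswordId field of the returned object with what the user read out before reading the password back; if FormatValid is false, the stored value is corrupt and should not be given out.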
AppLocker
AppLocker Definition and Setup
Application Rules
Enforce and Validate AppLocker Rules
Definition and Setup
AppLocker
Enables IT professionals to specify exactly what is allowed to run on user desktops
Allows users to run the applications, installation programs, and scripts that they need to be productive
Default rules
Make sure key operating system files run for all users
Prevent non-administrator users from running programs installed in their user profile directory
Can be recreated at any time
Application Rules

Type / Description / Merge rule
Hash: Uses the file hash of a file. No optimizations are possible because each hash is unique.
Path: Uses a folder path or file path. If two path rules have the same paths, they are merged into a single rule.
Publisher: Uses the attributes of a digitally signed file, like publisher or version. If two publisher rules have the exact same publisher and product fields, they are merged.
Enforce and Validate AppLocker Rules
Enforcement
In Local Security Policy, Configure Rule Enforcement area
Refresh computer's policy with gpupdate /force

Option / Description
Enforce rules, but allow setting to be overridden: Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Enforce rules: Rules are enforced.
Audit only: Rules are audited, but not enforced.
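The rule types, the merge behaviour and the enforcement modes above can be exercised end to end from PowerShell. The following added example (not part of the original deck) uses the AppLocker module that ships with Windows 7 Enterprise and Ultimate to generate publisher rules (hash rules for unsigned files) for an application folder, switch every rule collection to Audit only, test the policy against sample files before it goes live, merge it into the local policy, and read back the audit events. The application folder, the output path and the sample file paths are assumptions; as the deck advises, create the default rules in the snap-in first so operating system files stay runnable once you move to Enforce rules.

```powershell
# Added example (not part of the original deck): generate AppLocker rules for an
# application folder, test them, deploy them in audit-only mode, read the events.
# Requires the Windows 7 AppLocker module; run elevated.

Import-Module AppLocker

$AppFolder = 'C:\Program Files\Contoso App'     # hypothetical application folder
$PolicyXml = "$env:TEMP\contoso-applocker.xml"  # where the generated policy is saved

function New-AuditAppLockerPolicy {
    # Publisher rules for signed files, hash rules for the rest. -Optimize merges
    # rules whose publisher and product fields match (the Merge rule column above).
    $files = Get-AppLockerFileInformation -Directory $AppFolder -Recurse -FileType Exe, Script
    $xmlText = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix Contoso -Optimize -Xml
    # Start every rule collection in AuditOnly: events are logged, nothing is blocked.
    $xml = [xml]$xmlText
    foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $xml.Save($PolicyXml)
    return $PolicyXml
}

function Test-PolicyAgainstFiles {
    # Dry run: what the saved policy would do to each file, and which rule matched.
    param([string[]]$Paths)
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Publish-AuditAppLockerPolicy {
    # Merge into the local policy, make sure the Application Identity service
    # (AppLocker does nothing without it) starts automatically, then refresh policy.
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    gpupdate.exe /force | Out-Null
}

function Get-AppLockerAuditEvent {
    # 8002/8005 = allowed, 8003/8006 = would have been blocked (Audit only),
    # 8004/8007 = blocked. Only the last two kinds are returned here.
    param([int]$MaxEvents = 50)
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    foreach ($log in $logs) {
        Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Where-Object { (8003, 8004, 8006, 8007) -contains $_.Id } |
            Select-Object TimeCreated, Id,
                @{ n = 'Verdict'; e = { if ($_.Id -eq 8003 -or $_.Id -eq 8006) { 'Audit: would block' } else { 'Blocked' } } },
                Message
    }
}

# Usage: build, test, deploy, then review the audit events before switching the
# collections to Enforce rules in the snap-in.
# New-AuditAppLockerPolicy
# Test-PolicyAgainstFiles -Paths "$AppFolder\app.exe", "$env:TEMP\unknown.exe"
# Publish-AuditAppLockerPolicy
# Get-AppLockerAuditEvent | Format-Table -AutoSize
```

Running in Audit only for a while and reading the 8003/8006 events is how you find the applications the rules missed; once that list is empty, change EnforcementMode to Enabled (or use the Configure Rule Enforcement dialog) and run gpupdate /force again.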
Windows Defender
Overview
Alert Levels
Windows Defender Tasks
Overview
Three ways to help protect the computer:
Real-time protection (RTP)
The SpyNet community
Scanning options
Definitions
Used to determine if software that it detects is spyware or other potentially unwanted software, and then to alert you to potential risks.
Works with Windows Update to automatically install new definitions as they are released.
Set Windows Defender to check online for updated definitions before scanning.
Alert Levels
Help you choose how to respond to spyware and
potentially unwanted software
Severe - remove this software immediately.
High - remove this software immediately.
Medium - review the alert details, consider blocking the software.
Low - review the alert details to see if you trust the publisher.
Actions
Quarantine - software is moved to another location on the computer; prevents the software from running until you choose to restore or remove it from the computer.
Remove - permanently deletes the software from the computer.
Allow - adds the software to the Windows Defender allowed list and allows it to run on the computer. Add software to the allowed list only if you trust the software and the software publisher.
Windows Defender Tasks
Turn on Windows Defender
Enable real-time protection
Automatically check for new definitions
Schedule a scan
Manually scan for new definitions
Windows Defender helps automatically remove malicious software.
Windows Defender
Performance enhancement
Removed the Software Explorer tool
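The task list above (check for definitions, scan, schedule a scan, deal with quarantined items) can be scripted with MpCmdRun.exe, the command-line tool that ships with Windows Defender. The following added example (not part of the original deck) wraps the update and scan commands, lists quarantined items, and registers a weekly full scan through the Task Scheduler COM interface, which avoids the quoting problems of passing a path with spaces to schtasks. The task name and schedule are assumptions; run elevated on Windows 7.

```powershell
# Added example (not part of the original deck): script the Windows Defender
# tasks on Windows 7 with MpCmdRun.exe: update definitions, scan, list
# quarantine, and schedule a weekly full scan. Run elevated.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Update-DefenderDefinitions {
    # Same as "Check for updates now" in the UI: fetches definitions via Windows Update.
    & $MpCmdRun -SignatureUpdate | Out-Null
    return $LASTEXITCODE          # 0 = success
}

function Start-DefenderScan {
    # ScanType 1 = quick scan, 2 = full scan (MpCmdRun's own codes).
    param([ValidateSet('Quick', 'Full')][string]$ScanType = 'Quick')
    $code = @{ Quick = 1; Full = 2 }[$ScanType]
    & $MpCmdRun -Scan -ScanType $code | Out-Null
    return $LASTEXITCODE          # non-zero: the scan did not complete cleanly
}

function Get-DefenderQuarantine {
    # Items set aside by the Quarantine action; restore or remove them in the UI.
    & $MpCmdRun -Restore -ListAll
}

function Register-DefenderFullScanTask {
    param([string]$TaskName = 'Defender weekly full scan', [int]$Hour = 2)
    $service = New-Object -ComObject 'Schedule.Service'
    $service.Connect()
    $task = $service.NewTask(0)
    $task.RegistrationInfo.Description = 'Weekly Windows Defender full scan (added example)'
    $task.Settings.StartWhenAvailable = $true   # run late if the PC was off at the scheduled time
    $trigger = $task.Triggers.Create(3)         # 3 = TASK_TRIGGER_WEEKLY
    $trigger.StartBoundary = (Get-Date -Hour $Hour -Minute 0 -Second 0).ToString('yyyy-MM-ddTHH:mm:ss')
    $trigger.DaysOfWeek    = 1                  # bit 1 = Sunday
    $trigger.WeeksInterval = 1
    $action = $task.Actions.Create(0)           # 0 = TASK_ACTION_EXEC
    $action.Path      = $MpCmdRun               # path and arguments are separate, so no quoting needed
    $action.Arguments = '-Scan -ScanType 2'
    $task.Principal.UserId    = 'SYSTEM'
    $task.Principal.LogonType = 5               # 5 = TASK_LOGON_SERVICE_ACCOUNT
    $task.Principal.RunLevel  = 1               # 1 = TASK_RUNLEVEL_HIGHEST
    $folder = $service.GetFolder('\')
    # 6 = TASK_CREATE_OR_UPDATE; service-account logon needs no password
    [void]$folder.RegisterTaskDefinition($TaskName, $task, 6, $null, $null, 5)
}

# Usage: refresh definitions before scanning, as the slide recommends.
# if ((Update-DefenderDefinitions) -eq 0) { Start-DefenderScan -ScanType Quick }
# Register-DefenderFullScanTask
# Get-DefenderQuarantine
```

The scheduled task runs as SYSTEM so it does not depend on a user being logged on; the scan's own log lines appear in the Windows Defender history in the UI as usual.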
Session Summary
Security and User Productivity Enhancements
Customizable UAC requires fewer instances of elevation prompts
Manageable through Group Policy
BitLocker and BitLocker To Go
BitLocker To Go extends BitLocker Drive Encryption to password-protected portable media
Users choose to encrypt drive or leave read-only
Manageable through Group Policy
AppLocker
Provides a rule-based structure to specify which applications are available to which end users
Create default rules first
View rule event information in the Event Viewer
Windows Defender
Integrated with Action Center
Provides an improved user experience when scanning for spyware or manually checking for updates.
Q&A
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Evaluation Survey Link
Help us improve our seminars by filling out a short online evaluation survey at:
http://www.surveymonkey.com/s/10SpWinIT1
Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/