Windows 7 for IT Professionals
Part 1: Security and Control
Donald Hester
May 4, 2010

For audio, call toll free 1-888-886-3951 and use PIN/code 227625.

Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.

Adjusting Audio
1) If you're listening on your computer, adjust your volume using the speaker slider.
2) If you're listening over the phone, click on the phone headset icon. Do not listen on both computer and phone.

Saving Files & Open/Close Captions
1. Save the chat window with the floppy disc icon.
2. Open/close the captioning window with the CC icon.

Emoticons and Polling
1) Raise hand and emoticons
2) Polling options

Session Overview
• User Account Control
• Windows BitLocker™ and Windows BitLocker To Go™
• Windows AppLocker™
• Windows Defender

User Account Control
• User Groups
• UAC Security Settings
• Modify User Account Control Settings

User Groups
• Standard Users
• Administrators

Type of elevation prompt: Description
• Consent Prompt: Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user.
• Credential Prompt: Displayed to standard users when they attempt to perform an administrative task.
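The consent and credential prompts above, the UAC Group Policy settings the deck lists next, and the four slider positions are all backed by values under one registry key. The following PowerShell is an added example, not part of the original deck: it reads those values so a workstation's UAC configuration can be audited from a script rather than by opening the slider. The value names are the documented UAC policy values; the mapping from ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to the slider positions is my reading of how the slider writes them, and should be confirmed against the machine's own Control Panel.

```powershell
# Added example (not from the deck): audit the UAC policy values behind the
# Group Policy settings and the User Account Control Settings slider.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSettings {
    $p = Get-ItemProperty -Path $uacKey
    # Documented registry value -> the Group Policy setting it implements.
    $map = @(
        @{ Name = 'EnableLUA';                   Policy = 'Run all administrators in Admin Approval Mode' },
        @{ Name = 'FilterAdministratorToken';    Policy = 'Admin Approval Mode for the Built-in Administrator account' },
        @{ Name = 'ConsentPromptBehaviorAdmin';  Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode' },
        @{ Name = 'ConsentPromptBehaviorUser';   Policy = 'Behavior of the elevation prompt for standard users' },
        @{ Name = 'EnableInstallerDetection';    Policy = 'Detect application installations and prompt for elevation' },
        @{ Name = 'ValidateAdminCodeSignatures'; Policy = 'Only elevate executables that are signed and validated' },
        @{ Name = 'EnableSecureUIAPaths';        Policy = 'Only elevate UIAccess applications that are installed in secure locations' },
        @{ Name = 'EnableUIADesktopToggle';      Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop' },
        @{ Name = 'PromptOnSecureDesktop';       Policy = 'Switch to the secure desktop when prompting for elevation' },
        @{ Name = 'EnableVirtualization';        Policy = 'Virtualize file and registry write failures to per-user locations' }
    )
    foreach ($m in $map) {
        # A missing value means the setting has never been written; it shows as blank.
        New-Object PSObject -Property @{ Value = $m.Name; Setting = $p.($m.Name); Policy = $m.Policy }
    }
}

function Get-UacSliderPosition {
    # Assumption (my reading of the slider): EnableLUA=0 is the bottom position,
    # ConsentPromptBehaviorAdmin 2 = always notify, 5 = notify for non-Windows
    # binaries, with PromptOnSecureDesktop deciding whether the desktop is dimmed.
    $p = Get-ItemProperty -Path $uacKey
    if ($p.EnableLUA -eq 0) { return 'Never notify me (UAC is off)' }
    switch ($p.ConsentPromptBehaviorAdmin) {
        2 { 'Always notify me' }
        5 {
            if ($p.PromptOnSecureDesktop -eq 1) { 'Notify me only when programs try to make changes to my computer' }
            else { 'Notify me only when programs try to make changes to my computer (do not dim my desktop)' }
        }
        0 { 'Elevate without prompting: administrators are never asked (weaker than any slider position)' }
        default { "Custom policy: ConsentPromptBehaviorAdmin = $($p.ConsentPromptBehaviorAdmin)" }
    }
}

Get-UacSettings | Format-Table Value, Setting, Policy -AutoSize
Get-UacSliderPosition
```

Reading the values is enough to spot the two states that matter most to a defender: EnableLUA set to 0 (UAC off entirely) and ConsentPromptBehaviorAdmin set to 0 (silent elevation, which the slider never produces but a script or policy can). Both deserve a finding in a workstation baseline review.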
UAC Security Settings
• Admin Approval Mode for the Built-in Administrator account
• Allow UIAccess applications to prompt for elevation without using the secure desktop
• Behavior of the elevation prompt for administrators in Admin Approval Mode
• Behavior of the elevation prompt for standard users
• Detect application installations and prompt for elevation
• Only elevate executables that are signed and validated
• Only elevate UIAccess applications that are installed in secure locations
• Run all administrators in Admin Approval Mode
• Virtualize file and registry write failures to per-user locations

UAC in GPO

Modify User Account Control Settings
Elevation prompt: Description
• Never notify me: UAC is off.
• Notify me only when programs try to make changes to my computer (do not dim my desktop): When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, no prompt appears.
• Notify me only when programs try to make changes to my computer: When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, no prompt appears.
• Always notify me: The user is always prompted when changes are made to the computer.

UAC Slide Bar

BitLocker and BitLocker To Go
• Hardware Requirements for BitLocker Drive Encryption
• BitLocker Functionality
• BitLocker To Go
• Locate a Recovery Password

Hardware Requirements for BitLocker Drive Encryption
Encryption and decryption key:
• A computer with a Trusted Platform Module (TPM)
• A removable USB memory device
Hard drive:
• Have at least two partitions.
• Have a BIOS that is compatible with TPM and supports USB devices during computer startup.

Spectrum of Protection
BDE offers a spectrum of protection allowing customers to balance ease of use against the threats they are most concerned with. (Diagram axes: Ease of Use versus Security.)
• TPM Only: "What it is."
  Protects against: SW-only attacks.
  Vulnerable to: HW attacks (including potentially "easy" HW attacks).
• Dongle Only: "What you have."
  Protects against: All HW attacks.
  Vulnerable to: Losing the dongle; pre-OS attacks.
• TPM + PIN: "What you know."
  Protects against: Many HW attacks.
  Vulnerable to: TPM-breaking attacks.
• TPM + Dongle: "Two what-I-have's."
  Protects against: Many HW attacks.
  Vulnerable to: HW attacks.

BitLocker Functionality
Save recovery information in one of these formats:
• A 48-digit number divided into eight groups.
• A Recovery Key in a format that can be read directly by the BitLocker recovery console.
Configure how to access an encrypted drive:
• Use the Set BitLocker startup preferences window.
• Select an access option: USB; enter the passphrase by using function keys; no key.

Performance & Security
• 4 levels of AES encryption, 128 and 256 bit.
• The diffuser is a new, unproven algorithm.
• The diffuser runs in about 10 clock cycles/byte.
• Combination with AES-CBC for performance and security.

BitLocker To Go
• Extends BitLocker Drive Encryption to portable devices.
• Manageable through Group Policy.
• Users choose to encrypt portable devices and use them to their fullest capabilities, or leave them unencrypted and have them be read-only.
• Enable BitLocker Drive Encryption by right-clicking the device and then clicking Turn On BitLocker.
• Data on encrypted portable devices can be accessed from computers that do not have BitLocker enabled.
• BitLocker can be configured to unlock with one of the following:
  – Recovery Password or passphrase
  – Smart Card
  – Always auto-unlock this device on this PC

BitLocker To Go Format
[Diagram of a BitLocker To Go drive, reconstructed from its labels: a FAT32 partition that carries the BitLocker protected volume. Visible but read-only: Readme.txt. Hidden files, which must be accessed using BitLockerToGo.exe: Meta Data, BitLocker Data File (COV 0000.ER), BitLocker Data File (COV 0000.BL). Other labels: Wizard.exe, Virtual Block, Autorun.inf. The protected volume is invisible until unlocked, then visible and mapped as a volume. Purpose: prevent unencrypted use.]

Locate a Recovery Password
Conditions that must be true:
• Be a domain administrator or have delegated permissions.
• The client's BitLocker recovery information is configured to be stored in AD.
• The client's computer has been joined to the domain.
• BitLocker Drive Encryption must be enabled on the client's computer.
Before providing a password to a user:
• Confirm the person is the account owner and is authorized to access data on the computer in question.
• Examine the returned Recovery Password to make sure that it matches the Password ID that was provided by the user.

AppLocker
• AppLocker Definition and Setup
• Application Rules
• Enforce and Validate AppLocker Rules

Definition and Setup
AppLocker:
• Enables IT professionals to specify exactly what is allowed to run on user desktops.
• Allows users to run the applications, installation programs, and scripts that they need to be productive.
Default rules:
• Make sure key operating system files run for all users.
• Prevent non-administrator users from running programs installed in their user profile directory.
• Can be recreated at any time.

Application Rules
Type: Description. Merge rule.
• Hash: Uses the file hash of a file. No optimizations are possible because each hash is unique.
• Path: Uses a folder path or file. If two path rules have the same paths, they are merged into a single rule.
• Publisher: Uses the attributes of a digitally signed file, like publisher or version. If two publisher rules have the exact same publisher and product fields, they are merged.

Enforce and Validate AppLocker Rules
Enforcement:
• In Local Security Policy, use the Configure Rule Enforcement area.
• Refresh the computer's policy with gpupdate /force.
Option: Description
• Enforce rules, but allow setting to be overridden: Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
• Enforce rules: Rules are enforced.
• Audit only: Rules are audited, but not enforced.
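The "Locate a Recovery Password" procedure above ends with two checks the help desk must do by hand: match the returned password to the Password ID the user read from the recovery screen, and make sure the 48-digit string is well formed before reading it out. The following PowerShell is an added example, not part of the original deck. It assumes the ActiveDirectory module (RSAT) and the delegated permissions the slide lists; the object class msFVE-RecoveryInformation and the attributes msFVE-RecoveryPassword and msFVE-RecoveryGuid are the schema names BitLocker uses when recovery information is stored in AD, and the Password ID is the first eight hexadecimal characters of that GUID. The computer name and Password ID in the final call are placeholders.

```powershell
# Added example (not from the deck): check the format of a BitLocker recovery
# password and locate a stored password in AD by the user's Password ID.
Import-Module ActiveDirectory

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$Password)
    # 48 digits in eight groups of six, separated by hyphens.
    if ($Password -notmatch '^(\d{6}-){7}\d{6}$') { return $false }
    # Each six-digit group carries its own check: it must be divisible by 11,
    # and the quotient must fit in 16 bits, so the group is below 720896.
    foreach ($group in $Password.Split('-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$PasswordId   # the 8 characters shown on the recovery screen
    )
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery information lives in msFVE-RecoveryInformation objects directly
    # under the computer object; a computer can have several (one per protector).
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', whenCreated
    foreach ($e in $entries) {
        # The GUID is stored as an octet string; the Password ID the user sees
        # is the first 8 hex characters of its string form.
        $guid = New-Object Guid (,[byte[]]$e.'msFVE-RecoveryGuid')
        $id   = $guid.ToString('D').Substring(0, 8).ToUpper()
        if ($id -eq $PasswordId.ToUpper()) {
            $pw = $e.'msFVE-RecoveryPassword'
            New-Object PSObject -Property @{
                Computer   = $ComputerName
                PasswordId = $id
                Created    = $e.whenCreated
                Password   = $pw
                FormatOk   = Test-BitLockerRecoveryPassword -Password $pw
            }
        }
    }
}

# Constructed values for the format check only; these are not real recovery passwords.
# In the first, every group is a multiple of 11 below 720896; in the second, 89 is not.
Test-BitLockerRecoveryPassword -Password '000011-000022-000033-000044-000055-000066-000077-000088'
Test-BitLockerRecoveryPassword -Password '000011-000022-000033-000044-000055-000066-000077-000089'

# Lookup with placeholder names (run as a delegated recovery operator):
# Find-BitLockerRecoveryPassword -ComputerName 'WKS-PLACEHOLDER' -PasswordId '1A2B3C4D'
```

Matching on the Password ID rather than picking the newest entry matters because a computer that has been re-encrypted or had protectors added keeps several recovery objects; handing out the wrong one fails the recovery and tempts the operator to read out every stored password. The identity check on the caller is still a human step, as the slide says, and nothing here replaces it.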
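The rule types, the merge behaviour and the three enforcement options above can all be driven from the AppLocker PowerShell module that ships with Windows 7, which is also the easiest way to start in audit-only mode and then read the resulting events. The following script is an added example, not part of the deck: it builds rules for one application folder (publisher rules where files are signed, hash rules as the fallback), switches the generated rule collections to audit-only, merges them into the local policy alongside the default rules created earlier in the console, and then validates and reviews. The folder path and rule-name prefix are placeholders; the cmdlets and the event IDs 8002, 8003 and 8004 in the Microsoft-Windows-AppLocker/EXE and DLL log are real.

```powershell
# Added example (not from the deck): generate AppLocker rules for one folder,
# apply them in audit-only mode, validate, and review the audit events.
Import-Module AppLocker

$appFolder  = 'C:\Program Files\ExampleApp'            # placeholder application folder
$policyFile = Join-Path $env:TEMP 'ExampleApp-AppLocker.xml'

# -RuleType lists rule kinds in order of preference: publisher rules for signed
# files, hash rules for the rest. -Optimize merges publisher rules that share
# publisher and product (the merge table above); hash rules cannot be merged.
$policyXml = Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe, Script |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix ExampleApp -Optimize -Xml

# Generated collections carry the default ("not configured") enforcement mode.
# Set them to audit-only so violations are logged (event 8003) but not blocked.
$doc = [xml]$policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyFile)

# Merge with the existing local policy (keeps the default rules) and refresh.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
gpupdate /force

# Validate: decide offline how the effective policy treats each executable.
$exes = Get-ChildItem -Path $appFolder -Recurse -Include *.exe | ForEach-Object { $_.FullName }
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $exes -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Review: 8002 = allowed, 8003 = would have been blocked (audit only), 8004 = blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it as an administrator. Audit-only is the right first step because a path or hash rule that misses one helper executable shows up as an 8003 event instead of a help-desk call; once the log is quiet for the application's normal use, flip the collections to Enabled. AppLocker decisions are only made while the Application Identity service is running, so a validation pass that reports everything allowed should also confirm that service is started.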
Windows Defender
• Overview
• Alert Levels
• Windows Defender Tasks

Overview
Three ways to help protect the computer:
• Real-time protection (RTP)
• The SpyNet community
• Scanning options
Definitions:
• Used to determine if software that it detects is spyware or other potentially unwanted software, and then to alert you to potential risks.
• Work with Windows Update to automatically install new definitions as they are released.
• Set Windows Defender to check online for updated definitions before scanning.

Alert Levels
Help you choose how to respond to spyware and potentially unwanted software:
• Severe: remove this software immediately.
• High: remove this software immediately.
• Medium: review the alert details; consider blocking the software.
• Low: review the alert details to see if you trust the publisher.
Actions:
• Quarantine: software is moved to another location on the computer; this prevents the software from running until you choose to restore or remove it from the computer.
• Remove: permanently deletes the software from the computer.
• Allow: adds the software to the Windows Defender allowed list and allows it to run on the computer. Add software to the allowed list only if you trust the software and the software publisher.

Windows Defender Tasks
• Turn on Windows Defender
• Enable real-time protection
• Automatically check for new definitions
• Schedule a scan
• Manually scan for new definitions
Windows Defender helps automatically remove malicious software.
Windows Defender
• Performance enhancement
• Removed the Software Explorer tool

Session Summary
Security and User Productivity Enhancements
• Customizable UAC requires fewer instances of elevation prompts.
• Manageable through Group Policy.
BitLocker and BitLocker To Go
• BitLocker To Go extends BitLocker Drive Encryption to password-protected portable media.
• Users choose to encrypt the drive or leave it read-only.
• Manageable through Group Policy.
AppLocker
• Provides a rule-based structure to specify which applications are available to which end users.
• Create default rules first.
• View rule event information in the Event Viewer.
Windows Defender
• Integrated with Action Center.
• Provides an improved user experience when scanning for spyware or manually checking for updates.

Q&A
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486

Evaluation Survey Link
Help us improve our seminars by filling out a short online evaluation survey at:
http://www.surveymonkey.com/s/10SpWinIT1

Thanks for attending
For upcoming events and links to recently archived seminars, check the @ONE Web site at:
http://onefortraining.org/