Windows 7 for IT Professionals Part 1:
Security and Control
Donald Hester
May 4, 2010
For audio call Toll Free 1-888-886-3951
and use PIN/code 227625
Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using
the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
Windows 7 for IT Professionals Part 1:
Security and Control
Donald Hester
Session Overview
 User Account Control
 Windows BitLocker™ and Windows
BitLocker To Go™
 Windows AppLocker™
 Windows Defender
User Account Control
 User Groups
 UAC Security Settings
 Modify User Account Control Settings
User Groups
User Groups
Standard Users
Administrators
Type of Elevation Prompt
Consent Prompt
Credential Prompt
Description
Displayed to administrators in
Admin Approval Mode when
they attempt to perform an
administrative task. It
requests approval to continue
from the user.
Displayed to standard users
when they attempt to perform
an administrative task.
UAC Security Settings
Admin Approval Mode for the Built-in Administrator account
 Allow UIAccess applications to prompt for elevation without
using the secure desktop
 Behavior of the elevation prompt for administrators in Admin
Approval Mode
 Behavior of the elevation prompt for standard users
 Detect application installations and prompt for elevation
 Only elevate executables that are signed and validated
 Only elevate UIAccess applications that are installed in
secure locations
 Run all administrators in Admin Approval Mode
 Virtualize file and registry write failures to per-user locations
UAC in GPO
Modify User Account Control
Settings
Elevation Prompt
Description
Never notify me
UAC is off.
Notify me only when
programs try to make
changes to my computer (do
not dim my desktop)
When a program makes a
change, a prompt appears, but the
desktop is not dimmed.
Otherwise, no prompt appears.
When a program makes a
change, a prompt appears, and
the desktop is dimmed to provide
a visual cue that installation is
being attempted. Otherwise, no
prompt appears.
Notify me only when
programs try to make
changes to my computer
Always notify me
The user is always prompted
when changes are made to the
computer.
UAC Slide Bar
BitLocker and BitLocker To Go
 Hardware Requirements for BitLocker
Drive Encryption
 BitLocker Functionality
 BitLocker To Go
 Locate a Recovery Password
Hardware Requirements for
BitLocker Drive Encryption
Encryption and decryption key
 A computer with Trusted Platform Module (TPM)
 A removable USB memory device.
Hard drive
Have at least two partitions
Have a BIOS that is compatible with TPM and
supports USB devices during computer startup.
Spectrum Of Protection
Ease of Use
BDE offers a spectrum of protection
allowing customers to balance easeof-use against the threats they are
most concerned with.
TPM Only
“What it is.”
Protects against:
SW-only attacks
Vulnerable to: HW
attacks (including
potentially “easy”
HW attacks)
Dongle Only
“What you have.”
Protects against:
All HW attacks
Vulnerable to:
Losing dongle
Pre-OS attacks
******
TPM + PIN
*
“What you know.”
Protects against:
Many HW attacks
Vulnerable to: TPM
breaking attacks
Security
TPM + Dongle
“Two what I
have’s.”
Protects against:
Many HW attacks
Vulnerable to: HW
attacks
17
BitLocker Functionality
Save recovery information in one of these formats
A 48-digit number divided into eight groups.
A Recovery Key in a format that can be read directly by
the BitLocker recovery console.
Configure how to access an encrypted drive
Use the Set BitLocker startup preferences window.
Select an access option:
 USB
 Enter the Passphrase by using function keys
 No key
Performance & Security
 4 levels of AES
encryption
 128 & 256 bit
 the diffuser is a new
unproven algorithm
 diffuser runs in about
10 clock cycles/byte
 Combination with AESCBC for performance &
security
BitLocker To Go
 Extends BitLocker Drive Encryption to portable devices
 Manageable through Group Policy

Users choose to encrypt portable devices and use them to their
fullest capabilities or leave them unencrypted and have them
be read-only
 Enable BitLocker Drive Encryption by right-clicking the
device and then clicking Turn On BitLocker

Data on encrypted portable devices can be accessed from

BitLocker can be configured to unlock with one of the following:
computers that do not have BitLocker enabled
 Recovery Password or passphrase
 Smart Card
 Always auto-unlock this device on this PC
BitLocker-to-Go Format
Visible
but RO
Readme.txt
Hidden files - Must be accessed
using BitLockerToGo.exe
Meta
Data
BitLocker Data File
(COV 0000.ER)
BitLocker Data File
(COV 0000.BL)
Wizard.exe
Virtual
Block
Autorun.inf
BitLocker protected volume
FAT32 Partition
Invisible
Visible, mapped as a volume
Prevent unencrypted use
22
23
BitLocker to Go
24
Locate a Recovery Password
Conditions that must be true:
Be a domain administrator or have delegated permissions
The client’s BitLocker recovery information is configured to be stored in AD
The client’s computer has been joined to the domain
BitLocker Drive Encryption must be enabled on the client’s computer
Before providing a password to a user:
 Confirm the person is the account owner and is authorized to access
data on the computer in question
 Examine the returned Recovery Password to make sure that it matches
the Password ID that was provided by the user
AppLocker
 AppLocker Definition and Setup
 Application Rules
 Enforce and Validate AppLocker Rules
Definition and Setup
AppLocker
 Enables IT professionals to specify exactly
what is allowed to run on user desktops
users to run the applications, installation
 Allows
programs, and scripts that they need to be productive
Default rules
 Make sure key operating system files run for
all users
Prevent non-administrator users from running

programs installed in their user profile directory
 Can be recreated at anytime
Application Rules
Type
Description
Merge rule
If two path rules
have the same
paths, they are
merged into a
single rule.
Hash
Uses the file hash of a
file
Path
If two publisher
rules have the
Uses a folder path or file exact same
path
publisher and
product fields, they
are merged.
Publisher
Uses the attributes of a
digitally signed file, like
publisher or version
No optimizations
are possible
because each hash
is unique.
Enforce and Validate AppLocker
Rules
Enforcement
In Local Security Policy, Configure Rule
Enforcement area
Refresh computer’s policy with gpupdate /force
Option
Description
Default setting. If linked GPOs contain
Enforce rules, but a different setting, that setting is used.
allow setting to be If any rules are present in the
corresponding rule collection, they are
overridden
enforced.
Enforce rules
Audit only
Rules are enforced.
Rules are audited, but not enforced.
Windows Defender
 Overview
 Alert Levels
 Windows Defender Tasks
Overview
Three ways to help protect the computer:
Real-time protection (RTP)
The SpyNet community
Scanning options
Definitions
 Used to determine if software that it detects is spyware or other
potentially unwanted software, and then to alert you to potential risks.
 Works with Windows Update to automatically install new definitions as
they are released.
 Set Windows Defender to check online for updated definitions before
scanning.
Alert Levels
Help you choose how to respond to spyware and
potentially unwanted software




Severe - remove this software immediately.
High - remove this software immediately.
Medium - review the alert details, consider blocking the software.
Low - review the alert details to see if you trust the publisher.
Actions
 Quarantine – software is moved to another location on the computer;
prevents the software from running until you choose to restore or
remove it from the computer.
 Remove - permanently deletes the software from the computer.
 Allow - adds the software to the Windows Defender allowed list and
allows it to run on the computer. Add software to the allowed list only if
you trust the software and the software publisher.
Windows Defender Tasks
 Turn on Windows Defender
 Enable real-time protection
 Automatically check for new definitions
 Schedule a scan
 Manually scan for new definitions
Windows Defender helps
automatically
remove malicious software.
Windows Defender
 Performance enhancement
 Removed the Software Explorer tool
Session Summary
Security and User Productivity Enhancements


Customizable UAC requires fewer instances of elevation prompts
Manageable through Group Policy
BitLocker and BitLocker To Go

BitLocker To Go extends BitLocker Drive Encryption to password-protected portable
media


Users choose to encrypt drive or leave read-only
Manageable through Group Policy
AppLocker



Provides a rule-based structure to specify which applications are available
to which end users
Create default rules first
View rule event information in the Event Viewer
Windows Defender


Integrated with Action Center
Provides an improved user experience when scanning for spyware or
manually checking for updates.
Q&A
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Evaluation Survey Link
Help us improve our seminars by filing
out a short online evaluation survey at:
http://www.surveymonkey.com/s/10SpWinIT1
Windows 7 for IT Professionals Part 1:
Security and Control
Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/