Safeguarding Your Computer

To keep pace with constantly evolving security threats, the Windows operating system must also
evolve and provide new ways of protecting your computer. Windows Vista meets this challenge
by expanding the security offerings of Windows XP in a variety of ways and by providing
entirely new security features, such as Windows Service Hardening and Network Access
Protection. Together these features offer additional layers of protection for your computer.
Getting to Know the Windows Vista Expanded Security Features
Windows Vista expands the security features offered in earlier versions of Windows in several
ways. To ensure that organizations have a wide variety of authentication mechanisms to choose
from, Windows Vista includes a new authentication architecture that is both extensible and
customizable. Because the new architecture makes it easier for third-party developers to extend
and customize the Windows Vista authentication mechanisms, this should lead to more choices
for smart cards, biometrics, and other forms of strong authentication.
Windows Vista provides enhancements to the Kerberos authentication protocol and smart card
logons. Deployment and management tools, such as self-service personal identification number
(PIN) reset tools, make smart cards easier to manage. Windows Vista also has improved support
for data protection at the document, file, folder, and machine level.
With integrated rights management, you can enforce policies regarding document access and
usage. The Encrypting File System (EFS), which provides user-based file and folder encryption,
has been enhanced to allow storage of encryption keys on smart cards, providing better
protection of encryption keys. To extend the level of data encryption protection beyond files and
folders, Windows Vista includes support for Trusted Platform Modules and BitLocker Drive
Encryption. On a computer with appropriate enabling hardware, these features validate boot
integrity and provide full disk encryption, which helps protect data from being compromised on
a lost or stolen machine.
Getting Started with Network Access Protection
Business versions of Windows Vista include Network Access Protection (NAP) to prevent a
Windows Vista–based client from connecting to your private network if the client lacks current
security updates and virus signatures or otherwise fails to meet your computer health
requirements. NAP is designed to protect client computers as well as your network from
vulnerabilities that could otherwise be exploited if NAP wasn’t used and enforced.
When remote access connections and wireless networks were new, they were popular targets for
people who wanted to break into those networks. So, members of the security community put
their heads together and developed some near-bullet-proof techniques for keeping the bad guys
out—even if the “bad guy” was just a computer that hadn’t been patched.
Many of us overlooked our Ethernet networks and did not give them the same security protections.
Somehow, we felt safe inside our offices because wired networks are more difficult for an
attacker to connect to. However, mobile users can still connect to a wired network and spread
worms and viruses. Finally, with NAP, we have a good way to help protect wired, wireless, and
remote access connections from traditional hackers as well as from malicious software.
Understanding Network Access Protection
Network Access Protection can be used to protect your network from local clients as well as
remote access clients. At the heart of this feature are three components:
Network Access Protection Agent: A software component that allows a client running Windows
to participate in Network Access Protection. This agent runs as a service on computers running
Windows Vista.
NAP Client Configuration: A configuration tool that is used to define and enforce NAP
requirements on clients. This tool is also used to specify health registration settings and designate
trusted servers.
NAP Server Configuration: A configuration tool that is used to manage NAP and define NAP
policy.
The Network Access Protection Agent reports the health status of a client computer to a server
called a Health Registration Authority. The report includes details about the client’s overall
security health, such as whether the client has current security updates and up-to-date virus
signatures installed. The security mechanism by which a client computer communicates with a
Health Registration Authority is configured through a designated Request Policy.
Request Policies can be configured to use:
1. Any of a variety of private key algorithms, including asymmetric key algorithms based on
Rivest-Shamir-Adleman (RSA), the Digital Signature Algorithm (DSA), and other security
specifications.
2. Any of a variety of signed and unsigned hash algorithms, including RSA MD5 hashing and
DSA SHA1 hashing.
3. Any of a variety of Cryptographic Service Providers, including the Microsoft Enhanced
Cryptographic Provider version 1.0, the Microsoft Enhanced RSA and AES Cryptographic
Provider, and the Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider.
You can access the NAP Client Configuration tool, shown in Figure 10-3, by following these
steps:
a. Click Start, and then click Control Panel.
b. In Control Panel, click the System And Maintenance category heading link, and then click
Administrative Tools.
c. Double-click NAP Client Configuration.
Figure 10-3: Using the NAP Client Configuration console to manage NAP
Using Network Access Protection
Using the NAP Client Configuration tool, administrators can configure separate enforcement
policies for Dynamic Host Configuration Protocol (DHCP) clients, remote access clients, and
terminal services clients. Enforcement policy can also be configured for virtual private network
(VPN) clients that use Extensible Authentication Protocol (EAP).
Administrators can use NAP to enforce health requirements for all computers that are connected
to an organization’s private network, regardless of how those computers are connected to the
network. You can use NAP to improve the security of your private network by ensuring that the
latest updates are installed before users connect to your private network. If a client computer
does not meet the health requirements, you can:
Prevent the computer from connecting to your private network.
Provide instructions to users on how to update their computers. (In some cases, you can update
their computers automatically.)
Limit access to your network so that users with out-of-date computer security can access only
designated servers on your network.
To allow NAP to be enforced when a computer is acting as a DHCP client, follow these steps:
1. Start the NAP Client Configuration tool.
2. In the left panel, select Enforcement Clients.
3. Double-click DHCP Quarantine Enforcement Client.
4. In the DHCP Quarantine Enforcement Client Properties dialog box, select the Enable This
Enforcement Client check box, as shown in Figure 10-4.
Figure 10-4: Enforcing NAP when DHCP is used
You can enable enforcement for other types of connections using a similar procedure:
To enforce remote access NAP, open the NAP Client Configuration tool, double-click Remote
Access Quarantine Enforcement Client, and then select the Enable This Enforcement Client
check box.
To enforce terminal services NAP, open the NAP Client Configuration tool, double-click TS
Gateway Quarantine Enforcement Client, and then select the Enable This Enforcement Client
check box.
To enforce VPN protection, open the NAP Client Configuration tool, double-click EAP Quarantine
Enforcement Client, and then select the Enable This Enforcement Client check box.
You configure the actual NAP policies that apply to clients by using the NAP Server
Configuration tool.
Understanding Windows Service Hardening
Earlier versions of Windows grant wide access to the system-level services running on the
computer. Many of these services run under the LocalSystem account, where any breach could:
Grant wide access to the data on the computer.
Allow malicious programs to modify the system configuration.
Open the computer to other types of attacks.
Windows Vista uses Windows Service Hardening to provide an additional layer of protection so
that services cannot be compromised. Following the security principle of defense-in-depth,
Windows Service Hardening:
Restricts critical Windows services from performing abnormal activities that affect the file
system, registry, network, or other resources that could be used to allow malicious software to
install itself or attack other computers. Services can be restricted from replacing system files or
modifying the registry. Unnecessary Windows privileges, such as the ability to perform
debugging, have also been removed on a per-service basis.
Limits the number of services that are running and operational by default to reduce the overall
attack surface in Windows. Some services are now configured to start manually as needed rather
than automatically when the operating system starts.
Limits the privilege level of services by limiting the number of services that run in the
LocalSystem account. Some services that previously ran in the LocalSystem account now run in
a less privileged account, such as the Local Service or Network Service account. This reduces
the overall privilege level of the service, which is similar to the benefits derived from User
Account Control (UAC). (UAC is discussed in Chapter 9.)
Windows Service Hardening introduces entirely new features, which are used by Windows
services as well. Like user accounts, each service has a security identifier that is used to manage
the security permissions granted to the service. Per-service security identifiers (SIDs) enable
per-service identity. Per-service identity, in turn, enables access control partitioning through the
existing Windows access control model, covering all objects and resource managers that use
access control lists (ACLs). Services can now apply explicit ACLs to resources that are private to
the service, and this prevents other services as well as the user from accessing those resources.
All services now have write-restricted access tokens. A write-restricted access token can be used
in cases where the set of objects written to by the service is bounded and can be configured.
Write attempts to resources to which the service was not granted explicit access fail. Further,
services are assigned a network firewall policy to prevent network access outside the normal
bounds of the service program. The firewall policy is linked directly to the per-service SID.
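As an added illustration (example code, not from the book or from Windows itself), the following Python derives the per-service SID described above for a given service short name, the same value that `sc showsid <ServiceName>` reports on a Windows Vista or later machine, and uses it to build an SDDL descriptor for a service-private resource and to map a SID found in an ACL or audit event back to a service name. It assumes the documented derivation (SHA-1 of the uppercased UTF-16LE service name, split into five little-endian 32-bit sub-authorities under S-1-5-80); the function names and the sample service list are my own.

```python
import hashlib
import re
import struct
from typing import Iterable, Optional

# Added example (not from the book): per-service SIDs as Windows Service Hardening
# uses them. A service SID is S-1-5-80- followed by the SHA-1 of the service name
# (uppercased, UTF-16LE) read as five little-endian 32-bit sub-authorities. This is
# the value "sc showsid <ServiceName>" prints on Windows Vista and later.

SERVICE_SID_PREFIX = "S-1-5-80-"
SERVICE_SID_RE = re.compile(r"S-1-5-80(-\d+){5}")


def service_sid(service_name: str) -> str:
    """Return the NT SERVICE\\<service_name> SID for a service short name."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauthorities = struct.unpack("<5I", digest)  # five little-endian DWORDs
    return SERVICE_SID_PREFIX + "-".join(str(s) for s in subauthorities)


def private_resource_sddl(service_name: str) -> str:
    """SDDL for a resource private to one service: a protected DACL (P, so no
    inherited ACEs) granting full access only to the service SID and to SYSTEM.
    Other services and the interactive user get no ACE and therefore no access."""
    return f"D:P(A;;FA;;;{service_sid(service_name)})(A;;FA;;;SY)"


def identify_service(sid: str, installed_services: Iterable[str]) -> Optional[str]:
    """Map an S-1-5-80-... SID seen in an ACL or audit event back to the service
    name, given the installed service names (on a host, "sc query" lists them).
    Returns None for a non-service SID or an unknown service."""
    if not SERVICE_SID_RE.fullmatch(sid):
        return None
    lookup = {service_sid(name): name for name in installed_services}
    return lookup.get(sid)


if __name__ == "__main__":
    # Constructed sample: a few real Windows service short names.
    installed = ["wuauserv", "TrustedInstaller", "MpsSvc", "Dhcp"]
    for name in installed:
        print(f"{name:18} {service_sid(name)}")
    print(private_resource_sddl("MpsSvc"))
    print(identify_service(service_sid("Dhcp"), installed))  # prints Dhcp
```

The derivation is case-insensitive, so `service_sid("dhcp")` and `service_sid("DHCP")` agree, which is why a reviewer can match SIDs against service names regardless of how they were spelled in the registry.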
While Windows Service Hardening cannot prevent a vulnerable service from being
compromised, it does go a long way toward limiting how much damage an attacker can do in the
unlikely event the attacker is able to identify and exploit a vulnerable service. When combined
with other Windows Vista components and other defense-in-depth strategies, such as Windows
Firewall and Windows Defender, computers running Windows Vista have much more protection
than computers running earlier versions of Windows.