Windows 7

Qing Liu
Qing.Liu@chi.frb.org
Michael Stevens
Michael.Stevens@chi.frb.org
Overview
1. Financial Institution’s Preliminary Steps
2. User Interface
3. Data Protection
4. User and Group Changes
5. Kernel Changes
6. Audit changes
7. New and Changed Security Options
Section 1:
Financial Institution’s Preliminary Steps
Learning Objectives
In this module you will learn:
• Preliminary Steps on migration
• How to determine if a PC is Windows 7 ready
• What features the various versions of Windows 7 provide to the FI.
To Migrate or Not to Migrate?
• Plan now
• Start migration before 2012
• Windows XP expires in 2014
Preliminary Migration Steps
• Planning and rollout
• Hardware upgrades
• Application compatibility evaluation
• New applications: Office 2007 consideration
• Training
Hardware Requirements
Requirement | 32-bit | 64-bit
Processor | 1 GHz | 1 GHz
Processor Type | 32-bit x86 or better, such as 64-bit | 64-bit
RAM | 1 GB | 2 GB
Hard Disk Space | 16 GB | 20 GB
Graphics | DirectX 9 device with WDDM 1.0+ driver | DirectX 9 device with WDDM 1.0+ driver
Note: The 64-bit edition of Windows offers better performance, but has additional system requirements (notably a 64-bit processor), needs different hardware drivers, and thus requires additional testing for hardware and software compatibility.
Windows 7 Versions
Feature | Home Premium | Professional | Ultimate
• Make the things you do every day easier with improved desktop navigation.
• Start programs faster and more easily, and quickly find the documents you use most often.
• Make your web experience faster, easier and safer than ever with Internet Explorer 8.
• Run many Windows XP productivity programs in Windows XP Mode.
• Help protect data on your PC and portable storage devices against loss or theft with BitLocker.
Windows 7 Enterprise
• DirectAccess (Security)
• BranchCache
• Federated Search
• BitLocker and BitLocker-to-Go (Security)
• AppLocker (Security)
• Virtual desktop infrastructure (VDI) optimizations
• Multilingual user interface
Windows 7 Readiness
• Download Windows 7 Upgrade Advisor
• Run
• Hardware / software compatibility report
• Windows 7 Upgrade Advisor link
– http://windows.microsoft.com/enus/windows/downloads/upgrade-advisor
– http://www.microsoft.com/windows/windows-7/get/upgradeadvisor.aspx
Section 2:
User Interface
Learning Objectives
In this module you will:
• Describe Windows 7’s Graphical User Interface options
• List new features
• Become familiar with “Windows XP Mode” integrated virtualization
Changes to Windows Aero
• New taskbar: right-click applications to see new tasks
Changes to Windows Aero
• Taskbar Thumbnails: Quickly preview the content of each open window, not merely the name
Changes to Windows Aero
• Aero Peek: hover over lower-right corner of screen to reveal desktop temporarily
Live Icons
Flip 3D
Getting Started
Start Menu and Search
Many elements of Windows 7 incorporate new search capabilities.
• Search box
• Libraries
• Ability to “Save” Searches
Demo – Search
Libraries
Gadgets
Gadgets mounted to the Desktop
Gadget selection window
How about old applications running on XP?
XP Mode
• Processor: Processor capable of hardware virtualization, with AMD-V™ or Intel® VT turned on in the BIOS.
• Memory: 2GB of memory recommended.
• Hard disk requirement: 20MB hard disk space for installing Windows Virtual PC. Additional 15GB of hard disk space per virtual Windows environment recommended.
Section 3:
Data Protection
Learning Objectives
In this module you will learn:
• The current threats
• Authentication and encryption features
– Trusted Platform Module
– Rights Management Services
– Encrypting File System
– BitLocker / BitLocker To Go
Current Threats
• Threats to data
• Password recovery programs are widely available that enable offline attacks
• Offline attacks expose core system keys that allow for the compromise of secured data
• Hundreds of thousands of laptops are lost every year
• Software Based Security
Trusted Platform Module (TPM)
Module on the motherboard
• Performs cryptographic functions
• Can create, store and manage keys
• Performs digital signature operations
Source: http://www.trustedcomputinggroup.org
Multi-Factor Authentication
Three authentication factors:
Factor | Example
Something you have | USB token, or TPM chip
Something you know | Password
Something you are | Fingerprint
SINGLE-FACTOR:
• Something you have (TPM chip)
MULTI-FACTOR:
• Something you have (TPM chip)
• Something you know (password)
• Something you have (TPM chip and token)
Three Windows 7 Applications – RMS, EFS, and BitLocker
Three levels of protection:
• Rights Management Services (RMS)
– Per-document enforcement of policy-based rights
• Encrypting File System (EFS)
– Per file or folder encryption of data for confidentiality
• BitLocker™ Full Volume Encryption
– Per volume encryption (see earlier)
Rights Management Services (RMS)
• Rights Management Services embeds usage policies in documents to control their use
– Protecting confidential e-mail messages
– Enforcing document rights
– Distributing media content
• RMS components
– RMS-enabled application
– Client SW
– Server SW
Encrypting File System (EFS)
• Only files and folders on NTFS volumes can be encrypted.
• Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
• Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
Encrypting File System (EFS)
BitLocker™ & BitLocker To Go
Video – Bitlocker
Who are you protecting against?
• Other users or administrators on the machine? EFS
• Unauthorized users with physical access? BitLocker™
Scenarios | BitLocker | EFS | RMS
• Laptops
• Branch office server
• Local single-user file & folder protection
• Local multi-user file & folder protection
• Remote file & folder protection
• Untrusted network admin
• Remote document policy enforcement
Section 4:
User and Group Changes
Learning Objectives
In this module you will learn:
• How to add a new user
• The additional new groups available
• How User Account Control mitigates risk
New Users
New Groups
User Account Control
User provides explicit consent before using elevated privilege.
User Account Control Setup
Changes to UAC in Windows 7
Four levels of notification for UAC in Windows 7, listed from most secure to least secure:
Level | Prompts | Screen | Default
Always Notify Me | Displays all prompts | Prompts dim screen | Default for standard users
Notify Me Only When Programs Try to Make Changes to My Computer (default) | Displays only prompts from applications | Prompts dim screen | Default for administrators
Do not Dim Desktop | Displays only prompts from applications | No screen dimming | Not default
Never Notify Me | Displays no prompts | No screen dimming | Not default
ACL
Section 5:
Kernel Changes
Learning Objectives
In this module you will learn:
• New security features via Windows 7 kernel improvement
Security Enhancements
• User Account Control level
• Virtual Accounts
• BitLocker and BitLocker-to-go
Virtual Accounts
• Want better isolation than existing service account
– Don’t want to manage passwords
• Virtual accounts are like service accounts
– Process runs with virtual SID as principal
– System-managed password
– Show up as computer account when accessing network
• Services can specify a virtual account
– Account name must be “NT SERVICE\<service>”
– Service control manager verifies the service account and creates a user profile for the account
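The virtual account rules above can be checked across a machine's services. This PowerShell is an added example, not part of the original slides; the function names and sample rows are constructed for illustration, and the list of built-in account spellings is an assumption about what Win32_Service reports.

```powershell
# Added example (not from the slides): classify service logon accounts and
# check the "NT SERVICE\<service>" naming rule for virtual accounts.
function Get-ServiceAccountType {
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return 'None' }   # no logon account reported
    if ($StartName -match '^NT SERVICE\\.+') { return 'Virtual' }
    # Assumed spellings of the built-in accounts as reported by Win32_Service.
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\(SYSTEM|Local ?Service|Network ?Service))$') {
        return 'BuiltIn'
    }
    return 'UserManaged'   # password is set and rotated by an administrator
}

function Get-ServiceAccountReport {
    param([Parameter(ValueFromPipeline = $true)]$Service)
    process {
        $type  = Get-ServiceAccountType $Service.StartName
        $match = $null
        if ($type -eq 'Virtual') {
            # The part after the prefix must equal the service name.
            $match = ($Service.StartName -replace '^NT SERVICE\\', '') -eq $Service.Name
        }
        New-Object psobject -Property @{
            Name = $Service.Name; StartName = $Service.StartName
            AccountType = $type; NameMatchesService = $match
        }
    }
}

# Constructed sample rows shaped like Win32_Service output (hypothetical names).
$sample = @(
    (New-Object psobject -Property @{ Name = 'ExampleWebSvc'; StartName = 'NT SERVICE\ExampleWebSvc' }),
    (New-Object psobject -Property @{ Name = 'ExampleAgent';  StartName = 'NT SERVICE\OtherSvc' }),
    (New-Object psobject -Property @{ Name = 'ExampleBackup'; StartName = 'EXAMPLE\svc_backup' }),
    (New-Object psobject -Property @{ Name = 'ExampleCore';   StartName = 'LocalSystem' })
)
$sample | Get-ServiceAccountReport |
    Format-Table Name, StartName, AccountType, NameMatchesService -AutoSize

# Live use on a host: Get-WmiObject Win32_Service | Get-ServiceAccountReport
```

Rows reported as UserManaged are the accounts whose passwords someone still has to manage, which is the burden virtual accounts are meant to remove.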
Section 6:
Audit Changes
Learning Objective
In this module you will learn:
• How Windows 7 has improved upon auditing capabilities.
Improved Auditing
• More Granularity
– Support for many auditing subcategories: Logon, logoff, file system access, registry access, use of administrative privilege
– Previous versions of Windows only support high-level categories such as System, Logon/Logoff, and Object Access, with little granularity
• New Logging Infrastructure
– Easier to filter out “noise” in logs and find the event you’re looking for
– Tasks tied to events: When an event occurs, such as administrative privilege use, tasks such as sending an Email to an auditor can run automatically
Granular Audit Policy
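Subcategory-level auditing can be compared against a baseline by parsing the CSV report from `auditpol /get /category:* /r`. This PowerShell is an added example, not part of the original slides; the baseline values, host name and GUID placeholders are constructed, the column names assume an English-language system, and mapping "use of administrative privilege" to the "Sensitive Privilege Use" subcategory is an assumption.

```powershell
# Added example (not from the slides): compare per-subcategory audit settings
# against a baseline. The baseline values are assumptions for illustration.
$baseline = @{
    'Logon'                   = 'Success and Failure'
    'Logoff'                  = 'Success'
    'File System'             = 'Failure'
    'Registry'                = 'Success and Failure'
    'Sensitive Privilege Use' = 'Success and Failure'
}

function Get-AuditGap {
    param([string[]]$CsvLines, [hashtable]$Baseline)
    # auditpol /r emits CSV; drop blank lines before parsing.
    $rows = @($CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $row      = $rows | Where-Object { $_.Subcategory.Trim() -eq $name } | Select-Object -First 1
        $actual   = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        $required = $Baseline[$name]
        # A gap exists when a required outcome (Success or Failure) is not audited.
        $missing = @('Success', 'Failure' |
            Where-Object { $required -match $_ -and $actual -notmatch $_ })
        if ($missing.Count -gt 0) {
            New-Object psobject -Property @{
                Subcategory = $name; Required = $required
                Actual = $actual; Missing = ($missing -join ', ')
            }
        }
    }
}

# Constructed sample in the CSV layout of "auditpol /get /category:* /r".
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'WS-EXAMPLE,System,Logon,{constructed-guid-1},Success and Failure,',
    'WS-EXAMPLE,System,Logoff,{constructed-guid-2},Success,',
    'WS-EXAMPLE,System,File System,{constructed-guid-3},No Auditing,',
    'WS-EXAMPLE,System,Registry,{constructed-guid-4},Success,',
    'WS-EXAMPLE,System,Sensitive Privilege Use,{constructed-guid-5},No Auditing,'
)
Get-AuditGap -CsvLines $sample -Baseline $baseline |
    Format-Table Subcategory, Required, Actual, Missing -AutoSize

# Live use (elevated prompt):
# Get-AuditGap -CsvLines (auditpol /get /category:* /r) -Baseline $baseline
```

With the sample rows, File System, Registry and Sensitive Privilege Use are reported as gaps, while Logon and Logoff meet the baseline.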
Added Auditing For
• Registry value change audit events (old + new values)
• AD change audit events (old + new values)
• Improved operation-based audit
• Audit events for UAC
• Improved IPSec audit events including support for AuthIP
• RPC Call audit events
• Share Access audit events
• Share Management events
• Cryptographic function audit events
• IAS (RADIUS) audit events (server only)
Section 7:
New and Changed Security Options
Learning Objectives
In this module you will learn the following features:
• Windows Biometric Framework
• AppLocker
• DirectAccess
• Windows Firewall
• Windows Security Essentials
• Internet Explorer 8
AppLocker
DirectAccess
Windows 7 Firewall
• Both inbound and outbound
• Authentication and authorization aware
• Outbound application-aware filtering is now possible
– Includes IPSec management
– Policy-based administration
Multiple Active Firewall Profiles
• New feature in Windows 7
• Previously, Windows Firewall rules applied over all network connections (wired, wireless, VPN, hotspot, home, etc.)
• Now, can have different firewall rules for three classes of connections.
Win7 Firewall Profile | Domain | Private | Public
Connection | Most secure | | Least secure
Firewall policies | Least restrictive | | Most restrictive
Example | VPN | Home wireless network | All non-domain connections, by default
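Windows reports the active firewall profiles as a bitmask, so more than one of the three profiles can be in force at once. This PowerShell is an added example, not part of the original slides; it uses the HNetCfg.FwPolicy2 COM object, and the function names, the constructed mask value and the "Review" rule are assumptions for illustration.

```powershell
# Added example (not from the slides): show which firewall profiles are active
# at the same time and flag weak defaults. Uses the HNetCfg.FwPolicy2 COM API.
$profileBits = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }   # NET_FW_PROFILE_TYPE2 values
$actionNames = @{ 0 = 'Block'; 1 = 'Allow' }                     # NET_FW_ACTION values

function Get-ActiveProfileName {
    param([int]$Mask)
    # CurrentProfileTypes is a bitmask, so several profiles can be set together.
    @($profileBits.Keys | Sort-Object | Where-Object { $Mask -band $_ } |
        ForEach-Object { $profileBits[$_] })
}

function Get-FirewallProfileReport {
    $fw     = New-Object -ComObject HNetCfg.FwPolicy2
    $active = Get-ActiveProfileName $fw.CurrentProfileTypes
    foreach ($bit in ($profileBits.Keys | Sort-Object)) {
        $enabled = $fw.FirewallEnabled($bit)
        $inbound = $actionNames[[int]$fw.DefaultInboundAction($bit)]
        New-Object psobject -Property @{
            Profile  = $profileBits[$bit]
            Active   = $active -contains $profileBits[$bit]
            Enabled  = $enabled
            Inbound  = $inbound
            Outbound = $actionNames[[int]$fw.DefaultOutboundAction($bit)]
            # Assumed review rule: profile switched off, or inbound allowed by default.
            Review   = (-not $enabled) -or ($inbound -eq 'Allow')
        }
    }
}

# Constructed mask: a domain connection plus a public hotspot (1 + 4 = 5).
Get-ActiveProfileName 5

# On a Windows 7 host:
# Get-FirewallProfileReport |
#     Format-Table Profile, Active, Enabled, Inbound, Outbound, Review -AutoSize
```

For the constructed mask 5 the function returns Domain and Public, which is the multiple-active-profile case this slide describes.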
Microsoft Security Essentials
• Free anti-virus/spyware/malware tool from Microsoft designed for home PCs
• Not included in Windows 7 installation; needs to be downloaded separately from Microsoft
• No central management capabilities unlike Windows Defender → not ideal solution for large organizations
Security Essentials Scanning Modes
• Real-Time Protection
– Warns users when potential spyware is executed or tries to perform certain operations
MS vs Other Brand Name Vendors
Security Essentials Scanning Modes
• Scheduled & On-Demand Scans
– Quick: scans only system files likely to be targeted by malware and viruses or likely culprits such as processes currently running and files currently open on the machine
– Full: scans all files, much longer process
Internet Explorer 8 Secure Features
• SmartScreen
• Domain Highlighting
• InPrivate Browsing
• Cross Site Scripting Filter
SmartScreen and SmartScreen Filter
SmartScreen Filter
Domain Highlighting
The Microsoft domain is easy to read.
Cross Site Scripting Filtering
Internet Explorer 8 detects potential cross-site scripting vulnerabilities and disables harmful scripts.
InPrivate Browsing
• Click-jacking prevention
• Data Execution Prevention (DEP)
• InPrivate Filtering
• Automatic crash recovery
Windows 7 Conclusion
• Many features already exist in other operating systems.
• Incorporates most major security changes introduced in Windows 7.
• UAC password requirements seen as less annoying in Windows 7 due to more customization and better software design.
• Improved security by additional features and options.
Questions?