Windows 7
Qing Liu, Qing.Liu@chi.frb.org
Michael Stevens, Michael.Stevens@chi.frb.org

Overview
1. Financial Institution's Preliminary Steps
2. User Interface
3. Data Protection
4. User and Group Changes
5. Kernel Changes
6. Audit Changes
7. New and Changed Security Options

Section 1: Financial Institution's Preliminary Steps

Learning Objectives
In this module you will learn:
• Preliminary steps for migration
• How to determine if a PC is Windows 7 ready
• What features the various versions of Windows 7 provide to the FI

To Migrate or Not to Migrate?
• Plan now
• Start migration before 2012
• Windows XP expires in 2014

Preliminary Migration Steps
• Planning and rollout
• Hardware upgrades
• Application compatibility evaluation
• New applications: Office 2007 consideration
• Training

Hardware Requirements
                   32-bit                                   64-bit
Processor          1 GHz                                    1 GHz
Processor type     32-bit x86 or better, such as 64-bit     64-bit
RAM                1 GB                                     2 GB
Hard disk space    16 GB                                    20 GB
Graphics           DirectX 9 device with WDDM 1.0+ driver   DirectX 9 device with WDDM 1.0+ driver
Note: The 64-bit edition of Windows offers better performance, but has additional system requirements (notably a 64-bit processor), needs different hardware drivers, and thus requires additional testing for hardware and software compatibility.

Windows 7 Versions (Home Premium, Professional, Ultimate)
• Make the things you do every day easier with improved desktop navigation. Start programs faster and more easily, and quickly find the documents you use most often.
• Make your web experience faster, easier and safer than ever with Internet Explorer 8.
• Run many Windows XP productivity programs in Windows XP Mode.
• Help protect data on your PC and portable storage devices against loss or theft with BitLocker.
Windows 7 Enterprise
• DirectAccess (security)
• BranchCache
• Federated Search
• BitLocker and BitLocker To Go (security)
• AppLocker (security)
• Virtual desktop infrastructure (VDI) optimizations
• Multilingual user interface

Windows 7 Readiness
• Download Windows 7 Upgrade Advisor
• Run the hardware / software compatibility report
• Windows 7 Upgrade Advisor links
  – http://windows.microsoft.com/en-us/windows/downloads/upgrade-advisor
  – http://www.microsoft.com/windows/windows-7/get/upgradeadvisor.aspx

Section 2: User Interface

Learning Objectives
In this module you will:
• Describe Windows 7's graphical user interface options
• List new features
• Become familiar with "Windows XP Mode" integrated virtualization

Changes to Windows Aero
• New taskbar: right-click applications to see new tasks
• Taskbar thumbnails: quickly preview the content of each open window, not merely the name
• Aero Peek: hover over the lower-right corner of the screen to reveal the desktop temporarily

Live Icons

Flip 3D

Getting Started

Start Menu and Search
Many elements of Windows 7 incorporate new search capabilities.
• Search box
• Libraries
• Ability to "save" searches

Demo – Search

Libraries

Gadgets
• Gadgets mounted to the desktop
• Gadget selection window

How about old applications running on XP?

XP Mode
• Processor: a processor capable of hardware virtualization, with AMD-V or Intel VT turned on in the BIOS.
• Memory: 2 GB of memory recommended.
• Hard disk requirement: 20 MB of hard disk space for installing Windows Virtual PC. An additional 15 GB of hard disk space per virtual Windows environment is recommended.
Section 3: Data Protection

Learning Objectives
In this module you will learn:
• The current threats
• Authentication and encryption features
  – Trusted Platform Module
  – Rights Management Services
  – Encrypting File System
  – BitLocker / BitLocker To Go

Current Threats
• Threats to data
• Password recovery programs are widely available that enable offline attacks
• Offline attacks expose core system keys that allow for the compromise of secured data
• Hundreds of thousands of laptops are lost every year
• Software-based security

Trusted Platform Module (TPM)
Module on the motherboard:
• Performs cryptographic functions
• Can create, store and manage keys
• Performs digital signature operations
Source: http://www.trustedcomputinggroup.org

Multi-Factor Authentication
Three authentication factors:
Factor               Example
Something you have   USB token, or TPM chip
Something you know   Password
Something you are    Fingerprint

Single-factor: something you have (TPM chip)
Multi-factor: something you have (TPM chip) + something you know (password, *******)
              something you have (TPM chip and token)

Three Windows 7 Applications – RMS, EFS, and BitLocker
Three levels of protection:
• Rights Management Services (RMS): per-document enforcement of policy-based rights
• Encrypting File System (EFS): per-file or per-folder encryption of data for confidentiality
• BitLocker Full Volume Encryption: per-volume encryption (see earlier)

Rights Management Services (RMS)
• Rights Management Services embeds usage policies in documents to control their use
  – Protecting confidential e-mail messages
  – Enforcing document rights
  – Distributing media content
• RMS components
  – RMS-enabled application
  – Client software
  – Server software

Encrypting File System (EFS)
• Only files and folders on NTFS volumes can be encrypted.
• Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
• Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files; files must be explicitly decrypted.

Encrypting File System (EFS)

BitLocker & BitLocker To Go

Video – BitLocker

Who are you protecting against?
• Other users or administrators on the machine? EFS
• Unauthorized users with physical access? BitLocker

Scenarios (compared across BitLocker, EFS and RMS)
• Laptops
• Branch office server
• Local single-user file & folder protection
• Local multi-user file & folder protection
• Remote file & folder protection
• Untrusted network admin
• Remote document policy enforcement

Section 4: User and Group Changes

Learning Objectives
In this module you will learn:
• How to add a new user
• More new groups available
• User Account Control to mitigate risk

New Users

New Groups

User Account Control
The user provides explicit consent before using elevated privilege.

User Account Control Setup

Changes to UAC in Windows 7
Four levels of notification for UAC in Windows 7, from most secure to least secure:
• Always notify me
  – Displays all prompts
  – Prompts dim the screen
  – Default for standard users
• Notify me only when programs try to make changes to my computer (default)
  – Displays only prompts from applications
  – Prompts dim the screen
  – Default for administrators
• Do not dim desktop
  – Displays only prompts from applications
  – No screen dimming
  – Not default
• Never notify me
  – Displays no prompts
  – No screen dimming
  – Not default

ACL

Section 5: Kernel Changes

Learning Objectives
In this module you will learn:
• New security features via Windows 7 kernel improvements

Security Enhancements
• User Account Control level
• Virtual Accounts
• BitLocker and BitLocker To Go

Virtual Accounts
• Want better isolation than existing service accounts
  – Don't want to manage passwords
• Virtual accounts are like service accounts
  – The process runs with the virtual SID as principal
  – System-managed password
  – Show up as the computer account when accessing the network
• Services can specify a virtual account
  – The account name must be "NT SERVICE\<service>"
  – The Service Control Manager verifies the service account and creates a user profile for the account

Section 6: Audit Changes

Learning Objective
In this module you will learn:
• How Windows 7 has improved upon auditing capabilities

Improved Auditing
• More granularity
  – Support for many auditing subcategories: logon, logoff, file system access, registry access, use of administrative privilege
  – Previous versions of Windows only supported high-level categories such as System, Logon/Logoff and Object Access, with little granularity
• New logging infrastructure
  – Easier to filter out "noise" in logs and find the event you're looking for
  – Tasks tied to events: when an event occurs, such as administrative privilege use, tasks such as sending an e-mail to an auditor can run automatically

Granular Audit Policy

Added Auditing For
• Registry value change audit events (old + new values)
• AD change audit events (old + new values)
• Improved operation-based audit
• Audit events for UAC
• Improved IPsec audit events, including support for AuthIP
• RPC call audit events
• Share access audit events
• Share management events
• Cryptographic function audit events
• IAS (RADIUS) audit events (server only)

Section 7: New and Changed Security Options

Learning Objectives
In this module you will learn about the following features:
• Windows Biometric Framework
• AppLocker
• DirectAccess
• Windows Firewall
• Microsoft Security Essentials
• Internet Explorer 8

AppLocker

DirectAccess

Windows 7 Firewall
• Both inbound and outbound
• Authentication- and authorization-aware
• Outbound application-aware filtering is now possible
  – Includes IPsec management
  – Policy-based administration

Multiple Active Firewall Profiles
• New feature in Windows 7
• Previously, Windows Firewall rules applied over all network connections (wired, wireless, VPN, hotspot, home, etc.)
• Now, different firewall rules can apply to three classes of connections

Windows 7 Firewall Profiles
Profile   Connection     Firewall policies    Example
Domain    Most secure    Least restrictive    VPN
Private                                       Home wireless network
Public    Least secure   Most restrictive     All non-domain connections, by default

Microsoft Security Essentials
• Free anti-virus/spyware/malware tool from Microsoft designed for home PCs
• Not included in the Windows 7 installation; needs to be downloaded separately from Microsoft
• No central management capabilities, unlike Windows Defender; not an ideal solution for large organizations

Security Essentials Scanning Modes
• Real-time protection
  – Warns users when potential spyware is executed or tries to perform certain operations
• Scheduled & on-demand scans
  – Quick: scans only system files likely to be targeted by malware and viruses, or likely culprits such as processes currently running and files currently open on the machine
  – Full: scans all files; a much longer process

MS vs Other Brand Name Vendors

Internet Explorer 8 Secure Features
• SmartScreen
• Domain highlighting
• InPrivate Browsing
• Cross-site scripting filter

SmartScreen and SmartScreen Filter

SmartScreen Filter

Domain Highlighting
The Microsoft domain is easy to read.

Cross-Site Scripting Filtering
Internet Explorer 8 detects potential cross-site scripting vulnerabilities and disables harmful scripts.

InPrivate Browsing

• Click-jacking prevention
• Data Execution Prevention (DEP)
• InPrivate Filtering
• Automatic crash recovery

Windows 7 Conclusion
• Many features already exist in other operating systems.
• Incorporates most major security changes introduced in Windows 7.
• UAC password requirements are seen as less annoying in Windows 7 due to more customization and better software design.
• Improved security through additional features and options.

Questions?
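As an added example that is not part of the original deck, the PowerShell script below reads back on a Windows 7 machine the settings covered in the Data Protection (BitLocker), User Account Control, Virtual Accounts, Granular Audit Policy and Multiple Active Firewall Profiles sections, so an administrator can confirm the build matches the intended baseline. It assumes an elevated PowerShell 2.0 prompt on a stock Windows 7 install (manage-bde.exe, auditpol.exe and netsh.exe on the path); the mapping of the four UAC notification levels to the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop registry values is taken from Microsoft's documented UAC settings and is not stated on the slides.

```powershell
# Added example, not from the original deck. Read-only report of the Windows 7
# settings discussed above; assumes an elevated PowerShell prompt on Windows 7
# where manage-bde.exe, auditpol.exe and netsh.exe are on the path. Nothing is changed.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacNotificationLevel {
    # The four notification levels map onto two documented registry values.
    $p = Get-ItemProperty -Path $UacKey
    switch ("$($p.ConsentPromptBehaviorAdmin),$($p.PromptOnSecureDesktop)") {
        '2,1'   { 'Always notify me (most secure)' }
        '5,1'   { 'Notify me only when programs try to make changes (default)' }
        '5,0'   { 'Notify me, do not dim desktop' }
        '0,0'   { 'Never notify me (least secure)' }
        default { "Custom: ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($p.PromptOnSecureDesktop)" }
    }
}

function Get-VirtualAccountServices {
    # Services using a virtual account log on as NT SERVICE\<service>.
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -like 'NT SERVICE\*' } |
        Select-Object Name, StartName
}

function Get-FirewallProfileState {
    # One header line per profile (Domain, Private, Public) followed by its ON/OFF state.
    & netsh.exe advfirewall show allprofiles |
        Select-String -Pattern 'Profile Settings|^State' |
        ForEach-Object { $_.Line.Trim() }
}

function Get-Win7SecurityBaseline {
    # manage-bde.exe is only present on editions that ship BitLocker.
    $bitlocker = if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
        (& manage-bde.exe -status) -join "`n"
    } else { 'manage-bde.exe not found (edition without BitLocker)' }

    New-Object PSObject -Property @{
        BitLockerStatus    = $bitlocker                                    # Data Protection
        UacLevel           = Get-UacNotificationLevel                      # Changes to UAC
        UacEnabled         = (Get-ItemProperty -Path $UacKey).EnableLUA    # 0 turns UAC off entirely
        AuditSubcategories = (& auditpol.exe /get /category:*) -join "`n"  # Granular Audit Policy
        FirewallProfiles   = @(Get-FirewallProfileState)                   # Multiple Active Profiles
        VirtualAccounts    = @(Get-VirtualAccountServices)                 # Kernel Changes
    }
}

Get-Win7SecurityBaseline | Format-List
```

Compare the UacLevel, FirewallProfiles and AuditSubcategories fields against the institution's policy; a Public profile reporting State OFF or a UacLevel of "Never notify me" is the kind of deviation the deck's recommendations are meant to rule out.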
References
• Windows 7: Evolved for the modern enterprise
  – https://www.microsoft.com/windows/enterprise/products/windows7/default.aspx
• Understanding and Configuring User Account Control
  – http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

References – Windows 7
• Windows 7 on Microsoft TechNet (for IT Pros)
  – http://technet.microsoft.com/en-us/windows/dd361745.aspx?ITPID=mscomsc
• Windows 7 UAC
  – http://go.microsoft.com/fwlink/?LinkID=139554
• Microsoft Security Essentials
  – http://www.microsoft.com/security_essentials/