MCTS Guide to Microsoft Windows 7

Chapter 7

Windows 7 Security Features

At a Glance

Instructor’s Manual Table of Contents

Overview

Objectives

Teaching Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms

Lecture Notes

Overview

Chapter 7 describes security features in Windows 7. Students will learn about the security improvements offered by Windows 7. Next, students will use the local security policy to secure Windows 7 and enable auditing to record security events. Chapter 7 also describes User Account Control and how to configure it. In addition, students will review the malware security features in Windows 7 and use the data security features. Finally, Chapter 7 explains how to secure Windows 7 by using Windows Update.

Chapter Objectives

• Describe Windows 7 security improvements

• Use the local security policy to secure Windows 7

• Enable auditing to record security events

• Describe and configure User Account Control

• Describe the malware security features in Windows 7

• Use the data security features in Windows 7

• Secure Windows 7 by using Windows Update

Teaching Tips

Windows 7 Security Improvements

1. This section explains the major security improvements in Windows 7, including:
   a. Malware protection
   b. Easier deployment of alternative authentication methods
   c. Enhanced network protection
   d. Data protection for stolen hard drives
   e. AppLocker for software restriction

Malware Protection

1. Define malware as malicious software designed to perform unauthorized acts on your computer.

Teaching Tip
Read more about malware at: http://www.symantec.com/norton/security_response/malware.jsp

2. Define User Account Control (UAC) as a feature implemented in Windows 7 to control malware. It prompts users when software attempts to take administrative control.

Teaching Tip
Read more about User Account Control at: http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

3. Define Windows Defender as a real-time spyware monitor to prevent the installation of and remove spyware. Spyware is a threat to privacy and often makes systems unstable.

Teaching Tip
For more information about Windows Defender, visit: http://www.microsoft.com/windows/products/winfamily/defender/default.mspx

4. Mention that Internet Explorer has been modified to run in a limited state, called protected mode, in which user files cannot be modified.

5. Mention that a phishing filter has been added to prevent unauthorized Web sites from stealing log-on credentials and other personal information.

6. Explain that most Windows exploits that are used to install malware are the result of flaws in Windows services.

7. Describe some of the changes in Windows 7 to harden Windows services:
   a. Each service is given a SID number
   b. Services run with a lower privilege level by default
   c. Unnecessary privileges for services have been removed
   d. Windows Firewall can control network access based on service SIDs
   e. Services are isolated and cannot interact with users

Alternative Authentication Methods

1. Explain that usernames and passwords are the most commonly used method for authentication.

2. Mention that Windows 7 makes smart cards easier to manage.

3. Explain that the development of additional authentication methods for Windows, such as biometrics, has been simplified.

Network Protection

1. Explain that Windows 7 is protected on networks by an enhanced firewall and Network Access Protection (NAP).

2. Explain that the enhanced firewall can control both inbound and outbound network packets.

3. Explain that NAP prevents unhealthy computers from accessing the network. An unhealthy computer is one that has outdated antivirus signatures or is missing security updates.

Teaching Tip
For more information about Network Access Protection, visit: http://technet.microsoft.com/en-us/network/bb545879.aspx

Data Protection

1. Explain that the NTFS file system provides data protection by using permissions on files and folders. However, NTFS permissions can be easily circumvented when you have physical access to a computer.

2. Explain that BitLocker Drive Encryption encrypts the contents of a partition and protects the system partition.

AppLocker for Software Restrictions

1. Explain that AppLocker simplifies the management of software restrictions by implementing simpler rules than were available in software restriction policies.

Security Policies

1. Explain that Windows 7 includes a local security policy that can be used to control many facets of Windows. You can access the Local Security Policy in Administrative Tools. Use Figure 7-1 to illustrate your explanation.

2. Describe the local security policy categories, including:
   a. Account policies
   b. Local policies
   c. Windows Firewall with Advanced Security
   d. Network List Manager Policies
   e. Public Key Policies
   f. Software Restriction Policies
   g. Application Control Policies
   h. IP Security Policies on Local Computer
   i. Advanced Audit Policy Configuration

3. Mention that the local security policy is part of a larger Windows management system called Group Policy, which can be implemented on a local computer, but is typically part of a domain-based network.

Account Policies

1. Explain that the account policies category contains the password policy and the account lockout policy. Account policies do not affect domain accounts and must be configured at the domain level.

2. The password policy controls password characteristics for local user accounts. Describe the available settings, including:
   a. Enforce password history
   b. Maximum password age
   c. Minimum password age
   d. Minimum password length
   e. Password must meet complexity requirements
   f. Store passwords using reversible encryption

3. Explain that the account lockout policy is used to prevent unauthorized access to Windows 7. It can configure an account to be temporarily disabled after a number of incorrect log-on attempts. Describe the available settings, including:
   a. Account lockout duration
   b. Account lockout threshold
   c. Reset account lockout counter after

Local Policies

1. Explain that local policies are for auditing system access, assigning user rights, and configuring specific security options. Use Figure 7-2 to illustrate your explanation.

2. Describe some of the user rights assignment settings, including:
   a. Allow log on locally
   b. Back up files and directories
   c. Change the system time
   d. Load and unload device drivers
   e. Shut down the system

3. Describe some of the security options settings, including:
   a. Devices: Prevent users from installing printer drivers
   b. Interactive logon: Do not display last username
   c. Interactive logon: Message text for users attempting to log on
   d. Shutdown

AppLocker

1. Explain that the software restriction policies are used to define which programs are allowed or disallowed in the system. They are commonly used in corporate environments where parental controls are not able to be used. Use Figure 7-3 to illustrate your explanation.

2. Describe some of the AppLocker enhancements over software restriction policies, including:
   a. Rules can be applied to specific users and groups rather than all users
   b. Default rule action is deny to increase security
   c. Wizard to help create rules
   d. Audit only mode for testing that only writes events to the event log

3. Mention that you can audit or enforce AppLocker rules. Auditing or enforcement relies on the configuration of appropriate rules and the Application Identity service.

4. Describe and explain the following rules collections (use Figure 7-4):
   a. Executable
   b. Windows Installer
   c. Scripts
   d. DLL

5. Explain that each rule contains permissions that define whether the rule allows or denies software the ability to run. Use Figure 7-5 to illustrate your explanation.

6. Explain that rule conditions define the software that is affected by the rule. There are three conditions that can be used:
   a. Publisher
   b. Path
   c. File hash

7. Mention that rule exceptions define software that the rule does not apply to.

Other Security Policies

1. Explain that the Windows Firewall with Advanced Security is used to configure the new firewall in Windows 7. It lets you configure both inbound and outbound rules. You can configure specific computer-to-computer rules. It can also be used to configure IP Security (IPsec) rules.

2. Explain that Network List Manager Policies are used to control how Windows 7 categorizes networks to which it is connected.

3. Mention that the Public Key Policies have a single setting for the Encrypting File System (EFS). IP Security Policies on Local Computer are used to control encrypted network communication.

Security Templates

1. Define security templates as .inf files that contain settings that correspond with the Account Policies and Local Policies in the local security policy. They also contain settings for the event log, restricted groups, service configuration, registry security, and file system security.

2. Explain that the security templates are edited by using the security templates snap-in. Use Figure 7-8 to illustrate your explanation. Security templates are used by the Security Configuration and Analysis tool and Secedit.

3. Describe some of the tasks you can perform with the Security Configuration and Analysis tool, including:
   a. Analyze
   b. Configure
   c. Export

Auditing

1. Define auditing as the security process that records the occurrence of specific operating system events in the Security log. Every object in Windows 7 has audit events related to it.

2. Explain that auditing is enabled through the local security policy or by using Group Policy. Use Figure 7-9 and Table 7-1 to illustrate your explanation.

3. Explain that once the audit policy is configured, the audited events are recorded in the Security log that is viewed by using Event Viewer. Use Figure 7-10 to illustrate your explanation.

User Account Control

1. Define User Account Control (UAC) as a new feature in Windows 7 that makes running applications more secure. Security is enhanced by reducing the need to log on and run applications using administrator privileges.

2. Explain that when UAC is enabled and an administrative user logs on, the administrative user is assigned two access tokens. One access token includes standard user privileges, and the other access token includes administrative privileges.

3. Mention that the standard user access token is used to launch the Windows 7 user interface. Admin Approval Mode ensures that the access token with administrative privileges is used only when required.

4. Mention that the Application Information Service is responsible for launching programs by using the access token with administrative privileges.

Application Manifest

1. Explain that an application manifest describes the structure of an application. The structure includes required DLL files and whether they are shared.

2. Explain that applications that are not designed for Windows 7 and that require administrative privileges do not properly request elevated privileges. You can eliminate this error by using the Application Compatibility Toolkit.

Teaching Tip
For more information about application manifests, visit: http://msdn.microsoft.com/en-us/library/aa374191(VS.85).aspx

UAC Configuration Options

1. Mention that Windows 7 introduces a simplified interface for managing UAC. Use Figure 7-11 to illustrate your explanation.

2. Explain that UAC is configured by using either the Windows 7 Local Security Policy for small environments or Group Policy for larger environments.

3. Use Table 7-2 to describe the UAC configuration options.

Quick Quiz 1

1. ____ are used to define which programs are allowed or disallowed in the system.
   Answer: Software restriction policies

2. ____ are .inf files that contain settings that correspond with the Account Policies and Local Policies in the local security policy.
   Answer: Security templates

3. ____ is the security process that records the occurrence of specific operating system events in the Security log.
   Answer: Auditing

4. Newer Windows applications use an application ____ to describe the structure of an application.
   Answer: manifest

Malware Protection

1. Explain that Windows 7 includes the following features to protect computers from malware:
   a. Windows Defender
   b. Microsoft Security Essentials

Windows Defender

1. Define Windows Defender as antispyware software included with Windows 7. Spyware is software that is silently installed on your computer, monitors your behavior, and performs actions based on your behavior. Use Figure 7-12 to show Windows Defender.

2. Explain that Windows Defender provides two levels of protection: on-demand scanning and real-time scanning. Both types of scanning use signatures to identify known and potential spyware.

3. Explain that Windows Defender can perform ad hoc scanning when you suspect that spyware is present on your computer. Windows Defender can also perform scheduled scans.

4. Explain that with real-time scanning, Windows Defender constantly monitors your computer and alerts you when spyware attempts to install. Real-time scanning is better than on-demand scanning because you are preventing the problem rather than fixing it.

5. Describe the areas protected by real-time scanning, including:
   a. Downloaded files and attachments
   b. Programs that run on my computer

6. Describe the Windows Defender alert levels, including:
   a. Severe or High
   b. Medium
   c. Low

7. Explain that when malware is detected, it can be quarantined, removed, or allowed. You can define default actions that are applied for severe, high, medium, and low alerts.

Microsoft Security Essentials

1. Explain that viruses are a different type of software than spyware. Some of the things viruses can do include:
   a. Send spam from your computer to the Internet
   b. Capture usernames and passwords for Web sites, including online banking
   c. Steal enough personal information for identity theft
   d. Allow others to remote control your computer and use it as a launching point for illegal activities

2. Mention that Windows 7 does not include any software to protect your computer from viruses. However, when you own a genuine version of Windows XP, Windows Vista, or Windows 7, you can download Microsoft Security Essentials from the Microsoft Web site at http://www.microsoft.com/security_essentials/ .

Data Security

1. Explain that NTFS permissions are the most basic level of data security in Windows 7. NTFS permissions stop logged-on users from accessing files and folders that they are not assigned read or write permission to.

2. Mention that it is relatively easy to work around NTFS permissions when you have physical access to the computer.

3. Explain that to secure data on desktop computers and laptops, encryption is required. Windows 7 includes Encrypting File System (EFS) and BitLocker Drive Encryption.

Encryption Algorithms

1. Define encryption as the process of taking data and making it unreadable. Decryption makes data readable again.

2. Explain that symmetric encryption uses the same key to encrypt data and decrypt data. The key is a long number that is very hard to guess. Use Figure 7-13 to illustrate your explanation.

3. Mention that since symmetric encryption is strong and fast, it is well-suited to encrypting large volumes of data such as files. It is used by both EFS and BitLocker Drive Encryption.

4. Explain that the biggest problem with symmetric encryption is securing the key.

Teaching Tip
Read more about symmetric encryption at: http://www.howstuffworks.com/encryption2.htm

5. Explain that asymmetric encryption uses two keys to encrypt and decrypt data. Data encrypted by one key is decrypted by the other. Use Figure 7-14 to illustrate your explanation.

6. Mention that the keys are part of a digital certificate. Digital certificates are obtained from certificate authorities.

7. Explain that asymmetric encryption requires more processing power and is less secure than symmetric encryption.

8. Mention that many systems that require encryption use symmetric encryption to encrypt the data and then use asymmetric encryption to protect just the symmetric key.

Teaching Tip
Read more about asymmetric encryption at: http://computer.howstuffworks.com/encryption3.htm

9. Define hash encryption as a one-way encryption, which means that it encrypts data, but the data cannot be decrypted. Hash encryption is used to uniquely identify data rather than prevent access to data. Use Figure 7-15 to illustrate your explanation.

10. Mention that sometimes hash values for data are referred to as fingerprints.

11. Explain that hash encryption is used for storing passwords. When passwords are stored as only a hash value, it is impossible to decrypt the password.

Teaching Tip
Read more about hash encryption at: http://computer.howstuffworks.com/encryption5.htm

Encrypting File System

1. Explain that the Encrypting File System (EFS) was first included with Windows 2000 Professional. EFS encrypts individual files and folders on a partition. EFS is suitable for protecting data files and folders on workstations and laptops. It can also be used to encrypt files and folders on network servers.

2. Use Figure 7-16 to describe the process of encrypting a file with EFS. To use EFS, users must have a digital certificate with a public key and a private key.

3. Mention that from the user perspective, encryption is a file attribute. Use Figure 7-17 to illustrate your explanation.

Teaching Tip
Read more about Encrypting File System (EFS) at: http://en.wikipedia.org/wiki/Encrypting_File_System

4. Mention that files can also be encrypted using the command-line utility Cipher.

5. Explain that if a user loses the EFS key, then an encrypted file is unrecoverable with the default configuration.

6. Describe some of the ways EFS keys may be lost, including:
   a. The user profile is corrupted
   b. The user profile is deleted accidentally
   c. The user is deleted from the system
   d. The user password is reset

7. Explain that in User Accounts, there is an option for you to manage your file encryption certificates. This option allows you to view, create, and back up certificates used for EFS.

8. Explain that creating a recovery certificate allows the files encrypted by all users to be recovered if required.

9. Describe the steps for creating and using a recovery certificate, including:
   a. Create the recovery certificate
   b. Install the recovery certificate
   c. Update existing encrypted files

10. Describe the steps to work with encrypted files on multiple computers, including:
   a. Encrypt the file on the first computer
   b. Export the EFS certificate, including the private key from the first computer
   c. Import the EFS certificate, including the private key on the second computer
   d. Open the encrypted file on the second computer

11. Describe the steps to share encrypted files with other users, including:
   a. Export the EFS certificate of the first user, but do not include the private key
   b. Import the EFS certificate of the first user into the profile of the second user as a trusted person
   c. Second user encrypts the file and shares it with the first user

12. Mention that encrypted files behave differently when copied or moved.

13. Describe the rules that apply for moving and copying encrypted files, including:
   a. An unencrypted file copied or moved to an encrypted folder becomes encrypted
   b. An encrypted file copied or moved to an unencrypted folder remains encrypted
   c. An encrypted file copied or moved to a FAT partition, FAT32 partition, or floppy disk becomes unencrypted if you have access to decrypt the file
   d. If you do not have access to decrypt a file, then you get an access-denied error if you attempt to copy or move the file to a FAT partition, FAT32 partition, or floppy disk

BitLocker Drive Encryption

1. Define BitLocker Drive Encryption as a data encryption feature included with Windows 7. An entire volume is encrypted when you use BitLocker Drive Encryption. It also protects the operating system. Use Figure 7-18 to illustrate your explanation.

2. Explain that BitLocker Drive Encryption is designed to be used with a Trusted Platform Module (TPM). TPM is a part of the motherboard in your computer and is used to store encryption keys and certificates.

3. Describe the BitLocker Drive Encryption modes, including:
   a. TPM only
   b. Startup key

4. Explain that the hard drive must be divided into two partitions. One encrypted partition is used as the operating system volume. One unencrypted system partition contains the necessary files to boot the operating system.

5. Use Figure 7-19 to describe the BitLocker encryption keys, including:
   a. Volume Master Key (VMK)
   b. Full Volume Encryption Key (FVEK)

6. Explain that when you activate BitLocker Drive Encryption, a recovery password is generated automatically. You can save it to a USB drive or folder, display it on the screen, or print it.

7. Mention that the recovery password is required when the normal decryption process is unable to function. Describe the most common reasons why recovery passwords are required, including:
   a. Modified boot files
   b. Lost encryption keys
   c. Lost or forgotten startup PIN

8. Explain that disabling BitLocker Drive Encryption decrypts all of the data on the hard drive and makes it readable again.

Teaching Tip
Read more about BitLocker Drive Encryption at: http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx

9. Define BitLocker To Go as a new feature in Windows 7 that allows you to protect data on removable storage such as USB drives.

10. Describe the options for unlocking removable storage, including:
   a. Use a password to unlock the drive
   b. Use my smart card to unlock the drive

Windows Update

1. Explain that scheduling automatic updates with Windows Update is the most important security precaution you can take with Windows 7. Use Figure 7-20 to illustrate your explanation.

2. Mention that when a Windows security flaw is found, the flaw is reported to Microsoft. Microsoft creates and releases a patch to fix the problem.

3. Describe the Windows Update categories, including:
   a. Important
   b. Recommended
   c. Optional

4. Use Figure 7-21 to describe the Windows Update settings:
   a. Install updates automatically (recommended)
   b. Download updates but let me choose whether to install them
   c. Check for updates but let me choose whether to download and install them
   d. Never check for updates (not recommended)

5. Explain that Microsoft has improved the quality of their patches. The Windows Update process can be modified to use Windows Server Update Services (WSUS). WSUS allows corporations to test patches before releasing them.

Action Center

1. Define Action Center as a Control Panel applet that lets you quickly check important security settings in Windows 7.

2. Use Figure 7-22 to describe the settings monitored by Windows Security, including:
   a. Network Firewall
   b. Windows Update
   c. Virus protection
   d. Spyware and unwanted software protection
   e. Internet security settings
   f. User Account Control
   g. Network Access Protection

Teaching Tip
Read more about Action Center at: http://windows.microsoft.com/enus/windows7/products/features/action-center .

Quick Quiz 2

1. A(n) ____ algorithm uses the same key to encrypt data and decrypt data.
   Answer: symmetric encryption

2. A(n) ____ algorithm is one-way encryption, which means that it encrypts data, but the data cannot be decrypted.
   Answer: hash encryption

3. The standard Windows Update process can be modified to use ____.
   Answer: Windows Server Update Services (WSUS)
   Windows Server Update Services
   WSUS

4. ____ is a Control Panel applet that lets you quickly check important security settings in Windows 7.
   Answer: Action Center

Class Discussion Topics

1. Describe the main characteristics of the Windows 7 security improvements.

2. Briefly describe the main characteristics of symmetric, asymmetric, and hash encryption algorithms.

Additional Projects

1. Use the Internet to read more about malware including worms, viruses, spyware, and adware, and write a report highlighting the most important characteristics of each.

2. Use the Internet to read more about symmetric, asymmetric, and hash encryption algorithms. Describe at least three algorithms for each category including AES, RSA, and SHA.

Additional Resources

1. Defining Malware: FAQ: www.microsoft.com/technet/security/alerts/info/malware.mspx

2. User Account Control in Windows 7 Best Practices: http://technet.microsoft.com/en-us/library/ee679793(WS.10).aspx

3. What's New in User Account Control: http://technet.microsoft.com/en-us/library/dd446675(WS.10).aspx

4. User Account Control Step by Step Guide: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

5. Network Access Protection: http://en.wikipedia.org/wiki/Network_Access_Protection

6. Phishing: www.computerworld.com/securitytopics/security/story/0,10801,89096,00.html

7. What is Encrypting File System (EFS)?: http://windowshelp.microsoft.com/Windows/en-US/Help/e895bd18-36e5-4229-8424dff307b155c21033.mspx

8. Understanding BitLocker Drive Encryption: http://technet.microsoft.com/en-us/library/dd744540(WS.10).aspx

Key Terms

• account lockout policy —A collection of settings, such as lockout duration, that control account lockouts.

• application manifest —An XML file that describes the structure of an application, including required DLL files and privilege requirements.

• AppLocker —A new feature in Windows 7 that is used to define which programs are allowed to run. This is a replacement for the software restriction policies found in Windows XP and Windows Vista.

• asymmetric encryption algorithm —An encryption algorithm that uses two keys to encrypt and decrypt data. Data encrypted with one key is decrypted by the other key.

• audit policy —The settings that define which operating system events are audited.

• auditing —The security process that records the occurrence of specific operating system events in the Security log.

• BitLocker Drive Encryption —A new feature in Windows 7 that encrypts the operating system partition of a hard drive and protects system files from modification.

• BitLocker To Go —A new feature in Windows 7 that allows you to encrypt removable storage.

• Encrypting File System (EFS) —An encryption technology for individual files and folders that can be enabled by users.

• Full Volume Encryption Key (FVEK) —The key used to encrypt the VMK when BitLocker Drive Encryption is enabled.

• hash encryption algorithm —A one-way encryption algorithm that creates a unique identifier that can be used to determine whether data has been changed.

• local security policy —A set of security configuration options in Windows 7. These options are used to control user rights, auditing, password settings, and more.

• malware —Malicious software designed to perform unauthorized acts on your computer. Malware includes viruses, worms, and spyware.

• Microsoft Security Essentials —Free antivirus software that is available if your copy of Windows 7 is genuine.

• Network Access Protection (NAP) —A computer authorization system for networks that prevents unhealthy computers from accessing the network.

• password policy —A collection of settings to control password characteristics such as length and complexity.

• Secedit —A command-line tool that is used to apply, export, or analyze security templates.

• Security Configuration and Analysis tool —An MMC snap-in that is used to apply, export, or analyze security templates.

• security template —An .inf file that contains security settings that can be applied to a computer or analyzed against a computer’s existing configuration.

• symmetric encryption algorithm —An encryption algorithm that uses the same key to encrypt and decrypt data.

• Trusted Platform Module (TPM) —A motherboard module that is used to store encryption keys and certificates.

• User Account Control (UAC) —A new feature in Windows 7 that elevates user privileges only when required.

• Volume Master Key (VMK) —The key used to encrypt hard drive data when BitLocker Drive Encryption is enabled.

• Windows Defender —Antispyware software included with Windows 7.

• Windows Server Update Services (WSUS) —A service that collects and distributes patches to Windows workstations by using the automatic updates process.
