Troubleshooting Windows Vista Security Chapter 4 Troubleshooting IE7 PolicySetting Issues • Features of IE7 now managed through Group Policy – Previously some features managed through the IE admin kit • Internet Explorer Maintenance (IEM) extension controls certain settings – Advantageous for settings that cannot wait for a Group Policy refresh – Preference mode allows a setting to be changed – Example: Setting for proxy server so it cannot be temporarily overwritten – Example: Proxy server set but can be changed by someone who travels outside the office Troubleshooting IE7 Protected Mode Issues • Custom web applications may expect access to areas of the machine that are now restricted • Application shims deal with some of these issues, redirecting calls to restricted areas to default unrestricted areas • Identify if protected mode is enabled – Lower-right area of IE will list “Protected Mode: On” or “Protected Mode: Off” • Protected mode is not used if: – – – – – Protected Mode is disabled on the Security tab The web page is local to the machine IE7 was launched using “Run As Administrator” UAC is disabled The website is parts of the Trusted Sites zone Troubleshooting IE7 Certificate Issues • When a certificate error is encountered, the display will look like the following Troubleshooting IE7 Certificate Issues (continued) • Valid reasons to encounter a certificate error include: – The certificate has expired – The certificate is not configured properly to the website’s identity – The certificate is not on a list of trusted CA’s – Accessing the website by IP instead of by name • Click the “Certificate Error” drop down in the address bar for details • If the error is from a truly trusted source, you can bypass the error by clicking “continue to this website” • You can bypass the error depending upon the source issue – Add a CA to your trusted CA list – Disable the check for revocation • Any bypass of certificate errors has risk associated Troubleshooting Windows Firewall Issues • If you are prevented from accessing network resources, use the built-in exceptions on the Exceptions tab • Application problem are usually related to specifics ports, which can be unblocked • Use the NETSH FIREWALL command line utility to also configure the Firewall – Use this when scripting your configuration – Example: When several hundred ports need to be defined, using the GUI is impractical Troubleshooting Windows Defender Issues • Defender is designed to deal with spyware in real time and with periodic scans • Can quarantine software suspected as spyware • When real software is quarantine as spyware, use the Quarantine Items option to restore the program • Keep definitions updated using Windows Update and enable recommended updates Troubleshooting EFS and BitLocker Issues • EFS Issues – The volume must be formatted as NTFS – If unable to access encrypted files, check for certificate issues – Import the certificate from backup if necessary • BitLocker Issues – Any tampering will cause BitLocker to go into Recovery Mode – Hardware failures may require the drive be recovered in another computer with BitLocker available – Recovery Mode requires the recovery password which, if not setup individually, may be stored in AD and accessible by the domain admin – BitLocker protection can be disabled temporarily to make changes that might trip it’s tamper detection Troubleshooting Auditing Issues • If auditing using subcategories, these apply over regular GPO categories – To allow use of GPO categories, do not use the setting “Force Audit Policy Subcategory Settings (Windows Vista or later) to Overrise Audit Policy Category Settings Troubleshooting Access Denied Messages • When attempting to access a resource, Access Denied implies the user is not part of the ACL of that resource – Check ACLs of the resource – Check for EFS encryption • You can Take Ownership of files and folder to gain access • You can use CIPHER.EXE to decrypt EFS files Troubleshoot Authentication • Username and password issues – Check for proper rights – Reset password – Create a password reset disk or USB key to use when admin access is lost • Certificates – When a user roams between machines and need certificates to work, setup credential roaming in the domain • Smart Cards – Two-factor authentication requires a smart card and a PIN to logon. Make sure the smart ard is being used correctly. • Public Keys – Errors from public key infrastructure issues is stored in the CAPI2 event log Troubleshooting UAC • UAC depends on the Application Information service – Make sure the service is running • UAC Virtualization – The policy setting “Virtualize File and Registry Write Failures to Per-User Locations” can cause errors for some apps that write to protected areas if turned off • User experience issues with UAC – Adjust settings if the UAC prompts are too intrusive and your security policy allows it Troubleshooting Windows Updates • When encountering errors, you will only receive an error code – 80072efd – Problem Connecting to website: check connection to Internet – 80070003 Problem with temporary files: delete Windows Update temp files – 800f020b – Downloading a driver for a device not connected: connect the device – 80246007 – Background Intelligent Transfer Service issue: check that the service is running