Implementing Client Security on Windows 2000 and Windows XP Byron P. Hynes MCSE+I, MCSE:Security, MCSA:Messaging, MCSD, MCDBA, MCT, AVT, A+ Technet Security Specialist Microsoft Corporation v-bhynes@microsoft.com

Introduction Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

The Importance of Security Protecting client computers from attack can help an organization: Protect information Protect communication channels Reduce downtime Protect revenues Prevent damage to reputation

Policies, Procedures, & Awareness Physical Security Perimeter Internal Network Host Application Data OS hardening, authentication, patch management, HIDS Firewalls, Network Access Quarantine Control Guards, locks, tracking devices Network segments, IPSec, NIDS Application hardening, antivirus ACLs, encryption, EFS Security documents, user education Using a layered approach Increases an attacker’s risk of detection Reduces an attacker’s chance of success Defense in Depth Defense in Depth Using a layered approach Increases attacker’s risk of detection Reduces attacker’s chance of success Policies, Procedures, & Awareness Physical Security Perimeter Internal Network Host Application Data Policies, Procedures, & Awareness Physical Security Perimeter Internal Network Host Application Data ACLs, encryption, EFS Application hardening, antivirus OS hardening, authentication, patch management, HIDS Network segments, IPSec, NIDS Firewalls, Network Access Quarantine Control Guards, locks, tracking devices Security documents, user education

Core Client Security Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

Components of Client Computer Security Software Updates Antivirus Password Best Practices Firewalls Client Management Tools Mobile Computing Application Security Data Protection

Managing Software Updates Customer type Scenario Customer chooses Consumer All scenarios Windows Update Small business No Windows servers One to three Windows servers and one IT administrator SUS Medium or large enterprise Wants a patch management solution with basic level of control that updates Windows 2000 and later versions of Windows Wants a single, flexible patch management solution with extended level of control to patch, update, and distribute all software SMS

Microsoft® Windows® XP Service Pack 2 (SP2) Number of days to exploit Why it is needed: Malicious exploits are becoming more and more sophisticated Time to exploit Microsoft issued patches accelerating Current approach is not sufficient

Windows XP SP2 Provides innovative security features and default safeguards to proactively protect and guard against hackers, viruses and other security risks Four main areas of focus: Memory Provide system-level protection for the base operating system Network Help protect the system from attacks from the network Attachments Enable more secure Email and Instant Messaging experience Web Enable more secure Internet experience for most common Internet tasks

Begin Your Evaluation Today Why evaluate Windows XP Service Pack 2 Release Candidate? Default settings in Service Pack 2 might affect how some programs work Windows XP SP2 Release Candidate 1 (RC1) is available for evaluation today Install from the CD in your TechNet package Download from www.microsoft.com/sp2preview For more information on Windows XP SP2 visit www.microsoft.com/sp2preview

Mobile Computing When connected to the corporate network, mobile computing devices extend the network perimeter To increase security for these devices, consider using: BIOS passwords Network Access Quarantine Control Strong wireless authentication Backup utility

Data Protection To protect data: Sign e-mail messages and software to ensure authenticity Use EFS to restrict access to data Use Information Rights Management to protect documents from unauthorized use

Rights-protected information – no printing (1 of 3): Display the browser’s “File” drop down menu and how the applied policies affect it (Print) SCRIPT: Let’s see what happens when Mary tries to print the rendered information. When she clicks on the “File” drop down menu, you can see that none of the options are grayed out except for Save and Edit– this was due to user feedback in pre-beta usability tests. Instead, when Mary tries to print, she receives a pop-up box in the upper right hand corner letting her know she cannot print. This pop-up box also shows it is affiliated with this new “Permissions” icon. ACTION: Click to reveal File menu drop down and mouse over “Print” ACTION: Click to show you are trying to Print. The “You do not have permission” popup appears.

Password Best Practices Educate users about good password practices Use pass phrases with spaces, numbers, and special characters instead of passwords Use different passwords for different resources, and protect password lists Lock workstations when away, and configure screen savers to use password protection Use multifactor authentication for extra levels of security

Antivirus Software Introduction Core Client Security Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

The Virus Problem It is estimated that last year virus costs exceeded $12.5 billion: Direct costs ─ IT staff and consultants Indirect costs: Loss of productivity Loss of revenue Loss of data Compromise of confidential information Damage to reputation

Antivirus Software Deployment Organization size Antivirus software deployment solution Individuals and very small organizations Install stand-alone antivirus software on individual client computers Small and midsize organizations Centralized deployment: Use Group Policy to deploy antivirus software Enterprise-level organizations Use Group Policy to deploy antivirus software Install and manage using vendor administration console

Antivirus Software Updates Desktop computers Local servers store antivirus software updates for distribution Use a push model, in which definitions are immediately copied to clients Do not rely on users to download updates Laptop computers Use Internet updates when away from office

Free software (1st in a series…) CA’s stand-alone anti-virus scanner, personal firewall and one year of free updates: http://www.my-etrust.com/microsoft

Client Firewalls Introduction Core Client Security Antivirus Software Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

The Need for Client Firewalls Which clients need firewalls? LAN clients Desktops with modem connections Mobile clients

Internet Connection Firewall ICF provides basic protection from Internet threats by disallowing incoming traffic Limitations: No outbound filtering Support and software issues Limited configuration options ICF is improved and named Windows Firewall in Windows XP Service Pack 2

Third-Party Firewall Software Reasons to consider using: Ability to control outbound as well as inbound traffic Can specify which applications can access the Internet Issues: Rules can be complex Scalability may be a problem

How to Configure Internet Connection Firewall Open Control Panel, and then double-click Network Connections 1 Right-click the connection on which you want to configure ICF, and then click Properties 2 Click the Advanced tab, and then select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box 3 To configure additional settings for ICF, click Settings 4

Demonstration: Internet Connection Firewall Your instructor will demonstrate how to: Enable Internet Connection Firewall (ICF) Test outbound access Test inbound access

How to Configure Windows Firewall

Best Practices for Client Firewalls Require users to enable ICF or Windows Firewall on all connections when their computers are not physically connected to your organization’s intranet Use scripting to force remote clients to use ICF or Windows Firewall for VPN connections Use caution when implementing ICF or Windows Firewall on client computers that are physically connected to your organization’s intranet

Securing Clients with Active Directory Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

Active Directory Components Group Policy The infrastructure that enables the implementation and management of network security Forest A security boundary in Active Directory Domain A collection of computer, user, and group objects defined by the administrator Organizational Unit (OU) An Active Directory container object used within domains

Establishing an OU Hierarchy Domain Policy Group Policy simplifies the application of client security settings Split hierarchy model Separates user OUs and computer OUs Applies appropriate policy settings to each OU Root Domain Department OU Domain Controller OU Windows XP OU Secured Windows XP Users OU Desktop Policy Desktop OU Laptop Policy Laptop OU

How to Create an OU Hierarchy Create OUs for each department 1 Create OUs under each operating system OU for each computer type (for example, laptops) Move each client computer object into the appropriate OU Create OUs in each department for users and for various operating system versions 2 3 4

Best Practices for Using Active Directory to Implement Client Security Design the OU structure to facilitate client security Design the OU structure to separate user and computer objects based on role Create a GPO for each OU with the appropriate security settings for the users or clients in that OU

Using Group Policy to Secure Clients Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

What Are the Security Settings? Security settings include: Account Password Policy Account Lockout Policy Audit Policy Event Log File System IP Security Policies Registry Settings Restricted Groups Security Options Software Restriction Policies System Services User Rights Assignment Settings

Using Security Templates Security templates are preconfigured sets of security settings There are templates for: All users and computers in the domain Desktop computers Laptop computers Each template has an Enterprise Client and a High Security environment version You can edit security template settings and import them into a GPO

Using Administrative Templates Administrative Templates define the settings available in a GPO. They may contain: User Configuration settings Computer Configuration settings You can use administrative templates to configure: The user’s operating environment Application security settings

How to Apply Security Templates and Administrative Templates Open Group Policy Management, and then open the GPO for the OU to which you want to apply the security or administrative template 1 Import a security template 2 Import administrative templates as needed 3 Configure additional security and administrative settings as needed 4

Creating an OU Hierarchy and Applying a Security Template Your instructor will demonstrate how to: Customize a security template Create an OU hierarchy and move a client computer object into an OU Create a GPO and import a security template Verify that the GPO has been applied

Best Practices for Using Group Policy to Secure Clients Use Enterprise Client templates as a baseline and modify them to meet the needs of your organization Implement strict account and audit policies at the domain level Test templates thoroughly before deployment Use additional administrative templates

Securing Applications Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

Internet Explorer Administrative Templates Help you enforce security requirements for Windows XP workstations Prevent the exchange of unwanted content Consider using the settings included in the Enterprise Client templates

Internet Explorer Zones Security zone Default setting in Windows XP SP1 Internet Medium Local intranet Medium-Low Trusted sites Low Restricted sites High My computer -

How to Use Group Policy to Configure Internet Explorer Zones Start Group Policy Management, open a GPO for editing, and navigate to: User Configuration\Windows Settings\ Internet Explorer Maintenance\Security In the details pane, double-click Security Zones and Content Ratings In the Security Zones and Content Ratings dialog box, click Import the current security zones and privacy settings, and then click Modify Settings In the Internet Properties dialog box, click Trusted sites, and then click Sites 1 2 3 4 Type the URL for the site you want to add, and then click Add 5 How to Use Group Policy to Configure Internet Explorer Zones How to Use Group Policy to Configure Internet Explorer Zones Start Group Policy Management, open a GPO for editing, and navigate to: User Configuration\Windows Settings\ Internet Explorer Maintenance\Security http://www.microsoft.com/security/guidance 1 2 3 4 5

Microsoft Outlook Security Tools for customizing the security features of Microsoft Outlook: Outlook Administrator Pack Outlook administrative template Outlook 2003 security enhancements include: Warns user before opening potentially dangerous file types Runs executable content in the Restricted Sites zone Does not automatically load HTML content

Microsoft Office Administrative Templates Administrative templates for Office 97 and later are available by downloading the appropriate edition of the Office Resource kit Administrative templates for Office XP are included with the Windows XP Security Guide A key security feature of Office XP and later versions is macro security

Best Practices for Securing Applications Educate users about how to download files from the Internet safely and how to open e-mail attachments safely Only install applications that are required for users to do their jobs Implement a policy for updating applications

Software Restriction Policy Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

Software Restriction Policies A policy-driven mechanism that identifies and controls software on a client computer Can be used to fight viruses and/or to ensure that only approved software can be run on computers Two components: A default rule for which programs can run Default rule options: Unrestricted Disallowed An inventory of exceptions to the default rule

How Software Restriction Policy Works Use Group Policy Editor to define the policy for the site, domain, or OU 1 Policy is downloaded and applied to a computer 2 Policy is enforced by the operating system when software is run 3

Four Rules for Identifying Software Hash Rule Compares the MD5 or SHA1 hash of a file to the one attempting to run Use when you want to allow or prohibit a certain version of a file from being run Certificate Rule Checks for digital signature on application (for example, Authenticode) Use when you want to restrict both Win32 applications and ActiveX content Path Rule Compares path of file being run to an allowed path list Use when you have a folder with many files for the same application Essential when SRPs are strict Internet Zone Rule Controls how Internet Zones can be accessed Use in high-security environments to control access to Web applications

How to Apply a Software Restriction Policy Open the Group Policy object for the OU in which you want to apply the software restriction policy 1 Navigate to the Computer Settings\Windows Settings\Security Settings node 2 Right-click Software Restriction Policies, and then click Create New Policies 3 Configure Hash, Certificate, Path, and Internet Zone rules to accommodate your organization’s needs 4

Applying Software Restriction Policies Your instructor will demonstrate how to: Create a software restriction policy Test the software restriction policy

Best Practices for Applying Software Restriction Policies Create a rollback plan Use a separate GPO to manage each software restriction policy Use software restriction policies in conjunction with NTFS permissions for defense in depth Never link a GPO to another domain Thoroughly test new policy settings before applying them to the domain

Local Group Policy Settings for Stand-Alone Clients Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

Local Group Policy Settings Use local Group Policy to configure stand-alone client computers Stand-alone Windows XP clients: Use a modified version of the security templates Have one local GPO Settings must be manually applied by using Group Policy Editor or scripts

How to Use Local Group Policy to Secure Stand-Alone Clients Start the local Group Policy MMC (Gpedit.msc) 1 Navigate to Computer Settings\Windows Settings, right-click the Security Settings node, and then select Import Policy 2 Browse to the location that contains the appropriate security template (for example, Legacy Enterprise Client – Desktop) 3 Configure additional security settings according to prescriptive guidance 4

Securing Stand-Alone Clients Your instructor will demonstrate how to: Create a custom security template Use a script to manually apply the security template to a stand-alone client

Best Practices for Applying Local Group Policy Settings Use the stand-alone templates from the Windows XP Security Guide as a baseline Use the Secedit.exe tool to automate application of local Group Policy to stand-alone clients Develop procedures for deploying Group Policy settings to stand-alone clients Develop procedures to facilitate the reapplication of settings to stand-alone clients when needed

Session Summary Introduction Core Client Security Antivirus Software Client Firewalls Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Software Restriction Policy Local Group Policy Settings for Stand-Alone Clients

Next Steps Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx Sign up for security communications: http://www.microsoft.com/technet/security/signup/ default.mspx Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/ default.mspx Get additional security tools and content: http://www.microsoft.com/security/guidance