Implementing Client Security on Windows 2000 and Windows XP

Presentation transcript:

Implementing Client Security on Windows 2000 and Windows XP Byron P. Hynes MCSE+I, MCSE:Security, MCSA:Messaging, MCSD, MCDBA, MCT, AVT, A+ Technet Security Specialist Microsoft Corporation v-bhynes@microsoft.com

Introduction
Agenda:
- Introduction
- Core Client Security
- Antivirus Software
- Client Firewalls
- Securing Clients with Active Directory
- Using Group Policy to Secure Clients
- Securing Applications
- Software Restriction Policy
- Local Group Policy Settings for Stand-Alone Clients

The Importance of Security
Protecting client computers from attack can help an organization:
- Protect information
- Protect communication channels
- Reduce downtime
- Protect revenues
- Prevent damage to reputation

Defense in Depth
Using a layered approach:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success
Layers and example controls:
- Data: ACLs, encryption, EFS
- Application: Application hardening, antivirus
- Host: OS hardening, authentication, patch management, HIDS
- Internal Network: Network segments, IPSec, NIDS
- Perimeter: Firewalls, Network Access Quarantine Control
- Physical Security: Guards, locks, tracking devices
- Policies, Procedures, & Awareness: Security documents, user education

Core Client Security

Components of Client Computer Security
- Software Updates
- Antivirus
- Password Best Practices
- Firewalls
- Client Management Tools
- Mobile Computing
- Application Security
- Data Protection

Managing Software Updates Customer type Scenario Customer chooses Consumer All scenarios Windows Update Small business No Windows servers One to three Windows servers and one IT administrator SUS Medium or large enterprise Wants a patch management solution with basic level of control that updates Windows 2000 and later versions of Windows Wants a single, flexible patch management solution with extended level of control to patch, update, and distribute all software SMS

Microsoft® Windows® XP Service Pack 2 (SP2)
Why it is needed:
- Malicious exploits are becoming more and more sophisticated
- Time to exploit Microsoft-issued patches is accelerating
- Current approach is not sufficient
(Chart: number of days to exploit)

Windows XP SP2
Provides innovative security features and default safeguards to proactively protect and guard against hackers, viruses and other security risks
Four main areas of focus:
- Memory: Provide system-level protection for the base operating system
- Network: Help protect the system from attacks from the network
- Attachments: Enable more secure Email and Instant Messaging experience
- Web: Enable more secure Internet experience for most common Internet tasks

Begin Your Evaluation Today
Why evaluate Windows XP Service Pack 2 Release Candidate?
- Default settings in Service Pack 2 might affect how some programs work
- Windows XP SP2 Release Candidate 1 (RC1) is available for evaluation today
- Install from the CD in your TechNet package
- Download from www.microsoft.com/sp2preview
For more information on Windows XP SP2 visit www.microsoft.com/sp2preview

Mobile Computing
When connected to the corporate network, mobile computing devices extend the network perimeter
To increase security for these devices, consider using:
- BIOS passwords
- Network Access Quarantine Control
- Strong wireless authentication
- Backup utility

Data Protection
To protect data:
- Sign e-mail messages and software to ensure authenticity
- Use EFS to restrict access to data
- Use Information Rights Management to protect documents from unauthorized use

Rights-protected information – no printing (1 of 3): Display the browser’s “File” drop down menu and how the applied policies affect it (Print) SCRIPT: Let’s see what happens when Mary tries to print the rendered information. When she clicks on the “File” drop down menu, you can see that none of the options are grayed out except for Save and Edit– this was due to user feedback in pre-beta usability tests. Instead, when Mary tries to print, she receives a pop-up box in the upper right hand corner letting her know she cannot print. This pop-up box also shows it is affiliated with this new “Permissions” icon. ACTION: Click to reveal File menu drop down and mouse over “Print” ACTION: Click to show you are trying to Print. The “You do not have permission” popup appears.

Password Best Practices
- Educate users about good password practices
- Use pass phrases with spaces, numbers, and special characters instead of passwords
- Use different passwords for different resources, and protect password lists
- Lock workstations when away, and configure screen savers to use password protection
- Use multifactor authentication for extra levels of security

Antivirus Software

The Virus Problem
It is estimated that last year virus costs exceeded $12.5 billion:
- Direct costs: IT staff and consultants
- Indirect costs:
  - Loss of productivity
  - Loss of revenue
  - Loss of data
  - Compromise of confidential information
  - Damage to reputation

Antivirus Software Deployment
Organization size and antivirus software deployment solution:
- Individuals and very small organizations: Install stand-alone antivirus software on individual client computers
- Small and midsize organizations: Centralized deployment: Use Group Policy to deploy antivirus software
- Enterprise-level organizations: Use Group Policy to deploy antivirus software; install and manage using vendor administration console

Antivirus Software Updates
Desktop computers:
- Local servers store antivirus software updates for distribution
- Use a push model, in which definitions are immediately copied to clients
- Do not rely on users to download updates
Laptop computers:
- Use Internet updates when away from office

Free software (1st in a series…) CA’s stand-alone anti-virus scanner, personal firewall and one year of free updates: http://www.my-etrust.com/microsoft

Client Firewalls

The Need for Client Firewalls
Which clients need firewalls?
- LAN clients
- Desktops with modem connections
- Mobile clients

Internet Connection Firewall
ICF provides basic protection from Internet threats by disallowing incoming traffic
Limitations:
- No outbound filtering
- Support and software issues
- Limited configuration options
ICF is improved and named Windows Firewall in Windows XP Service Pack 2

Third-Party Firewall Software
Reasons to consider using:
- Ability to control outbound as well as inbound traffic
- Can specify which applications can access the Internet
Issues:
- Rules can be complex
- Scalability may be a problem

How to Configure Internet Connection Firewall
1. Open Control Panel, and then double-click Network Connections
2. Right-click the connection on which you want to configure ICF, and then click Properties
3. Click the Advanced tab, and then select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box
4. To configure additional settings for ICF, click Settings

Demonstration: Internet Connection Firewall
Your instructor will demonstrate how to:
- Enable Internet Connection Firewall (ICF)
- Test outbound access
- Test inbound access

How to Configure Windows Firewall

Best Practices for Client Firewalls
- Require users to enable ICF or Windows Firewall on all connections when their computers are not physically connected to your organization’s intranet
- Use scripting to force remote clients to use ICF or Windows Firewall for VPN connections
- Use caution when implementing ICF or Windows Firewall on client computers that are physically connected to your organization’s intranet

Securing Clients with Active Directory

Active Directory Components
- Group Policy: The infrastructure that enables the implementation and management of network security
- Forest: A security boundary in Active Directory
- Domain: A collection of computer, user, and group objects defined by the administrator
- Organizational Unit (OU): An Active Directory container object used within domains

Establishing an OU Hierarchy
- Group Policy simplifies the application of client security settings
- Split hierarchy model:
  - Separates user OUs and computer OUs
  - Applies appropriate policy settings to each OU
(Diagram labels: Root Domain, Domain Policy, Department OU, Domain Controller OU, Windows XP OU, Secured Windows XP Users OU, Desktop OU, Desktop Policy, Laptop OU, Laptop Policy)

How to Create an OU Hierarchy
1. Create OUs for each department
2. Create OUs in each department for users and for various operating system versions
3. Create OUs under each operating system OU for each computer type (for example, laptops)
4. Move each client computer object into the appropriate OU

Best Practices for Using Active Directory to Implement Client Security
- Design the OU structure to facilitate client security
- Design the OU structure to separate user and computer objects based on role
- Create a GPO for each OU with the appropriate security settings for the users or clients in that OU

Using Group Policy to Secure Clients

What Are the Security Settings?
Security settings include:
- Account Password Policy
- Account Lockout Policy
- Audit Policy
- Event Log
- File System
- IP Security Policies
- Registry Settings
- Restricted Groups
- Security Options
- Software Restriction Policies
- System Services
- User Rights Assignment Settings

Using Security Templates
Security templates are preconfigured sets of security settings
There are templates for:
- All users and computers in the domain
- Desktop computers
- Laptop computers
Each template has an Enterprise Client and a High Security environment version
You can edit security template settings and import them into a GPO

Using Administrative Templates
Administrative Templates define the settings available in a GPO. They may contain:
- User Configuration settings
- Computer Configuration settings
You can use administrative templates to configure:
- The user’s operating environment
- Application security settings

How to Apply Security Templates and Administrative Templates
1. Open Group Policy Management, and then open the GPO for the OU to which you want to apply the security or administrative template
2. Import a security template
3. Import administrative templates as needed
4. Configure additional security and administrative settings as needed

Creating an OU Hierarchy and Applying a Security Template
Your instructor will demonstrate how to:
- Customize a security template
- Create an OU hierarchy and move a client computer object into an OU
- Create a GPO and import a security template
- Verify that the GPO has been applied

Best Practices for Using Group Policy to Secure Clients
- Use Enterprise Client templates as a baseline and modify them to meet the needs of your organization
- Implement strict account and audit policies at the domain level
- Test templates thoroughly before deployment
- Use additional administrative templates

Securing Applications

Internet Explorer Administrative Templates
- Help you enforce security requirements for Windows XP workstations
- Prevent the exchange of unwanted content
- Consider using the settings included in the Enterprise Client templates

Internet Explorer Zones
Security zone and default setting in Windows XP SP1:
- Internet: Medium
- Local intranet: Medium-Low
- Trusted sites: Low
- Restricted sites: High
- My computer: -

How to Use Group Policy to Configure Internet Explorer Zones
1. Start Group Policy Management, open a GPO for editing, and navigate to: User Configuration\Windows Settings\Internet Explorer Maintenance\Security
2. In the details pane, double-click Security Zones and Content Ratings
3. In the Security Zones and Content Ratings dialog box, click Import the current security zones and privacy settings, and then click Modify Settings
4. In the Internet Properties dialog box, click Trusted sites, and then click Sites
5. Type the URL for the site you want to add, and then click Add

Microsoft Outlook Security
Tools for customizing the security features of Microsoft Outlook:
- Outlook Administrator Pack
- Outlook administrative template
Outlook 2003 security enhancements include:
- Warns user before opening potentially dangerous file types
- Runs executable content in the Restricted Sites zone
- Does not automatically load HTML content

Microsoft Office Administrative Templates
- Administrative templates for Office 97 and later are available by downloading the appropriate edition of the Office Resource Kit
- Administrative templates for Office XP are included with the Windows XP Security Guide
- A key security feature of Office XP and later versions is macro security

Best Practices for Securing Applications
- Educate users about how to download files from the Internet safely and how to open e-mail attachments safely
- Only install applications that are required for users to do their jobs
- Implement a policy for updating applications

Software Restriction Policy

Software Restriction Policies
- A policy-driven mechanism that identifies and controls software on a client computer
- Can be used to fight viruses and/or to ensure that only approved software can be run on computers
Two components:
- A default rule for which programs can run. Default rule options: Unrestricted, Disallowed
- An inventory of exceptions to the default rule

How Software Restriction Policy Works
1. Use Group Policy Editor to define the policy for the site, domain, or OU
2. Policy is downloaded and applied to a computer
3. Policy is enforced by the operating system when software is run

Four Rules for Identifying Software
- Hash Rule: Compares the MD5 or SHA1 hash of a file to the one attempting to run. Use when you want to allow or prohibit a certain version of a file from being run.
- Certificate Rule: Checks for digital signature on application (for example, Authenticode). Use when you want to restrict both Win32 applications and ActiveX content.
- Path Rule: Compares path of file being run to an allowed path list. Use when you have a folder with many files for the same application. Essential when SRPs are strict.
- Internet Zone Rule: Controls how Internet Zones can be accessed. Use in high-security environments to control access to Web applications.
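A simplified model of how a default rule and its hash and path exceptions decide a launch, as an added example that is not part of the presentation and not Windows' own code. It assumes hash rules are checked before path rules and that the most specific matching path wins (this precedence is not stated in the slides); certificate and Internet zone rules are left out, and all paths, file contents and policies are constructed.

```python
import hashlib
from dataclasses import dataclass

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

@dataclass(frozen=True)
class HashRule:
    sha1: str    # hex SHA-1 of one exact file version
    level: str

@dataclass(frozen=True)
class PathRule:
    prefix: str  # folder or file path, matched case-insensitively
    level: str

def norm(path):
    return path.replace("/", "\\").rstrip("\\").lower()

def evaluate(path, content, default_level, hash_rules=(), path_rules=()):
    """Return (level, reason) for one launch attempt under the simplified policy."""
    digest = hashlib.sha1(content).hexdigest()
    levels = [r.level for r in hash_rules if r.sha1.lower() == digest]
    if levels:  # a hash rule follows the file wherever it is copied or renamed
        return (DISALLOWED if DISALLOWED in levels else UNRESTRICTED), "hash rule"
    target, best = norm(path), None
    for rule in path_rules:
        prefix = norm(rule.prefix)
        # Match whole path components only: C:\Windows must not cover C:\WindowsTemp.
        if target == prefix or target.startswith(prefix + "\\"):
            rank = (len(prefix), rule.level == DISALLOWED)
            if best is None or rank > best[0]:
                best = (rank, rule)
    if best:
        return best[1].level, "path rule " + best[1].prefix
    return default_level, "default rule"

# Constructed sample data: file contents stand in for real executables.
APPROVED = b"helpdesk tool build 1.0"
MODIFIED = b"helpdesk tool build 1.0 (modified)"
KNOWN_BAD = b"unwanted program v3"

# Strict policy: nothing runs unless an exception allows it.
ALLOWLIST = dict(
    default_level=DISALLOWED,
    hash_rules=[HashRule(hashlib.sha1(APPROVED).hexdigest(), UNRESTRICTED)],
    path_rules=[PathRule(r"C:\Windows", UNRESTRICTED),
                PathRule(r"C:\Program Files", UNRESTRICTED),
                PathRule(r"C:\Program Files\Games", DISALLOWED)],
)
# Permissive policy: everything runs except one known file version.
BLOCKLIST = dict(
    default_level=UNRESTRICTED,
    hash_rules=[HashRule(hashlib.sha1(KNOWN_BAD).hexdigest(), DISALLOWED)],
)

def demo():
    desktop = r"C:\Documents and Settings\mary\Desktop"
    return {
        "system binary": evaluate(r"C:\Windows\System32\notepad.exe", b"x", **ALLOWLIST),
        "approved tool on desktop": evaluate(desktop + r"\tool.exe", APPROVED, **ALLOWLIST),
        "modified tool on desktop": evaluate(desktop + r"\tool.exe", MODIFIED, **ALLOWLIST),
        "game under Program Files": evaluate(r"C:\Program Files\Games\sol.exe", b"x", **ALLOWLIST),
        "look-alike folder": evaluate(r"C:\WindowsTemp\setup.exe", b"x", **ALLOWLIST),
        "renamed known-bad file": evaluate(r"C:\Temp\readme.exe", KNOWN_BAD, **BLOCKLIST),
        "altered known-bad file": evaluate(r"C:\Temp\readme.exe", KNOWN_BAD + b"!", **BLOCKLIST),
    }

if __name__ == "__main__":
    for name, (level, reason) in demo().items():
        print(f"{name:26} {level:12} ({reason})")
```

The last two cases show why a hash rule under an Unrestricted default only stops the exact version that was hashed, while the same rule type under a Disallowed default admits only that version.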

How to Apply a Software Restriction Policy
1. Open the Group Policy object for the OU in which you want to apply the software restriction policy
2. Navigate to the Computer Settings\Windows Settings\Security Settings node
3. Right-click Software Restriction Policies, and then click Create New Policies
4. Configure Hash, Certificate, Path, and Internet Zone rules to accommodate your organization’s needs

Applying Software Restriction Policies
Your instructor will demonstrate how to:
- Create a software restriction policy
- Test the software restriction policy

Best Practices for Applying Software Restriction Policies
- Create a rollback plan
- Use a separate GPO to manage each software restriction policy
- Use software restriction policies in conjunction with NTFS permissions for defense in depth
- Never link a GPO to another domain
- Thoroughly test new policy settings before applying them to the domain

Local Group Policy Settings for Stand-Alone Clients

Local Group Policy Settings
Use local Group Policy to configure stand-alone client computers
Stand-alone Windows XP clients:
- Use a modified version of the security templates
- Have one local GPO
- Settings must be manually applied by using Group Policy Editor or scripts

How to Use Local Group Policy to Secure Stand-Alone Clients
1. Start the local Group Policy MMC (Gpedit.msc)
2. Navigate to Computer Settings\Windows Settings, right-click the Security Settings node, and then select Import Policy
3. Browse to the location that contains the appropriate security template (for example, Legacy Enterprise Client – Desktop)
4. Configure additional security settings according to prescriptive guidance

Securing Stand-Alone Clients
Your instructor will demonstrate how to:
- Create a custom security template
- Use a script to manually apply the security template to a stand-alone client

Best Practices for Applying Local Group Policy Settings
- Use the stand-alone templates from the Windows XP Security Guide as a baseline
- Use the Secedit.exe tool to automate application of local Group Policy to stand-alone clients
- Develop procedures for deploying Group Policy settings to stand-alone clients
- Develop procedures to facilitate the reapplication of settings to stand-alone clients when needed
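One way to check a security template's account and audit settings before it is applied to stand-alone clients with Secedit.exe, as an added example that is not part of the presentation. The baseline thresholds and the sample template are constructed for illustration; only the `[System Access]` and `[Event Audit]` key names follow the security template (.inf) format.

```python
import configparser

# Constructed baseline: (section, key, predicate, human-readable requirement).
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, ">= 8"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "1 (enabled)"),
    ("System Access", "PasswordHistorySize", lambda v: v >= 24, ">= 24"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 50, "1 to 50 (0 disables lockout)"),
    ("System Access", "ClearTextPassword", lambda v: v == 0, "0 (disabled)"),
    # Audit values: 0 = none, 1 = success, 2 = failure, 3 = both.
    ("Event Audit", "AuditLogonEvents", lambda v: bool(v & 2), "failures audited"),
    ("Event Audit", "AuditAccountLogon", lambda v: bool(v & 2), "failures audited"),
]

def load_template(raw: bytes) -> configparser.ConfigParser:
    # Templates written by the Windows tools are usually UTF-16 with a byte
    # order mark; hand-edited copies are often plain ANSI/UTF-8.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    parser = configparser.ConfigParser(
        interpolation=None,    # values such as "$CHICAGO$" are literal
        strict=False,          # tolerate repeated keys
        allow_no_value=True,   # some sections hold bare lines without "="
        delimiters=("=",),
    )
    parser.optionxform = str   # keep key case as written
    parser.read_string(text)
    return parser

def audit(raw: bytes):
    """Return (key, found, required) for every baseline item the template misses."""
    tpl = load_template(raw)
    findings = []
    for section, key, ok, want in BASELINE:
        value = tpl.get(section, key, fallback=None)
        if value is None:
            findings.append((key, "not defined", want))
        elif not value.strip().isdigit() or not ok(int(value)):
            findings.append((key, value.strip(), want))
    return findings

# Constructed sample template.
SAMPLE_TEXT = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 3
"""
SAMPLE_UTF16 = SAMPLE_TEXT.encode("utf-16")   # the BOM-prefixed form

if __name__ == "__main__":
    for key, found, want in audit(SAMPLE_UTF16):
        print(f"{key}: found {found}, baseline requires {want}")
```

A setting that is absent from the template is reported as well, because a template only enforces what it defines.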

Session Summary
- Introduction
- Core Client Security
- Antivirus Software
- Client Firewalls
- Securing Clients with Active Directory
- Using Group Policy to Secure Clients
- Securing Applications
- Software Restriction Policy
- Local Group Policy Settings for Stand-Alone Clients

Next Steps
- Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
- Get additional security tools and content: http://www.microsoft.com/security/guidance