©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

Presentation transcript:


Overview
- User And Group Changes
- Admin account
- New/Missing SIDs
- New/Missing Users and Groups
- Cached credentials
- Kernel Changes
- Buffer overflow protection
- ACL Changes
- Encryption changes
- Suite B
- TS SSO
- EFS with Smart Cards
- Audit changes
- User rights
- New and changed security options
- Firewall
- Auth IP
- SMBv2

User and Group Changes

Administrator Account Status

Built-in “Administrator”
- Safe mode created a hole: reboot and login without a password!
- New behavior:
  - Non-domain: if you have a local admin, safe mode prohibits use of BA
  - Domain: BA can never be used

Power Users Are Not Anymore

New Groups

Some Additional SIDs

And A Few More SIDs
- The Trusted Installer
- A Service
- INTERNET USER
- High integrity SID
- Low integrity SID
- Medium integrity SID
- System integrity SID

Integrity Levels in Token

ACL Changes

ACL Modifications

Old ACL UI

New ACL UI

Owner Needs Explicit Perms

Kernel Changes

Better Buffer Overflow Protection
- Second cookie protects exception handlers
- Safer CRT exception handlers
- No more executable pages outside images
- Enforced by better development practices and code scanning tools
- /NXCOMPAT linker flag in build tools
- If all binaries in a process are marked, NX is automatically enabled for the process
- Heap protection
- Signed kernel code (x64 only)

Crypto Changes

Offline Files Encrypted Per User

Encrypted Pagefile

Suite-B Crypto
- Software and Smart Card Key Storage Providers
- Cryptographic configuration
- NIST ECC Prime Curves support (smart cards too)
- AES
- SHA-2
- IPsec support for AES and ECDH
- ECC cipher suites in SSL
- EFS with smart cards

Cached Credentials Much Tougher

Improved Auditing

Granular Audit Policy

Object Access Auditing
Object Access Attempt:
  Object Server:%1
  Handle ID:%2
  Object Type:%3
  Process ID:%4
  Image File Name:%5
  Access Mask:%6

Object Access Auditing
An operation was performed on an object.
Subject :
  Security ID:%1
  Account Name:%2
  Account Domain:%3
  Logon ID:%4
Object:
  Object Server:%5
  Object Type:%6
  Object Name:%7
  Handle ID:%9
Operation:
  Operation Type:%8
  Accesses:%10
  Access Mask:%11
  Properties:%12
  Additional Info:%13
  Additional Info2:%14

Added Auditing For
- Registry value change audit events (old+new values)
- AD change audit events (old+new values)
- Improved operation-based audit
- Audit events for UAC
- Improved IPSec audit events including support for AuthIP
- RPC Call audit events
- Share Access audit events
- Share Management events
- Cryptographic function audit events
- NAP audit events (server only)
- IAS (RADIUS) audit events (server only)

More Info In Event Log UI

XML Events

New Event Numbers

New and Modified User Rights

Changes to User Rights
- All rights for Power Users removed
- Create global objects does not have INTERACTIVE
- SE_IMPERSONATE has added IIS_IUSRS and removed ASPNET
- Logon as a service is now empty by default

New User Rights
- Access credential manager as a trusted caller
  - Winlogon uses for credential manager backup/restore
- Change time zone user right
- Create symbolic links
- Modify an object’s integrity label
- Synchronize directory service data
- Increase a process working set

Security Options With Modified Defaults

Anonymous Named Pipes

Anonymous Named Pipes

Network access: remotely accessible registry paths

Network access: remotely accessible registry paths

Network access: shares that can be accessed anonymously

Network access: shares that can be accessed anonymously

Network Security: Do not store LAN Manager hash value on next password change

Network Security: Do not store LAN Manager hash value on next password change

Network security: LAN Manager authentication level

Network security: LAN Manager authentication level

Devices: Allowed to format and eject removable media

Devices: Allowed to format and eject removable media

Devices: Restrict CD-ROM/Floppy access to locally logged on user only

Devices: Restrict CD-ROM/Floppy access to locally logged on user only

Devices: Unsigned driver installation behavior

Devices: Unsigned driver installation behavior

Why Change It?

Devices and Drivers

Allowing users to install drivers

Installing devices

Configuring device restrictions

New Security Options

Network access: Restrict anonymous access to named pipes and shares

System settings: Optional subsystems

System settings: Use certificate rules on Windows executables for software restriction policies

Lots and lots and lots of GP changes

Last Logon Display

Trusted Path Credential Entry

Smart Card Policies

RDP

New RDP Control

New RDP Control

Timeless Security Advice! Order online: om