Week #7 Objectives: Secure Windows 7 Desktop


Week #7 Objectives: Secure Windows 7 Desktop
Course 6292A, Module 6: Securing Windows 7 Desktops
- Overview of Security Management in Windows 7
- Secure a Windows 7 Client Computer by Using Group Policy
- Secure Data by Using EFS and BitLocker
- Configure Application Restrictions
- Configure User Account Control

Key Security Features in Windows 7
- Windows 7 Action Center
- Encrypting File System (EFS)
- Windows BitLocker™ and BitLocker To Go™
- Windows AppLocker™
- User Account Control
- Windows Firewall with Advanced Security
- Windows Defender™

What Is Action Center?
Action Center is a central location for viewing messages about your system and the starting point for diagnosing and solving issues with your system.
- Select the items that you want checked for user alerts

What Is Group Policy?
Group Policy enables IT administrators to automate one-to-several management of users and computers.
Use Group Policy to:
- Apply standard configurations
- Deploy software
- Enforce security settings
- Enforce a consistent desktop environment
Local Group Policy is always in effect for local and domain users, and local computer settings.

How Are Group Policy Objects Applied?
Computer settings are applied at startup and then at regular intervals, while user settings are applied at logon and then at regular intervals.
Group Policy Processing Order:
1. Local GPOs
2. Site-level GPOs
3. Domain GPOs
4. OU GPOs

How Multiple Local Group Policies Work
Multiple Local Group Policy allows an administrator to apply different levels of Local Group Policy to local users on a stand-alone computer.
There are three layers of Local Group Policy Objects, which are applied in the following order:
- Local Group Policy object that may contain both computer and user settings.
- Administrators and Non-Administrators Local Group Policy objects are applied next and contain only user settings.
- User-specific Local Group Policy is applied last, contains only user settings, and applies to one specific user on the local computer.

What Is EFS?
Encrypting File System (EFS) is the built-in file encryption tool for Windows file systems.
- Enables transparent file encryption and decryption
- Requires the appropriate cryptographic (symmetric) key to read the encrypted data
- Each user must have a public and private key pair that is used to protect the symmetric key
- A user's public and private keys:
  - Can either be self-generated or issued from a Certificate Authority
  - Are protected by the user's password
- Allows files to be shared with other user certificates
New EFS Features in Windows 7:
- Support for storing private keys on Smart Cards
- Encrypting File System Rekeying wizard
- New EFS Group Policy settings
- Encryption of the system page file
- Support for AES 256-bit encryption
- Per-user encryption of offline files

What Is BitLocker?
Windows BitLocker Drive Encryption encrypts the computer operating system and data stored on the operating system volume.
- Provides offline data protection
- Protects all other applications installed on the encrypted volume
- Includes system integrity verification
- Verifies integrity of early boot components and boot configuration data
- Ensures the integrity of the startup process

BitLocker Requirements
Encryption and decryption key: BitLocker encryption requires either:
- A computer with Trusted Platform Module (TPM) v1.2 or later
- A removable USB memory device
Hardware Requirements:
- Have enough available hard drive space for BitLocker to create two partitions
- Have a BIOS that is compatible with TPM and supports USB devices during computer startup

BitLocker Modes
Windows 7 supports two modes of operation: TPM mode and Non-TPM mode.
TPM mode:
- Locks the normal boot process until the user optionally supplies a personal PIN and/or inserts a USB drive containing a BitLocker startup key
- The encrypted disk must be located in the original computer
- Performs system integrity verification on boot components
- If any items changed unexpectedly, the drive is locked and prevented from being accessed or decrypted
Non-TPM mode:
- Uses Group Policy to allow BitLocker to work without a TPM
- Locks the boot process similar to TPM mode, but the BitLocker startup key must be stored on a USB drive
- The computer's BIOS must be able to read from a USB drive
- Provides limited authentication
- Unable to perform BitLocker's system integrity checks to verify that boot components did not change

Group Policy Settings for BitLocker
Group Policy provides the following settings for BitLocker:
- Turn on BitLocker backup to Active Directory Domain Services
- Configure the recovery folder on Control Panel Setup
- Enable advanced startup options on Control Panel Setup
- Configure the encryption method
- Prevent memory overwrite on restart
- Configure TPM validation method used to seal BitLocker keys
Local Group Policy Settings for BitLocker Drive Encryption:
- Settings for Fixed Data Drives
- Settings for Operating System Drives
- Settings for Removable Data Drives

Configuring BitLocker
Three methods to enable BitLocker:
- From System and Settings in Control Panel
- Right-click the volume to be encrypted in Windows Explorer and select the Turn on BitLocker menu option
- Use the command-line tool titled manage-bde.wsf
Enabling BitLocker initiates a start-up wizard that:
- Validates system requirements
- Creates the second partition if it does not already exist
- Allows you to configure how to access an encrypted drive:
  - USB
  - Use function keys to enter the passphrase
  - No key
Screenshots: Initiating BitLocker through the Control Panel; Initiating BitLocker through Windows Explorer

Configuring BitLocker To Go
- Enable BitLocker To Go Drive Encryption by right-clicking the portable device (such as a USB drive) and then clicking Turn On BitLocker
- Select how to unlock the drive: through a password or by using a Smartcard
- Select how to store your recovery key
- Encrypt the Drive
- Manage a Drive Encrypted by BitLocker To Go
Select one of the following settings to unlock a drive encrypted with BitLocker To Go:
- Unlock with a Recovery Password or passphrase
- Unlock with a Smart Card
- Always auto-unlock this device on this PC

Recovering BitLocker Encrypted Drives
When a BitLocker-enabled computer starts:
- BitLocker checks the operating system for conditions indicating a security risk
- If a condition is detected:
  - BitLocker enters recovery mode and keeps the system drive locked
  - The user must enter the correct Recovery Password to continue
The BitLocker Recovery Password is:
- A 48-digit password used to unlock a system in recovery mode
- Unique to a particular BitLocker encryption
- Can be stored in Active Directory
- If stored in Active Directory, search for it by using either the drive label or the computer's password
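
A help-desk check for the 48-digit Recovery Password described above, as an added example that is not part of the course slides. It relies on a property the slide does not state: the password is written as eight groups of six digits, and each group is a multiple of 11 below 720896. The sample passwords are constructed, not real.

```powershell
# Added example (not from the course slides): structural check of a BitLocker
# recovery password before it is read out or typed at the recovery screen.
function Test-RecoveryPasswordFormat {
    param([Parameter(Mandatory = $true)][string]$Password)

    $result = New-Object PSObject -Property @{ Valid = $false; BadGroups = @(); Reason = '' }

    # 48 digits, written as 8 hyphen-separated groups of 6.
    if ($Password -notmatch '^[0-9]{6}(-[0-9]{6}){7}$') {
        $result.Reason = 'expected 8 groups of 6 digits separated by hyphens'
        return $result
    }

    $bad = @()
    $groups = $Password.Split('-')
    for ($i = 0; $i -lt $groups.Length; $i++) {
        $value = [int]$groups[$i]
        # Assumption stated in the lead-in: each group is a 16-bit value
        # multiplied by 11, so it is a multiple of 11 below 11 * 65536 = 720896.
        if (($value % 11) -ne 0 -or $value -ge 720896) { $bad += ($i + 1) }
    }

    $result.BadGroups = $bad
    $result.Valid = ($bad.Count -eq 0)
    if (-not $result.Valid) { $result.Reason = 'group(s) failed the multiple-of-11 or range check' }
    return $result
}

# Constructed sample values, not real recovery passwords.
$samples = @(
    '110011-220022-330033-440044-550055-660066-000077-123453',  # well-formed
    '110011-220022-330034-440044-550055-660066-000077-123453',  # typo in group 3
    '110011-220022-330033-440044-550055-660066-000077-720896',  # group 8 out of range
    '110011-220022-330033'                                      # too short
)
foreach ($s in $samples) {
    $r = Test-RecoveryPasswordFormat -Password $s
    '{0}  Valid={1}  BadGroups={2}  {3}' -f $s, $r.Valid, ($r.BadGroups -join ','), $r.Reason
}
```

A password that passes this check is only well-formed; whether it unlocks a given drive still depends on it being the password generated for that particular BitLocker encryption.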

What Is AppLocker?
AppLocker is a new Windows 7 security feature that enables IT professionals to specify exactly what is allowed to run on user desktops.
Benefits of AppLocker:
- Controls how users can access and run all types of applications
- Ensures that user desktops are running only approved, licensed software

AppLocker Rules
Create default AppLocker rules first, before manually creating new rules or automatically generating rules for a specific folder.
Default rules enable the following:
- All users to run files in the default Program Files directory
- All users to run all files signed by the Windows operating system
- Members of the built-in Administrators group to run all files
Creating Custom Rules:
- Use an AppLocker wizard found in the Local Security Policy Console to automatically generate rules
- You can configure Executable rules, Windows Installer rules, and Script rules
- You can specify a folder that contains the .exe files for the applications that apply to the rule
- You can create exceptions for .exe files
- You can create rules based on the digital signature of an application
- You can manually create a custom rule for a given executable
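
The same folder-based rule generation done with the AppLocker PowerShell cmdlets instead of the wizard, as an added example that is not part of the course slides. The folder and the output file name are choices made for the example; the script writes a candidate policy to a file and evaluates it, and applies nothing to the computer.

```powershell
# Added example (not from the course slides): generate candidate AppLocker
# rules for one folder and evaluate them without applying them.
Import-Module AppLocker

# Folder and output path are choices made for this example.
$appFolder  = Join-Path $env:ProgramFiles 'Internet Explorer'
$policyFile = Join-Path $env:TEMP 'applocker-candidate.xml'

# Collect publisher and hash information for every .exe in the folder.
$fileInfo = Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe

# Prefer rules based on the digital signature (Publisher); files without a
# usable signature fall back to Hash rules.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Example' -Optimize -Xml |
    Out-File -FilePath $policyFile

# Evaluate the candidate policy against files inside the folder and against
# one file outside it.
$targets = @(Get-ChildItem -Path $appFolder -Filter *.exe |
             ForEach-Object { $_.FullName })
$targets += Join-Path $env:SystemRoot 'System32\notepad.exe'

# Files that match no rule in the candidate policy are reported as
# DeniedByDefault: the generated policy contains no default rules, which is
# why the default rules are created first.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $targets -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```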

What Are Software Restriction Policies?
Course 6291A, Module 6: Securing Windows 7 Desktops
Software Restriction Policies (SRP) allow administrators to identify which software is allowed to run.
- SRP was added in Windows XP and Windows Server 2003
- SRP was designed to help organizations control not just hostile code, but any unknown code, malicious or otherwise
- SRP consists of a default security level and all the rules that apply to a Group Policy Object (GPO)
How does SRP compare to Windows AppLocker?
Comparing SRP and AppLocker:
- AppLocker replaces the Software Restriction Policies (SRP) feature from prior Windows versions
- SRP snap-in and SRP rules are included in Windows 7 for compatibility purposes
- AppLocker rules are completely separate from SRP rules
- AppLocker group policies are separate from SRP group policies
- If AppLocker rules have been defined in a GPO, only those rules are applied
- Define AppLocker rules in a separate GPO to ensure interoperability between SRP and AppLocker policies

What Is UAC?
User Account Control (UAC) is a security feature that simplifies the ability of users to run as standard users and perform all necessary daily tasks.
- UAC prompts the user for an administrative user's credentials if the task requires administrative permissions
- Windows 7 increases user control of the prompting experience

How UAC Works
In Windows 7, what happens when a user performs a task requiring administrative privileges?
- Standard Users: UAC prompts the user for the credentials of a user with administrative privileges
- Administrative Users: UAC prompts the user for permission to complete the task

Configuring UAC Notification Settings
UAC elevation prompt settings include the following:
- Always notify me
- Notify me only when programs try to make changes to my computer
- Notify me only when programs try to make changes to my computer (do not dim my desktop)
- Never notify
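
An audit helper that reports which of the four notification settings a computer is using, as an added example that is not part of the course slides. The registry value names and the numbers mapped to each setting are not given in the slides; they are the values Windows stores under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the sample inputs are constructed.

```powershell
# Added example (not from the course slides): map the UAC registry values to
# the four notification settings listed above and flag anything weaker than
# the Windows 7 default.
function Get-UacNotificationLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 turns UAC off entirely, whatever the other values say.
    if ($EnableLUA -eq 0) { return 'Never notify (UAC turned off)' }
    switch ($ConsentPromptBehaviorAdmin) {
        2 { if ($PromptOnSecureDesktop -eq 1) { return 'Always notify me' } }
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Notify me only when programs try to make changes to my computer'
            }
            return 'Notify me only when programs try to make changes to my computer (do not dim my desktop)'
        }
        0 { return 'Never notify (elevation without a prompt)' }
    }
    return 'Custom (set by policy rather than by the slider)'
}

# Constructed sample readings, labelled by the computer they stand for.
$readings = @(
    @{ Name = 'PC-A'; Values = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 } },
    @{ Name = 'PC-B'; Values = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 } },
    @{ Name = 'PC-C'; Values = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 } },
    @{ Name = 'PC-D'; Values = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 } }
)
$acceptable = @('Always notify me',
                'Notify me only when programs try to make changes to my computer')
foreach ($r in $readings) {
    $v = $r.Values
    $level = Get-UacNotificationLevel @v
    $flag = if ($acceptable -contains $level) { 'ok' } else { 'WEAKER THAN DEFAULT' }
    '{0}: {1} [{2}]' -f $r.Name, $level, $flag
}

# On a live computer, read the three values with:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# and pass EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop
# to Get-UacNotificationLevel.
```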