Donald HesterMay 4, 2010
For audio call Toll Free 1-888-886-3951
and use PIN/code 227625
Windows 7 for IT Professionals Part 1:Security and ControlWindows 7 for IT Professionals Part 1:Security and Control
• Maximize your CCC Confer window.• Phone audio will be in presenter-only mode.• Ask questions and make comments using the chat window.
HousekeepingHousekeeping
Adjusting AudioAdjusting Audio
1) If you’re listening on your computer, adjust your volume using the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close CaptionsSaving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and PollingEmoticons and Polling
1) Raise hand and Emoticons
2) Polling options
Donald Hester
Windows 7 for IT Professionals Part 1:Security and ControlWindows 7 for IT Professionals Part 1:Security and Control
User Account Control Windows BitLocker™ and Windows
BitLocker To Go™ Windows AppLocker™ Windows Defender
User Groups UAC Security Settings Modify User Account Control Settings
User GroupsUser GroupsStandard Users
Administrators
Standard Users
Administrators
Type of Elevation Prompt Description
Consent Prompt
Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user.
Credential PromptDisplayed to standard users when they attempt to perform an administrative task.
Admin Approval Mode for the Built-in Administrator account Allow UIAccess applications to prompt for elevation without using the secure desktop Behavior of the elevation prompt for administrators in Admin Approval Mode Behavior of the elevation prompt for standard users Detect application installations and prompt for elevation Only elevate executables that are signed and validated Only elevate UIAccess applications that are installed in secure locations Run all administrators in Admin Approval Mode Virtualize file and registry write failures to per-user locations
Admin Approval Mode for the Built-in Administrator account Allow UIAccess applications to prompt for elevation without using the secure desktop Behavior of the elevation prompt for administrators in Admin Approval Mode Behavior of the elevation prompt for standard users Detect application installations and prompt for elevation Only elevate executables that are signed and validated Only elevate UIAccess applications that are installed in secure locations Run all administrators in Admin Approval Mode Virtualize file and registry write failures to per-user locations
Elevation Prompt Description
Never notify me UAC is off.
Notify me only when programs try to make changes to my computer (do not dim my desktop)
When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, no prompt appears.
Notify me only when programs try to make changes to my computer
When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, no prompt appears.
Always notify me The user is always prompted when changes are made to the computer.
Hardware Requirements for BitLocker Drive Encryption
BitLocker Functionality BitLocker To Go Locate a Recovery Password
Encryption and decryption key
Hard drive
Encryption and decryption key
Hard drive
A computer with Trusted Platform Module (TPM)A removable USB memory device.
A computer with Trusted Platform Module (TPM)A removable USB memory device.
Have at least two partitionsHave a BIOS that is compatible with TPM
and supports USB devices during computer startup.
Have at least two partitionsHave a BIOS that is compatible with TPM
and supports USB devices during computer startup.
Security
Eas
e of
Us e
TPM Only“What it is.”
Protects against: SW-only attacks
Vulnerable to: HW attacks (including potentially “easy”
HW attacks)
TPM + PIN“What you know.”Protects against: Many HW attacks
Vulnerable to: TPM breaking attacks
Dongle Only“What you have.” Protects against: All HW attacksVulnerable to: Losing donglePre-OS attacks
TPM + Dongle“Two what I
have’s.”Protects against: Many HW attacksVulnerable to: HW
attacks
BDE offers a spectrum of protection allowing customers to balance ease-of-use against the
threats they are most concerned with.
BDE offers a spectrum of protection allowing customers to balance ease-of-use against the
threats they are most concerned with.
**************
17
Save recovery information in one of these formatsSave recovery information in one of these formatsA 48-digit number divided into eight groups.
A Recovery Key in a format that can be read directly by the BitLocker recovery console.
A 48-digit number divided into eight groups.
A Recovery Key in a format that can be read directly by the BitLocker recovery console.
Configure how to access an encrypted driveConfigure how to access an encrypted drive
Use the Set BitLocker startup preferences window.Use the Set BitLocker startup preferences window.
Select an access option:USBEnter the Passphrase by using function keysNo key
Select an access option:USBEnter the Passphrase by using function keysNo key
4 levels of AES encryption
128 & 256 bit the diffuser is a new
unproven algorithm diffuser runs in about
10 clock cycles/byte Combination with AES-
CBC for performance & security
Extends BitLocker Drive Encryption to portable devicesExtends BitLocker Drive Encryption to portable devices
Manageable through Group PolicyManageable through Group PolicyUsers choose to encrypt portable devices and use them to their fullest capabilities or leave them unencrypted and have them
be read-only
Users choose to encrypt portable devices and use them to their fullest capabilities or leave them unencrypted and have them
be read-only
Enable BitLocker Drive Encryption by right-clicking the device and then clicking Turn On BitLocker
Enable BitLocker Drive Encryption by right-clicking the device and then clicking Turn On BitLocker
Data on encrypted portable devices can be accessed from computers that do not have BitLocker enabledData on encrypted portable devices can be accessed from computers that do not have BitLocker enabled
BitLocker can be configured to unlock with one of the following: Recovery Password or passphrase Smart Card Always auto-unlock this device on this PC
BitLocker can be configured to unlock with one of the following: Recovery Password or passphrase Smart Card Always auto-unlock this device on this PC
MetaData
Readme.txt
Wizard.exe
Visible but RO
Hidden files - Must be accessed using BitLockerToGo.exe
Invisible Visible, mapped as a volume
Autorun.inf
BitLocker protected volume
FAT32 Partition
BitLocker Data File(COV 0000.ER)
BitLocker Data File(COV 0000.BL)
VirtualBlock
22
23
24
Conditions that must be true:
Before providing a password to a user:
Conditions that must be true:
Before providing a password to a user: Confirm the person is the account owner and is authorized to access data on the computer in question Examine the returned Recovery Password to make sure that it matches the Password ID that was provided by the user
Confirm the person is the account owner and is authorized to access data on the computer in question Examine the returned Recovery Password to make sure that it matches the Password ID that was provided by the user
Be a domain administrator or have delegated permissionsBe a domain administrator or have delegated permissionsThe client’s BitLocker recovery information is configured to be stored in ADThe client’s BitLocker recovery information is configured to be stored in AD
The client’s computer has been joined to the domainThe client’s computer has been joined to the domain
BitLocker Drive Encryption must be enabled on the client’s computer
BitLocker Drive Encryption must be enabled on the client’s computer
AppLocker Definition and Setup Application Rules Enforce and Validate AppLocker Rules
AppLocker
Default rules
AppLocker
Default rules
Enables IT professionals to specify exactly what is allowed to run on user desktops
Enables IT professionals to specify exactly what is allowed to run on user desktops
Allows users to run the applications, installation programs, and scripts that they need to be productive
Allows users to run the applications, installation programs, and scripts that they need to be productive
Make sure key operating system files run for all users
Make sure key operating system files run for all users
Prevent non-administrator users from running programs installed in their user profile directory
Prevent non-administrator users from running programs installed in their user profile directory
Can be recreated at anytimeCan be recreated at anytime
Type Description Merge rule
Hash Uses the file hash of a file
If two path rules have the same paths, they are merged into a single rule.
Path Uses a folder path or file path
If two publisher rules have the exact same publisher and product fields, they are merged.
Publisher Uses the attributes of a digitally signed file, like publisher or version
No optimizations are possible because each hash is unique.
EnforcementEnforcementIn Local Security Policy, Configure Rule Enforcement area
Refresh computer’s policy with gpupdate /force
In Local Security Policy, Configure Rule Enforcement area
Refresh computer’s policy with gpupdate /force
Option Description
Enforce rules, but allow setting to be overridden
Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Enforce rules Rules are enforced.
Audit only Rules are audited, but not enforced.
Overview Alert Levels Windows Defender Tasks
Three ways to help protect the computer:
Definitions
Three ways to help protect the computer:
Definitions Used to determine if software that it detects is spyware or other potentially unwanted software, and then to alert you to potential risks. Works with Windows Update to automatically install new definitions as they are released. Set Windows Defender to check online for updated definitions before scanning.
Used to determine if software that it detects is spyware or other potentially unwanted software, and then to alert you to potential risks. Works with Windows Update to automatically install new definitions as they are released. Set Windows Defender to check online for updated definitions before scanning.
Real-time protection (RTP)Real-time protection (RTP)
The SpyNet communityThe SpyNet community
Scanning optionsScanning options
Help you choose how to respond to spyware and potentially unwanted softwareHelp you choose how to respond to spyware and potentially unwanted software Severe - remove this software immediately. High - remove this software immediately. Medium - review the alert details, consider blocking the software. Low - review the alert details to see if you trust the publisher.
Severe - remove this software immediately. High - remove this software immediately. Medium - review the alert details, consider blocking the software. Low - review the alert details to see if you trust the publisher.
ActionsActions Quarantine – software is moved to another location on the
computer; prevents the software from running until you choose to restore or remove it from the computer.
Remove - permanently deletes the software from the computer.
Allow - adds the software to the Windows Defender allowed list and allows it to run on the computer. Add software to the allowed list only if you trust the software and the software publisher.
Quarantine – software is moved to another location on the computer; prevents the software from running until you choose to restore or remove it from the computer.
Remove - permanently deletes the software from the computer.
Allow - adds the software to the Windows Defender allowed list and allows it to run on the computer. Add software to the allowed list only if you trust the software and the software publisher.
Turn on Windows DefenderTurn on Windows Defender
Enable real-time protectionEnable real-time protection
Automatically check for new definitionsAutomatically check for new definitions
Schedule a scanSchedule a scan
Manually scan for new definitionsManually scan for new definitions
Windows Defender helps automatically remove malicious software.
Windows Defender helps automatically remove malicious software.
Performance enhancement Removed the Software Explorer tool
Security and User Productivity Enhancements Customizable UAC requires fewer instances of elevation prompts Manageable through Group Policy
BitLocker and BitLocker To Go BitLocker To Go extends BitLocker Drive Encryption to password-protected portable
media
Users choose to encrypt drive or leave read-only
Manageable through Group Policy
AppLocker Provides a rule-based structure to specify which applications are available
to which end users Create default rules first View rule event information in the Event Viewer
Windows Defender Integrated with Action Center Provides an improved user experience when scanning for spyware or
manually checking for updates.
Donald E. HesterCISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Q&AQ&A
Evaluation Survey LinkEvaluation Survey Link
Help us improve our seminars by filing out a short online evaluation survey at:
http://www.surveymonkey.com/s/10SpWinIT1
Thanks for attendingFor upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/
Windows 7 for IT Professionals Part 1:Security and ControlWindows 7 for IT Professionals Part 1:Security and Control