Windows Vista for IT Professionals, Part 3 (PDF)


Session 1: Security Enhancements in Windows Vista

• Applying a write-restricted access token to the service process. This access token can be used in cases where the set of objects written to by the service is bounded and can be configured. Write attempts to resources that do not explicitly grant the Service SID access will fail.
• Controlling services by using network firewall policies, which prevents network access outside the normal bounds of the service program. Service SIDs are linked directly with the firewall policy.

Demonstration: Viewing Service Configuration

In this demonstration, you will see how you can:
• View the properties of the Dynamic Host Configuration Protocol (DHCP) Client service.
• View the properties of the Workstation service.

Key Points
• Services in Windows Vista have been hardened to require lower privileges to reduce the risk of a service being compromised.

What Is User Account Control?

User Account Control (UAC) is a new feature in Windows Vista that makes it easier for users to run as standard users and perform all their necessary day-to-day tasks. Administrative users also benefit from UAC because administrative privileges are available only after UAC requests permission from the user for that instance.

Standard Users

In previous versions of Windows, many users were configured to use administrative privileges rather than standard user permissions. This was done because previous versions of Windows required administrator permissions to perform basic system tasks such as adding a printer or configuring the time zone. In Windows Vista, many of these tasks no longer require administrative privileges.

When users have administrative permissions to their computers, they are able to install additional software. Despite corporate policies against installing unauthorized software, many users do install unauthorized software, which may make their systems less stable and drive up support costs.

When UAC is enabled, and a user needs to perform a task that requires administrative permissions, UAC prompts the user for the credentials of a user with administrative privileges. In a corporate environment, the Help desk could give the user temporary credentials that have local administrative privileges to complete the task.

Administrative Users

UAC allows users with administrative privileges to run as standard users most of the time. When users with administrative privileges perform a task that requires administrative privileges, UAC prompts the user for permission to complete the task. When the user grants permission, the task in question is performed using full administrative rights, and then the account reverts to a lower level of privilege.

How UAC Prevents Malware

Malware usually is installed by using the privileges of the user that is logged on at the computer. When a user has standard user privileges rather than administrative privileges, malware is less likely to be installed and will cause less damage if it does get installed.

Standard Users

If a standard user attempts to install a Trojan that contains malware, the user will not be able to install it because a standard user does not have sufficient privileges to install software. Because UAC allows users to perform most necessary tasks without administrative privileges, users can be configured as standard users and still perform all of their necessary tasks.

If malware is installed on a computer when a user logs on, the ability of the malware to spread itself and access data is limited to the privileges of the user. If the user has only standard user privileges, the impact of the malware is reduced when compared to running as a user with administrative privileges.

Administrative Users

Malware can no longer silently install itself when administrative users are logged in. The default permission level for administrative users is to run as a standard user. An application can install only when an administrative user grants permission to elevate privileges. In addition, any malware attempting to perform tasks requiring administrative user privileges must be explicitly granted permission by the user.

UAC Administration

UAC can be configured by using the local security policy or Group Policy. In most corporate environments, Group Policy is preferred because it can be centrally managed and controlled.

The following options are available to configure UAC in the local security policy or a Group Policy object:
• User Account Control: Admin Approval Mode for the Built-in Administrator Account. This option requires the local Administrator account to approve the elevation of privileges to administrative user. The default setting is on.
• User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. This option allows you to disable UAC for administrators, prompt for administrative credentials, or prompt for permission. The default configuration prompts for consent when administrative privileges are required.
• User Account Control: Behavior of the elevation prompt for standard users. This option allows you to configure the elevation prompt to ask for credentials or disable the elevation prompt. If the elevation prompt is disabled, users must use Runas to start the application with administrative privileges. The default configuration prompts for credentials.
• User Account Control: Detect application installations and prompt for elevation. This option is required for the proper installation of most legacy applications. When enabled, UAC automatically detects application installations and prompts to elevate privileges. The default setting is on.
• User Account Control: Only elevate executables that are signed and validated. This option restricts privilege elevation to applications that are digitally signed. To allow unsigned legacy applications, this option should be disabled. The default configuration is disabled.
• User Account Control: Run all administrators in Admin Approval Mode. This option requires all users with administrative privileges to approve privilege elevation for processes. If this option is disabled, UAC is disabled for administrative users and standard users. The default configuration is enabled.
• User Account Control: Switch to the secure desktop when prompting for elevation. This option limits communication with the elevation prompt to Windows Vista processes to prevent malware from approving elevation. The default setting is enabled.
• User Account Control: Virtualize file and registry write failures to per-user locations. This option allows legacy applications that are not UAC compliant to run properly by redirecting registry and file writes to the user profile. Redirection happens silently and the user is unaware of the redirection. The default configuration is enabled.

Demonstration: Working with User Account Control

In this demonstration, you will see how you can:
• Use UAC as an administrator.
• Use UAC as a standard user.
• Disable UAC.

Key Points
• User Account Control allows users to run as standard users and elevate privileges only when required.

What Is Windows Defender?

Spyware is software that is installed without your knowledge to monitor what you do with your computer. Spyware can cause serious problems. For example, it can steal the personal information you enter into Web sites, such as online banking sites. Less serious but also troublesome, spyware can present pop-up ads when you visit other Web sites or replace advertisements on legitimate Web sites. Most spyware is not well-written software. As a consequence, spyware often causes computers to stop responding or run slowly.

Windows Defender

Windows Defender is software that prevents your computer from being infected by spyware and removes spyware that is already installed. Previous revisions of Windows Defender were named Windows AntiSpyware. Windows Defender is available for Microsoft Windows® XP and Windows 2000. However, the version of Windows Defender for Windows Vista has the following features not found in other versions:
• Scan changed files only
• Run under a security-enhanced account
• Scan files when they are run
• Scan files as they are downloaded in Internet Explorer 7

Definition Files

Windows Defender uses spyware definition files to identify spyware. The definition files contain signatures that uniquely identify files that have been determined to be spyware. When the spyware files are identified, they can be removed. This process is similar to the way antivirus software works.

To help build the spyware definition files, Microsoft has created a voting network to collect information about spyware. If you choose to participate in the voting network, information about the programs you have blocked is transmitted to the voting network. Microsoft analyzes the blocked programs from users in the voting network and then determines whether a particular program needs to be added to the spyware definition files.

Like antivirus software, Windows Defender definition files need to be updated regularly to be useful. The definition files are updated daily by default. There is no cost for the definition file updates. [...]...
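The options listed under UAC Administration are stored as registry values under the Policies\System key. As an added example (not part of the original course material), the PowerShell function below reports each of them and flags the three values that switch off a protection the text describes. The helper name Get-UacPolicyReport and the sample input are constructed, the registry value names are the standard ones for these policies (the page itself does not list them), and PowerShell 3.0 or later is assumed.

```powershell
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name as listed above -> registry value name (assumption: standard names).
$UacPolicies = [ordered]@{
    'Admin Approval Mode for the Built-in Administrator account' = 'FilterAdministratorToken'
    'Behavior of the elevation prompt for administrators'        = 'ConsentPromptBehaviorAdmin'
    'Behavior of the elevation prompt for standard users'        = 'ConsentPromptBehaviorUser'
    'Detect application installations and prompt for elevation'  = 'EnableInstallerDetection'
    'Only elevate executables that are signed and validated'     = 'ValidateAdminCodeSignatures'
    'Run all administrators in Admin Approval Mode'              = 'EnableLUA'
    'Switch to the secure desktop when prompting for elevation'  = 'PromptOnSecureDesktop'
    'Virtualize file and registry write failures'                = 'EnableVirtualization'
}

# Values that switch off a protection the text describes.
$Weakening = @{
    'EnableLUA'                  = 0   # Admin Approval Mode off: UAC disabled
    'PromptOnSecureDesktop'      = 0   # prompt shown on the interactive desktop
    'ConsentPromptBehaviorAdmin' = 0   # administrators elevate without a prompt
}

function Get-UacPolicyReport {
    # Hypothetical helper. Pass -Values to evaluate a constructed baseline offline.
    param([hashtable]$Values)
    if ($null -eq $Values) {
        # Read the live policy values from the registry.
        $props  = Get-ItemProperty -Path $UacKey -ErrorAction Stop
        $Values = @{}
        foreach ($name in $UacPolicies.Values) {
            if ($null -ne $props.$name) { $Values[$name] = [int]$props.$name }
        }
    }
    foreach ($policy in $UacPolicies.Keys) {
        $name = $UacPolicies[$policy]
        $set  = $Values.ContainsKey($name)
        $weak = $set -and $Weakening.ContainsKey($name) -and ($Values[$name] -eq $Weakening[$name])
        [pscustomobject]@{
            Policy  = $policy
            Value   = $name
            Data    = if ($set) { $Values[$name] } else { '(not set)' }
            Weakens = $weak
        }
    }
}

# Constructed sample: secure desktop switched off, Admin Approval Mode left on.
Get-UacPolicyReport -Values @{ EnableLUA = 1; PromptOnSecureDesktop = 0 } | Format-Table -AutoSize
```

Calling Get-UacPolicyReport with no arguments reads the local machine; a value reported as "(not set)" means no explicit policy value exists and the operating system default applies.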
Windows Defender Scanning Modes

The scanning mode you select for Windows Defender determines how your computer is scanned for spyware. You can use Real-Time Protection, perform on-demand scans, and schedule scans. Real-Time Protection is the first line of defense in spyware protection. When Real-Time Protection is enabled, Windows Defender monitors critical...

... configuration is performed in the advfirewall context. This context is specific to Windows Vista. The easiest way to manage Windows Firewall for Windows Vista is by using Group Policy. All of the firewall configuration options are available by using Group Policy. Computers running previous versions of Windows will ignore the Group Policy firewall settings.

Demonstration:... Group Policy

What Is Network Access Protection?

Network Access Protection (NAP) is a policy enforcement platform built into the Microsoft Windows Vista and Windows Server Code Name “Longhorn” operating systems that allows you to better protect network assets by enforcing compliance with system health requirements. With NAP, you can create customized...

... and closed ports
• firewall settings

When a client attempts to access the network, it must present its system health state. If a client cannot prove it is compliant with system health policy (for example, that it has the latest operating system and antivirus updates installed), its access to the network will be limited to a restricted network segment...

Demonstration: Configuring Windows Firewall

In this demonstration, you will see how you can:
• Use the basic interface for Windows Firewall
• Use the Windows Firewall with Advanced Security snap-in
• Test a new rule
• Configure Windows Firewall by using Group Policy

Key Points
• Windows Firewall can now block outgoing packets
• Windows Firewall can be managed by using a new snap-in for the MMC
• Windows Firewall...

... specific port

Integration with IPsec

IPsec is a set of Internet standards that provide cryptographic protection for IP traffic. In Windows Server® 2003 and Windows XP, Windows Firewall and IPsec are configured separately. Because both a host-based firewall and IPsec in Windows can block or allow incoming traffic, it is possible to create overlapping...

... Firewall

The firewall in Windows Vista is significantly enhanced over the firewall in Windows XP Service Pack 2 (SP2). The Windows Firewall enhancements in Windows Vista are:
• Filtering for outbound traffic
• Firewall filtering and Internet Protocol security (IPsec) settings are combined
• Rules (exceptions) can be configured for many new situations

Filtering Support

The firewall in Windows XP SP2 supported...

... try to connect to your computer without an invitation. Windows Firewall is enabled by default in Windows Vista and monitors incoming packets. To allow network communication for specific applications, such as network games or instant messaging, where communication may be initiated by another computer, you need to create an exception for that application. In most cases, Windows Firewall prompts you to allow...

... selected for a rule
• Rules can be configured for specific interface types such as wireless
• Additional Internet Control Message Protocol (ICMP) packet types can be added to the default configuration
• Rules can be configured for services regardless of the port numbers the service uses

Windows Firewall Configuration

The basic settings for Windows...

... settings for Windows Firewall are available through the same interface as Windows XP. Windows XP made Windows Firewall settings available through Control Panel. To configure the advanced features of Windows Firewall on a single computer, you can use the Microsoft Management Console (MMC) with the Windows Firewall and Advanced Security snap-in. This single snap-in allows you to configure firewall rules and...

Date posted: 07/08/2014, 02:23
