240 likes | 702 Vues
Chapter 8. HARDENING CLIENT COMPUTERS. OPERATING SYSTEM SECURITY FEATURES. Microsoft Windows 98/Windows Me Windows NT 4.0 Windows 2000 Professional Windows XP with Service Pack 2. DESIGNING CLIENT SECURITY TEMPLATES. Create a custom security template for each client role: Desktop Laptop
E N D
Chapter 8 HARDENING CLIENT COMPUTERS
Chapter 8: Hardening Client Computers OPERATING SYSTEM SECURITY FEATURES • Microsoft Windows 98/Windows Me • Windows NT 4.0 • Windows 2000 Professional • Windows XP with Service Pack 2
Chapter 8: Hardening Client Computers DESIGNING CLIENT SECURITY TEMPLATES • Create a custom security template for each client role: • Desktop • Laptop • Kiosk • Base custom templates on default workstation templates • Never modify default security templates
Chapter 8: Hardening Client Computers DESIGNING A CLIENT COMPUTER OU MODEL • Create OUs for different operating system versions • Avoid using Windows Management Instrumentation (WMI) filtering • Create OUs for different computer roles • Create OUs for organizations with special security requirements • Use security groups to apply GPOs to cross-sections of client computers
Chapter 8: Hardening Client Computers CLIENT COMPUTER OU MODEL SAMPLE 1
Chapter 8: Hardening Client Computers CLIENT COMPUTER OU MODEL SAMPLE 2
Chapter 8: Hardening Client Computers CLIENT COMPUTER OU MODEL SAMPLE 3
Chapter 8: Hardening Client Computers THIRD-PARTY SECURITY SOFTWARE • Antivirus protection • Antispyware protection • Network backups • Host-based firewalls for earlier versions of Windows
Chapter 8: Hardening Client Computers DESIGNING SOFTWARE RESTRICTION POLICIES • Hash rules • Certificate rules • Path rules • Internet zone rules
Chapter 8: Hardening Client Computers RESTRICTING THE DESKTOP ENVIRONMENT • Windows components • The Start menu • The desktop • The Control Panel
Chapter 8: Hardening Client Computers RESTRICTING THE DESKTOP ENVIRONMENT (CONT.) • Shared folders • The network • System settings • Printers
Chapter 8: Hardening Client Computers RESTRICTING THE START MENU: BEFORE
Chapter 8: Hardening Client Computers RESTRICTING THE START MENU: AFTER
Chapter 8: Hardening Client Computers PROTECTING DESKTOP COMPUTERS • Grant users only local User privileges or less • Remove unnecessary items from the desktop and the Start menu • Leverage the Hisecws.inf security template • Use Group Policy settings to rename default accounts
Chapter 8: Hardening Client Computers PROTECTING MOBILE COMPUTERS • At greater risk than desktop computers, mobile computers might be: • Stolen • Damaged • Used for personal use • Mobile computers require greater flexibility than desktop computers: • Connect to home networks and wireless hotspots • Users might need to install printer drivers • Mobile computers use EFS to protect confidential files
Chapter 8: Hardening Client Computers PROTECTING KIOSKS • Very likely to be abused • Should be extremely restricted • Should not be connected to the internal network
Chapter 8: Hardening Client Computers THE .NET FRAMEWORK • Next-generation application environment: • Required for many new applications • Dramatically more secure • Included with Windows Server 2003 • Free download for earlier operating systems
Chapter 8: Hardening Client Computers CAS OVERVIEW • Role-based security restricts what users can do • CAS restricts what applications can do • Grants access to the file system, registry, printers, the network, and other resources based on permissions assigned to an application • Enables you to run potentially malicious applications safely • Works only with .NET Framework applications
Chapter 8: Hardening Client Computers CAS AT WORK
Chapter 8: Hardening Client Computers CAS ELEMENTS • Evidence • Permission • Permission set • Code groups
Chapter 8: Hardening Client Computers CAS AND OPERATING SYSTEM SECURITY
Chapter 8: Hardening Client Computers GUIDELINES FOR USING CAS • Use the principle of least privilege • Test applications thoroughly after restricting CAS • Push developers to use the .NET Framework • Encourage software vendors to migrate to the .NET Framework
Chapter 8: Hardening Client Computers SUMMARY • Earlier versions of Windows lack important security features • Use security templates and GPOs to implement client security • Create different configuration settings for client roles, operating systems, and security requirements • Use .NET Framework and CAS to reduce the risks of malicious or vulnerable software