1 / 60

Security Features in Windows Vista

Security Features in Windows Vista. What Will We Cover?. Security fundamentals Protecting your company’s resources Anti-malware features. Helpful Experience. Windows user interface Windows security concepts. Level 200. Agenda. Exploring Security Fundamentals

webbn
Télécharger la présentation

Security Features in Windows Vista

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Features in Windows Vista

  2. What Will We Cover? • Security fundamentals • Protecting your company’s resources • Anti-malware features

  3. Helpful Experience • Windows user interface • Windows security concepts Level 200

  4. Agenda • Exploring Security Fundamentals • Mitigating Threats and Vulnerabilities • Controlling Identity and Access • Protecting System Information

  5. Windows Vista Fundamentals Secure by Default • Improved SDL • Common Criteria Certification

  6. Windows Vista Service Hardening D D D D Kernel drivers User-mode drivers D D D D • Reduce size of high-risk layers • Segment the services • Increase number of layers Service … Service 1 Service… Service 2 Service A Service 3 Service B

  7. Agenda • Exploring Security Fundamentals • Mitigating Threats and Vulnerabilities • Controlling Identity and Access • Protecting System Information

  8. Internet Explorer 7.0 Social Engineering Protections Protection from Exploits • Unified URL parsing • Code quality improvements (SDLC) • ActiveX opt-in • Protected Mode to prevent malicious software • Phishing filter and colored address bar • Dangerous Settings notification • Secure defaults for IDN

  9. ActiveX Opt-in IE7 blocks ActiveX Control User grants permission (opts-in) IE7 ActiveX Control enabled Disabled Controls by default IE7 confirms install

  10. Internet Explorer Protected Mode C:\...\Temporary Internet Files C:\...\Startup

  11. Phishing Filter Compares website with local list of known legitimate sites Scans the website for characteristics common to phishing sites Double-checks site with online Microsoft service of reported phishing sites

  12. Windows Vista Firewall IPSec

  13. Windows Defender Improved detection and removal Redesigned and simplified user interface Protection for all users

  14. Network Access Protection Fix Up Servers Policy Servers Windows Vista Client DHCP, VPN Switch/Router MSFT Network Policy Server Corporate Network

  15. Agenda • Exploring Security Fundamentals • Mitigating Threats and Vulnerabilities • Controlling Identity and Access • Protecting System Information

  16. Current Challenges

  17. User Account Control Allows system to run as standard user Allows select applications to run in elevated context Fix or remove inappropriate administrative checks Registry and file virtualization provides compatibility

  18. User Account Control Sample

  19. Elevated Privileges

  20. Consent Prompts Operating System Application Signed Application Unsigned Application

  21. Improved Auditing Main Category File System Access Use of Administrative Privilege Registry Access Logon/ Logoff New Logging Infrastructure

  22. Authentication Improvements GINA.dll Winlogon

  23. Plug and Play Smartcard Support

  24. Integrated Control Control over removable device installation Restart Manager Security Center enhancements

  25. Agenda • Exploring Security Fundamentals • Mitigating Threats and Vulnerabilities • Controlling Identity and Access • Protecting System Information

  26. Information Leakage 63% 36% 35% 22% 22% 20% Virus infection Unintended forwarding of e-mails Loss of mobile devices Password compromise E-mail piracy Loss of digital assets, restored 0% 10% 20% 30% 40% 50% 60% 70% “After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach” Jupiter Research Report, 2004

  27. Windows Vista Data Protection Policy Definition and Enforcement Rights Management Services User-Based File System Encryption Encrypted File System Drive-Level Encryption BitLocker Drive Encryption

  28. Windows Vista Firewall • Both inbound and outbound • Authentication and authorization aware • Outbound application-aware filtering is now possible • Includes IPSec management • Of course, policy-based administration • Great for Peer-to-Peer control

  29. Network Access Protection Policy Servers e.g. Microsoft Security Center, SMS, Antigen or 3rd party Fix Up Servers e.g. WSUS, SMS & 3rd party Restricted Network Corporate Network 3 Not policy compliant 1 2 4 Microsoft Network Policy Server Windows Vista Client Policy compliant DHCP, VPN Switch/Router 5

  30. Control Over Device Installation • Control over removable device installation via a policy • Mainly to disable USB-device installation, as many corporations worry about intellectual property leak • You can control them by device class or driver • Approved drivers can be pre-populated into trusted Driver Store • Driver Store Policies (group policies) govern driver packages that are not in the Driver Store: • Non-corporate standard drivers • Unsigned drivers

  31. Client Security Scanner • Finds out and reports Windows client’s security state: • Patch and update levels • Security state • Signature files • Anti-malware status • Ability for Windows to self-report its state • Information can be collected centrally, or just reviewed in the Security Center by the users and admins

  32. Code Integrity • All DLLs and other OS executables have been digitally signed • Signatures verified when components load into memory

  33. BitLocker™ • BitLocker strongly encrypts and signs the entire hard drive (full volume encryption) • TPM chip provides key management • Can use additional protection factors such as a USB dongle, PIN or password • Any unauthorised off-line modification to your data or OS is discovered and no access is granted • Prevents attacks which use utilities that access the hard drive while Windows is not running and enforces Windows boot process • Protects data after laptop theft etc. • Data recovery strategy must be planned carefully! • Vista supports three modes: key escrow, recovery agent, backup

  34. BitLocker Drive Encryption • Improved at-rest data protection with full drive encryption • Usability with scalable security protections • Enterprise-ready deployment capabilities • Offline system-tampering resistance • Worry-free hardware repurposing and decommissioning • Integrated disaster recovery features

  35. Trusted Platform Module Encrypted Volume Key Encrypted Data Encrypted Full Volume Encryption Key Cleartext Data TPM Volume Master Key Full Volume Encryption Key

  36. Session Summary • Windows Vista is the most secure Windows operating system to date • Windows Vista protects users • Numerous other security improvements help protect data and ease deployment

  37. A BRIEF OVERVIEW • “Need to Know Basis” • Baseline • User Account Administration • Password Administration • Group or Role Administration • File Permissions on Critical Files • UMASK • SUID & SGID • Cron • Syslog • Services • Patches • Conclusion

  38. Need to Know Basis • When setting up security on your Unix systems, ensure that security is set up on a need to know need to use basis.

  39. Baseline • A Baseline ensures that security policies are implemented consistently and completely across various platforms. • Should be in a written form • Include specific instructions to achieve security on a specific server.

  40. User Account Administration • User Account Policies should address: • Immediate deactivation of Users Accounts for terminated employees • Superuser account procedures • Contractors Accounts • Naming Conventions for User accounts

  41. Password Administration • 60 to 90 day expiration for ordinary users • 30 day password expiration for superusers • Do not allow password sharing • Set minimum password lengths to at least 6 characters

  42. Group or Role Administration • Assign users with like responsibilities to groups

  43. File Permissions on Critical Files • Unix controls access to files, programs, and all other resources via file permissions. • Unix permission are controlled by three categories: Owner, Group, and World • Each category has the ability to either READ, WRITE, and/or EXECUTE Unix files or resources • Ex. –rwxr-x--x

  44. UMASK • Ensure that your UMASK settings automatically assigns each newly created file with the most secure file permission.

  45. SUID & SGID • SUID and SGID files allow the World user to temporarily assume the permissions of the Owner or Group users while using the program.

  46. CRON • Cron is the Unix Job scheduler • Many system administrators use the Cron to perform automatic full or incremental back-ups of the systems. • The Cron can also be used to email log files, clean up file system etc.

  47. Syslog • The syslog utility allows systems administrators to log various events occurring on the Unix system. • If Syslog is configured correctly, Unix can log many security events without the use of a third party plug-in.

  48. Services • The inetd.conf file controls the services that are allowed on the Unix system. • Make sure that only necessary services are activated • Unix comes with all services activated by default, and many of these services have severe security vulnerabilities.

  49. Patches • Ensure that your Unix systems are patched regularly. A policy should be adopted to ensure that all patches are tested and installed on a schedule.

  50. Remote File Systemsref: Vahalia, ch 10 • Goals • Mount file systems of a remote computer on a local system • Mount any FS, not only UNIX • H/w independent • Transport independent • UNIX FS semantics must be maintained • Performance • Crash recovery • Security

More Related