Donald Hester May 4, 2010 For audio call Toll Free 1-888-886-3951 and use PIN/code 227625 Windows 7 for IT Professionals Part 1: Security and Control


Housekeeping

• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.

Adjusting Audio

1) If you’re listening on your computer, adjust your volume using the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

Saving Files & Open/Close Captions

1. Save chat window with floppy disc icon

2. Open/close captioning window with CC icon

Emoticons and Polling

1) Raise hand and Emoticons

2) Polling options


• User Account Control
• Windows BitLocker™ and Windows BitLocker To Go™
• Windows AppLocker™
• Windows Defender

• User Groups
• UAC Security Settings
• Modify User Account Control Settings

User Groups

• Standard Users
• Administrators

Type of Elevation Prompt: Description

• Consent Prompt: Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user.
• Credential Prompt: Displayed to standard users when they attempt to perform an administrative task.

• Admin Approval Mode for the Built-in Administrator account
• Allow UIAccess applications to prompt for elevation without using the secure desktop
• Behavior of the elevation prompt for administrators in Admin Approval Mode
• Behavior of the elevation prompt for standard users
• Detect application installations and prompt for elevation
• Only elevate executables that are signed and validated
• Only elevate UIAccess applications that are installed in secure locations
• Run all administrators in Admin Approval Mode
• Virtualize file and registry write failures to per-user locations

Elevation Prompt: Description

• Never notify me: UAC is off.
• Notify me only when programs try to make changes to my computer (do not dim my desktop): When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, no prompt appears.
• Notify me only when programs try to make changes to my computer: When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, no prompt appears.
• Always notify me: The user is always prompted when changes are made to the computer.
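
To audit which of the four settings above a machine is actually using, the following added example (not part of the original slides) classifies the three registry values that back the UAC slider. The registry key and value names are the real Windows ones; the function name `Get-UacSliderLevel`, the sample values, and the value-to-setting mapping (the Windows 7 defaults) are assumptions of this example and are not stated on the slides.

```powershell
# Added example, not from the original slides: report which UAC slider
# setting a machine is using, based on three real registry values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Get-UacSliderLevel is a hypothetical helper name chosen for this example.
function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 means UAC itself is disabled ("Never notify me" on Windows 7).
    if ($EnableLUA -eq 0) { return 'Never notify me (UAC is off)' }

    # Key is "<admin prompt behavior>/<secure desktop on or off>".
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1' { return 'Always notify me' }
        '5/1' { return 'Notify me only when programs try to make changes to my computer' }
        '5/0' { return 'Notify me only when programs try to make changes to my computer (do not dim my desktop)' }
        '0/0' { return 'Elevate without prompting (UAC enabled, administrators are never asked)' }
        default {
            return "Custom Group Policy combination: ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop"
        }
    }
}

# Constructed sample values (not read from a real machine).
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacSliderLevel @s }

# Live check: read the current values on this machine and classify them.
if (Test-Path $UacKey) {
    $p = Get-ItemProperty -Path $UacKey
    Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}
```

A result of "Custom Group Policy combination" indicates that one of the Group Policy settings listed earlier has overridden the slider.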

• Hardware Requirements for BitLocker Drive Encryption
• BitLocker Functionality
• BitLocker To Go
• Locate a Recovery Password

Encryption and decryption key:

• A computer with Trusted Platform Module (TPM)
• A removable USB memory device

Hard drive:

• Have at least two partitions
• Have a BIOS that is compatible with TPM and supports USB devices during computer startup

[Chart axes: Security; Ease of Use]

• TPM Only (“What it is.”): Protects against: SW-only attacks. Vulnerable to: HW attacks (including potentially “easy” HW attacks).
• TPM + PIN (“What you know.”): Protects against: Many HW attacks. Vulnerable to: TPM breaking attacks.
• Dongle Only (“What you have.”): Protects against: All HW attacks. Vulnerable to: Losing dongle; Pre-OS attacks.
• TPM + Dongle (“Two what I have’s.”): Protects against: Many HW attacks. Vulnerable to: HW attacks.

BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

Save recovery information in one of these formats

• A 48-digit number divided into eight groups.
• A Recovery Key in a format that can be read directly by the BitLocker recovery console.

Configure how to access an encrypted drive

• Use the Set BitLocker startup preferences window.
• Select an access option: USB; Enter the Passphrase by using function keys; No key

• 4 levels of AES encryption
• 128 & 256 bit
• The diffuser is a new unproven algorithm
• Diffuser runs in about 10 clock cycles/byte
• Combination with AES-CBC for performance & security

• Extends BitLocker Drive Encryption to portable devices
• Manageable through Group Policy
• Users choose to encrypt portable devices and use them to their fullest capabilities or leave them unencrypted and have them be read-only
• Enable BitLocker Drive Encryption by right-clicking the device and then clicking Turn On BitLocker
• Data on encrypted portable devices can be accessed from computers that do not have BitLocker enabled
• BitLocker can be configured to unlock with one of the following: Recovery Password or passphrase; Smart Card; Always auto-unlock this device on this PC

[Diagram. Labels: BitLocker protected volume; FAT32 Partition; MetaData; Readme.txt; Wizard.exe; Autorun.inf; BitLocker Data File (COV 0000.ER); BitLocker Data File (COV 0000.BL); VirtualBlock; “Visible but RO”; “Hidden files - Must be accessed using BitLockerToGo.exe”; “Invisible”; “Visible, mapped as a volume”]

Conditions that must be true:

• Be a domain administrator or have delegated permissions
• The client’s BitLocker recovery information is configured to be stored in AD
• The client’s computer has been joined to the domain
• BitLocker Drive Encryption must be enabled on the client’s computer

Before providing a password to a user:

• Confirm the person is the account owner and is authorized to access data on the computer in question
• Examine the returned Recovery Password to make sure that it matches the Password ID that was provided by the user

• AppLocker Definition and Setup
• Application Rules
• Enforce and Validate AppLocker Rules

AppLocker

• Enables IT professionals to specify exactly what is allowed to run on user desktops
• Allows users to run the applications, installation programs, and scripts that they need to be productive

Default rules

• Make sure key operating system files run for all users
• Prevent non-administrator users from running programs installed in their user profile directory
• Can be recreated at any time

Type: Description (Merge rule)

• Hash: Uses the file hash of a file. (Merge rule: No optimizations are possible because each hash is unique.)
• Path: Uses a folder path or file path. (Merge rule: If two path rules have the same paths, they are merged into a single rule.)
• Publisher: Uses the attributes of a digitally signed file, like publisher or version. (Merge rule: If two publisher rules have the exact same publisher and product fields, they are merged.)

Enforcement

• In Local Security Policy, Configure Rule Enforcement area
• Refresh computer’s policy with gpupdate /force

Option: Description

• Enforce rules, but allow setting to be overridden: Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
• Enforce rules: Rules are enforced.
• Audit only: Rules are audited, but not enforced.
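
To confirm which of the three enforcement options above each rule collection ended up with after `gpupdate /force`, the following added example (not part of the original slides) reads AppLocker policy XML and reports, per collection, the option and whether rules are actually blocking. The function name `Get-AppLockerEnforcementSummary` and the embedded policy are constructed for this example; `EnforcementMode` values `NotConfigured`, `Enabled` and `AuditOnly` are the ones AppLocker writes into its policy XML.

```powershell
# Added example, not from the original slides: summarize the enforcement
# option of every rule collection in an AppLocker policy.
# Get-AppLockerEnforcementSummary is a hypothetical helper name.
function Get-AppLockerEnforcementSummary {
    param([Parameter(Mandatory = $true)][string]$PolicyXml)

    $doc = [xml]$PolicyXml
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        # Each child element of a rule collection is one rule.
        $ruleCount = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
        $option = switch ($rc.EnforcementMode) {
            'NotConfigured' { 'Enforce rules, but allow setting to be overridden' }
            'Enabled'       { 'Enforce rules' }
            'AuditOnly'     { 'Audit only' }
            default         { "Unknown ($($rc.EnforcementMode))" }
        }
        New-Object PSObject -Property @{
            Collection = $rc.Type
            Option     = $option
            Rules      = $ruleCount
            # Rules block execution unless the collection is audit-only or empty.
            Blocking   = ($rc.EnforcementMode -ne 'AuditOnly' -and $ruleCount -gt 0)
        } | Select-Object Collection, Option, Rules, Blocking
    }
}

# Constructed sample policy (rule IDs and names are made up for illustration).
$sampleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Constructed: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Constructed: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="Enabled" />
</AppLockerPolicy>
'@

Get-AppLockerEnforcementSummary -PolicyXml $sampleXml | Format-Table -AutoSize

# On a managed machine, feed in the effective policy instead of the sample:
#   Import-Module AppLocker
#   Get-AppLockerEnforcementSummary -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
```

In the sample, the Script collection is reported as blocking even though its mode is `NotConfigured`, because rules are present; the Exe collection is audit-only, and the Msi collection has no rules to enforce.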

• Overview
• Alert Levels
• Windows Defender Tasks

Three ways to help protect the computer:

• Real-time protection (RTP)
• The SpyNet community
• Scanning options

Definitions

• Used to determine if software that it detects is spyware or other potentially unwanted software, and then to alert you to potential risks.
• Works with Windows Update to automatically install new definitions as they are released.
• Set Windows Defender to check online for updated definitions before scanning.

Help you choose how to respond to spyware and potentially unwanted software

• Severe - remove this software immediately.
• High - remove this software immediately.
• Medium - review the alert details, consider blocking the software.
• Low - review the alert details to see if you trust the publisher.

Actions

• Quarantine - software is moved to another location on the computer; prevents the software from running until you choose to restore or remove it from the computer.
• Remove - permanently deletes the software from the computer.
• Allow - adds the software to the Windows Defender allowed list and allows it to run on the computer. Add software to the allowed list only if you trust the software and the software publisher.

• Turn on Windows Defender
• Enable real-time protection
• Automatically check for new definitions
• Schedule a scan
• Manually scan for new definitions

Windows Defender helps automatically remove malicious software.

• Performance enhancement
• Removed the Software Explorer tool

Security and User Productivity Enhancements

• Customizable UAC requires fewer instances of elevation prompts
• Manageable through Group Policy

BitLocker and BitLocker To Go

• BitLocker To Go extends BitLocker Drive Encryption to password-protected portable media
• Users choose to encrypt drive or leave read-only
• Manageable through Group Policy

AppLocker

• Provides a rule-based structure to specify which applications are available to which end users
• Create default rules first
• View rule event information in the Event Viewer

Windows Defender

• Integrated with Action Center
• Provides an improved user experience when scanning for spyware or manually checking for updates.

Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+

Maze & Associates

@One / San Diego City College

www.LearnSecurity.org

http://www.linkedin.com/in/donaldehester

http://www.facebook.com/group.php?gid=245570977486

Q&A

Evaluation Survey Link

Help us improve our seminars by filling out a short online evaluation survey at:

http://www.surveymonkey.com/s/10SpWinIT1

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/
