Tools to Manage Access Control Lists |
In addition to the updates to ACLs mentioned previously, Microsoft has also updated some of the tools you use to manage ACLs. Interestingly, the most significant of these updates are command-line tools. |
|
Registry ACLs |
The registry ACLs have undergone changes, just like the file system ACLs. The changes are much smaller in scope than the changes to the file system, however. The most obvious difference from earlier versions of Windows is that, because of the deprecation of Power Users, almost all the Power User ACEs are gone. |
|
Application Security in Windows Vista |
Windows Vista changes several things with respect to applications and how they run. We looked at the most notable change, User Account Control (UAC) in Chapter 4. For developers, these changes require rethinking how you write applications. For system administrators, it means rethinking how you use them. |
|
Restart Manager in Windows Vista |
One of the primary complaints in the early versions of Windows NT was that it needed far too many reboots to be a viable enterprise operating system, particularly for servers. Those of us who had installed binary patches on VMS years earlier could not figure out why Windows NT needed so many reboots. |
|
ActiveX Installer Service in Windows Vista |
ActiveX was introduced with IE many years ago to allow developers to include active content in a web page. It was a competitor to Netscape's plug-in technology and eventually won that battle. A battle ActiveX never quite managed to win, even though it, by and large, was the only competitor until things such as Shockwave and Flash. |
|
Microsoft Malicious Software Removal Tool |
Windows users can expect to see MSRT show up more and do more. Microsoft initially created it to quickly remove common malware threats in response to current attacks and before new Microsoft software was installed. |
|
Security Center in Windows Vista |
The Security Center application was introduced in Windows XP Pro SP2, as a way of displaying a high-level overview of the system's security status in one screen window. After the install, Vista's first start highlights the Security Center summary screen. Administrators are asked to confirm and set configuration options. |
|
Windows Defender |
Windows Defender is Microsoft's real-time anti-spyware and unwanted pest detection and removal tool. Best of all, it's free. Windows Defender was originally created, and bought from, a company called Giant Company Software. It was completely rewritten and enhanced by Microsoft, and released as an extended beta download for Windows 2000 and above. |
|
Windows Live OneCare |
Windows Live OneCare (http://www.windowsonecare.com) is Microsoft's subscription-based PC protection service for non-enterprise computers. OneCare covers up to three PCs, giving antivirus, anti-spyware, host-based firewall, performance tune-ups, backups, and automated Windows patch management. |
|
Securing Internet Explorer |
Since its release, Internet Explorer (IE) has been Microsoft's weakest security point. As the most common browser in the world, it is a malicious hacker's most popular target. Nearly 85 percent of the world's computers run IE (see http://www.en.wikipedia.org/wiki/Usage_share_of_web_browsers). |
|
New IE 7.0 Security Features |
IE 7 has dozens of new security features. This section will not cover the dozens of other new features that have nothing to do with security (for example, tabbed browsing, RSS support, improved printing, search block, and so on). Here are the most significant security improvements: |
|
Internet Explorer Security Settings |
IE has very granular security settings that outpace any of its rivals. You can place Web sites in one of five IE security zones, and modify nearly 50 settings for each zone. |
|
Introducing IIS 7 |
Windows Vista introduces Internet Information Service (IIS) 7, built on Microsoft's highly successful IIS 6 product. After over four years (IIS 6 was released in March 2003 along with Windows Server 2003), IIS 6 remains without a single significant security blemish. |
|
New IIS 7 Features |
IIS 7 builds upon IIS 6's excellent performance and security record, adding sweeping changes inside and out. The major new IIS 7 features include: |
|
IIS 7 Components |
There are over three dozen components and subcomponents to choose from when installing IIS. Table 9-2 discusses the various components. One of IIS 7's biggest improvements over previous versions is the granularity of the features that can be, or not be, installed. |
|
|
IUSR and IIS_USRS |
When a user connects to an IIS Web site, the files and content are accessed by IIS in the context of an impersonated user. Whatever permissions and privileges the impersonated user has, so too does the connecting Web site user. This is an extremely important point to remember when configuring IIS security. |
|
IIS 7 Administration |
Every aspect of IIS can be managed using command-line tools, and nearly as much with a completely revamped and improved IIS Manager GUI (see Figure 9-9). It separates the various aspects of web server administration into different categories (for example, IIS, ASP.NET, Web Server Management, Server Components, Security, Performance, Health, and so on). |
|
IIS 7 Authentication |
When a client machine connects to an IIS server, it will almost always connect as either an anonymous user (i.e., no user credentials supplied) or with supplied user account credentials. In IIS, user credentials can be stored in Active Directory or the local SAM, handled by an application, or stored in an external authentication database source. |
|
Web Server Access Control Permissions in IIS 7 |
Two types of access control permissions apply to IIS: IIS Handler Permissions and NTFS. Handler permissions are specific to IIS and guide how various types of content are accessed. NTFS permissions are the ultimate deciding access control method, but IIS permissions also play an important role. |
|
Defending IIS 7 |
IIS is secure by default out-of-the-box. But web servers are a combination of components (i.e., network environment, hardware, software, OS, and applications. Making sure IIS and its running applications are secure means checking and hardening a lot of components beyond IIS. |
|
Protecting E-mail in Wondows 7 |
Malicious attack types come in cycles. Two decades ago it was boot viruses. In the mid 1990s, macro viruses reined. Malicious e-mails have been a huge problem since the Melissa virus in 1999 and the Iloveyou worm of 2000. These days, malicious e-mails account for the majority of the e-mail traffic headed across the Internet, albeit using bots, viruses, worms, spam, or phishing attacks. |
|
Introducing Windows Mail |
The popularity of e-mail attacks led Microsoft to completely re-write the Windows e-mail client. The new version was renamed Windows Mail to differentiate from prior versions of Outlook Express and Outlook. While substantial changes have been made to Windows Mail, this section will focus on the security improvements. |
|
E-mail Defenses in Windows Vista |
Unless you use e-mail clients that significantly restrict the permitted HTML tags and active content in HTML-based messages, all incoming and outgoing e-mail should be converted to plain-text, removing any potentially malicious HTML-enabled content. |
|
Managing Windows Firewall in Windows Vista |
When Windows XP was introduced in 2001 it included a feature called Internet Connection Firewall (ICF). Unlike the TCP/IP Filtering that was included in prior Windows releases, ICF was a stateful, packet filtering firewall. It even blocked unsolicited SYN-ACK packets, but that was pretty much where its benefits stopped. |
|
New Features of Windows Vista's Firewall |
The firewall in Windows Vista is a completely different beast. It is actually just one possible implementation on top of a comprehensive, extensible filtering platform; an implementation that happens to have a lot of useful features. This is an important distinction as much of the work really went into the underlying platform not the firewall itself. |
|
Firewall (Vista) Management |
Firewall management with Windows Vista will require some thought. Not only do you need to think about what you want to accomplish, but there are several different interfaces, and it is not always intuitive which one you should use. In this section, we will try to resolve some of the confusion and explain how to manage the firewall in various scenarios. |
|
Server and Domain Isolation in Windows Vista |
Quite possibly the most powerful security measure in recent memory is something Microsoft calls Server and Domain Isolation (SDI). SDI has, in fact, become a marketing rallying cry for Microsoft, although it really started as a purely technical measure for restricting avenues of attack. |
|
Forget About the Perimeter |
Several years ago our friend Steve Riley was running around the world delivering a presentation he called "Death of the DMZ." Steve was one of many insightful security professionals who were claiming that the perimeter was becoming increasingly meaningless as a defensive measure. |
|
Changes in Windows Vista Affecting SDI |
With all the changes in the firewall and IPsec implementation in Windows Vista, it stands to reason that the way you implement SDI has also changed a bit. |
|
Wireless Security in Windows Vista |
Wi-Fi networks have become a common connectivity tool in most corporate and many home environments. Unfortunately, a large percentage of users have installed Wi-Fi networking without any security defenses or with weak defenses. This chapter covers Wi-Fi terminology, threats to 802.11 wireless networks, and improvements in wireless for Vista. |
|
Wireless Threats |
By default, wireless network traffic is unbounded, unauthenticated, and unencrypted. Without any additional protection, wireless network traffic can be intercepted anywhere the wireless waves can be detected, recorded, and manipulated. |
|
New Wireless Improvements in Vista |
There have been dozens of wireless improvements in Windows Vista over previous Windows versions. Here's a brief cap of the most significant ones. |
|
Securing Wireless Networks in Windows Vista |
Despite all the wireless threats, there are many standard ways to secure Wi-Fi networks. To combat the vulnerabilities listed previously, administrators can implement one of the following common security options, listed from weakest to most secure: |
|
Using Group Policy in Windows Vista |
Group Policy… The mere mention of it stirs up strong feelings in seasoned Windows administrators. Typically the reaction is some mixture of awe, revulsion, and resignation. Group Policy is a mixture between dark arts, defense against the dark arts, and your ordinary, run-of-the-mill mystery. |
|
Updated Group Policy Features in Windows Vista |
Many features in Group Policy were also updated in Windows Vista. Some of these are quite significant from a security perspective, and others are simply nice additions to the toolset. |
|
New or Updated Group Policy Settings in Windows Vista |
Now that we have a handle on the new features in Group Policy in Windows Vista, let's turn our attention to the things that really matter: the knobs! There are lots of new knobs, dials, buttons, and switches that we can use to turn on security, and just to pass an afternoon after we locked everyone else out from doing their jobs. |
|
Windows Vista Security Guide |
The day Windows Server 2003 was released, Microsoft released a Security Guide for it. This guide was a staggering success and eventually was accepted as the deployment guide for the United States Department of Defense (DoD) along with other agencies. |
|
Managing Group Policy in a Mixed Environment |
As mentioned earlier, Windows Vista introduces a new administrative template format, ADMX. All settings under Administrative Templates in Windows Vista are defined in these new files. This calls into immediate question what happens to settings for older operating systems, or to Windows Vista, when settings in a GPO were made using an older operating system. |
|
Rollout Strategy in Group Policy of Windows Vista |
Before you start upgrading users to the new OS, the basic recommendation for rollout is to upgrade a few administrative workstations to Windows Vista quickly. This not only lets administrators familiarize themselves with the new OS, it also gives you some place to build and manage group policies for computers running Windows Vista. |
|