Introduction to Windows 7 Security
Paul Cooke – CISSP
Director
Microsoft
Core Security in Windows 7, explore related usage scenarios, and look into how to manage these in an enterprise environment.
Windows 7 builds on the Windows Vista foundation: User Account Control and enhanced auditing, the Security Development Lifecycle process, Kernel Patch Protection, Windows Service Hardening, DEP and ASLR (including IE 8), and Mandatory Integrity Control.
User Account Control
Make the system work well for standard users
Administrators use full privilege only for administrative tasks
File and registry virtualization helps applications that are not UAC compliant
Windows 7
Reduce the number of OS applications and tasks that require elevation
Refactor applications into elevated/non-elevated pieces
Flexible prompt behavior for administrators
Customer Value: Users can do even more as a standard user (for instance change the time zone) and administrators will see fewer UAC elevation prompts. Microsoft has evaluated a lot of user-submitted data about the UAC experience. Users will be able to do more in Windows 7 than in Vista.
Desktop Auditing
Simplified configuration results in lower TCO
Demonstrate why a person has access to specific information
Understand why a person has been denied access to specific information
Track all changes made by specific people or groups
(Photo taken of the Advanced Security Settings dialog for the global file SACL.) With a global object access SACL you can find out who has been poking around on the system, and when, without editing the ACL on every file.
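The global file SACL from the slide, as an added example that is not part of the talk or of Microsoft's documentation: it turns on File System auditing, puts a global SACL on every file for one group, and then reads the resulting Security log events back to answer "who accessed what" and "why was this person denied". CONTOSO\Contractors is an assumed group name; run it from an elevated prompt.

```powershell
# Added example (not from the talk): Windows 7 Global Object Access Auditing.
# A global file SACL audits every file on the box for the chosen principal
# without editing individual ACLs. Run from an elevated prompt.
# CONTOSO\Contractors is an assumed group name.

# 1. Generate File System audit events at all (the SACL alone is not enough).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Global SACL: audit successful and failed write attempts (FW) by the group.
#    Start narrow; GA (generic all) on every file floods the Security log.
auditpol /resourceSACL /set /type:File /user:CONTOSO\Contractors /success /failure /access:FW

# 3. Show what is configured.
auditpol /resourceSACL /view /type:File

# 4. Who touched what, and who was refused: 4656 = handle requested (the
#    failure audits answer "why was this person denied"), 4663 = access performed.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Result  = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']                      # 0x2 = FILE_WRITE_DATA, 0x10000 = DELETE
            Process = $d['ProcessName']
        }
    } |
    Sort-Object Time -Descending |
    Format-Table Time, Id, Result, User, Object, Access, Process -AutoSize

# 5. Remove the global SACL again when the investigation is over.
# auditpol /resourceSACL /remove /type:File /user:CONTOSO\Contractors
```

The XML parsing is there because the EventData fields (subject, object name, access mask) are not exposed as properties by Get-WinEvent on Windows 7; New-Object PSObject rather than [pscustomobject] keeps it running on the PowerShell 2.0 that ships with Windows 7.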
UAC Control
You set the level at which UAC prompts you. From the slider you can no longer turn UAC off, but you can set it to never prompt, which is more or less the same thing. You can now look at the BitLocker state of your disk without getting prompted, and users can run updates without getting prompted. You set the UAC level centrally, and you can also prevent users from changing it.
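The slider positions the talk describes are backed by a handful of policy values. As an added example (not code from the talk or from Microsoft), this script reads those values from a Windows 7 machine and reports which slider position they correspond to; reading the key needs no elevation, and because the key sits under Policies, setting the same values through Group Policy is what stops users from moving the slider.

```powershell
# Added example (not from the talk): read the policy values behind the
# Windows 7 UAC slider and report which position they correspond to.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

$enableLua   = $p.EnableLUA                   # 0 = UAC fully off (takes effect after a reboot)
$adminPrompt = $p.ConsentPromptBehaviorAdmin  # 0 = elevate silently, 2 = always prompt, 5 = prompt only for non-Windows binaries
$userPrompt  = $p.ConsentPromptBehaviorUser   # 0 = standard users are denied, 1 = prompt for admin credentials
$secureDesk  = $p.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop

# Map the admin values onto the four slider positions. On Windows 7 the bottom
# position ("Never notify") also clears EnableLUA once the machine reboots,
# so that is checked first.
$level = switch ($true) {
    ($enableLua -eq 0)                          { 'UAC off (EnableLUA=0)'; break }
    ($adminPrompt -eq 2 -and $secureDesk -eq 1) { 'Always notify'; break }
    ($adminPrompt -eq 5 -and $secureDesk -eq 1) { 'Default: notify when programs try to make changes'; break }
    ($adminPrompt -eq 5 -and $secureDesk -eq 0) { 'Notify, but do not dim the desktop'; break }
    ($adminPrompt -eq 0)                        { 'Never notify (silent elevation; UAC stays on until reboot)'; break }
    default                                     { 'Custom (not a slider position)'; break }
}

"EnableLUA=$enableLua  ConsentPromptBehaviorAdmin=$adminPrompt  ConsentPromptBehaviorUser=$userPrompt  PromptOnSecureDesktop=$secureDesk"
"Slider position: $level"
```

A useful thing to watch for in an estate is the "Custom" case: ConsentPromptBehaviorAdmin=0 with EnableLUA=1 means administrators elevate silently, which is the position that makes a UAC bypass pointless because there is nothing left to bypass.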
Securing Anywhere Access
Network Security
Windows Firewall can coexist with 3rd party products
Multiple active profiles – with Vista only one profile (for instance Home) can be active at a time, even with several network connections.
DNSSEC
Network Access Protection (NAP)
Ensure that only “healthy” machines can access corporate data
Enable “unhealthy” machines to get clean before they gain access
NAP is unchanged from Vista. Like UAC, NAP is here to stay.
DirectAccess
Same experiences accessing corporate resources inside and outside the office
Seamless connection increases productivity of mobile users
Easy to service mobile PCs and distribute updates and policies
Built on open standards: IPv6 and IPsec. Not many people have IPv6 deployed, so Teredo is used to tunnel IPv6 over an IPv4 network. Uses Kerberos tokens. Cisco VPN also uses IPsec. It is the VPN-less VPN…
AppLocker
Application Control
Users can install and run non-standard applications, for instance applications run straight from USB sticks.
Even standard users can install some types of software
Unauthorized applications may:
- introduce malware
- Increase helpdesk calls
- Reduce user productivity
Simple Rule Structure: Allow, Exception & Deny
Publisher Rules: Product Publisher, Name, Filename & Version
Multiple Policies: Executables, installers, scripts & DLLs
Rule creation tools & wizard
Audit-only mode
He actually mentioned somebody blogged about blocking Google apps. I guess that was my blog …
(Photo of a white list)
Publisher, path and hash rules are the different ways of blocking/allowing applications. A publisher rule can pin a version number or allow that version and higher, so you don't have to maintain the whitelist every time there is a patch. You can also allow everything from a publisher, for instance Microsoft, or only one specific application or a suite of applications. And you can allow a specific user or group of users to run an application that is banned for the rest of the organization.
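The whitelist workflow above (publisher rules with hash as fallback, audit-only mode first, then a dry run against a binary), as an added example using the AppLocker PowerShell module that ships with Windows 7. This is not code from the talk or from Microsoft; C:\Program Files\Contoso\App, C:\Users\Public\putty.exe and the Baseline rule prefix are assumed names. Run it elevated.

```powershell
# Added example (not from the talk): build, dry-run and deploy an AppLocker
# policy in audit-only mode on Windows 7. Paths and names are assumptions.
Import-Module AppLocker

# The Application Identity service must run or no AppLocker rule is applied.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Collect signer/hash data for the OS binaries and the line-of-business app.
$files  = @()
$files += Get-AppLockerFileInformation -Directory 'C:\Windows\System32' -FileType Exe
$files += Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso\App' -Recurse -FileType Exe

# 2. Allow rules: publisher where the file is signed (survives patches, since
#    -Optimize collapses them to one rule per publisher/product), hash otherwise.
$xmlText = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
               -User Everyone -RuleNamePrefix Baseline -Optimize -Xml

# 3. Start every rule collection in audit-only mode so nothing is blocked
#    while the whitelist settles.
$xml = [xml]$xmlText
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$path = 'C:\Temp\applocker-audit.xml'
$xml.Save($path)

# 4. Dry run: would this binary be allowed under the policy, for this user?
Test-AppLockerPolicy -XmlPolicy $path -Path 'C:\Users\Public\putty.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (for the domain, import the same XML into a GPO instead).
Set-AppLockerPolicy -XmlPolicy $path

# 6. Audit-mode hits: 8003 = allowed, but would have been blocked if enforced.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The version-and-above behaviour from the talk lives in the generated XML: each FilePublisherCondition carries a BinaryVersionRange with LowSection and HighSection, and HighSection="*" is what lets the next patch through without a new rule. The "one group may run what everyone else may not" case is just a second New-AppLockerPolicy call with -User set to that group and the two rule sets merged.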
More about AppLocker tomorrow – First lecture, 9 o’clock.
Internet Explorer 8
(photo)
Freedom from intrusion – Social Engineering and Exploits
Reduce unwanted communications
Protection from harm: Browser and Web Server Exploits.
Protect Data
RMS, EFS and BitLocker
30% of data loss comes from lost devices.
BitLocker To Go
USB external devices (sticks and drives)
Create group policies to mandate the use of encryption
Windows 7 adds support for encrypting FAT-formatted volumes (Vista's BitLocker was NTFS only).
New Key Protectors for BitLocker
- Data Recovery Agent (DRA)
- Smart Card – data volumes only
Windows 7 adds a number of new Group Policy settings for BitLocker. You can now set a minimum PIN length, and deny write access to removable drives that are not BitLocker protected. A BitLocker-protected removable drive only gives write access to other Windows 7 machines, but gives read access (via the BitLocker To Go Reader) on XP SP2, Vista and Windows Server 2008.
You can choose between passphrase or smart card for your removable devices.
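The BitLocker To Go settings from this section, as an added example that is not from the talk or from Microsoft: the two Group Policy settings are written as the registry values the administrative templates set, and the drive itself is handled with manage-bde, which is the Windows 7 command line for BitLocker (the BitLocker PowerShell cmdlets came in a later release). E: is an assumed removable drive; run it elevated.

```powershell
# Added example (not from the talk): BitLocker To Go policy and encryption
# on Windows 7. E: is an assumed removable drive. Run elevated.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Policy "Deny write access to removable drives not protected by BitLocker":
# an unencrypted stick mounts read-only, so data can only leave encrypted.
New-ItemProperty -Path $fve -Name RDVDenyWriteAccess -Value 1 -PropertyType DWord -Force | Out-Null

# Policy "Configure minimum PIN length for startup" (operating system drive).
New-ItemProperty -Path $fve -Name MinimumPIN -Value 8 -PropertyType DWord -Force | Out-Null

# Encrypt the removable drive with a passphrase protector (prompts for it)...
manage-bde -on E: -Password

# ...and add a recovery password so a forgotten passphrase is not a data loss.
manage-bde -protectors -add E: -RecoveryPassword

# Verify: conversion progress and the protectors now on the volume.
manage-bde -status E:
manage-bde -protectors -get E:
```

The Data Recovery Agent is the one key protector you cannot add this way: the DRA certificate is published through Group Policy under Public Key Policies\BitLocker Drive Encryption, and the "Choose how BitLocker-protected removable drives can be recovered" setting controls whether it is used. For the smart-card option from the talk, manage-bde -protectors -add takes a certificate protector instead of -Password, and as the slide says that is for data volumes only.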
