Implementing Client Security on Windows 2000 and Windows XP
Session Prerequisites Hands-on experience with Windows 2000 or Windows XP management tools Knowledge of Active Directory and Group Policy Level 200
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
The Importance of Security Protect information Protect communication channels Reduce downtime Protect revenues Protect worker processes 2003 CSI/FBI Computer Crime and Security Survey
Defense in Depth Using a layered approach: Increases an attacker’s risk of detection Reduces an attacker’s chance of success Policies, Procedures, & Awareness OS hardening, update management, authentication, HIDS Firewalls, VPN quarantine Guards, locks, tracking devices Network segments, IPSec, NIDS Application hardening, antivirus ACL, encryption User education Physical Security Perimeter Internal Network Host Application Data
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
Components of Client Computer Security Client Security Defense In Depth Software Updates Apply software updates to keep systems current Password Best Practices Use strong passwords across systems to restrict access Data Protection Back up, encrypt, and restrict access to data Application Security Deploy, configure, and restrict application software installation Client Management Use Active Directory, templates, and policies to enforce security Mobile Computing Implement policies and technologies to secure remote and wireless access Antivirus Install and maintain antivirus software to help protect against malicious code Firewalls Configure hardware devices and/or software to help protect perimeter
Managing Software Updates Implement an update management solution to protect against vulnerabilities Attend Patch Management training session or review prescriptive guidance at: Customer Type Scenario Customer Chooses ConsumerAll scenarios Windows Update Small business No servers running Windows Windows Update Have one to three servers running Windows and one IT administratorSUS Medium or large enterprise Want update management solution with basic level of control that updates Windows 2000 and later versions of Windows SUS Want single flexible update management solution with extended level of control to update (and distribute) all software SMS
Password Best Practices Educate users about good password practices Use pass phrases with spaces, numbers, and special characters instead of passwords Use different passwords for different resources, and protect password list Configure screen savers to use password protection, and lock workstations when away Use multifactor authentication for extra levels of security
Data Protection Use EFS to restrict access to data Sign and software to ensure authenticity Use Information Rights Management to protect digital information from unauthorized use
Mobile Computing The use of mobile computing devices introduces further security considerations Mobile devices extend the perimeter when connected to corporate assets Additional layers of defense are required: BIOS passwords Network Access Quarantine Control Wireless authentication protocols Data protection
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
Active Directory Components Forest A security boundary in Active Directory Domain A collection of computer, user, and group objects defined by the administrator Organizational Unit An Active Directory container object used within domains Group Policy The infrastructure that enables the implementation and management of network security
Establishing an OU Hierarchy Group Policy simplifies the application of client security settings Split hierarchy model Windows XP Security Guide Separates user and computer OUs Applies appropriate policy settings to each OU Root Domain Department OU Domain Controller OU Secured XP Users OU Windows XP OU Desktop OU Laptop OU
Demonstration 1 Modifying Active Directory for Client Security Viewing Default Domain Policy Creating an OU Hierarchy Creating an OU Policy Moving the Client
How to Create an OU Hierarchy 1. Create OUs for each department 2. Create OUs in each department for users and for various operating system versions Create OUs under each operating system OU for each computer type (for example, laptops) Move each client computer object into the appropriate OU
Best Practices for Using Active Directory to Implement Security Create OU structure for client security Create OU hierarchy to separate user and computer objects based on role Apply Group Policy with appropriate security settings for each computer role
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
Using Security Templates Security templates are preconfigured sets of security settings Windows XP Security Guide templates include: Two domain templates that contain settings for all computers in the domain Two templates that contain settings for desktop computers Two templates that contain settings for laptop computers Each templates has an enterprise and high- security version The settings in a security template can be edited, saved, and imported into a GPO
Using Administrative Templates Administrative templates contain registry settings that can be applied to users and computers Windows XP SP1 administrative templates have over 850 settings The Windows XP Security Guide includes ten additional administrative templates Third-party software companies might supply additional templates You can import additional templates when editing a GPO
What Are Security Settings? Security SettingsExplanation Account PolicySets password and account lockout policy for domain Account Lockout PolicyPrevents access after a number of failed logon attempts Audit PolicySpecifies which security events will be recorded Event LogSpecifies settings for log retention and maximum log size File SystemSpecifies permissions and audit settings for file system objects IPSec PoliciesFilter traffic to and from server to block unwanted traffic Registry SettingsSpecify access permissions and audit settings for registry keys Restricted Groups Specifies which accounts are members of the group, and which groups the group is a member of Security OptionsSpecify a wide variety of security settings for users and computers Software RestrictionsPrevent malicious software from running on client computers System ServicesSpecifies the startup mode and access permissions for services User Rights Assignment Specifies which users and groups are able to perform specific actions on computers
Top Eight Client Security Settings The most commonly modified client computer security settings include: Allowed to Format and eject removable media Anonymous enumeration of SAM accounts Enable auditing Everyone includes anonymous LAN Manager authentication Level Password Policy Remove LM hashes SMB signing
Demonstration 2 Using Group Policy Viewing Windows XP Security Settings Viewing Administrative Templates Viewing the Available Security Templates Applying Security Templates Implementing the Security Templates
How to Apply Security Templates and Administrative Templates Root Domain Department OU Domain Controller OU Secured XP Users OU Windows XP OU Desktop OU Laptop OU Enterprise Client Domain.inf Domain Policy Secured XP Users Policy Enterprise Client Desktop.inf Enterprise Client Laptop.inf Laptop Policy Desktop Policy
Best Practices for Using Group Policy to Secure Clients Use enterprise client templates as a baseline and modify them to suit your needs Implement strict account and audit policies Test templates thoroughly before deployment Use additional administrative templates
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
Internet Explorer Administrative Templates Enforces security requirements for Windows XP workstations Prevents the exchange of unwanted content Use settings included in the enterprise client templates Use Internet Explorer Maintenance (IEM) in Group Policy to configure security zones for trusted sites
Internet Explorer Zones Security ZoneDescription My Computer Hidden from Internet Explorer interface Intended for content that is found on the local computer Intranet Internal sites. Includes UNC paths, sites that bypass the proxy, and all internal sites not listed in another zone, except: Windows Server 2003 with Enhanced Security Configuration Does not automatically cover internal sites Explicitly lists http(s)://localhost and hcp://system Trusted Sites Empty by default except on WS03 WS03 with ESC includes Online Crash Analysis & Windows Update Configurable by local interface or by policy Internet Everything not covered in another zone Windows Server 2003 includes all intranet sites by default Restricted Sites Empty by default Specifies permissions and audit settings for file system objects User Rights Assignment Prevents ActiveX, scripting, and downloads Configurable by local interface or by policy
Microsoft Outlook Use the Outlook Administrator Pack to customize Outlook security Use the Outlook Administrative Template to configure Outlook security Outlook 2003 security enhancements Warns user before opening potentially dangerous file types Runs executable content in the Restricted Sites zone Does not automatically load HTML content
Microsoft Office Administrative Templates Templates for Office XP ship with the Windows XP Security Guide Templates for Office 97 and later are available when you download the applicable version of the Office Resource kit
Best Practices for Securing Applications Educate users about how to safely download files from the Internet and how to safely open attachments Only install applications that are required for users to do their jobs Implement a policy for updating applications
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
Local Group Policy Settings When clients are not members of an Active Directory domain, use local Group Policy to configure standalone client computers Standalone Windows XP clients use a modified version of the security templates Each Windows XP Professional client uses a local GPO and the Group Policy Object Editor or scripts to apply settings
Predefined Security Templates If clients connect to a Windows NT 4.0 domain, use: If clients do not connect to a Windows NT 4.0 domain, use standalone security templates Legacy Enterprise Client Legacy High Security Client Baseline security for desktops Legacy Enterprise Client - desktop.inf Legacy High Security - desktop.inf Baseline security for laptops Legacy Enterprise Client - laptop.inf Legacy High Security - laptop.inf
Demonstration 3 Securing Standalone Clients Modifying a Security Template Deploying a Security Template Viewing Example Scripts Viewing Security Settings
How To Use Local Security Policy to Secure Standalone Clients 1. Load the Local Group Policy MMC (Gpedit.msc) 2. Navigate to Computer Settings/Windows Settings and then right-click the Security Settings node and select Import Policy 3. Browse to the location that contains the appropriate security template (for example, Legacy High Security – Desktop) 4. Configure additional security settings as per prescriptive guidance
Best Practices for Applying Local Group Policy Settings Use the standalone template from the Windows XP Security Guide as a baseline Use the secedit tool to automate standalone template distribution Develop procedures to deploy policies Implement mechanisms to update clients
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
What Is Software Restriction Policy? Policy-driven mechanism that identifies and controls software on a client computer Default security level has two options: Unrestricted – all software except specifically denied software can be run Disallowed – only specifically allowed software can be run
How Software Restriction Works Define policy for the domain using Group Policy Editor Download policy by Group Policy to the computer Enforced by operating system when software is run 1 2 3
Four Rules for Identifying Software Path Rule Compares path of file being run to an allowed path list Compares path of file being run to an allowed path list Use when you have a folder with many files for the same application Use when you have a folder with many files for the same application Essential when SRPs are strict Essential when SRPs are strict Hash Rule Compares the MD5 or SHA1 hash of a file to the one attempting to run Compares the MD5 or SHA1 hash of a file to the one attempting to run Use when you want to allow or prohibit a certain version of a file from being run Use when you want to allow or prohibit a certain version of a file from being run Certificate Rule Checks for digital signature on application (for example, Authenticode) Checks for digital signature on application (for example, Authenticode) Use when you want to restrict both win32 applications and ActiveX content Use when you want to restrict both win32 applications and ActiveX content Internet Zone Rule Controls how Internet Zones can be accessed Controls how Internet Zones can be accessed Use when in high security environments to control access to Web applications Use when in high security environments to control access to Web applications
Demonstration 4 Applying a Software Restriction Policy Creating a Software Restriction Policy Restarting the Virtual Machine Setting Administrator Override Testing the Software Restriction Policy
How to Apply Software Restrictions 1. Open the Group Policy object for the OU in which you want to apply the software restriction policy 2. Navigate to the Computer Settings/Windows Settings/Security Settings node 3. Right-click Software Restriction Policies and then click Create New Policies 4. Configure Hash, Certificate, Path, and Internet Zone rules to accommodate your organization’s needs
Create a rollback plan Use a separate Group Policy object to implement software restrictions Use in conjunction with NTFS for defense in depth Never link to another domain Thoroughly test new policy settings Best Practices for Applying Software Restriction Policies
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
The Virus Problem Virus costs now exceed $10 billion dollars Direct cost IT staff or consultants Indirect IT costs Loss of productivity, data, or goodwill
Antivirus Deployment Organization sizeAntivirus deployment solution Individuals and very small organizations Install standalone antivirus products on individual Windows XP clients. Small and midsize organizations Centralized deployment. Use Group Policy to deploy antivirus software. Enterprise-level organizations Centralized deployment. Install using Active Directory and Group Policy. Install and manage using vendor administration console.
Desktop computers Local servers store virus updates for distribution The best solution is a push model, in which the definitions are immediately copied to the clients Do not rely on users to download updates Laptop computers Use Internet updates when away from office Antivirus Updates
Best Practices for Virus Protection Apply vendor updates regularly Use a central deployment strategy Use client-specific software on clients
Agenda Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
For clients on the LAN, a firewall protects network computers from automated attacks Desktops with modem connections to the Internet need ICF or a third-party firewall Laptops with Internet connection at home, hotel, or WiFi hotspot need a personal or individual firewall The Need for Client Firewalls
Internet Connection Firewall Basic protection from Internet threats Disallows incoming traffic Limitations No outbound filtering Support and software issues Limited configuration options ICF is Improved in Windows XP SP2 ICF is Improved in Windows XP SP2
Third-Party Firewall Software Reasons to use third- party firewalls: Increased ability to control inbound and outbound traffic Additional features, such as intrusion detection Issues with third-party firewalls: Scalability Complexity
Demonstration 5 Enabling the Client Firewall Enabling Internet Connection Firewall Testing Outbound Access Testing Inbound Access
How to Enable Internet Connection Firewall 1. Open Control Panel and select Network Connections Right-click the connection to secure, and then click Properties Click the Advanced tab and then select the Protect My Computer Network By Limiting Or Preventing Access To This Computer From The Internet check box Configure the Settings tab to open ports for services running on the computer (for example, Remote Desktop)
Best Practices for Firewalls Require users to enable Internet Connection Firewall on all connections when not using the organization’s LAN Use scripting to force remote clients to use Internet Connection Firewall for VPN connections Do not implement Internet Connection Firewall on client computers that are physically connected to your corporate network
Session Summary Introduction Core Client Security Securing Clients with Active Directory Using Group Policy to Secure Clients Securing Applications Local Group Policy Settings for Standalone Clients Software Restriction Policy Antivirus Software Client Firewalls
Next Steps 1. Stay informed about security Sign up for security bulletins: Get the latest Microsoft security guidance: 2. Get additional security training Find online and in-person training seminars: Find a local CTEC for hands-on training:
For More Information Microsoft Security Site (all audiences) TechNet Security Site (IT professionals) MSDN Security Site (developers)
Questions and Answers