Implementing Client Security on Windows2000 and WindowsXP

1
Implementing Client Security on Windows 2000 and
Windows XP

• Byron P. HynesMCSEI, MCSESecurity,
  MCSAMessaging, MCSD, MCDBA, MCT, AVT, A
  
• Technet Security SpecialistMicrosoft
  Corporation
  
• v-bhynes_at_microsoft.com

2
Introduction

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

3
The Importance of Security
Protecting client computers from attack can help
an organization

• Protect information
• Protect communication channels
• Reduce downtime
• Protect revenues
• Prevent damage to reputation

4
Defense in Depth

• Using a layered approach
• Increases attackers risk of detection
• Reduces attackers chance of success

ACLs, encryption, EFS
Application hardening, antivirus
OS hardening, authentication, patch management,
HIDS
Network segments, IPSec, NIDS
Firewalls, Network Access Quarantine Control
Guards, locks, tracking devices
Security documents, user education
5
Core Client Security

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

6
Components of Client Computer Security
Software Updates
Antivirus
Password Best Practices
Firewalls
Client Management Tools
Mobile Computing
Application Security
Data Protection
7
Managing Software Updates
8
Microsoft Windows XP Service Pack 2 (SP2)
Number of days to exploit

• Why it is needed
• Malicious exploits are becoming more and more
  sophisticated
  
• Time to exploit Microsoft issued patches
  accelerating
  
• Current approach is not sufficient

9
Windows XP SP2
Provides innovative security features and default
safeguards to proactively protect and guard
against hackers, viruses and other security
risks Four main areas of focus
10
Begin Your Evaluation Today

• Why evaluate Windows XP Service Pack 2 Release
  Candidate?
  
• Default settings in Service Pack 2 might affect
  how some programs work
  
• Windows XP SP2 Release Candidate 1 (RC1) is
  available for evaluation today
  
• Install from the CD in your TechNet package
• Download from www.microsoft.com/sp2preview
• For more information on Windows XP SP2 visit
  www.microsoft.com/sp2preview

11
Mobile Computing

• When connected to the corporate network, mobile
  computing devices extend the network perimeter
  
• To increase security for these devices, consider
  using
  
• BIOS passwords
• Network Access Quarantine Control
• Strong wireless authentication
• Backup utility

12
Data Protection
To protect data

• Sign e-mail messages and softwareto ensure
  authenticity
  
• Use EFS to restrict access to data
• Use Information Rights Managementto protect
  documents fromunauthorized use

13
(No Transcript)
14
(No Transcript)
15
(No Transcript)
16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
(No Transcript)
26
(No Transcript)
27
Password Best Practices
28
Antivirus Software

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

29
The Virus Problem
It is estimated that last year virus
costs exceeded 12.5 billion

• Direct costs - IT staff and consultants
• Indirect costs
• Loss of productivity
• Loss of revenue
• Loss of data
• Compromise of confidential information
• Damage to reputation

30
Antivirus Software Deployment
31
Antivirus Software Updates

• Desktop computers
• Local servers store antivirus software
  updatesfor distribution
  
• Use a push model, in which definitionsare
  immediately copied to clients
  
• Do not rely on users todownload updates
• Laptop computers
• Use Internet updates when away from office

32
Free software(1st in a series)

• CAs stand-alone anti-virus
• scanner, personal firewall and one year of free
  updates
  
• http//www.my-etrust.com/microsoft

33
Client Firewalls

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

34
The Need for Client Firewalls
Which clients need firewalls?

• LAN clients
• Desktops with modem connections
• Mobile clients

35
Internet Connection Firewall

• ICF provides basic protection from Internet
  threats by disallowing incoming traffic
  
• Limitations
• No outbound filtering
• Support and software issues
• Limited configuration options

ICF is improved and named Windows Firewallin
Windows XP Service Pack 2
36
Third-Party Firewall Software

• Reasons to consider using
• Ability to control outbound as well as inbound
  traffic
  
• Can specify which applications can access the
  Internet
  
• Issues
• Rules can be complex
• Scalability may be a problem

37
How to Configure Internet Connection Firewall
Open Control Panel, and then double-click Network
Connections
1
Right-click the connection on which you want to
configure ICF, and then click Properties
2
Click the Advanced tab, and then select the
Protect my computer and network by limiting or
preventing access to this computer from the
Internet check box
3
To configure additional settings for ICF, click
Settings
4
38
Demonstration Internet Connection Firewall

• Your instructor will demonstrate how to
• Enable Internet Connection Firewall (ICF)
• Test outbound access
• Test inbound access

39
How to Configure Windows Firewall
40
Best Practices for Client Firewalls
Require users to enable ICF or Windows Firewall
on all connections when their computers are not
physically connected to your organizations
intranet
Use scripting to force remote clients to use ICF
or Windows Firewall for VPN connections
Use caution when implementing ICF or Windows
Firewall on client computers that are physically
connected to your organizations intranet
41
Securing Clients with Active Directory

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

42
Active Directory Components

• Group Policy
• The infrastructure that enables the
  implementation and management of network security
  
  
• Forest
• A security boundary in Active Directory
• Domain
• A collection of computer, user, and group
  objects defined by the administrator
  
• Organizational Unit (OU)
• An Active Directory container object used
  within domains

43
Establishing an OU Hierarchy
Domain Policy

• Group Policy simplifies the application of
  client security settings
  
• Split hierarchy model
• Separates user OUsand computer OUs
• Applies appropriatepolicy settings to each OU

Root Domain
Department OU
Domain Controller OU
Windows XP OU
Secured Windows XP Users OU
Desktop Policy
Desktop OU
Laptop Policy
Laptop OU
44
How to Create an OU Hierarchy
45
Best Practices for Using Active Directory to
Implement Client Security
46
Using Group Policy to Secure Clients

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

47
What Are the Security Settings?

• Security settings include
• Account Password Policy
• Account Lockout Policy
• Audit Policy
• Event Log
• File System
• IP Security Policies

• Registry Settings
• Restricted Groups
• Security Options
• Software Restriction Policies
• System Services
• User Rights Assignment Settings

48
Using Security Templates
49
Using Administrative Templates

• Administrative Templates define the settings
  available in a GPO. They may contain
  
• User Configuration settings
• Computer Configuration settings

• You can use administrative templates to
  configure
  
• The users operating environment
• Application security settings

50
How to Apply Security Templates and
Administrative Templates
Open Group Policy Management, and then open the
GPO for the OU to which you want to apply the
security or administrative template
1
Import a security template
2
Import administrative templates as needed
3
Configure additional security and administrative
settings as needed
4
51
Creating an OU Hierarchy and Applying a Security
Template

• Your instructor will demonstrate how to
• Customize a security template
• Create an OU hierarchy and move a client computer
  object into an OU
  
• Create a GPO and import a security template
• Verify that the GPO has been applied

52
Best Practices for Using Group Policy to Secure
Clients
53
Securing Applications

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

54
Internet Explorer Administrative Templates

• Help you enforce security requirements for
  Windows XP workstations
  
• Prevent the exchange of unwanted content
• Consider using the settings included in the
  Enterprise Client templates
  

55
Internet Explorer Zones
56
How to Use Group Policy to Configure Internet
Explorer Zones
Start Group Policy Management, open a GPO for
editing, and navigate to User Configuration\Win
dows Settings\Internet Explorer
Maintenance\Security
http//www.microsoft.com/security/guidance
1
2
3
4
5
57
Microsoft Outlook Security

• Tools for customizing the security features of
  Microsoft Outlook
  
• Outlook Administrator Pack
• Outlook administrative template
• Outlook 2003 security enhancements include
• Warns user before opening potentially dangerous
  file types
  
• Runs executable content in the RestrictedSites
  zone
  
• Does not automatically load HTML content

58
Microsoft Office Administrative Templates

• Administrative templates for Office 97 and later
  are available by downloading the appropriate
  edition of the Office Resource kit
  
• Administrative templates for Office XP are
  included with the Windows XP Security Guide
  
• A key security feature of Office XP and later
  versions is macro security

59
Best Practices for Securing Applications
Educate users about how to download files from
the Internet safely and how to open e-mail
attachments safely
Only install applications that are required for
users to do their jobs
Implement a policy for updating applications
60
Software Restriction Policy

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

61
Software Restriction Policies

• A policy-driven mechanism that identifies and
  controls software on a client computer
  
• Can be used to fight viruses and/or to ensure
  that only approved software can be run on
  computers
  
• Two components
• A default rule for which programs can run
• Default rule options
• Unrestricted
• Disallowed
• An inventory of exceptions to thedefault rule

62
How Software Restriction Policy Works
Use Group Policy Editor to define the policy for
the site, domain, or OU
1
Policy is downloaded and applied to a computer
2
Policy is enforced by the operating system when
software is run
3
63
Four Rules for Identifying Software

• Certificate Rule
• Checks for digital signature on application (for
  example, Authenticode)
  
• Use when you want to restrict both Win32
  applications and ActiveX content

• Hash Rule
• Compares the MD5 or SHA1 hash of a file to the
  one attempting to run
  
• Use when you want to allow or prohibit a certain
  version of a file from being run

• Internet Zone Rule
• Controls how Internet Zones can be accessed
• Use in high-security environments to control
  access to Web applications

• Path Rule
• Compares path of file being run to an allowed
  path list
  
• Use when you have a folder with many files for
  the same application
  
• Essential when SRPs are strict

64
How to Apply a Software Restriction Policy
Open the Group Policy object for the OU in which
you want to apply the software restriction policy
1
Navigate to the Computer Settings\Windows
Settings\Security Settings node
2
Right-click Software Restriction Policies, and
then click Create New Policies
3
Configure Hash, Certificate, Path, and Internet
Zone rules to accommodate your organizations
needs
4
65
Applying Software Restriction Policies

• Your instructor will demonstrate how to
• Create a software restriction policy
• Test the software restriction policy

66
Best Practices for Applying Software Restriction
Policies
Create a rollback plan
Use a separate GPO to manage each software
restriction policy
Use software restriction policies in conjunction
with NTFS permissions for defense in depth
Never link a GPO to another domain
Thoroughly test new policy settings before
applying them to the domain
67
Local Group Policy Settings for Stand-Alone
Clients

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

68
Local Group Policy Settings

• Use local Group Policy to configure stand-alone
  client computers
  
• Stand-alone Windows XP clients
• Use a modified version of the security templates
• Have one local GPO
• Settings must be manually applied by usingGroup
  Policy Editor or scripts

69
How to Use Local Group Policy to Secure
Stand-Alone Clients
Start the local Group Policy MMC (Gpedit.msc)
1
Navigate to Computer Settings\Windows Settings,
right-click the Security Settings node, and then
select Import Policy
2
Browse to the location that contains the
appropriate security template (for example,
Legacy Enterprise Client Desktop)
3
Configure additional security settings according
to prescriptive guidance
4
70
Securing Stand-Alone Clients

• Your instructor will demonstrate how to
• Create a custom security template
• Use a script to manually apply the security
  template to a stand-alone client

71
Best Practices for Applying Local Group Policy
Settings
Use the stand-alone templates from the Windows
XP Security Guide as a baseline
Use the Secedit.exe tool to automate application
of local Group Policy to stand-alone clients
Develop procedures for deploying Group Policy
settings to stand-alone clients
Develop procedures to facilitate the
reapplication of settings to stand-alone clients
when needed
72
Session Summary

• Introduction
• Core Client Security
• Antivirus Software
• Client Firewalls
• Securing Clients with Active Directory
• Using Group Policy to Secure Clients
• Securing Applications
• Software Restriction Policy
• Local Group Policy Settings for Stand-Alone
  Clients

73
Next Steps

• Find additional security training events
• http//www.microsoft.com/seminar/events/securit
  y.mspx
  
• Sign up for security communications
• http//www.microsoft.com/technet/security/signu
  p/default.mspx
  
• Order the Security Guidance Kit
• http//www.microsoft.com/security/guidance/orde
  r/default.mspx
  
• Get additional security tools and content
• http//www.microsoft.com/security/guidance