8/8/2011
Windows 7 Security: “To Protect and Serve”
Matthew Hartel J. Abernethy Application Analyst Practice Manager – Legal Applications mindSHIFT Technologies, Inc. White and Williams LLP Booth 407/409 [email protected] J. [email protected] Tel: 215-864-7485 617-715-3607
Windows 7 Security Overview • What’s different – Windows XP and Vista • Mature • Basic Security Toolbox – Authentication – Permissions – Malware – Data Protection – Compatibility • Manageable Framework
Windows 7 Security Model
Group Policy and Trusted Preferences Installer
UAC User Installs
File and Internet Threats Registry Virtualization
1 8/8/2011
Administrative Rights
• 90% of vulnerabilities can be mitigated by running as a user.1 • Principle of Least Privilege • Built to run as user - Local administrator disabled by dfdefau lt • Live as a user - “Know thy User, for He is not Thee” • Application compatibility features help older programs work without admin privileges
1BeyondTrust 2009 Microsoft Vulnerability Analysis
Bit Locker Encryption
• Ties data to the hardware. • Encrypt ALL portable devices. • Seamless – Active Directory integration for pin recovery – No partition creation (as in Vista) – Trusted Platform Modules (TPM) are standard • Features – Bit Locker – Local Drive – Bit Locker to Go – USB Drives – Active Directory Integration – Group Policy Management • Demo
User Access Control
• State Change • Leave it on – but customize • Process Isolation (think CTRL –ALT –DEL) • More “relaxed” with Windows 7. • “Fixes” for incompatible apps available via shims and manifests (Application Compatibility Toolkit)
2 8/8/2011
File & Registry Virtualization
• UAC must be enabled • Technical support needs to • 32-bit Applications only understand how – %WinDir% virtualization works. – \Program Files • Watch settings changes from wihiithin the – \Program Files (x86) application. • Dealing with Bad Apps – Open rights – difficult to manage – Allow virtualization
Windows Firewall
• Very similar to Vista, but a far cry from XP • Improvements – Inbound and outbound – StSupport for multilltiple netktwork connec ti/liitions/policies – Configuration Wizards – no more netsh commands and hokey text editing – More granular exceptions, connection and port configurations
App Locker
• For restricting • Group or user driven installation or execution • Must start Application of apps Identity service and set • Inventory of current default rules. application is critical. • Can get frustrating to • Much more granular support if over utilized than software restriction policies • More maintainable over the long term.
3 8/8/2011
Windows 7 Security Management
• Deployment – Group Policy includes over 300 new settings to manage security – Group Policy Preferences adds additional Client Side Extensions for management • Compliance – Enhanced Auditing provides capabilities to make it easier for an organization to meet business compliance requirements.
What can be Managed?
• Windows Firewall • BitLocker / BitLocker To • AppLocker Go • User Account Control • Internet Explorer • Local Security Rights Security • • Local User Accounts NTFS / Registry • Device Access
Policy versus Preferences
Group Policy Characteristics: • Popular Client Side Extensions (CSE): Folder Redirection, Scripts, Security, Application Management, IE Settings • May be extended through ADM/ADMX files • Can hide aspects of the application or OS Interface. • Does not “tattoo” by default
Group Policy Preference Characteristics: • Popular CSEs: Shortcuts, Drive Maps, Files, Registry, Printers, Power • Allows item-level targeting based on an extensive set of criteria • “Tattoos” by default • Can be used to set first use settings
4 8/8/2011
Common Group Policy Myths
• Myth: Group Policy Preferences only work on Windows 7 – Actually, GPPs work Vista, Server 2008 / R2 natively, and XP SP2, Server 2003 with CSEs installed. GPPs must be managed by Vista, Server 2008 or above. • Myth: You should upgrade to Windows 2008 R2 before implementing Windows 7 – Act uall y, Win dows 2008 R2 DCs and/ or 2008 R2 Functi ona l Level provide few specific benefits to Windows 7 • Myth: You must implement a Group Policy Central Store when going to Windows 7 – Actually, while adding some performance and replication benefits, a central store is NOT required.
T y p ic a l S e c u rity P o lic ie s
• Account policies – Password complexity and aging. Enhanced with Windows 2008 R2 Functional level! • Local User and Group management – Control the Administrator password and username • Applocker / Software Restrictions – Monitor or prevent application execution • Internet Explorer Security Settings – Manage Trusted Sites, ActiveX Controls
Typical Security Policies Part 2
• Device Management – Control the ability to Load and unload devices, such as removable media • Desktop Encryption – Control Bitlocker configuration, recovery passwords • User Interface – Remove access to run command, hide drives, or prevent context menus • User Account Control – For both users and administrators • Windows Firewall – Enforce more restrictive rules when not connected to the corporate network
5 8/8/2011
Windows 7 Enhanced Auditing
• 53 auditable events in Windows 7 – Only 9 in XP • “Reason for Access” Reporting • All can be managed via Group Policy
For Your C onsideration… • Group Policies / Preferences are not perfect! You cannot easily: – Granularly control registry / file permissions – Run executables – Apply privilege to individual executables • Centralized Event Viewer Reporting needs to be assessed • There are dozens of security products in the marketplace that are designed to enhance and augment the base Windows 7 Security features
Questions?
6